5d56016ec1aa8b58b98417895d593245c5fb80b1efc11e6a97836f4138161bf7

Analysis

max time kernel
143s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d56016ec1aa8b58b98417895d593245c5fb80b1efc11e6a97836f4138161bf7.exe
Size

194KB
MD5

bc4822b90049dd0abdfedade59924c73
SHA1

c66f841b40ceefd48ff194bcc6131201bc006333
SHA256

5d56016ec1aa8b58b98417895d593245c5fb80b1efc11e6a97836f4138161bf7
SHA512

960815c09a5da26673568743c9730a7ae6b38adfdf7cdb8f9a6d74933a03299993b97204799d94ff4fb61dcb400b25b9d788432bdd498e965e5bcaa87c89832b
SSDEEP

6144:yh1aqPdmydSfUNRbCeKpNYxWlJ7mkD6pNY:wfPd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5d56016ec1aa8b58b98417895d593245c5fb80b1efc11e6a97836f4138161bf7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5d56016ec1aa8b58b98417895d593245c5fb80b1efc11e6a97836f4138161bf7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe

Executes dropped EXE 64 IoCs

pid	Process
3712	Imgkql32.exe
2300	Idacmfkj.exe
4988	Ibccic32.exe
2828	Ijkljp32.exe
4000	Iinlemia.exe
4788	Imihfl32.exe
1792	Jaedgjjd.exe
1984	Jdcpcf32.exe
4344	Jbfpobpb.exe
2088	Jfaloa32.exe
4884	Jiphkm32.exe
3016	Jiphkm32.exe
2900	Jmkdlkph.exe
2160	Jpjqhgol.exe
2780	Jdemhe32.exe
3340	Jbhmdbnp.exe
4672	Jjpeepnb.exe
1312	Jjpeepnb.exe
4716	Jibeql32.exe
2184	Jaimbj32.exe
2956	Jplmmfmi.exe
3120	Jdhine32.exe
2424	Jbkjjblm.exe
3156	Jfffjqdf.exe
1928	Jidbflcj.exe
2004	Jmpngk32.exe
1940	Jaljgidl.exe
1504	Jpojcf32.exe
3436	Jdjfcecp.exe
4572	Jfhbppbc.exe
4772	Jkdnpo32.exe
4348	Jigollag.exe
1908	Jmbklj32.exe
2500	Jangmibi.exe
1684	Jpaghf32.exe
4440	Jdmcidam.exe
3104	Jfkoeppq.exe
2228	Jkfkfohj.exe
3168	Jiikak32.exe
2144	Kaqcbi32.exe
4512	Kpccnefa.exe
700	Kbapjafe.exe
1988	Kbapjafe.exe
1920	Kgmlkp32.exe
4888	Kilhgk32.exe
4300	Kilhgk32.exe
556	Kmgdgjek.exe
1216	Kacphh32.exe
3128	Kpepcedo.exe
4612	Kdaldd32.exe
628	Kgphpo32.exe
4900	Kaemnhla.exe
3732	Kknafn32.exe
4508	Kmlnbi32.exe
2504	Kagichjo.exe
3684	Kdffocib.exe
1372	Kcifkp32.exe
4872	Kkpnlm32.exe
4044	Kibnhjgj.exe
876	Kmnjhioc.exe
4864	Kpmfddnf.exe
1960	Kckbqpnj.exe
2404	Kgfoan32.exe
4400	Kkbkamnl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Jdkind32.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5664	5560	WerFault.exe	197

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 3712	772	5d56016ec1aa8b58b98417895d593245c5fb80b1efc11e6a97836f4138161bf7.exe	85
PID 772 wrote to memory of 3712	772	5d56016ec1aa8b58b98417895d593245c5fb80b1efc11e6a97836f4138161bf7.exe	85
PID 772 wrote to memory of 3712	772	5d56016ec1aa8b58b98417895d593245c5fb80b1efc11e6a97836f4138161bf7.exe	85
PID 3712 wrote to memory of 2300	3712	Imgkql32.exe	86
PID 3712 wrote to memory of 2300	3712	Imgkql32.exe	86
PID 3712 wrote to memory of 2300	3712	Imgkql32.exe	86
PID 2300 wrote to memory of 4988	2300	Idacmfkj.exe	87
PID 2300 wrote to memory of 4988	2300	Idacmfkj.exe	87
PID 2300 wrote to memory of 4988	2300	Idacmfkj.exe	87
PID 4988 wrote to memory of 2828	4988	Ibccic32.exe	88
PID 4988 wrote to memory of 2828	4988	Ibccic32.exe	88
PID 4988 wrote to memory of 2828	4988	Ibccic32.exe	88
PID 2828 wrote to memory of 4000	2828	Ijkljp32.exe	89
PID 2828 wrote to memory of 4000	2828	Ijkljp32.exe	89
PID 2828 wrote to memory of 4000	2828	Ijkljp32.exe	89
PID 4000 wrote to memory of 4788	4000	Iinlemia.exe	90
PID 4000 wrote to memory of 4788	4000	Iinlemia.exe	90
PID 4000 wrote to memory of 4788	4000	Iinlemia.exe	90
PID 4788 wrote to memory of 1792	4788	Imihfl32.exe	91
PID 4788 wrote to memory of 1792	4788	Imihfl32.exe	91
PID 4788 wrote to memory of 1792	4788	Imihfl32.exe	91
PID 1792 wrote to memory of 1984	1792	Jaedgjjd.exe	92
PID 1792 wrote to memory of 1984	1792	Jaedgjjd.exe	92
PID 1792 wrote to memory of 1984	1792	Jaedgjjd.exe	92
PID 1984 wrote to memory of 4344	1984	Jdcpcf32.exe	93
PID 1984 wrote to memory of 4344	1984	Jdcpcf32.exe	93
PID 1984 wrote to memory of 4344	1984	Jdcpcf32.exe	93
PID 4344 wrote to memory of 2088	4344	Jbfpobpb.exe	94
PID 4344 wrote to memory of 2088	4344	Jbfpobpb.exe	94
PID 4344 wrote to memory of 2088	4344	Jbfpobpb.exe	94
PID 2088 wrote to memory of 4884	2088	Jfaloa32.exe	95
PID 2088 wrote to memory of 4884	2088	Jfaloa32.exe	95
PID 2088 wrote to memory of 4884	2088	Jfaloa32.exe	95
PID 4884 wrote to memory of 3016	4884	Jiphkm32.exe	96
PID 4884 wrote to memory of 3016	4884	Jiphkm32.exe	96
PID 4884 wrote to memory of 3016	4884	Jiphkm32.exe	96
PID 3016 wrote to memory of 2900	3016	Jiphkm32.exe	97
PID 3016 wrote to memory of 2900	3016	Jiphkm32.exe	97
PID 3016 wrote to memory of 2900	3016	Jiphkm32.exe	97
PID 2900 wrote to memory of 2160	2900	Jmkdlkph.exe	98
PID 2900 wrote to memory of 2160	2900	Jmkdlkph.exe	98
PID 2900 wrote to memory of 2160	2900	Jmkdlkph.exe	98
PID 2160 wrote to memory of 2780	2160	Jpjqhgol.exe	99
PID 2160 wrote to memory of 2780	2160	Jpjqhgol.exe	99
PID 2160 wrote to memory of 2780	2160	Jpjqhgol.exe	99
PID 2780 wrote to memory of 3340	2780	Jdemhe32.exe	100
PID 2780 wrote to memory of 3340	2780	Jdemhe32.exe	100
PID 2780 wrote to memory of 3340	2780	Jdemhe32.exe	100
PID 3340 wrote to memory of 4672	3340	Jbhmdbnp.exe	101
PID 3340 wrote to memory of 4672	3340	Jbhmdbnp.exe	101
PID 3340 wrote to memory of 4672	3340	Jbhmdbnp.exe	101
PID 4672 wrote to memory of 1312	4672	Jjpeepnb.exe	102
PID 4672 wrote to memory of 1312	4672	Jjpeepnb.exe	102
PID 4672 wrote to memory of 1312	4672	Jjpeepnb.exe	102
PID 1312 wrote to memory of 4716	1312	Jjpeepnb.exe	103
PID 1312 wrote to memory of 4716	1312	Jjpeepnb.exe	103
PID 1312 wrote to memory of 4716	1312	Jjpeepnb.exe	103
PID 4716 wrote to memory of 2184	4716	Jibeql32.exe	104
PID 4716 wrote to memory of 2184	4716	Jibeql32.exe	104
PID 4716 wrote to memory of 2184	4716	Jibeql32.exe	104
PID 2184 wrote to memory of 2956	2184	Jaimbj32.exe	105
PID 2184 wrote to memory of 2956	2184	Jaimbj32.exe	105
PID 2184 wrote to memory of 2956	2184	Jaimbj32.exe	105
PID 2956 wrote to memory of 3120	2956	Jplmmfmi.exe	106

C:\Users\Admin\AppData\Local\Temp\5d56016ec1aa8b58b98417895d593245c5fb80b1efc11e6a97836f4138161bf7.exe
"C:\Users\Admin\AppData\Local\Temp\5d56016ec1aa8b58b98417895d593245c5fb80b1efc11e6a97836f4138161bf7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SysWOW64\Imgkql32.exe
  C:\Windows\system32\Imgkql32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\Idacmfkj.exe
    C:\Windows\system32\Idacmfkj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\Ibccic32.exe
      C:\Windows\system32\Ibccic32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        26⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        47⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        56⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:876
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        63⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        66⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        67⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        68⤵
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        70⤵
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        73⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        77⤵
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4380
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        82⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5100
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        84⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        85⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        87⤵
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        89⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        90⤵
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        92⤵
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:452
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3044
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        101⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        111⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        112⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 412
        113⤵
        Program crash
        
        PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5560 -ip 5560
1⤵
PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibccic32.exe

Filesize
194KB

MD5
f87ae048172c081e4a33b798d49555ea

SHA1
a4e27ba7990183ad54285f8d9a9ebb2c78524b53

SHA256
f71b5a95627c12700ef1a175846484fbb04fc4714833b69157f596a4d64b8bd3

SHA512
ccbc5c73b48c2b64d0b5b18a4f675daa10e321e41a4c7a1edd31e84aa2cb43b58b20fae57a859f37d3fd1859d1d0470b7107955979011cbe98b9a60b95790371

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
194KB

MD5
bd01bccb28bab2a5cf43a4d4d33bca86

SHA1
45d2bb58479d5d0e6d714fa6adf557a06631d3ac

SHA256
d03eb8b15b14166cc5e256a3a87bc568a1962682ddb2a12263a0a658bd915c5e

SHA512
66b28cebaba5ef281184b8f9106c6ac3cdf570ea9aa45770ba75e7f4edcc295067c140d78103093cee818e784352728c1345cc8b511eb269623abcad34ceec5b

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
194KB

MD5
30dd8fcec4a110ad2e556fdf7e0f9e09

SHA1
05b7072019cff1493913db614d5adb3e72bcec61

SHA256
93b615a44b46212f3e41f7c3ba4326d41f75ba86773fd156487a880e0c29bc7c

SHA512
8416adfae8d5a4f18ec9b5be949c6a457ba0e43b4f2f503cf67cf863ebb1c65508f5d4b2e609c5821d628430c035d0ab751b4c327bf8c4a085004ddd5f75291e

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
194KB

MD5
9ca5b33dd33d2563f41a1acafcd685f7

SHA1
3f1f4480d39b66825d6948bd703f4208f23aa0fd

SHA256
5274e64ce5e92d018c0552384fd175e9dd8656866de09045f839cfb427f841f4

SHA512
1b88b35c59629720362692a5fb6479b116e8491524d27eae948b8efe7a6451d935ebf623526d775c2feb7f2fc849cf3c85f9730b0ab44fdbdd271d5698987afb

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
194KB

MD5
01d3c85230d452ce2773450ba42e0845

SHA1
975367b5bb54bbe27069d5364960519ac48610df

SHA256
9164b855699c8b42b208c0d58af39fc79c10c570b05e869a8021b61601acbfed

SHA512
1e82f6d48817b0bc9b0217b85469e3cb77f790e83809aa580314242d4a1a5ff6fe4844b97629db7fdfd584561e3559a9413f990e89b5b8c6a3f882aa65c5ce1b

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
194KB

MD5
b170c44190ec3e92e2fabb2a17ed1499

SHA1
80ea4359c88360e5caff1ace484b59dee7497c7e

SHA256
044e244058837950f84bf2e3c265c5ab891a1904e2993bea9447ee3460347f89

SHA512
337115a2c365a72da594a2d26c0b7959158fe1389ad920b25a99e75eb97f2db06e0b7317aad8787ba39d48bfe07843959e624ee030dfac2ad92a258e0605ccaf

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
194KB

MD5
542e7bd7b3ad15cadb729678acad672e

SHA1
96a1fb4d42ff4fbb6a80faeed75d8e461f392809

SHA256
841499bc7e57e77206e71863e698c2962c8703200444ef089ccf3062f593f3b9

SHA512
6f1c94bc5433b9334932380556a730245c35dc6dea2827578c5f8f6beb468e9c285d3b4a584c4b418eb5eca43831df9ce8cba75d6922ddb9e0f122ab40529a68

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
194KB

MD5
19ec4e53ca9ef76ca85181a1175ce369

SHA1
d9222dea7117c746fbbe4ab784d445fa975e86fc

SHA256
c612f164470f5591e18d244091615c07aed3003985dc73cfcdc7fe87b50f1923

SHA512
edff73f839ead08132cdf2dbc5ed1967ce3b68dfce324ab04d9c07e13399979a1c6dcc83cb82de411a0229b84d3b69d50766d3d0e5312890bf6e715a699f2140

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
194KB

MD5
2c6cd33198571e9fab684e584114cd94

SHA1
412ee4c20639cc83bb60fc82ff958ed15db41546

SHA256
90c9a651c56a634cc400f7310aa43bafe1edc9cce142995262dd31d26d86e98c

SHA512
e24c9dd19205a414cf1a98ff46707a4e1b247207ec08f0ee1ba7707fc1854b73d0c1cef82d6b822e16e66cc18930f37a14ebf182ff91a3b514c9d789379e8480

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
194KB

MD5
102b031ea3f03dd21b7710f1e0442398

SHA1
6d12b3fa2dbe476a41f6ee5e7845f203d75b26c3

SHA256
c4dddecd411934a3d25fe9b0ded4d1b5b33da7cf796bc5ad27351d200a65bc7c

SHA512
9c5f94a44d869d3413214d49b824bdf0b5291812c3302b9aa96d7beb4f443aa959e2b2884d43649204f13c781c0c45bca05eb90d90bd94fc5c607b8b905b2ed9

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
194KB

MD5
8e8b0f9fd36ee9cbb2ef85dbb6d5101f

SHA1
91a77e3be25336cb900a640a8b8ddba4bf510b94

SHA256
5be85b67836317cdec8d8193bb6d033180425a1fc20cf97beacd2d4417b5885a

SHA512
15cfa43f4c1a46564d6438cfc944425d9bfec385451322c25d9303c1cd8c8d3114b34c5f73607f08c3f84b8c35ed2b3171cd5f93e50605504764d69bd3eb70e7

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
194KB

MD5
2fb4d769aa05233c4fdde7476e536cf4

SHA1
b97e9f8bd63375b727bfb23ddc75091c05aadd83

SHA256
7aebf20c5ed02fb95ac4f6177db3e687fcd052ff0b1ede2119fd7f70766097f1

SHA512
c88ace1e6bb593e7b47e777d5bfd00c2a3f42309270a9e8740661ad8af7092099aaf5072837494f255fc0b4f8f14239c1638fa556fc71c59a1f6a0d2ebaf96f5

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
194KB

MD5
e3a309e23af564b0c20728889bb16a35

SHA1
dcf1dcca4068ec1448f1e10374a54017f5095f55

SHA256
ca38c66af550f49e97f93069e17b9557c292128207f9ba1b2cd9ebf56d144097

SHA512
c9d4bbdd17dbfe80435a1803f3a2c26563373e5c59573ce2910299533678f6a465342baea84802a8949950b23d79b8b0e9229361194566f7321b79f72a025614

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
194KB

MD5
7d42a3cd9cf49d4d23962b63a26a8ba6

SHA1
e38bb1ad75120756459cd099add3c6c94dca4cd3

SHA256
acd2fa5455d7319718c751bef80b4aacf68d751f988d05417944f6116a4aab6e

SHA512
4db51bc2ca8bffd78a23ae1be7373fb14230694bf0ff1d3724f3d6f49b09fa395ad813fd41a996756f141b6d4c4c3a32ceb78cfbde140ae18f595aaa7762c11d

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
194KB

MD5
8843565fea9628208d05b8a77f45a0c7

SHA1
8df5ea462ed44963e9bb5b34815105136adc547b

SHA256
7e6e45707b545f1974f3b96b8b386ee8f9f827b3f83344940bf0bbeb1f4f3b24

SHA512
24a737675e4b9706f3376980e226c9e11de81aadfa3e28ac1b1388c8e55e0c4dd12d3fb3e7178387ffb2926930efea22ca11342efa8c581cc22bb819589ef173

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
194KB

MD5
d68eb0e9de04f71546a509f1be50c37e

SHA1
2d779e9619ad0aca72eac9171732ee1477d58185

SHA256
e3608331499d9982ef562d30d9727c6c56297ecb023297852d201d163348b7a2

SHA512
b48ec4f230852b1c49ce8dbdd4654db645e147ad05f47a5bc778c68e64a476837272b3dab453b95722e421b14e4783f1b1ee2243ececabe94b59a6bf4a246f0a

Download Submit
C:\Windows\SysWOW64\Jdkind32.dll

Filesize
6KB

MD5
f4842c31a185d5b3a1eddd273cd36b4b

SHA1
153d6fa94bc28b1c80215d8604beb80b45e5f706

SHA256
ba7932667b0eb1567bbb084f25524212060b22965f45e33621955fefb9cd1272

SHA512
7ac93a4e503a464c3e94ef148805c421f4d347ae46026e90717b0362e3b1b8727458a1d3b446226b07af2b6fc6f240e5c542eb4e23f94b2559e6bf305a869670

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
194KB

MD5
32c42151de999a1827bebb20f50ab02b

SHA1
77fd72ea3931bcda1b330f3517caa32a78387a93

SHA256
ae01f2a7fe2e0bbfe9a125087d5f39368113a0a501051debb2123e95f52a03a9

SHA512
9c791497e2b85b9f6f643dfecf62bc3bd774f0522dc3d4c6151e7c893f43e78cfddd0abfe477568e7a794c9aec5b576f4200503ca3a832b27f675e8440083c15

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
194KB

MD5
ee2c3edb0080611f673eb017718f3aae

SHA1
be62397aa6745561db9b1bb70895a26a86c48e33

SHA256
9f1187a6f81aba5cff51b6d9bd0afea4fbb2c158236ecf8b5c67fec3f43d560e

SHA512
cae0328262a822814852a808fc43757851f1608b4b0613dbac8301056631b177905f97b6296ae113bbeee538cf5659cf307ea0ea72149514cb873fa32928ff63

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
194KB

MD5
a54f7f65e99d082cbeac39c4c885b92d

SHA1
9c556a458282de5028f6c5ea911172ca60a53e60

SHA256
4396eaddabed3e00e4e5b5e79f0f5c54a916a099c3ff44957b3e1fe5f9c2e823

SHA512
1ee3a06b96516eca804bb892f245d1d2f1933954794e526f6ef355a795890cc851a6f47018ed273e26d46fb3e821e60977599ac2ad86347c7c53e9ee2d2e0373

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
194KB

MD5
90569ce1fbdb4658496d0ffb3aa1d499

SHA1
a034cc6dd58c788e86b849fee03770ffce644326

SHA256
e7451ced22ac1c4a26a84df70ecbe70eda12c48ad5f2342fd00441035a830e87

SHA512
ad5be783d5b131ce33c9c13207e55dfbd8f549f2aa84e0d16e81acf67b2583a2f3a2b040f45b47138d80f7926fa5de5bec2cf7db5483e755dd68166627194f89

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
194KB

MD5
61fdabf01f2f261965a0f64938ed8bf2

SHA1
d5f6ceeaf5ce8537be7327a7afdf09cfe966d7a7

SHA256
ead03cead7aa4ab83d8a017d4a208870716a34d4f49c77b93f5afd0be646b716

SHA512
bc530a6fe49322c78e3383cff26891a1cb81d4aa8a5a238837ecc37c03fb8d5db3642af7043a7f94f6e0aaf27e24f802a31caa7b954dd961faab43f71802da38

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
194KB

MD5
027bc6ea6e491e25b57bc1e412f5f8d6

SHA1
74005b10a2bedc94accee94a0dc2cf6c1a340e5a

SHA256
1bf2d284c7180eba9f270419f429bae0d756be9b86ef6e0aa8c1e24b89c9af00

SHA512
affe3f58a855b0f2025490f216dd2a57d79fb950c8288505db51ff9f736b15202adb1d6a22f7aaf7da0e83d9b53ea163c2e5a8b149918971df5d55562ff38cd0

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
194KB

MD5
74794a7b60620cbd71fa2bb9b6d19105

SHA1
0532f95294d5c87599b81d0fd684f8548aab45ef

SHA256
a1af31663ce97935ccf93d9fe9d443033bed9e6bbb155784fe11b4ea4c256c12

SHA512
2fae4d5cd1ee416d449384bc3a51008e4987978e7f17c5563c5eecf234bd3abf549dca8ae53e9d5f412e20d9bce642519fc0551da24eef8274d52c2018726951

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
194KB

MD5
046a26180292e7702f0b50987af80ec6

SHA1
682a5a171a2009ef596013ead406dc136565745e

SHA256
5f3167e4f63ccd482f88249efcbf4b6fd4798c98d2f37805949efc82e1c24c81

SHA512
bca514c35cdbc2ecee92c2df9002414d8b9ab80a01461f3d0ac6739434cd755dd157fcf32847d4ea4724d70dccbf61f0b2eda16d97a01f93f6a88bad02ee6952

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
194KB

MD5
b70e75de75fd90b80dbf32c9e653f786

SHA1
f4bfe00da6c0bf773d8ab17f4b794d5da5835b0c

SHA256
37010c018aa7da34e73bde54be6410815f1b15155dbce22d995c16a57b140e24

SHA512
0972399904cb32ceccc38aa6e0d84c25d5a458384e4ac0d4d09d5102a0440581462b5e7f3479118ae73345022d6422fea3630d52c8b910954146b3250dfad4e6

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
194KB

MD5
63ac0a4e60da05f2d09b50cf1bcb9622

SHA1
baa2fe499d68dcbaea4a77d607f2243c407904df

SHA256
5df551ec9995ba30558f0dea571b849fae255ccb4dbc4b68300c7f8f271d836a

SHA512
b2bdea84ae3d42c508d6e26ec4b272ba32b502ac06395b2bade46f1f5fc339b252f5733f5bfe88356ca4ad475a6656b44abb3491ab755569476c78556038a6b1

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
194KB

MD5
0cb3fe2ced3242c190b24d4be7104659

SHA1
7f2864d1a1521f5a803b9dbebab5654422a99c48

SHA256
20061308fb39e375a99857da4cad72f441920a11fe33e0361444de2cf812f29c

SHA512
e7797c3afe1f91b5c4248b8f6c0fd06f0d72733a1942b89dd456dc218964745d2b18573ff8e2883c2591d204c188105b67012a262d57d31c854b8a820f970da5

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
194KB

MD5
440017bafe8c7ea292e899a88a869aef

SHA1
244951d780bc3d4931b924b901d2f45471c4aa64

SHA256
02fb43bd1bd0914c5db5ee3fcfd38687eeee153351aa7f7aab40411b0282e748

SHA512
d23c0be29cee50f9a048523e40ee0db14ce8f2a3205a7c527f3c07f66360a6ac65191d8ab7b8c2a993a3e2fcbda44d2957a174432a5ba93f96540032721d64f4

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
194KB

MD5
4d33411bae51e8b695ed005df1393749

SHA1
130a1661ca797cfd63fa4064652953bbbae701be

SHA256
f339c6e953fef9ad88e29597d790e0709eac42fcb5773cffd7624589702458b1

SHA512
92ca43029de8d65535040e7815feda339d2680bbf0176531255f2d90dac4d3bd2884eb1ba4118b05a960289760c7d44e3fff4f86ac896afd943c044e1f1a2b06

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
194KB

MD5
9b6b4c6c4e3d1254600a51ca54a544a2

SHA1
4dd8884d6410f061e9c523c1ff897dc26b389d55

SHA256
90a76d75aadb1b1d614b7f11bdc621ef7bfdd3896d4f44fd09396d2c06e142a6

SHA512
bd7e5f9b3aa61fa9cebbb34a7248215d650d411905d43183d50c347a9c8b0b43c1fc3a431ff79c97f79e136c2100d51ddb0a29d3d0dc3ad805493087b2ab5791

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
194KB

MD5
f9c38bf778239f7acb9ce65b97eec12e

SHA1
3b95a6c3af798856e1745fbe54475d3937eeb5e7

SHA256
34d80dfc2288aa34847afaab3a4c638047ba60838b7a1e57e1945bec76d78519

SHA512
b577bef3727e35656f119a2fafbe330597a3c17d0df768121b71647b8852de84fd44eab5cfec30e95207436ee305aafa56892fcf2240152714938f27738c3c41

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
194KB

MD5
b6a2750e41f1ee7d322965842a17f86a

SHA1
7683c1d522d206fa0ce033b997a9f9843cc180b3

SHA256
4f5e7ca7d3ea86fcd8edb93f5179005b6efcee2b7672ce52aad08301bce6ef43

SHA512
92cb5dcb8915dc10c84c39021a7ba0f5b842ecba4c443f03caf293c9f642df2802e06b036fcdce67e4930c1f38ccef0335fdeb2bb05cee042340b55de7b5404f

Download Submit
C:\Windows\SysWOW64\Qdhoohmo.dll

Filesize
6KB

MD5
a958638bb9a0c3b3061e5142fc685d41

SHA1
594564c55b986b3ae16d7f987c1334b9c08eab38

SHA256
b235b0a77f0b3e28fc63efc4e09cf87ad172eca7b2cd1e81cd42bf63ecd18c4c

SHA512
00363c3075c99221fbf5696ef0ea611e51243f7102a24c32b795f87a3ecf09376891985bd875700f3d9dc759bd43938f4ed301d81b2280591a3f06859c7b3875

Download Submit
memory/452-687-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/452-589-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/700-331-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/772-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/876-382-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1028-521-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1028-711-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1148-487-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1148-723-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1328-474-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1372-378-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1504-315-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1548-709-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1548-532-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1684-322-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1716-573-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1716-691-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1792-310-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1908-320-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1960-424-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1984-311-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-725-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-486-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2084-707-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2084-533-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2144-330-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2228-328-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2300-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2304-453-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2400-699-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2500-321-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2504-373-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2540-447-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2828-306-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2964-509-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2964-717-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3016-314-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3044-685-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3108-534-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3108-705-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3436-316-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3468-419-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3476-703-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3592-693-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3592-567-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3712-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4000-307-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4036-515-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4036-713-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4044-380-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4132-697-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4132-560-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4208-689-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4208-579-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4344-312-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4348-319-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4380-727-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4432-458-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4440-323-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4500-695-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4508-372-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4572-317-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4732-497-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4732-721-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4772-318-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4788-308-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4804-683-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4804-601-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4868-418-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4872-379-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4884-313-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4892-701-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4892-549-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4944-425-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4988-301-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5016-715-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5100-719-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5128-602-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5128-681-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5184-679-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5220-618-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5220-677-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5256-619-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5256-675-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5312-625-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5312-673-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5356-670-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5396-667-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5396-636-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5448-647-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5448-671-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5480-665-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5524-657-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5524-664-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5560-661-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5560-659-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads