2ca1d256b48ed1f5f607a3f9af91fd98cea5d659a0b3f70b29c5ff082c9d52e2

Analysis

max time kernel
136s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

492eb5ec4f3501718b3b8c82064480c0_NEAS.exe
Size

256KB
MD5

492eb5ec4f3501718b3b8c82064480c0
SHA1

d14b5fc4c31ea8fcb07c5a24cedaa1ef87f287e3
SHA256

2ca1d256b48ed1f5f607a3f9af91fd98cea5d659a0b3f70b29c5ff082c9d52e2
SHA512

492d47d9b11ea899afe3be5c1be703232835cd2752bd4faf3089624f97c7c5e66bc74f01e5e68fcc715ac5532dbadeabd6af5f1717f23c4b6af31b1f76e85b14
SSDEEP

6144:hjicY5uiKPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynnH:hjicY8ruqFHRD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	492eb5ec4f3501718b3b8c82064480c0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe

Executes dropped EXE 64 IoCs

pid	Process
1932	Haidklda.exe
4976	Ibjqcd32.exe
4668	Iidipnal.exe
4064	Icjmmg32.exe
3624	Iiffen32.exe
4560	Icljbg32.exe
1444	Ibojncfj.exe
3596	Idofhfmm.exe
3560	Ifmcdblq.exe
3352	Ipegmg32.exe
4888	Idacmfkj.exe
3908	Jpgdbg32.exe
2516	Jfaloa32.exe
1296	Jmkdlkph.exe
2392	Jdemhe32.exe
1000	Jbhmdbnp.exe
1884	Jfdida32.exe
4556	Jibeql32.exe
1608	Jmnaakne.exe
3136	Jaimbj32.exe
2552	Jplmmfmi.exe
2752	Jdhine32.exe
2112	Jbkjjblm.exe
3532	Jfffjqdf.exe
3828	Jjbako32.exe
1656	Jidbflcj.exe
4044	Jaljgidl.exe
1292	Jpojcf32.exe
3904	Jdjfcecp.exe
4512	Jbmfoa32.exe
3664	Jfhbppbc.exe
2608	Jkdnpo32.exe
4328	Jigollag.exe
208	Jmbklj32.exe
1012	Jangmibi.exe
3636	Jpaghf32.exe
3824	Jdmcidam.exe
2132	Jdmcidam.exe
3304	Jbocea32.exe
2344	Jfkoeppq.exe
1096	Jkfkfohj.exe
4660	Jiikak32.exe
1936	Kmegbjgn.exe
948	Kaqcbi32.exe
3080	Kpccnefa.exe
3392	Kbapjafe.exe
5056	Kgmlkp32.exe
1828	Kkihknfg.exe
756	Kilhgk32.exe
4796	Kmgdgjek.exe
2196	Kacphh32.exe
892	Kpepcedo.exe
4404	Kdaldd32.exe
1256	Kgphpo32.exe
2624	Kkkdan32.exe
1016	Kinemkko.exe
4580	Kmjqmi32.exe
3952	Kaemnhla.exe
2628	Kphmie32.exe
4364	Kdcijcke.exe
1660	Kknafn32.exe
4812	Kagichjo.exe
3456	Kkpnlm32.exe
2172	Kmnjhioc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Ecppdbpl.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	492eb5ec4f3501718b3b8c82064480c0_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Ljnnch32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6004	5924	WerFault.exe	200

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	492eb5ec4f3501718b3b8c82064480c0_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	492eb5ec4f3501718b3b8c82064480c0_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1932	1832	492eb5ec4f3501718b3b8c82064480c0_NEAS.exe	85
PID 1832 wrote to memory of 1932	1832	492eb5ec4f3501718b3b8c82064480c0_NEAS.exe	85
PID 1832 wrote to memory of 1932	1832	492eb5ec4f3501718b3b8c82064480c0_NEAS.exe	85
PID 1932 wrote to memory of 4976	1932	Haidklda.exe	86
PID 1932 wrote to memory of 4976	1932	Haidklda.exe	86
PID 1932 wrote to memory of 4976	1932	Haidklda.exe	86
PID 4976 wrote to memory of 4668	4976	Ibjqcd32.exe	87
PID 4976 wrote to memory of 4668	4976	Ibjqcd32.exe	87
PID 4976 wrote to memory of 4668	4976	Ibjqcd32.exe	87
PID 4668 wrote to memory of 4064	4668	Iidipnal.exe	88
PID 4668 wrote to memory of 4064	4668	Iidipnal.exe	88
PID 4668 wrote to memory of 4064	4668	Iidipnal.exe	88
PID 4064 wrote to memory of 3624	4064	Icjmmg32.exe	89
PID 4064 wrote to memory of 3624	4064	Icjmmg32.exe	89
PID 4064 wrote to memory of 3624	4064	Icjmmg32.exe	89
PID 3624 wrote to memory of 4560	3624	Iiffen32.exe	90
PID 3624 wrote to memory of 4560	3624	Iiffen32.exe	90
PID 3624 wrote to memory of 4560	3624	Iiffen32.exe	90
PID 4560 wrote to memory of 1444	4560	Icljbg32.exe	91
PID 4560 wrote to memory of 1444	4560	Icljbg32.exe	91
PID 4560 wrote to memory of 1444	4560	Icljbg32.exe	91
PID 1444 wrote to memory of 3596	1444	Ibojncfj.exe	93
PID 1444 wrote to memory of 3596	1444	Ibojncfj.exe	93
PID 1444 wrote to memory of 3596	1444	Ibojncfj.exe	93
PID 3596 wrote to memory of 3560	3596	Idofhfmm.exe	94
PID 3596 wrote to memory of 3560	3596	Idofhfmm.exe	94
PID 3596 wrote to memory of 3560	3596	Idofhfmm.exe	94
PID 3560 wrote to memory of 3352	3560	Ifmcdblq.exe	95
PID 3560 wrote to memory of 3352	3560	Ifmcdblq.exe	95
PID 3560 wrote to memory of 3352	3560	Ifmcdblq.exe	95
PID 3352 wrote to memory of 4888	3352	Ipegmg32.exe	96
PID 3352 wrote to memory of 4888	3352	Ipegmg32.exe	96
PID 3352 wrote to memory of 4888	3352	Ipegmg32.exe	96
PID 4888 wrote to memory of 3908	4888	Idacmfkj.exe	98
PID 4888 wrote to memory of 3908	4888	Idacmfkj.exe	98
PID 4888 wrote to memory of 3908	4888	Idacmfkj.exe	98
PID 3908 wrote to memory of 2516	3908	Jpgdbg32.exe	99
PID 3908 wrote to memory of 2516	3908	Jpgdbg32.exe	99
PID 3908 wrote to memory of 2516	3908	Jpgdbg32.exe	99
PID 2516 wrote to memory of 1296	2516	Jfaloa32.exe	100
PID 2516 wrote to memory of 1296	2516	Jfaloa32.exe	100
PID 2516 wrote to memory of 1296	2516	Jfaloa32.exe	100
PID 1296 wrote to memory of 2392	1296	Jmkdlkph.exe	101
PID 1296 wrote to memory of 2392	1296	Jmkdlkph.exe	101
PID 1296 wrote to memory of 2392	1296	Jmkdlkph.exe	101
PID 2392 wrote to memory of 1000	2392	Jdemhe32.exe	102
PID 2392 wrote to memory of 1000	2392	Jdemhe32.exe	102
PID 2392 wrote to memory of 1000	2392	Jdemhe32.exe	102
PID 1000 wrote to memory of 1884	1000	Jbhmdbnp.exe	103
PID 1000 wrote to memory of 1884	1000	Jbhmdbnp.exe	103
PID 1000 wrote to memory of 1884	1000	Jbhmdbnp.exe	103
PID 1884 wrote to memory of 4556	1884	Jfdida32.exe	104
PID 1884 wrote to memory of 4556	1884	Jfdida32.exe	104
PID 1884 wrote to memory of 4556	1884	Jfdida32.exe	104
PID 4556 wrote to memory of 1608	4556	Jibeql32.exe	105
PID 4556 wrote to memory of 1608	4556	Jibeql32.exe	105
PID 4556 wrote to memory of 1608	4556	Jibeql32.exe	105
PID 1608 wrote to memory of 3136	1608	Jmnaakne.exe	106
PID 1608 wrote to memory of 3136	1608	Jmnaakne.exe	106
PID 1608 wrote to memory of 3136	1608	Jmnaakne.exe	106
PID 3136 wrote to memory of 2552	3136	Jaimbj32.exe	107
PID 3136 wrote to memory of 2552	3136	Jaimbj32.exe	107
PID 3136 wrote to memory of 2552	3136	Jaimbj32.exe	107
PID 2552 wrote to memory of 2752	2552	Jplmmfmi.exe	108

C:\Users\Admin\AppData\Local\Temp\492eb5ec4f3501718b3b8c82064480c0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\492eb5ec4f3501718b3b8c82064480c0_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\Haidklda.exe
  C:\Windows\system32\Haidklda.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\Ibjqcd32.exe
    C:\Windows\system32\Ibjqcd32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\SysWOW64\Iidipnal.exe
      C:\Windows\system32\Iidipnal.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
      - C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        33⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        34⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        45⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        46⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        54⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        55⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        68⤵
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        69⤵
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        71⤵
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        72⤵
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        73⤵
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        77⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:864
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        81⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        82⤵
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        83⤵
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        89⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        92⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        93⤵
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        94⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        95⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        96⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        98⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        103⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        106⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        111⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        114⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 408
        115⤵
        Program crash
        
        PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5924 -ip 5924
1⤵
PID:5980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidklda.exe

Filesize
256KB

MD5
d1f39bf6f7f45b3e0c9f3a3b429b2ff6

SHA1
60dc12462f35df1a64a2b68510c892808208958b

SHA256
7a8cf9996ab64b0da76cd9cab2e38786bb7c6866392a2732518543b6fa2552a7

SHA512
a06cfd5903187b141c763749604c483858904a2742de69c2912dd930283c7393250529007105fb60c0d2ccff6cea227af24fc0196072f1e2cbc7a87d34adacce

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
256KB

MD5
2fa5a735d9ab338cb1bae4773e1160e8

SHA1
4111b9646ab68898c70546cd0255da6b90082ff8

SHA256
2a47f345097c3ba2263e7ca472ddb7226ce667f0af2df9b60b2b3ede06bf5be3

SHA512
35625ccb59899c12859c0bdb90bd3da77b308f3b4aa7f53d01295130e21d91777df85f1f8e24823d70ef25dfd4efb305d2ee474d7c3a9d6b85d7061c8e4d759d

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
256KB

MD5
c480e3980ed90d4513560c2655afe283

SHA1
e04f64df4c7c24d1883a8df6a0b1aebcdf8bde22

SHA256
e0431e92b19e7cea6b0a31abff4f10bd974f00412f9cb44adf53bc044b7e00f6

SHA512
c8d3ed13596c23f166c03dc21eb57d9c789200db9ea515451bea9b8d8452c479d2c9a3b7f44bcdc0dd38706951af0bf77838783f44131dc709e668e97a46a8e4

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
256KB

MD5
015db7eafeab7eb4bfecc3c34c396570

SHA1
5f585ad4de60b1674d1f7836c102abe0b6e81573

SHA256
1bafd9ad8ad90e30d0939b39e96e1b8410c05549a41c22f22c7ef82eb8bfe9b1

SHA512
1e7ef4b4b626d5841620f87404c16980d4f470ac5e14c53abc6e5d1cc55aab1bacb75665dd34a02661e1306de5c88f87ba8572366ea41fc7e1f4fd742cdaf4d6

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
256KB

MD5
840c376a08daca6f1ab78839baf7e16a

SHA1
940662406d7ca70ba8a0ac9e366d1fa87a0563cc

SHA256
e68ac4fcfa40e968d4a3b36f52831f8be485e8d407b3f7491eba29031e149ffb

SHA512
1b27f95292219e1403156e8f17a74e2cceb85b10c8184d5df41aa3273de58ced4bce67ebb894f1196d4453e93198179f8c646420342aff97b33e357134185cfe

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
256KB

MD5
fda562ef3f12420c8125fceec65d555e

SHA1
8dbb7b8494c701e164009e6c66189c4eaa6d8227

SHA256
a3cc28612012219a6860225eb412662e9b802c2a51d70099128ea2efb20b1e52

SHA512
c4f9d8c1ef63b8054f674cbc1f7001ae1d4a210382a269130279c3dd9d1f2e69e32ad8644173c152a56c8e2b09244b6539eff076386ea8f4179b9a30236e8e56

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
256KB

MD5
5948a5bd11a3356bbfbc3b47e063b30a

SHA1
78815ecf46a5de1b8b3f35ce5418f741ece2fb0b

SHA256
d8e64621fb9f34631526990ecaf74e4c594efdff7d9a7e620fab6e0564082c49

SHA512
786720cd59b3b21c869fe93cabc7f4610dcfeab54a7e217c74e87327669cf0156984d2b900a31a88fcc61bcea7096c3624bab6302c9b0f3fd46ffb0259cce2b3

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
256KB

MD5
9e7fc80a2fb17ce0912717f2a35fc3be

SHA1
0ba184d369e11285631bbcfe652655efdbe40176

SHA256
e3bdf90cb8c4209f791173826159e2886e9cbe810cb57442749964fe965b900d

SHA512
cf050b5bf6222536b3018a8092572a45778c6f07edf2d83f19e125ebf452b8aad8317e317f5e7fb87ace06c0528745e0a0f994c996929963d298a21f3a028ea5

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
256KB

MD5
b83c398eb682c2eee255fab88f3ed384

SHA1
32cbdf33f72b65ee20292089923eee69eae9835e

SHA256
f3880abee1f5e1d946d464a272256e6f7fc9f76a4335bb7baed358ca62eba122

SHA512
a1d05becff78de7c7046ef1b03704e69c2825217e2202dd0f8851c4cb921999b934204d3406cece1323e7336d28e917520883f1b05758ab81ecb9753ecf674ed

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
256KB

MD5
40ea675b6d38aedc427fa0c6d78fe441

SHA1
d288ce69608ac37525f25067145353468d1b645b

SHA256
72106ab12c35c2feaf22b2d839b379be31a6c92ccca43159e5de921963072525

SHA512
e2b672075d3dbf0f45b26c9f5e48bdcad858ab8695905927509af0103721d29eb96872d8c65819cc68e12fd301c51b92f49bcb0155c7f18d08a57397228b87e8

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
256KB

MD5
838739513a6a73e22f6b87e03fb4fb9b

SHA1
1cd8cb12680db2c174921cd4627a7eae81acc357

SHA256
1c6a9afc8e828b235d8825ba869c6e41179a2e08257d69d6ea8845d31122d83f

SHA512
706fb02c351d3b4e3c2bf2414f72cc99c76d82c5beba92a2c9099faf4afdb73cea1b707bbb282e94d5b7d067089a7786394a26beef10ad2b12098ed78bf210c7

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
256KB

MD5
a4b32c44b5d4588c6e7273eae8ef9c6e

SHA1
fc342742217cf4d930bcfecdb279cbe7f9344fcd

SHA256
0b5db4aa202aaaf7adf294bd15a3e4d995423b62089a9c6a208af8b2cf72c2ce

SHA512
cf1f14ed9528874aed937ce082838587f8b5371b69a3a37750abf218f70027108426e519f513c9767acb29f0bcdcfe6c66830ab18c2ddf6060afeb0824c6c22d

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
256KB

MD5
03f3efeb0b9b824a25055b9746ee3dd6

SHA1
701c42048bb8ac79eece043fb6ab4454835f9637

SHA256
4ace63ccb5b96a1172843d3c9b497001aef2c78cb36560e853ee30a03fcc2072

SHA512
6e61d13b3c41f9bfd51982d4412dc894534d65c9dd3145ae42f4977fa573754c3e9dbec614cee9af9bdc42b1cc447e7915c8f08219a3f1c5c28a706c1a19fb8a

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
256KB

MD5
2c55e997d68a2c2549367ee93f524562

SHA1
4456ac9492558118d5e98eb0fa88ba8a3e680848

SHA256
276742e7da44768a25e537cfa94639135677a4fd9dc9066f614c36d80a31bf4a

SHA512
b3eb7b27c9f23d37d2c2dbe928846778f2a663b48250789680a960ebb0308a27fa2cbbe45f1d9b65d64275c8b8ef9ca83b0b602bf90033d02d697bd4151c955a

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
256KB

MD5
fa53a1392d02831ed4f4354b5fd12555

SHA1
ec1e4629f5a2e19ba19e17bc92b066c83667e5d4

SHA256
1a1651477b1797c4c51ec41857e22f4f4db8d2ff1e10d00eb2ed68a372df34f9

SHA512
958f98267cfe4fb8f4ecd17d13a572724aaee0bf7c28a7e0c1b5993970c716ef04ca2a1346cac36eb86b0fd5ee7941b2e7b083858df0001b5d12d0f7580a22ad

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
256KB

MD5
bbaa142a255bbb69a06f6e0724778a20

SHA1
221c820cabc043158472e2a89397e3e762a5d023

SHA256
baa1bb37aad79b1fc6300d316e2b4365448cf1274a85166adf829c7b2a9a379c

SHA512
27b7888f418c6f6c18f71f23cc333e586130ffdd1c89b9a42bddf37f05c2e2a0e714b2759d5a4bf6ca830565fe31262acbbf939309ddf3973856e3905dae24ae

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
256KB

MD5
13d5eb7c5ff6ac6ab1c4ff381b68ce0e

SHA1
d1261b5f3adea3c146421cbb2e9127b5fd60747d

SHA256
82e2f3bb74669b45c90c5f91b0e4b20598b323ac29c3d9f8ce7697f707c3e68b

SHA512
0fadc9fcabef16b8fc6a6d2acbf3b5d94b6407ddab528d57e608b85bd3078b4030d4e3d51ec4e9dabd236bf73622a330aa931489c6351833de2caa7f86f795b6

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
256KB

MD5
1a1276727ea45203ccc8ac64bed79a68

SHA1
e55a30d60e402f305fa3dd20c9ec3a80fe58c125

SHA256
4065c79e6b6be44bb7f258a555cffdcc3ebdddd5fd177d32aace44fb74c4ba66

SHA512
5be73f1ab2781734977ec7cb67272e22e053ae1d8a425ca2aacb30140bfdb05d37132ca883044b3f7bd1fc4bbdee2e4c7cce9e4b5f017ad3931fb647c48b4f2f

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
256KB

MD5
ef4facd8e745b90ae2d27787f11f34c5

SHA1
5055ca177709ce2a560dc23c7eada6bf5081792a

SHA256
a81f8a0e5b8d6c651e57f5b1f7f2bf55e96804cc8a9da6806196d0d9075c15a4

SHA512
8ec2513af5d908398398bfbf835ab94488cde7915a0bb8f74f1579430981c2461c2b181694737a12b882a61f86a908f9610f5713bc8271444d2c9fed5c02c7ae

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
256KB

MD5
02bf6dd530f568c3ff5ffefec9015eba

SHA1
144f41149e85d4ece953cbed5b0a1fdde0f0fe53

SHA256
052888976c3975ad11be87ce19a3ff9d00d57a0fb3a7dd10ff74508db712ed85

SHA512
f12ac7b89a5d808ce2cc9ee12050ff3d94502b2285041e0a653af265505f6c17f42aacd86860ef60c105b37d8a19b5ac45fa69d2445e53a5bfca6d0f3d6c772f

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
256KB

MD5
268044fdf1926adcab36b20a5030e062

SHA1
c753c434b51c3df34ce5d48ea90b4632b03041c1

SHA256
9f27c9ba2a2d912010f042441eca576d05f5d5bf375b6f22c5afe70f43f46369

SHA512
fa34e007d3f55238439e1264419eec31a9ae8a4ea5129dcbdad1cdeaebcd2a08ffb5a4edf99879bf632bd9f094ac6c6254ba6f824d849dd20a7c5ad4ec8a5dc2

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
256KB

MD5
430118b421d64c1621f05d444637e712

SHA1
af2cf709d0a1cfd91c06df57486bf0c9030bc0f2

SHA256
9b07c733e324395f5d491f1ac04178b58edffcb92c344a2ab4a2ff3808ffd7db

SHA512
4428e4654dcc55d2db7d720278f401cf1693cc81cff2a7778bf9d50608c857c1711efd23dc12c0fcf7c03eb8980879b52974c23638efe50eadc8e7189313984b

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
256KB

MD5
48c388fce0ca7b108f541879b34e1c10

SHA1
d4cbe3d417591e12718c4725ca72268812517a72

SHA256
d65444ffcdf3e04aaec6b547c398de7a8d21c1ac8692db2fb985c47e6181f0e7

SHA512
a3375dd77fa75605960a49e05ef5fc037fa4f72cf7d87eaa73c0169706d13ca41dc07935cdf42a4e8fe193533f955c325a71e350b21417c2b4ed24c589fe1afe

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
256KB

MD5
bee999e7149a3f09ad96983121a700d9

SHA1
7f4ae57c738e06f90b0949eebb0ef373582738cf

SHA256
56494cc53c089aba383ddefff914447b4e84f800eebb75234d866fcf633ccec8

SHA512
026e47f86835172799faa1f740635ff3ce5f26a9be6159e3256a19c98e9ace9acb60a0d2acd9224292e8c435e03eb2880568f255fe590223dfdb8333a6feed63

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
256KB

MD5
543f1695d6e5c5f0c29801b8db2b971c

SHA1
c0f56d8ac6de39f92031a7c42977c538096a8bff

SHA256
eca0e8013cdf61ea0b3b53b1fee2e348d218321400075f03be6e72d2a7dec9c4

SHA512
3d2af2ccb3ebd939e7e6b4d7e1379a6ee07468bbb9124031112cb738f694704bb0beba14fe35453180bd7426dd8fa1cd1e8c1e6fedb3af75d6c5466f9a6f5c01

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
256KB

MD5
0c03ed5cb8ed0e47357dbce56b638a84

SHA1
a41d5f510ba563726f0e268ea41ee3ea509b97a7

SHA256
f0092f35eb23dd03ccecedd1dba5f2eaa1bfc989f4f82d6f356519b56075d9ef

SHA512
226cf58ddb89b4150f8ce425c9211f824f509b03abd1d80d14f98cc3ef95be012613c4c3292f9436bae1388a91a5a15ca06ef33212023a4b65b9d1c8c856a582

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
256KB

MD5
762a14c702564c11da275f25e11fc787

SHA1
cb748ff2b6da6e1a3f6501bb80e1894b302fe280

SHA256
a3724d1cf8d03ab54ff0dc0b1d565dd12cea3e37fe7746dd021f274c2326cd4d

SHA512
ddb68fe7ad6697e7ce0c7a7cfaccded7671dad66b5a6d67ef9f675da5d23e0bca96ed50487055347eaf32c27bb61c87d04dfda22b70c0520da4c0ae36cfa6b73

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
256KB

MD5
ea62410b1e48b20e728743948a188674

SHA1
c03e0b8a15a36bdc676c3daee51fcb0fb4d5bcb9

SHA256
150ed838e5c60ee7de0b90c5d8ef8e318fad32a3e9aaa6322a2aea5d86701e77

SHA512
f05abeb576ce450e1feb0560b8ed044e5d7e2fea7d1b310de9f8fd68ab39e2f6f08c10a92d9d5e9fe00f04676194ec73f46a179bb349ffa07bacb78a18d56dd6

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
256KB

MD5
e514c8c46ed3605cd3260dd89b6f1b14

SHA1
8516dbbebf5a77e6b8b35e0fd6b191acde244aaa

SHA256
b491806ab0f6df7c48a3a15332789c9000d99df54ba4003f4e939b94ce379c0d

SHA512
386521d185df4bc1764c2fa94109635ff33b5b1e6aca2e24031d527745531e50575e15d48236becee7d6a372bc9729aef846d4bc12a0be2b4542e21e05ae3e47

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
256KB

MD5
b2789348ea9ca013d23774842aa714cb

SHA1
5e00bc03734714ce6315326a647285e7e78ae52a

SHA256
88d17ddb421237d7f73ec4a0bd9a9a5c32f8218045010c88a39f4dc7a750c688

SHA512
eec2e04b77f0d238f925998cabf60fc9b4de48831437a811f86a475827df8868d13ec740a9d7c303c13c89b8c0f5e4ba47b159c725221de64fa1adbd3b4e7d44

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
256KB

MD5
873637d87add716cd916893231d33960

SHA1
b278cbb0e8a1b0a65b5c57f1896b0cd8e9cdaf5e

SHA256
9d131e07ce7a8c46aec924e38df75bf522066575bef217999a30c0b7438e68f7

SHA512
46ab72aafeba6bc2d8b39bb44485c5cfd186dba6d5177553f0d0dee42a33c9289d1cbd505200b971309bd622428de9e1132eb7bc163bee6efe2f8ed3041a7cfe

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
256KB

MD5
4d99bde59c2b98f642b32a8ba0a3f67f

SHA1
e176c64cd19d53173ddcb0140e975b7598cbc73a

SHA256
00bf028876273875681b56299589f2f2f6d25e62055972b087bf14ef390d9c82

SHA512
84af842c9ab91c1eb30702a48523293a4e4cc19db5c74e139f1937836698aaf5b4a82a7d5e7243c66d46a9cce38e4f821907204e40f13505a6318565fea522a3

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
256KB

MD5
dd3664167182472c293f8146f74ee2b3

SHA1
8be3cfeb44c6b45ffb9c8c49b54dca5b10c9883c

SHA256
7c0b70485643b029c26aefc24771b51bb979a92f95a2676d806c6474c2231b5a

SHA512
f6fbf31d444c9846d7cdf54e2700948af35360cf9454bf5f185c9a14826221142b6534cbef598f04ca8b74028407712542e6f84091820d69c593cac3c409c3a7

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
256KB

MD5
c0305a7e95e34fe0d050f60bbe198e0b

SHA1
005399fb27e62751644063164f5e62d992a75738

SHA256
06b0a43d47158a5e40c67b3b41cd1a967dc752468bfd8cb23cf875ba64dfdcd7

SHA512
96c15082ff2eef08431abb91268229a96a2af4876447b27e297940e9fe6a41ecad4213b7d482c7a18bb69eaaa909c546c9ab74913c9dd2479e64e11587f3f347

Download Submit
memory/208-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/368-531-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/864-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-613-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1096-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1112-582-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1216-532-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1256-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1296-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1832-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1884-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-612-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-569-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-619-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3136-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-571-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3352-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-530-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3392-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-535-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3456-482-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3636-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3824-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3848-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3904-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4668-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-481-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-602-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-529-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-600-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5056-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5132-630-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads