d67c24420d1653fa7d21207ee2e7264df55a7df79101925ac0936d337fe61ac7

Analysis

max time kernel
129s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be1059d4877b0911a9b9a01a140cee70_NEAS.exe
Size

232KB
MD5

be1059d4877b0911a9b9a01a140cee70
SHA1

00a6bb92e4489a0c120d4de8fb55ed04cec726d6
SHA256

d67c24420d1653fa7d21207ee2e7264df55a7df79101925ac0936d337fe61ac7
SHA512

32a25a8e53dd1d13bfe35ad173b9d496fc077c229a25bb2c0feea86e935f9883263d0f7f6ebd834cb180ac10018f94babda868eedab05bf393f3df2e53444710
SSDEEP

3072:X+MthIEQw7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121TzlbNRfzPadOF:uMDIEX6s21L7/s50z/Wa3/PNlPX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe

Executes dropped EXE 64 IoCs

pid	Process
3828	Gmhfhp32.exe
3496	Gogbdl32.exe
1148	Gjlfbd32.exe
5012	Gmkbnp32.exe
5044	Gbgkfg32.exe
1656	Gjocgdkg.exe
2012	Gqikdn32.exe
1220	Gfedle32.exe
3952	Gmoliohh.exe
620	Gpnhekgl.exe
4368	Gifmnpnl.exe
1844	Gppekj32.exe
2348	Hjfihc32.exe
2128	Hmdedo32.exe
1032	Hcnnaikp.exe
4560	Hfljmdjc.exe
4664	Hpenfjad.exe
3984	Hjjbcbqj.exe
4552	Ibmmhdhm.exe
4616	Iiffen32.exe
1116	Icljbg32.exe
5020	Imdnklfp.exe
4244	Ipckgh32.exe
4360	Iikopmkd.exe
4992	Idacmfkj.exe
2536	Ijkljp32.exe
220	Jaedgjjd.exe
2548	Jbfpobpb.exe
2428	Jmkdlkph.exe
3884	Jdemhe32.exe
2608	Jfdida32.exe
4856	Jmnaakne.exe
4804	Jdhine32.exe
3260	Jidbflcj.exe
3156	Jmpngk32.exe
1948	Jpojcf32.exe
1232	Jdjfcecp.exe
5104	Jfhbppbc.exe
4480	Jkdnpo32.exe
3600	Jmbklj32.exe
2776	Jpaghf32.exe
2204	Jbocea32.exe
2504	Jfkoeppq.exe
4872	Kmegbjgn.exe
884	Kaqcbi32.exe
2464	Kdopod32.exe
2584	Kbapjafe.exe
3120	Kkihknfg.exe
4800	Kmgdgjek.exe
4668	Kpepcedo.exe
3908	Kbdmpqcb.exe
3608	Kkkdan32.exe
3624	Kinemkko.exe
664	Kaemnhla.exe
1684	Kphmie32.exe
5000	Kbfiep32.exe
4488	Kknafn32.exe
4024	Kmlnbi32.exe
3620	Kpjjod32.exe
3384	Kcifkp32.exe
4888	Kkpnlm32.exe
4400	Kmnjhioc.exe
2936	Kpmfddnf.exe
3844	Kckbqpnj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5284	5844	WerFault.exe	213

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	be1059d4877b0911a9b9a01a140cee70_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3828	4996	be1059d4877b0911a9b9a01a140cee70_NEAS.exe	84
PID 4996 wrote to memory of 3828	4996	be1059d4877b0911a9b9a01a140cee70_NEAS.exe	84
PID 4996 wrote to memory of 3828	4996	be1059d4877b0911a9b9a01a140cee70_NEAS.exe	84
PID 3828 wrote to memory of 3496	3828	Gmhfhp32.exe	85
PID 3828 wrote to memory of 3496	3828	Gmhfhp32.exe	85
PID 3828 wrote to memory of 3496	3828	Gmhfhp32.exe	85
PID 3496 wrote to memory of 1148	3496	Gogbdl32.exe	86
PID 3496 wrote to memory of 1148	3496	Gogbdl32.exe	86
PID 3496 wrote to memory of 1148	3496	Gogbdl32.exe	86
PID 1148 wrote to memory of 5012	1148	Gjlfbd32.exe	87
PID 1148 wrote to memory of 5012	1148	Gjlfbd32.exe	87
PID 1148 wrote to memory of 5012	1148	Gjlfbd32.exe	87
PID 5012 wrote to memory of 5044	5012	Gmkbnp32.exe	88
PID 5012 wrote to memory of 5044	5012	Gmkbnp32.exe	88
PID 5012 wrote to memory of 5044	5012	Gmkbnp32.exe	88
PID 5044 wrote to memory of 1656	5044	Gbgkfg32.exe	89
PID 5044 wrote to memory of 1656	5044	Gbgkfg32.exe	89
PID 5044 wrote to memory of 1656	5044	Gbgkfg32.exe	89
PID 1656 wrote to memory of 2012	1656	Gjocgdkg.exe	90
PID 1656 wrote to memory of 2012	1656	Gjocgdkg.exe	90
PID 1656 wrote to memory of 2012	1656	Gjocgdkg.exe	90
PID 2012 wrote to memory of 1220	2012	Gqikdn32.exe	91
PID 2012 wrote to memory of 1220	2012	Gqikdn32.exe	91
PID 2012 wrote to memory of 1220	2012	Gqikdn32.exe	91
PID 1220 wrote to memory of 3952	1220	Gfedle32.exe	92
PID 1220 wrote to memory of 3952	1220	Gfedle32.exe	92
PID 1220 wrote to memory of 3952	1220	Gfedle32.exe	92
PID 3952 wrote to memory of 620	3952	Gmoliohh.exe	93
PID 3952 wrote to memory of 620	3952	Gmoliohh.exe	93
PID 3952 wrote to memory of 620	3952	Gmoliohh.exe	93
PID 620 wrote to memory of 4368	620	Gpnhekgl.exe	94
PID 620 wrote to memory of 4368	620	Gpnhekgl.exe	94
PID 620 wrote to memory of 4368	620	Gpnhekgl.exe	94
PID 4368 wrote to memory of 1844	4368	Gifmnpnl.exe	95
PID 4368 wrote to memory of 1844	4368	Gifmnpnl.exe	95
PID 4368 wrote to memory of 1844	4368	Gifmnpnl.exe	95
PID 1844 wrote to memory of 2348	1844	Gppekj32.exe	96
PID 1844 wrote to memory of 2348	1844	Gppekj32.exe	96
PID 1844 wrote to memory of 2348	1844	Gppekj32.exe	96
PID 2348 wrote to memory of 2128	2348	Hjfihc32.exe	97
PID 2348 wrote to memory of 2128	2348	Hjfihc32.exe	97
PID 2348 wrote to memory of 2128	2348	Hjfihc32.exe	97
PID 2128 wrote to memory of 1032	2128	Hmdedo32.exe	99
PID 2128 wrote to memory of 1032	2128	Hmdedo32.exe	99
PID 2128 wrote to memory of 1032	2128	Hmdedo32.exe	99
PID 1032 wrote to memory of 4560	1032	Hcnnaikp.exe	100
PID 1032 wrote to memory of 4560	1032	Hcnnaikp.exe	100
PID 1032 wrote to memory of 4560	1032	Hcnnaikp.exe	100
PID 4560 wrote to memory of 4664	4560	Hfljmdjc.exe	101
PID 4560 wrote to memory of 4664	4560	Hfljmdjc.exe	101
PID 4560 wrote to memory of 4664	4560	Hfljmdjc.exe	101
PID 4664 wrote to memory of 3984	4664	Hpenfjad.exe	103
PID 4664 wrote to memory of 3984	4664	Hpenfjad.exe	103
PID 4664 wrote to memory of 3984	4664	Hpenfjad.exe	103
PID 3984 wrote to memory of 4552	3984	Hjjbcbqj.exe	104
PID 3984 wrote to memory of 4552	3984	Hjjbcbqj.exe	104
PID 3984 wrote to memory of 4552	3984	Hjjbcbqj.exe	104
PID 4552 wrote to memory of 4616	4552	Ibmmhdhm.exe	105
PID 4552 wrote to memory of 4616	4552	Ibmmhdhm.exe	105
PID 4552 wrote to memory of 4616	4552	Ibmmhdhm.exe	105
PID 4616 wrote to memory of 1116	4616	Iiffen32.exe	107
PID 4616 wrote to memory of 1116	4616	Iiffen32.exe	107
PID 4616 wrote to memory of 1116	4616	Iiffen32.exe	107
PID 1116 wrote to memory of 5020	1116	Icljbg32.exe	108

C:\Users\Admin\AppData\Local\Temp\be1059d4877b0911a9b9a01a140cee70_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\be1059d4877b0911a9b9a01a140cee70_NEAS.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\SysWOW64\Gmhfhp32.exe
  C:\Windows\system32\Gmhfhp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\Gogbdl32.exe
    C:\Windows\system32\Gogbdl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\SysWOW64\Gjlfbd32.exe
      C:\Windows\system32\Gjlfbd32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        34⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        35⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        47⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:664
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        67⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4696
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        71⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        73⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4752
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        77⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        80⤵
        Drops file in System32 directory
        
        PID:560
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        81⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        84⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        85⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        91⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        95⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        97⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        101⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        102⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        104⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        105⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        106⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        107⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        108⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        109⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        112⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        114⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        115⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        117⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        120⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        123⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 400
        124⤵
        Program crash
        
        PID:5284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5844 -ip 5844
1⤵
PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
232KB

MD5
7149433f21811742799fccba09bdc7a6

SHA1
9451dedbac1cd8257ae82816d78fd70ea8973a01

SHA256
81c14e970909c5d3d7f989391100f89e75c0439a9306865eb21c07fc9b012a41

SHA512
a5e224cec7e24dba89fbf466865f80258bc62ce687a27ac9f4c1b0b5c10184218dccb7cd27452118e743860de9a4a1e71319cf40d4536a5ea5c9237acd6c851c

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
232KB

MD5
1481ac286e7c70084efa56e6b8466bd4

SHA1
aa936aafdc37f307eff67e469c6b254084e7c5c2

SHA256
681683fbf44558e144b66068af2c3d8456bbd2f24c494e544c6874397ce2b535

SHA512
31a874f2a4b41c2afbd1fa66003a32641266c2d258e43d2c9c81d4188132b45687d4b7025ed8fa527e2298455db60a2647dce7c4b62bb1026d192de666754be9

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
232KB

MD5
813d455ae75e02209d0128192fc2cf06

SHA1
7c1f43207363554c489a237ccf93eb0b45ee1ee3

SHA256
ff57126901f1f07f4da801b9b54839396118e7ff07402f76547d7c9994794b55

SHA512
841fa446e9e8763e4790912230304adc5c59828b045e4538e665d2c01bab01802516af4930305ac2cf38e3278b1688c8975fcf887628dfc76bf3daf7427d2af8

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
232KB

MD5
b500b8e48432559b77c9f0bc41f8d25f

SHA1
de86887001070cd2d57ebb7a413e74c083d3dceb

SHA256
136a011cf08af82bc5a27ba22b5ca16b1d7adf945b2d96cea1be8a0c2f4293f5

SHA512
09f4e45ab7609d6af3e03f03db1c38b19ec59d5e5a21bcdef810693d6dccd0cb4fbe68e0f18ed8c4e26520a5a91ea8a2532bc9c66f97b849dcec50bedc0aeb62

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
232KB

MD5
cd11a81308bbea745e343d7dced4e8d1

SHA1
ba310fa8c4d1b59e6c80d15ac8f2ed8b6c6bd558

SHA256
fc0f1ba745bc2d0ffa0949d5e58cac3fe6de99f5037fd3eb4e30b41637847c58

SHA512
a73ec84fb34a2b4f1ec0ae6dfc2c5add9eeb0690ccde8492be8b89fbc90db0b99c6ea0dc4754e78100c27f4f3878bf69f530624be1df6be5a4fcd55661b580bb

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
232KB

MD5
fef8d6ea3e28c3207e4e654dfb7c80bc

SHA1
cc883881d4cd7a335f7a797f089e1c66b160a307

SHA256
beb3f29b03348c2b194c623af4f079b2eb59a0a374debd4a27e20bfadec3853b

SHA512
3942d08d0fe63742c764967115184dc2bc411c73e55b3ce3d4088450cf5043f69fd24f1aa91933e5a5e637d55f1bdadab7cc617ae9666a42e633f696b91c205d

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
232KB

MD5
52775a41630a3d1c60d030bc5eee0bd9

SHA1
900d8373abb27f3217d7b0dc1be73dac994a2a31

SHA256
54bfc6283cf47a8842f21557fdb295de816fd4cc8b965e0de2368caeb6db1f71

SHA512
d794251b716d233df5a67a52709c8d9770195ed36692c221a94583e5aaa86d4126bf305581c3589808307da0e82102f0e0f67748932b59f6c05a975ea32ca3d0

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
232KB

MD5
a9a92abb41d8d713a0dadf8114e58a4e

SHA1
64d0d39788d4659945202115e363f81e4e6bbf62

SHA256
973914145bcff0a1d5713f5ffcbe7c7c6ab3a1089f007c827b608894a1d592ea

SHA512
897f875b519a818a5af1dd169e197be3bdbcc39548223030064b8d65a62b1b2dc2349a227dc109be99dc030d819260a30e3554c49ecda13c7541b91861d2b083

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
232KB

MD5
92df6ba381831f5b575952ceaf10ba2f

SHA1
c467a7199f249b8062d0813c05aebfad87739035

SHA256
64f75f4a3427a96319328af13d8d260d2650be78b55a59ccc22c3ed32bbcd9b1

SHA512
11d7fa8348dd797b3a5c15820691246c01f9b07b1b2e97eec32ef64f7351736045f45db3b9ede56492272fa7a6f3fcd699d82b9432c446bc0fb5ac47cff89f95

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
232KB

MD5
7f9b667807afd218858fb0307ab7dafa

SHA1
b7d93dc7e585dfd83ebcb4b829bcb14e7aeafbf8

SHA256
064ed1f42d60cf4e710234b5efe081e042b1bd5ebc4d05164ca9711c20e21c08

SHA512
431c88b76f091e67eb2e4363c4c4171ac55f523915217e37d7678435588406e49016a0f3dfed424407913262fb916e603d9118cd6f09999a6b0e2bf6958014ca

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
232KB

MD5
6181132180a6e6c07eebada62ffb5886

SHA1
fc2dfcf3ee9bafb3dff6bfe18cff31ec826677c1

SHA256
f48544e1812cbe8b9d0b9481c017a374cb67ecc28ad094640d2e73da9246cd9b

SHA512
ed5bc7f791fddea34044bfb1eaeeae43238cef382b0d78d77012d1d9360e8ff2c684c3b2abbb5eca8ce429ac76219553d054825412f832e95d351b7e9bd79579

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
232KB

MD5
3fc853752db322b582c033e78d521921

SHA1
e707e0c012133df4f091bab6fcac6809a425a085

SHA256
b15fe244b6206d40ce2f97ab550a8b5f70c40a0a8b165be01d58c50ad18606a4

SHA512
de10e7c08f49c72dc16be79fe1cc56a73f5e38b889dd2a03396201439fc227602d488f16e8676810b66b88d279d2a47e7d91a8cbd52495e660255688d6585e89

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
232KB

MD5
ebeec63d3e9ee693e101d013980e8758

SHA1
098cbaf82398d0132b29118982f5e1f50baa999a

SHA256
5c8831d6b273b259bfc825aab67a18cad5cc13a9de8e646f7a1ed667c47e1dd5

SHA512
0b697fc7cd6f17324512227e29f3632d1560f9b513c10a2486f04a2b3eecd63150d977c26c7514c89c3bf628fd0387c63bc1cb68e7f9e40da5166c32439bf231

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
232KB

MD5
565c257f63da697be4ef8e936ed6814d

SHA1
9e595304b5afc3998ae8fa6ed69cdbfc5320e77a

SHA256
c9b19f874486ec9d7d9ef6fac341422817578b30c443d5906d68a02e6c5efe16

SHA512
ff061128f7ce925adaa9d09ca509444e5f56a8facb634a5c1f0786bdf71ef33a10445c5aefcbb0bd44c98b7a4c070e04766ba00ffce3ef5c0c562025a5cb24ac

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
232KB

MD5
a0e2dbff03470707a93bbb22183bdceb

SHA1
428b5ec3e16303240df8b5273ce46507d33ff844

SHA256
66b3f8f19f98f365489ae5d8a67cc107e89acd170190f6dd092b4e52d25fa35f

SHA512
c0eb20de0b7c06a50567fc0123a4859b2bc6306e304b24dc1d4deb8c8037778efa0d813c322f345c4a5f5f15b5a21b5d87e9219d773cf9db1cd008a9d678fef4

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
232KB

MD5
7811be816274478180f9fd1b374f0afd

SHA1
65367fa4fbecc0186c0c3d4a89701f28ff86c449

SHA256
3088f2cb8c57194918da69946f03e375831b3844799a7be81573be57d39411e2

SHA512
8661b374b42bec4ec721277546669e887460dd1eee93ec02ecc686949b84e4ddd1cd176316a12e0a8f958210114a50672cd2f523cab94bdd0dff9615a5bcfd21

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
232KB

MD5
e05e72e1d1413c93543b878b4ea6b5da

SHA1
92f4667e6e7b1068403e278ba35d9c46609dd4d2

SHA256
dc47ea2247e1cd8aa93454281f3b8f08ec5c3c9bf67430a36d4f28d7639834e1

SHA512
beaec5497182e015a0cc9bcf1c401eb9036829127f058adbd657233f8161c567134bdaf0201a32039e31d35af9cfbda071b0ec470ed16baa50fd103a0c7466e8

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
232KB

MD5
f5c0298a1a833b6cd416890e10e23d01

SHA1
907ce6589c0ff237abbacb18983c5e63fc9508d9

SHA256
bc9fdedd3e7f61c3df5be5e6be11ec64805eaaa7fd732724790f6cc34b23c28d

SHA512
6b76a2b619429d37af8a4dcc69ca7bd00b6f7648c74964eab2c28b626b3f61635120a2c8ef1f6147fdafa44a68055bd522fc80c7e806c64fd53abffe9451b353

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
232KB

MD5
cb19a7e071a6ec56e334be24e7683b09

SHA1
942893aa7ece51d766f99dc86c65bce2b2997a10

SHA256
9932ba413352999ecb53a74b5d4a4f147b1ab9468ed5c37926cfbe2962ef8223

SHA512
f6bf5801d20ddbb2bf551589e41a4947eda340cf07e93f0132dd3a627d8da2f3df316bdb092002d69482454b0e9d836bc17f98c57ac31d3a92dad45c63057979

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
232KB

MD5
4337c3415292cff9e63fe74462c05660

SHA1
234088763d264fd37b1b351a487a0e2d47e1f5ff

SHA256
2ca59de95cd976e8048537c58c1475e3f9fd57954265b9b2e28c1281f39f7c5f

SHA512
6b8f3c1aa044a3840458ac53a25541356ea745887ad10b18b72c9f75c212d4b8e40e8eee237eaf5426f346cf241a7810f06a5b23727e3ed076031dc616a05eba

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
232KB

MD5
3bf635fd827078a615ac7c2157b40594

SHA1
b746cdf70a2fefa0364d6357be0b4898478fe8e7

SHA256
5c19bd865731314ed661159fd101fdc3f3a0e120dadd753ae02368061f1a2077

SHA512
e0437c1957bca9276ced5054274fb395a28fb0dab1ad1e6bc86ffab1a28e1ae24a6c17e3634970ea2aaea8ae5116bff3f1cb183f12fba1181529519e90eca00c

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
232KB

MD5
25d6e34559205cc4901d43f802c03f5b

SHA1
08f250bbab97483e260bb52b54ad9f761634e4a7

SHA256
02bff00c4482bbe52a799c44223041d36ac23a78fbd2dd7bc9a15cf0d9bd2315

SHA512
25058feca94abc0d662b85212709317d6685b82d36282434c1b937de969398ce5963642bac454b28a8e37029a86c3f77b197ff943d4c59af69984cd87d507281

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
232KB

MD5
e071d4d1aa19bad0dfd47636ae872ec9

SHA1
1aedae772f3edd583b714c3d9fd374f06778ca96

SHA256
397dd6a283fe479ec55fa4976e7dffa9552021e7f23391ab15b4b348d67c8690

SHA512
a61e589378eb89b2a6248cfca122a8ab4ce4072a77cd68be88b95f73001fb3d009a0707f1a4a8623ee096c9726f9ad52fd5f3436d86e69f7ef2057bef3fb1c7b

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
232KB

MD5
d65f7c7d1b27fa689bb594ac2275598e

SHA1
e9b862562423fd508ed661d20c5abfb675f5b854

SHA256
c9f16b68e2a7178cbd2a5751603d96ade22efa5d2c1dd9dc7182ea8a15d2d304

SHA512
14b9f4961c58941f6543a3163bbb69caccfbbd9ff992997eed871115baeab8673583042011953adc0ed76743f845d735a7da71e0aef67424b06cb68fc10a9749

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
232KB

MD5
ea93ee17b000da25888d61da1db62da5

SHA1
2ffcfe167bc959d429575fe2b8287c12a14ffde5

SHA256
24aef07b3b322a1090bf353a4a936b7e6a66959b7f29ca76fc279b95b60e777c

SHA512
8045cbfcc327160041db3aa896f126a3633ce361d2e1ff677627f24f0a50670b916c706a5920cd185dd164b3b41c471af92f7d34243ccf773d3f4943a081c258

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
232KB

MD5
80269224bff6d7eb37ecbed3cc7ede6d

SHA1
c7b130da4b2de50453ff4eefacaff4c040538f4c

SHA256
bc0f8e53b99d38427d0b4a5c2d37a938a7f438958dff1a9cfe3a371fb5908174

SHA512
086e62c079f604e24e80e9388817d2d880857232a773f9ccff8cb0245fd810438aee4037b70932cbc827e964b1c9dabe8ca39b7162bfd18c56877337f4622a85

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
232KB

MD5
b14760f972593cee145617b929fd5ba4

SHA1
06027d5c6a95353b8765f6dafac680e740acbecb

SHA256
2a549a3ed58bd70c233b009093ce23672b4bbc7b82313e1981de4157e234dd6c

SHA512
f3983559988fe50404b4ecbee43cb65bb1ba4696182701c2cae1fc444287d5a449b94c9b4ba9743989e60fa5a2a5d71e2597bec17c412f5d0f01559d7b4302f1

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
232KB

MD5
8db3c94755481bdbed3eec0ceaeb06ff

SHA1
dc2417d6d6c9302a68506682829e8cae1dac3274

SHA256
20933ecba5bfb3d686fdd626619ae89e1f2ccab847d7f8e669d9585b2dad7ed0

SHA512
90eea1a64ce141dcfbe075d4e777a1e3d93b2e147d46f8b1c298dee939716d4c6002ea8a690d0fdcfa9a37af41188733168b891b4e74d035144fb1ea4d4d087f

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
232KB

MD5
fa0570dfa35011b75e4867c68c6fe160

SHA1
f1b1c5d81523b022a269ae329a7c7fafd76e19d5

SHA256
85913561ddee450db4dbdd6d922d6842cb06b5eaa5bc548d0f8505b51ec082e2

SHA512
83fa32b0cb7efba90fe0b64cd8a421a1ca60631c0544d8599740607847bb2bebb867554e50297de9b50a2df356a6ed2da58a8677baae1893678dceb3aabb7bbd

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
232KB

MD5
627729f3c66673218d067a28acd71e2a

SHA1
7f5ae8c924fea8d9a1a8068d676fc782e399615e

SHA256
d23a45abe845f78ccb75fd26adbd3bd736df47e1f05d291f0ca887ae3e92b75f

SHA512
890a2554799fdb28c15ccc7ccdd6e62f5cb769b270f8099a4fb0b5c55265ad718b8d40fd26e72508a4ae956aed13a6d5ec82d23f5426bf1973247b2aa7ce06e2

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
232KB

MD5
9d209523dc14c04dac9e962cabb088e0

SHA1
cc7094637e67b4452d203caa208fdb7134a6a468

SHA256
e346fd2c0605f14aea75ec377773c3c0291e07ff5e1f10e55ec171a022762774

SHA512
19445f60b5ec5a0565397274901fbe8c28b71a753bbc7e82df6d1fe6b67aa43b16fb9f00d9c7ef61b896148caaacef6384a0a2e5418bf63960a5e40a120f7253

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
232KB

MD5
fa514ceb02b4574ee983783dac66a21a

SHA1
f31c830a40ba8bbdf9be86aa6bde88acbe51d2d8

SHA256
19984983a22afc19522cfaa41388ddd8dc4adf3ea835964e52ef3c6a9ff05883

SHA512
3c2725600c2b788536c5836524bb23db8a760eaef4a8ef6e8e18fbf15de8dc2fcba57f9e4fdd37f07ab595eaa45cddea52ba26f173830db89672a1cf1de72c85

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
232KB

MD5
3c401a7b7b1a47aa4303a370b9108d7b

SHA1
7ca66ef7bebf462e338682b727e08b6bc77b13ab

SHA256
bf9cfe744e39459962295c1429df46f2b73cd0734c5869beb92e0b5b46105b87

SHA512
7007e6e36c552040e7a25f8db6ce0aaa5ed1ae6cc856dce66f2bbd59136468e21a55e9ea50f77f1f27364d1fc4144df937aee9b1e80ffe6768d17d26428b2856

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
232KB

MD5
06ef7dbac7bf2f4ac878f5022d3e6907

SHA1
2145dcad14fbd91c8a80aae9a2783155ebca7617

SHA256
1f6bb69c55cde7c0323beb7316863c1612408b66a0a8faf5ad9bab1ec3e68a66

SHA512
36d2b81fb3195a1a277f638a66b197d27ca8dbc533c589cd94d0f13510dce6f5c5e1e865b9f7f05a371097626eb98d1c6589c74655a4c74c9d24ee502263d8de

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
232KB

MD5
4074ece0bbad17ec47137e16751451ec

SHA1
245de650492e7282ca8d612f94539ec555fedf9b

SHA256
90373d256d6ecafe9c651fb4458d497be4232cb8fa4a2240aca29c3e9b370fc0

SHA512
7db7283996dd81c64c5cda2889c4729287132b37c652107dcf94fd153fa171adf80b9776eecf3d6eab1be7d0f272dab6c23459d7fa1326ddc1053a0404186053

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
232KB

MD5
aadafbcaab1cf189c797a19caf44abcf

SHA1
5ccd3e5628a9f90411dc56c4eecfac5b6d6aaf3c

SHA256
0a5c5fe947d82c804cf78012088187173adb628f830cdfe695bab7411b038ada

SHA512
85fd162834e951c3a183b42ee785c04ffd76220ca8cc411dc449b483ffda9a702da64e03ffc51d2ceed2f21131623915e3857729cf287806f49bd386cac2c926

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
232KB

MD5
a4431292660cb77f7a72fe731f11f56c

SHA1
b08b7e28b7a852b67c2dd402d581ba7ef52d8b55

SHA256
68cadef80d0ffcaf51f91156d2b1ffab1917dcc657923a53b67f4067ebf8dc41

SHA512
5c2cb5e5cafc6f5f6363dee6c5b7ea09c5a602aecbc313b539b4c6b072731ddd3e486e936c477b15cb04fe2731402c3612b20e79af77dc66e0fe88d455e62a5c

Download Submit
memory/220-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-534-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/664-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2112-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3152-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3160-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3384-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3608-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3828-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3908-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-519-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4244-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4488-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-528-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5104-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5160-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5204-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5204-889-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5252-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5300-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5344-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5392-588-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5880-864-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads