b581523374314dca6c413d0c34d5422a8d498fe71916c7d97023b1e5b728345c

Analysis

max time kernel
138s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 18:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dfd5b5844571bd0c52fd894209d5e5fa_NEAS.exe
Size

88KB
MD5

dfd5b5844571bd0c52fd894209d5e5fa
SHA1

a0914dad8690a395d5a3c3b0a55350fb3fc94a55
SHA256

b581523374314dca6c413d0c34d5422a8d498fe71916c7d97023b1e5b728345c
SHA512

be1c7bbba19171dfc37d392c64af9ee286d49447a6970dcb8a2b446301cbcd7a9bb8dfc8af3110e1be22ceec3ff780d637e486658806fe9a01f7eedd0effa5a1
SSDEEP

1536:pi8axHwfm9z/cGpGl1Fv8R46NUra0iZJWWvRnouy8L:pjaxHwfiYGYlwRGa0iqmRoutL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe

Executes dropped EXE 64 IoCs

pid	Process
1044	Hjhfnccl.exe
3144	Hpenfjad.exe
3464	Hfofbd32.exe
4628	Hmioonpn.exe
4424	Hpgkkioa.exe
3712	Hbeghene.exe
4624	Hippdo32.exe
3108	Hpihai32.exe
1692	Hfcpncdk.exe
2180	Hjolnb32.exe
996	Haidklda.exe
4192	Icgqggce.exe
3996	Ibjqcd32.exe
4616	Iidipnal.exe
2780	Iakaql32.exe
1040	Icjmmg32.exe
4836	Ifhiib32.exe
2700	Imbaemhc.exe
1460	Ipqnahgf.exe
3708	Ibojncfj.exe
4776	Imdnklfp.exe
4504	Iapjlk32.exe
3740	Ibagcc32.exe
432	Ijhodq32.exe
1028	Imgkql32.exe
4980	Ibccic32.exe
5056	Ijkljp32.exe
1500	Iinlemia.exe
2788	Jpgdbg32.exe
4620	Jbfpobpb.exe
4500	Jfaloa32.exe
4300	Jagqlj32.exe
2744	Jpjqhgol.exe
5020	Jfdida32.exe
2604	Jibeql32.exe
1960	Jmnaakne.exe
372	Jplmmfmi.exe
1732	Jbkjjblm.exe
3912	Jjbako32.exe
3400	Jidbflcj.exe
392	Jaljgidl.exe
964	Jbmfoa32.exe
2872	Jigollag.exe
1828	Jangmibi.exe
2168	Jpaghf32.exe
1812	Jdmcidam.exe
512	Jkfkfohj.exe
3564	Kmegbjgn.exe
1020	Kpccnefa.exe
2988	Kdopod32.exe
2540	Kgmlkp32.exe
1048	Kmgdgjek.exe
4848	Kpepcedo.exe
228	Kdaldd32.exe
1412	Kkkdan32.exe
4860	Kmjqmi32.exe
1344	Kphmie32.exe
3692	Kbfiep32.exe
4720	Kknafn32.exe
1724	Kagichjo.exe
2632	Kdffocib.exe
380	Kgdbkohf.exe
1628	Kibnhjgj.exe
4992	Kajfig32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	dfd5b5844571bd0c52fd894209d5e5fa_NEAS.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	dfd5b5844571bd0c52fd894209d5e5fa_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5164	6084	WerFault.exe	210

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	dfd5b5844571bd0c52fd894209d5e5fa_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1044	2220	dfd5b5844571bd0c52fd894209d5e5fa_NEAS.exe	85
PID 2220 wrote to memory of 1044	2220	dfd5b5844571bd0c52fd894209d5e5fa_NEAS.exe	85
PID 2220 wrote to memory of 1044	2220	dfd5b5844571bd0c52fd894209d5e5fa_NEAS.exe	85
PID 1044 wrote to memory of 3144	1044	Hjhfnccl.exe	86
PID 1044 wrote to memory of 3144	1044	Hjhfnccl.exe	86
PID 1044 wrote to memory of 3144	1044	Hjhfnccl.exe	86
PID 3144 wrote to memory of 3464	3144	Hpenfjad.exe	87
PID 3144 wrote to memory of 3464	3144	Hpenfjad.exe	87
PID 3144 wrote to memory of 3464	3144	Hpenfjad.exe	87
PID 3464 wrote to memory of 4628	3464	Hfofbd32.exe	88
PID 3464 wrote to memory of 4628	3464	Hfofbd32.exe	88
PID 3464 wrote to memory of 4628	3464	Hfofbd32.exe	88
PID 4628 wrote to memory of 4424	4628	Hmioonpn.exe	89
PID 4628 wrote to memory of 4424	4628	Hmioonpn.exe	89
PID 4628 wrote to memory of 4424	4628	Hmioonpn.exe	89
PID 4424 wrote to memory of 3712	4424	Hpgkkioa.exe	90
PID 4424 wrote to memory of 3712	4424	Hpgkkioa.exe	90
PID 4424 wrote to memory of 3712	4424	Hpgkkioa.exe	90
PID 3712 wrote to memory of 4624	3712	Hbeghene.exe	91
PID 3712 wrote to memory of 4624	3712	Hbeghene.exe	91
PID 3712 wrote to memory of 4624	3712	Hbeghene.exe	91
PID 4624 wrote to memory of 3108	4624	Hippdo32.exe	92
PID 4624 wrote to memory of 3108	4624	Hippdo32.exe	92
PID 4624 wrote to memory of 3108	4624	Hippdo32.exe	92
PID 3108 wrote to memory of 1692	3108	Hpihai32.exe	93
PID 3108 wrote to memory of 1692	3108	Hpihai32.exe	93
PID 3108 wrote to memory of 1692	3108	Hpihai32.exe	93
PID 1692 wrote to memory of 2180	1692	Hfcpncdk.exe	94
PID 1692 wrote to memory of 2180	1692	Hfcpncdk.exe	94
PID 1692 wrote to memory of 2180	1692	Hfcpncdk.exe	94
PID 2180 wrote to memory of 996	2180	Hjolnb32.exe	95
PID 2180 wrote to memory of 996	2180	Hjolnb32.exe	95
PID 2180 wrote to memory of 996	2180	Hjolnb32.exe	95
PID 996 wrote to memory of 4192	996	Haidklda.exe	96
PID 996 wrote to memory of 4192	996	Haidklda.exe	96
PID 996 wrote to memory of 4192	996	Haidklda.exe	96
PID 4192 wrote to memory of 3996	4192	Icgqggce.exe	97
PID 4192 wrote to memory of 3996	4192	Icgqggce.exe	97
PID 4192 wrote to memory of 3996	4192	Icgqggce.exe	97
PID 3996 wrote to memory of 4616	3996	Ibjqcd32.exe	98
PID 3996 wrote to memory of 4616	3996	Ibjqcd32.exe	98
PID 3996 wrote to memory of 4616	3996	Ibjqcd32.exe	98
PID 4616 wrote to memory of 2780	4616	Iidipnal.exe	99
PID 4616 wrote to memory of 2780	4616	Iidipnal.exe	99
PID 4616 wrote to memory of 2780	4616	Iidipnal.exe	99
PID 2780 wrote to memory of 1040	2780	Iakaql32.exe	100
PID 2780 wrote to memory of 1040	2780	Iakaql32.exe	100
PID 2780 wrote to memory of 1040	2780	Iakaql32.exe	100
PID 1040 wrote to memory of 4836	1040	Icjmmg32.exe	101
PID 1040 wrote to memory of 4836	1040	Icjmmg32.exe	101
PID 1040 wrote to memory of 4836	1040	Icjmmg32.exe	101
PID 4836 wrote to memory of 2700	4836	Ifhiib32.exe	103
PID 4836 wrote to memory of 2700	4836	Ifhiib32.exe	103
PID 4836 wrote to memory of 2700	4836	Ifhiib32.exe	103
PID 2700 wrote to memory of 1460	2700	Imbaemhc.exe	104
PID 2700 wrote to memory of 1460	2700	Imbaemhc.exe	104
PID 2700 wrote to memory of 1460	2700	Imbaemhc.exe	104
PID 1460 wrote to memory of 3708	1460	Ipqnahgf.exe	105
PID 1460 wrote to memory of 3708	1460	Ipqnahgf.exe	105
PID 1460 wrote to memory of 3708	1460	Ipqnahgf.exe	105
PID 3708 wrote to memory of 4776	3708	Ibojncfj.exe	106
PID 3708 wrote to memory of 4776	3708	Ibojncfj.exe	106
PID 3708 wrote to memory of 4776	3708	Ibojncfj.exe	106
PID 4776 wrote to memory of 4504	4776	Imdnklfp.exe	107

C:\Users\Admin\AppData\Local\Temp\dfd5b5844571bd0c52fd894209d5e5fa_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\dfd5b5844571bd0c52fd894209d5e5fa_NEAS.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\Hjhfnccl.exe
  C:\Windows\system32\Hjhfnccl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\Hpenfjad.exe
    C:\Windows\system32\Hpenfjad.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\Hfofbd32.exe
      C:\Windows\system32\Hfofbd32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        27⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        32⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        36⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        46⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        47⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        55⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        67⤵
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        68⤵
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4076
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1456
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:808
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        72⤵
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1056
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        74⤵
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        76⤵
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        77⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        82⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        83⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        84⤵
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        85⤵
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        88⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        92⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        93⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        99⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        100⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        101⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        103⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        104⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        105⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        106⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        111⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        118⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        119⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        120⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        121⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        122⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        123⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        124⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 412
        125⤵
        Program crash
        
        PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6084 -ip 6084
1⤵
PID:5156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidklda.exe

Filesize
88KB

MD5
e8e8df732c5f13eb26538164a4818e63

SHA1
cff6e7228e6554bf2505131ada37b7323e71077e

SHA256
f179755079c48a12cd43d5d1ce164ec34161554b1506be62680381b4c802f1b1

SHA512
d1375f2c999bd064ebb956cfabece92576a5307569bf7fa700e3bd744825d9206feaf62e92b4ed5e69d7ec86dd422501c46f1fdb5d640de58fbe3b67056f4d34

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
88KB

MD5
bbb84d980ede7ab93a3843e1e759eabe

SHA1
a6dd90f83763ef0a509ad920a8ac7b28183f1a5f

SHA256
2a6a04d9ff96d3a98a64b5c27c6c087bf71fff8ef924ed4891f0f985c64bf840

SHA512
51a086a631eee93e8858a14222d318e35f0ceb7b2997600e58d4dc179307e69d69624dc83a4fe9180aa42bd3897b5d5212da9e8ef4046ce160251befc9581fc3

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
88KB

MD5
1fabe7e243e514b1531d152cb533efd2

SHA1
c0573087702bd3269643dee6d0db19ca40fa6dbc

SHA256
0003929da33d0f87fac8173e2083854b9659805edb3f43f0b0e5159eb55ebe7f

SHA512
b9fc520db9b671fea8e6f8672ac03d645f0e3b0d27b87b90894932fe4ba31c80c40a204937a1635e94e8bd7883a7ecbe2c693177d89d944cce2752a05f6f8729

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
88KB

MD5
74555e1a4ee64638a798eb1b119ad298

SHA1
7c7f69210d108e9715646ef6492351ebb60f5573

SHA256
801fbf90d5a40128764328167d7ccd2f5a570e3fd002fdef03d9bfd674d58d77

SHA512
812035f11f7c872dfa576f3cb1cc0515ec9249cfbeb7666aeb477dd171035c89108eea61e389ffd525a7bfa51c9ed7d84da59cad38eb53b5fa42379a029e1f84

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
88KB

MD5
1a49d4092c35baa6835a52b416c48d88

SHA1
7c6cf36834e8ecb716dcd240baaa6c8745658f7d

SHA256
e12195f64cbd6e16e04b19bb2f420255354d842433ef128d1b46d89f8bf9014a

SHA512
292a85be0c05116cc5f1b6c5987b85ad471a69116fc4797a4bebf92ca442400aeaac0fd7adf52a5463efb21b0333760a9878947c5551f967f9817d4406f6c3bf

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
88KB

MD5
4da1f0c5b5797c82146c03a40a8b74a3

SHA1
ff5fe58e9983e5232d1538aeb6d183259d7de5a1

SHA256
768d451092519800796c182e09aa852fea95362fe0ce48dcc9d180c6ab8a127e

SHA512
8fd3c0e1cce3402a941718bb66725d6d529bca477268a5529d97c0b26f363b67759c64f3b70bb2bf24e0e62ab4df7cd450404de9c955e1502ea0db8e08571e0c

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
88KB

MD5
cb009f4c90df472c4f36362aa5498a81

SHA1
30942b71704477dd0edc99202929cd082817f4f5

SHA256
ede31b213945090eb5b102141eaf9cf9c2aec426ba712ac15cb5e1a5ae8d9f51

SHA512
c94e000080eb87c79b8ed596714ada74797ffae1d8ca6f691b9416a2489fe8839dcfc012120dde867b3e1a6948631ee8b324c5f44c2ff1a5174a6792b59703ef

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
88KB

MD5
0028411218b30d57f5799152cd18c430

SHA1
b00495b0ce0a3a626a6cd320d41da0389a39debe

SHA256
c4efdd08245b010f1f204b56842151f6d1c9095cccf757b5acd64d03c22b1340

SHA512
d7122570e9d298d4e4811c335c2314cdb919d94f4bcb0eb4f13c8b597213d5af848e57de6994a71c981ed446ea68deeaa0d27d6542256b55525fe5a89365b6db

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
88KB

MD5
5372106743fd98c9d652c7883aad2f48

SHA1
0f43c2bb0c5d660d2e3e2ce6fd4196ed609c4f25

SHA256
825d1884507f13153b7558c65d8c820e1905fd121f6cb8674bfa879730aeb253

SHA512
91143868556496d67392c9970413d3567b036667623488b31a2080dc55c390abc8556b25ccd2c28507ca04288c663709060597f86230fd7f13bd3fd0c7d4b118

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
88KB

MD5
952d6f392b50000e2aeedce40f396b0e

SHA1
0cee1f340f1fb9629869781276e6ebb669a83864

SHA256
4fe6ce44e717c746e3740174c374ae64804b5085daeebb873d662bb99ff33599

SHA512
5fc7eb9e49232152a86723be377e1e29506d0a425f5f9b6d4addd8e6ff65c45612c8875dcfe1d3cf4368cad57c80e697bfd7d84780d0d8619a7a8a003de00a29

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
88KB

MD5
28547204d90af0ec76a27ab2fe96c2b1

SHA1
dad6996ce445491616bff1ec22f8a5c619ff7d3d

SHA256
eb9f3c92b90184f77e895350f327f556eaa25f1e2d508b1172472837917fdd45

SHA512
a7c5c93ff4fc15f36598a3226b9b06c414be78c9f45264af00d48a7842983e05d8e824c1eac54c9111e0f55be8b72fc10a26bf65d4e789d91d242ead43397d7b

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
88KB

MD5
09ac1b497f4518f8b189e52f1200dc23

SHA1
9e2f701f5dd6823c0e41badea8557b509e2d2b65

SHA256
3f923fe4e1bee7faeb8864900934d0df0888efb82edc2b2b6696a29d38ff2bd9

SHA512
a84c4197e0a56568dec22f16a44e6b0b0106af23a78e4d0ef48f1b53894536681fa18e1df4d4d856a740cd0bc679bd7514a6c3ba8ecff078e6adf267cb4fea4a

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
88KB

MD5
41994239c244482cc28d8944f1c31bc6

SHA1
c430c290675f1764d54daef2eebc5c799892af49

SHA256
2227f85a1accdf7b5f36b6ef14de7eeae46ff7465621861085ef7377781bd4f8

SHA512
0bf5e6f6cdf6b3be6f068e1bf3a56467b9743c0fbe79cb578a0661e9f2d277c55425135ca6cdaa938b1a39cf33b32bacd812c8eb3fb47fe7b32ba1929284ae41

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
88KB

MD5
ab6f7a86032a3e6bd51baee63c4452bb

SHA1
a9816f53b6a276e17d1e1f11398fc417e5115b43

SHA256
e9426eaa3423b5b3a6d056638671f3dc5d90ec2cfd512f5e35b9c5941cfeb87a

SHA512
3c9b8e1479a95b0f2e8ba6118907e86f37edf75c5fabee7f29b351c653da4dce90420aa8139eaf617f21afa6ff22dc08be27f518427cca5af59c9e7f51dc58d7

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
88KB

MD5
575f133ca9966a057e24f2d4ada7ecd2

SHA1
ea4504f1683de04dabce62b6bcddd21117eb2c14

SHA256
066ee476a39825c4fc0c14e485133e7bbf347a80ec7fc7c68b5064944ac58adc

SHA512
f07c3232a5d6edb35c7f4b40fe74f6aeef35a59644db4b10fccd480077cfd41fbf0cce13cd0d5850df78538fc11d3680cd5f2c12fd86a5c62e7f4402322a481d

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
88KB

MD5
9a6741d81690921d124b207afd03f34f

SHA1
a84b1a9025ba85471d9abd47fd2e33a64d83fefd

SHA256
1328f12276595f65c0b76e309c7a8f578c17caf687c985a82d6d89502adef85d

SHA512
e543c72e7ff408759b6604ca238279ac7cc5d8cd7c6f25d3c1b69543008eab85387d9dfae064c3dc52aef3a2c74ab3a99df3bd41340462632bb2be872477b0e9

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
88KB

MD5
0fa23023f8d5ec3ad7c0e9f6c4a16c3f

SHA1
acfe08e19a9cf147dbfa2f52b7b82067a2c61f67

SHA256
28c8d1b7f50fa86e95cf92508dbf19cd14786edb9f7f385046cf48826ce78780

SHA512
da1d63cf2592c9f89e4c31bf690b5e64404a3bd469229adfe1474ef2016c510555a649fd156e4a94a638c3814ff6c81332d2231eee350d714ca2f5a2ea56dac8

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
88KB

MD5
2b80e125a61ed47d892e9ec30d7e3ef1

SHA1
8454c8832714c8026a724ccb9e76ef9d57e8124b

SHA256
1637794ee080daedf54fd5b570e729a610a7afdd1ad3a17414fe0f797ed4eb7b

SHA512
2a77a8949e8e1597cd035d85e1ca366ab97f6dc09b58710b5dfe9aa71f81af544ee1549bc0cc0de1ff2835ae170e0085177da26a8825733a1641700e8e7998b3

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
88KB

MD5
6f033f08768b49d308a690fc76c9153c

SHA1
9e27aad825910ff13f68caaec9bdaf68227af89d

SHA256
700ab0f4ef573ae36f515994415deba9def4966c9091a821ad6b33df9350672d

SHA512
518a2f548710a2352c16d71c2338ebefdccbd8d3911fddc26c9ef4b94ae633809c21670905c344a9bde7baa30406f9e029de5253ee71b7507c66ceeae3d38e03

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
88KB

MD5
0ab15cf59c4394c9880ce28596c15909

SHA1
cc7c62e9da24e3d5c7237f3d9f8926c27763f06e

SHA256
82678ad01b8983c274fc8515bdfa76a0ad3068e89559e6289b715db4ed67d58e

SHA512
b92ae8fcf41753a699bb7865363177c742e0a4eed2a00e767adac090a7932014749e41d1c59c12eac8ffacbd67e05b79ef4d4a7a8e1a78c928c0f4d33d0d9a4d

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
88KB

MD5
6f03b445a3b463a30b8571f03b2d4b05

SHA1
0199eae78555e27ebb44206f233c5ed78cc488c2

SHA256
18dd46a2ff3711e9e4e0c092dab16aebcfa98044fe3816d6d6840ed9b76b0927

SHA512
7ef6388fdedbae5438561c788b1664098aea1ff3c22d2c5fda77fe576e876e85fbd646d86113952dc9c634dd455d91a6fb283f74028bc761f2a8c3f379b13c5e

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
88KB

MD5
7cc04b1cb37c99d18ad9e81abb0744e1

SHA1
279a57f83f564e92b8443c5d77c64d19280ea5b2

SHA256
f138f3d07d0198886ec6566f93c7955eff77d0f57ac0b6e363c30bd5009cb7ae

SHA512
71efb8fe87c665abfd9ed50f33bd6df40ce713106eccb41832da52260d59b0a61171791c23e75982b1088754c2f1eb1c2b0ae3b1a5a8c912ec51213ae8905605

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
88KB

MD5
68760b7fbaddd749a1c2f5fff6e02122

SHA1
5c4503fca172229a183f2c0cd165fa7b9b489095

SHA256
c9417065c79f78023fbab459aa6a6c4304022dc252031b0d5035b39ce598621c

SHA512
c314358ed21fa266ce7b6b0b1f45b7cb3611db3d94463fe1538c66e5403aedd70eb6f1234cc6864962a9cd3d130c546911e2508228f78b6beb447a60b5f1d90b

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
88KB

MD5
fd4907688152c7add57da323c2fb0523

SHA1
b7d53034ae9b4c2e3b3a29362cea57d74167b91a

SHA256
27a711f2c39cf9addc3fd78d66d92069e04345c393f150158c0163fc1c167b9c

SHA512
b445f50dbb3ece294336ba8c3aa5c9d6d0850b2b8ce78b2e320d7f2cdc973da4c6ae10f03a167820484b08f1298b8b4d915de760e05932d65c0646e889feb74a

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
88KB

MD5
8b29b404e7988b2071d892e5fbb6b1b8

SHA1
930af93b5125ab455dc4a971b343dca0214e71bd

SHA256
7d0f06f518becb5fe7a616ae0e5f5b12a8d1bfc278fbf1edcce06338765940ec

SHA512
34b64341eacbfe2342b03653ef4e2eed7ee370f9bfee28ba2b65a572f01475fd28d95af263a008d5a367982c92c99db9a106172173b61f3f3d9d80043f378287

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
88KB

MD5
a25ad26ae5db90f1785e5f4c6f9c6e71

SHA1
eb66a00923617c2e51c6038a700925a3cc1896ec

SHA256
81bea53f20e9c2974ee5a858cd3c702f9604f8c435f05a33a4b7af33b7a4c8d7

SHA512
4409e727a85c3b1d7991a2e5e718cd089d3825b946731f1ddba09ca3028ad33d50f1ce328418336598dc91294ce7eb0f3533932bf6825101995afcef6d3f575d

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
88KB

MD5
a2424937b9762494635816ed2bfbd8fb

SHA1
b2fcdd2dc0172beca6582742297b59bd000ab6c5

SHA256
5b1f2add7bd8cbf6c7aa75fd9cfc8312ea39d0e82774544f3103de96c5eb733a

SHA512
f5fce07ca23fa52e8c42209c4cd10e849a140f7fb7c554503539a11c1d8bcd2c32d2fc2d59f916cf9e9f7e37e99de18579f3800690a56b24a9781f18c1dca2c9

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
88KB

MD5
1c7a3b3f0ebcd6ffe47afaca0ecef532

SHA1
454cf074c62ecfe49d488b0c23b2108800904962

SHA256
25da98d9b1820839aa7c638ec091b5ff2da52622d6b5205306991249d0627078

SHA512
fd8ae767319387480a12c395f7ea80ee0cdbe3d92517ad1124a9edba79f72f9fcc5f826edb6169e075462c018345ed55415e31778b68d1a6f1fa4c6e24e38114

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
88KB

MD5
5b8d6a9b5e9401b55422715d8f3267ed

SHA1
aa74d62b0c83ecb8fe7fbb090c919601410132f2

SHA256
7346a87288e2ac31eb722db72b6fa4e9dd11a3a6904fd928ddbf53f6409c98ef

SHA512
c377f5fbaf4a87b86ef22c9c67f32fa97d21f745bc045dfce637b363eaf5d4da6a69aaf04a1acc892f86851df59c1416458fa2993abb0eb8f62b94c0da84f877

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
88KB

MD5
166130f7edd57bba2e942febfea5e3d5

SHA1
1e75278b1da545e2e1cb0c322e0587c4eda7db29

SHA256
9c29911044b4191e34da4a25240b5e793e6225e6673bd7bac921d50ede91e8cd

SHA512
0d76090f2335d8d594307cc0875f5cdd2ca2fa3c87146b3fbcad5a6281776084dd7f1dbd1e67e45655c386dda9110b768997a4de05e910e08dca3d3cb8b1e7e4

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
88KB

MD5
7ad309049bc8a466aef5d13a8900d4fa

SHA1
21b0a095e473953e68f63be4db7486a09ba6954f

SHA256
0d6173c8ce54b915b628f05ac4e5ff23bb8eef6a87b8d3e5d314c318188f1ae4

SHA512
a4857fb9792a73c51523c9f5cdd1fde30eab8b868cc6eccb28d533c10922ab2666d9db25a736168ea2a0cadd9df60ec9748d92434744f7ca9db805b68714f6f3

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
88KB

MD5
56c3206dd38f7cfce2b52bd4cf156636

SHA1
2e00e67b2e4f95bae00fa2ae14da05a514004f3a

SHA256
0332e01c380712bdceb03b9d1781a4281d1a0c4f59ff050dd45334307beaa884

SHA512
a54128af0fa44ff81e8fd0e4ae2acbd93006f0d3961ab8a4a851438ce71bda70627e12c3464128a01352d1daf0aad6a6bd2e59760e4df2fb84b515e1004bbf25

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
88KB

MD5
140ee72c49c44a48a859625cee48b684

SHA1
5869506a3e4a5d3f2d7eda23d1345ad81902e56d

SHA256
0679cc177d438943cc7df0c31279ab5eb3c74abe481580568f6e7f697d689ee7

SHA512
f6e2c72ae8e78ce3106d2cf73b3cf39bdf1368d18b5a89d4bea5be9a6d3325abc144c029606036b0d4a7fcdbee4d7b7f8a0ea045055207f63cd66b4ca918ca60

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
88KB

MD5
3a60c19f04f1595ea04e1be7efc5cb92

SHA1
a34ff9cc59837dd4140da4225a348464b5719aaf

SHA256
5cfc5c2bcb0ad15f28bbf639f3968fb2e220e850b4c5c010f839d00e5f47f629

SHA512
05d3e32ce42d274d0092b4d58ed8c56394ee4e279779bad518636a5bb6aa8dd803a1e6ebbb36719c91403f9c99c92577869a133240300b0839e5df08288114a4

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
88KB

MD5
affb2401fda5cefacc71ef5a546a7235

SHA1
a2869d43594f0a47500f4fe3caee6362074660ea

SHA256
82f6d79f3aded0e0404cebafac7f138441383f17f732598d67e23254ff9568a4

SHA512
55951e063e70fd2c0dc487d3e0890ba657762fbfee4220207f2b9a69afbf0ee5802a121aba70758a56209f2d1cb0adac6b5c338e70d7a280b05423ad9f4f038c

Download Submit
C:\Windows\SysWOW64\Mbgaem32.dll

Filesize
7KB

MD5
673694bf27c1717aca36e5d834357c31

SHA1
0ca99fb691ef4904be37d15a964cb96e099697a5

SHA256
237827bcc1bb149736ce143844e3f301cd874aad005776b69cfb4a859529cba0

SHA512
919a4660f20306d333384221229b3db03fc7154ea31af8db0804569c3c17056c8f27e87d6a51c69f650fda752957afa0d7078f7d9ee1815b3499cac7e9a86114

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
88KB

MD5
e7f006f10b0a35bea5b6efe3ee95c143

SHA1
14af676d21f48d81966dead24365ea1e95adf6ad

SHA256
beac5760dcb0e25369e20c9c58c843cb5ec36355ed98533d945367d6e27d0f59

SHA512
e399eb1bbd1c69eb2518de6ef88cebd17c58477edd8b403bb12f5dcfa16fb05c03a8769e9c4d1fd338546f62006d8489b338b4332819e5ed3935b19292ec57ea

Download Submit
memory/228-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/808-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-928-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3924-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5128-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5168-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5300-889-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-888-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6012-868-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads