9159947681c687f103ca048bfe03bbd9d4f6c1a57ab73c48a64b533c01b382ee

Analysis

max time kernel
132s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 00:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9159947681c687f103ca048bfe03bbd9d4f6c1a57ab73c48a64b533c01b382ee.exe
Size

128KB
MD5

280adb5c48d4e97a63167051da19448d
SHA1

f32007cefebb0bf9c3d7f33be5d21aaae5d2aca9
SHA256

9159947681c687f103ca048bfe03bbd9d4f6c1a57ab73c48a64b533c01b382ee
SHA512

71a703a2933d96fed1b3a08b37e7db31c23df49d42ecab682d67f4eca0cef58660e8a7e2292174c88efed793a6f7798bdae3cb17c03eb432bbdceea4d5e6c6c2
SSDEEP

3072:GiiXAOMXw5GN6ljPdOe2UEdmjRrz3TIUV4BKi:eWO1EdGTBI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	9159947681c687f103ca048bfe03bbd9d4f6c1a57ab73c48a64b533c01b382ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe

UPX dump on OEP (original entry point) 36 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023434-6.dat	UPX
behavioral2/files/0x000700000002343b-14.dat	UPX
behavioral2/files/0x000700000002343d-22.dat	UPX
behavioral2/files/0x000700000002343f-30.dat	UPX
behavioral2/files/0x0007000000023441-38.dat	UPX
behavioral2/files/0x0007000000023443-46.dat	UPX
behavioral2/files/0x0007000000023445-54.dat	UPX
behavioral2/files/0x0007000000023447-62.dat	UPX
behavioral2/files/0x000700000002344a-65.dat	UPX
behavioral2/files/0x000700000002344c-78.dat	UPX
behavioral2/files/0x000700000002344e-86.dat	UPX
behavioral2/files/0x0007000000023450-94.dat	UPX
behavioral2/files/0x0007000000023452-102.dat	UPX
behavioral2/files/0x0007000000023454-110.dat	UPX
behavioral2/files/0x0007000000023456-118.dat	UPX
behavioral2/files/0x0007000000023458-126.dat	UPX
behavioral2/files/0x000700000002345a-134.dat	UPX
behavioral2/files/0x000700000002345c-142.dat	UPX
behavioral2/files/0x000700000002345e-150.dat	UPX
behavioral2/files/0x0007000000023460-158.dat	UPX
behavioral2/files/0x0007000000023462-166.dat	UPX
behavioral2/files/0x0007000000023464-174.dat	UPX
behavioral2/files/0x0007000000023466-177.dat	UPX
behavioral2/files/0x0007000000023466-182.dat	UPX
behavioral2/files/0x0007000000023468-190.dat	UPX
behavioral2/files/0x000700000002346a-198.dat	UPX
behavioral2/files/0x000700000002346c-206.dat	UPX
behavioral2/files/0x000700000002346e-214.dat	UPX
behavioral2/files/0x0007000000023470-222.dat	UPX
behavioral2/files/0x0007000000023472-230.dat	UPX
behavioral2/files/0x0008000000023438-238.dat	UPX
behavioral2/files/0x0007000000023475-246.dat	UPX
behavioral2/files/0x0007000000023477-254.dat	UPX
behavioral2/files/0x000700000002349c-359.dat	UPX
behavioral2/files/0x000800000002297b-664.dat	UPX
behavioral2/files/0x000700000002351d-779.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
2548	Iffmccbi.exe
3552	Ijaida32.exe
2716	Impepm32.exe
2652	Ipnalhii.exe
3884	Icjmmg32.exe
3860	Ifhiib32.exe
5036	Imbaemhc.exe
2280	Ipqnahgf.exe
4992	Ifjfnb32.exe
540	Iiibkn32.exe
448	Iapjlk32.exe
4428	Idofhfmm.exe
2692	Ifmcdblq.exe
4928	Iikopmkd.exe
1516	Iabgaklg.exe
2112	Idacmfkj.exe
3416	Ifopiajn.exe
2012	Imihfl32.exe
4012	Jaedgjjd.exe
4952	Jbfpobpb.exe
2664	Jfaloa32.exe
4484	Jmkdlkph.exe
1064	Jpjqhgol.exe
4364	Jfdida32.exe
1444	Jplmmfmi.exe
864	Jbkjjblm.exe
1692	Jjbako32.exe
2728	Jidbflcj.exe
1532	Jdjfcecp.exe
4332	Jkdnpo32.exe
3476	Jmbklj32.exe
2296	Jangmibi.exe
4804	Jdmcidam.exe
4548	Jfkoeppq.exe
3944	Jkfkfohj.exe
836	Kaqcbi32.exe
1800	Kdopod32.exe
4092	Kbapjafe.exe
4504	Kkihknfg.exe
2352	Kilhgk32.exe
804	Kacphh32.exe
2336	Kdaldd32.exe
3324	Kinemkko.exe
1816	Kaemnhla.exe
3216	Kphmie32.exe
4380	Kgbefoji.exe
4956	Kknafn32.exe
2776	Kmlnbi32.exe
1508	Kpjjod32.exe
2032	Kcifkp32.exe
1180	Kgdbkohf.exe
3016	Kibnhjgj.exe
1556	Kajfig32.exe
3524	Kdhbec32.exe
3184	Kckbqpnj.exe
5064	Kkbkamnl.exe
3388	Lmqgnhmp.exe
2620	Lalcng32.exe
4888	Ldkojb32.exe
4492	Lgikfn32.exe
2632	Liggbi32.exe
876	Lmccchkn.exe
3456	Ldmlpbbj.exe
4880	Lgkhlnbn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5816	5680	WerFault.exe	202

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2548	1164	9159947681c687f103ca048bfe03bbd9d4f6c1a57ab73c48a64b533c01b382ee.exe	83
PID 1164 wrote to memory of 2548	1164	9159947681c687f103ca048bfe03bbd9d4f6c1a57ab73c48a64b533c01b382ee.exe	83
PID 1164 wrote to memory of 2548	1164	9159947681c687f103ca048bfe03bbd9d4f6c1a57ab73c48a64b533c01b382ee.exe	83
PID 2548 wrote to memory of 3552	2548	Iffmccbi.exe	84
PID 2548 wrote to memory of 3552	2548	Iffmccbi.exe	84
PID 2548 wrote to memory of 3552	2548	Iffmccbi.exe	84
PID 3552 wrote to memory of 2716	3552	Ijaida32.exe	85
PID 3552 wrote to memory of 2716	3552	Ijaida32.exe	85
PID 3552 wrote to memory of 2716	3552	Ijaida32.exe	85
PID 2716 wrote to memory of 2652	2716	Impepm32.exe	86
PID 2716 wrote to memory of 2652	2716	Impepm32.exe	86
PID 2716 wrote to memory of 2652	2716	Impepm32.exe	86
PID 2652 wrote to memory of 3884	2652	Ipnalhii.exe	87
PID 2652 wrote to memory of 3884	2652	Ipnalhii.exe	87
PID 2652 wrote to memory of 3884	2652	Ipnalhii.exe	87
PID 3884 wrote to memory of 3860	3884	Icjmmg32.exe	88
PID 3884 wrote to memory of 3860	3884	Icjmmg32.exe	88
PID 3884 wrote to memory of 3860	3884	Icjmmg32.exe	88
PID 3860 wrote to memory of 5036	3860	Ifhiib32.exe	89
PID 3860 wrote to memory of 5036	3860	Ifhiib32.exe	89
PID 3860 wrote to memory of 5036	3860	Ifhiib32.exe	89
PID 5036 wrote to memory of 2280	5036	Imbaemhc.exe	90
PID 5036 wrote to memory of 2280	5036	Imbaemhc.exe	90
PID 5036 wrote to memory of 2280	5036	Imbaemhc.exe	90
PID 2280 wrote to memory of 4992	2280	Ipqnahgf.exe	91
PID 2280 wrote to memory of 4992	2280	Ipqnahgf.exe	91
PID 2280 wrote to memory of 4992	2280	Ipqnahgf.exe	91
PID 4992 wrote to memory of 540	4992	Ifjfnb32.exe	92
PID 4992 wrote to memory of 540	4992	Ifjfnb32.exe	92
PID 4992 wrote to memory of 540	4992	Ifjfnb32.exe	92
PID 540 wrote to memory of 448	540	Iiibkn32.exe	93
PID 540 wrote to memory of 448	540	Iiibkn32.exe	93
PID 540 wrote to memory of 448	540	Iiibkn32.exe	93
PID 448 wrote to memory of 4428	448	Iapjlk32.exe	94
PID 448 wrote to memory of 4428	448	Iapjlk32.exe	94
PID 448 wrote to memory of 4428	448	Iapjlk32.exe	94
PID 4428 wrote to memory of 2692	4428	Idofhfmm.exe	95
PID 4428 wrote to memory of 2692	4428	Idofhfmm.exe	95
PID 4428 wrote to memory of 2692	4428	Idofhfmm.exe	95
PID 2692 wrote to memory of 4928	2692	Ifmcdblq.exe	96
PID 2692 wrote to memory of 4928	2692	Ifmcdblq.exe	96
PID 2692 wrote to memory of 4928	2692	Ifmcdblq.exe	96
PID 4928 wrote to memory of 1516	4928	Iikopmkd.exe	97
PID 4928 wrote to memory of 1516	4928	Iikopmkd.exe	97
PID 4928 wrote to memory of 1516	4928	Iikopmkd.exe	97
PID 1516 wrote to memory of 2112	1516	Iabgaklg.exe	98
PID 1516 wrote to memory of 2112	1516	Iabgaklg.exe	98
PID 1516 wrote to memory of 2112	1516	Iabgaklg.exe	98
PID 2112 wrote to memory of 3416	2112	Idacmfkj.exe	99
PID 2112 wrote to memory of 3416	2112	Idacmfkj.exe	99
PID 2112 wrote to memory of 3416	2112	Idacmfkj.exe	99
PID 3416 wrote to memory of 2012	3416	Ifopiajn.exe	100
PID 3416 wrote to memory of 2012	3416	Ifopiajn.exe	100
PID 3416 wrote to memory of 2012	3416	Ifopiajn.exe	100
PID 2012 wrote to memory of 4012	2012	Imihfl32.exe	101
PID 2012 wrote to memory of 4012	2012	Imihfl32.exe	101
PID 2012 wrote to memory of 4012	2012	Imihfl32.exe	101
PID 4012 wrote to memory of 4952	4012	Jaedgjjd.exe	102
PID 4012 wrote to memory of 4952	4012	Jaedgjjd.exe	102
PID 4012 wrote to memory of 4952	4012	Jaedgjjd.exe	102
PID 4952 wrote to memory of 2664	4952	Jbfpobpb.exe	103
PID 4952 wrote to memory of 2664	4952	Jbfpobpb.exe	103
PID 4952 wrote to memory of 2664	4952	Jbfpobpb.exe	103
PID 2664 wrote to memory of 4484	2664	Jfaloa32.exe	105

C:\Users\Admin\AppData\Local\Temp\9159947681c687f103ca048bfe03bbd9d4f6c1a57ab73c48a64b533c01b382ee.exe
"C:\Users\Admin\AppData\Local\Temp\9159947681c687f103ca048bfe03bbd9d4f6c1a57ab73c48a64b533c01b382ee.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\Iffmccbi.exe
  C:\Windows\system32\Iffmccbi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\Ijaida32.exe
    C:\Windows\system32\Ijaida32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\Impepm32.exe
      C:\Windows\system32\Impepm32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        23⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        29⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        39⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        40⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        45⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        49⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:876
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1588
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        67⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        68⤵
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4228
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        73⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        74⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        80⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        83⤵
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        85⤵
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        86⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        90⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        96⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        98⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        104⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        105⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        109⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        111⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        116⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        117⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 412
        118⤵
        Program crash
        
        PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5680 -ip 5680
1⤵
PID:5772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
128KB

MD5
964fb94dbda55cc6f74b8d020dc4e2fb

SHA1
ee2487c6e6ed192c62fb61f7a639d36d1b12d85a

SHA256
68c297d82551e965bf4c033f1411a02bb4de2858dc2ebc69cf16db766e4aa3bd

SHA512
c7714034d0162b8a77940fc418de0f5e7c99fc1c5b51b749fd17aa460b5f06d1e4d43093f24e84b5916e66ddd2f617d9cf90fd2228674ff54c3947bc53b84e00

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
128KB

MD5
15283e4d17ac43a6e6cfd9c938703667

SHA1
a8e4bc377c727adfadb48670cb717eca45e273c2

SHA256
3cc3411efddcc206d85daffd1c4cdc190392f5ce2d36c62352af9d2e7a8d9d67

SHA512
f33fc1ea30050f6f13790bd1b8996576ececc1ba54b12bce82f381a78f7edf8f8ca601dba5b45719b490645b0e24a79029913254a2c788378ccbf4636807e7a3

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
128KB

MD5
289f167861cecc8c27afd5be498ff648

SHA1
55730ff9223cc3cfd0c7526fd4eea625be24d070

SHA256
c4edceddaf98560934b0b883401dd2dc5b560c67792861dbe73b746d312d32c5

SHA512
21fd993dc4a83c0c6e811fefa99266a88c1333881b231aa745845fedb8b28285f2d111579614c5b910a6584078d58e82521f5767a595dd57b86b51d50ab4fee5

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
128KB

MD5
f683c5a0a36f6fdc5024b9d32a0a8f1f

SHA1
536a42dbeeebbd846555110c51bb03d7f279c3b8

SHA256
e47774410f4058aa4a4b4ab69d147ed7e1333a7a329cc6a757c4d6a5c526bd08

SHA512
87c673843f5d244b5ae4bf9e24d26c3c12120abc864d038ed233ebfd6b34ec98b7f1596fb393081a7cc40203db509c38658ca0be6b23b75d0ef5b52f3badd785

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
128KB

MD5
820989a203457e405be4fd17c71b2236

SHA1
c1284364782f342f4e837fea222d66f5c5d53f32

SHA256
53c04c87224bd5601376a338a3a418e3938b73660f829cc90d3119985f7a5ab1

SHA512
d9773495967563cdd247b000a7412b835185970fc2ac9e0580b19ab57c3ed41cec8a1e481f5febcf0e315eff9fed7c42846107d584b61a7776fa70a1bab64055

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
128KB

MD5
69100d908cc95dfb5f1efa0454608ec8

SHA1
c632f7ddf1f5d73515adcf573cb57cfc43f7fb3d

SHA256
ed670d37d24d5594e4d6f18d9d689f4e7347954955e0ec4dd5b61cadeb8c8388

SHA512
1894de18e34b4bca60e75d69b5215a585f0b3b5a69da270d96aa34f35f00a853f2b25c26e0f96ee30880f83c9fbadbe45573dc7870c1ede826cae11e75ad7c66

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
128KB

MD5
156265e9751b88d49f41f54eb2d405c3

SHA1
486538b06c762ffa470d8d361fecaae115e99bff

SHA256
2d12ca586b92393845a7c59c59d27c50220f9f4231f84e7311dff7e307d6d5db

SHA512
eb17762c6cb0797461852464ece6ec11759d395f0a5577105c9d0a929dd2adeac9147ef970befb61142840f37a2ed19ca2c96fdea18e6b5016ca7a518cb5b465

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
128KB

MD5
0842962ad8239b8989d81fc6e92e50ce

SHA1
3b93f8296a8e15f1b4eadde6e1cb46907f8a1f2c

SHA256
12ee5b4eb3fa77e0fc4d5e4d9a0810832d9c27583516b6c41e75f9772206abde

SHA512
f3cb930e7d1f187de3b3c5dbfb2c67fd46a6ecac36d72eb9012237341a8c5c950c784171e74b73ce92a39e5ea71b64fb151a4f1775dcd2b8c9475211ddeb4be3

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
128KB

MD5
06e4abeb38c64b87e0d6d9dcab7b5728

SHA1
e91b1357a766a097ca8f98fda268e2c997ed452d

SHA256
562fb465aa3d1bed7a84550aac50c4a2f9972626e45116e1417fb9418c51cad3

SHA512
075af33c8102193979fcfe9f32055a5404066fa6c57c2fe6550176c86a72bb20d740493f90d41c6762d5ada78a5ca81c7c6cf5435be0cd38cd0faa401a7144ff

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
128KB

MD5
9bebab331f025c9e1361e89b21988f74

SHA1
637e8cc0aff53761b65ae28fcaa0551e9c9f3006

SHA256
89e8ae0b6682a6d440f9115c30efd771bacfecd914c2abb56b04c9a523158b4e

SHA512
62c3e66921650a7665e392bbb61f8f8595d1bd26c6d63128d96ecd6a9ea4724727e656ba21183f5cc8c6e3abb1431b894463e10b02eb1113aedc2210548479e8

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
128KB

MD5
ce1d9a064d44d80fa58e92b9ccd07aa5

SHA1
c032f39b54d9e4592aa5144f3d072d1f792ea74d

SHA256
cd3a2f2fd842dafd51030c9fb040ca67133940809acce86e2f2601a05e39cd4d

SHA512
819cd54891316819c9231947305050f044eec989745de10d0821264b889d5e75e1b3407f8661740346506570353675a7765a0020d96518ca20328085ac61d2de

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
128KB

MD5
67e22ac958dec00e9827851df31d3172

SHA1
739b29b242955f2f58cd3340ade9df6fbac7691d

SHA256
b1fbc9904ab0bc660a8432d81e038703e2145ee9c578e234566a27c5653a38ba

SHA512
c51aacf1c5e2d24e72a82e9ad896bf7faf3bc6f17171354ac07196bdd8d32e88f18dd3a6f1796258dcdbc5928872bb555780082437d677855e6953fbaac3d941

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
128KB

MD5
c4cc4c688a0296d9d9f49809ebcc3764

SHA1
e00d1b0a7631458951f3f9ef9fd0e99b50cfb4c2

SHA256
e9ffcb61819ec6263f334220be2e29569337bed2e658db42457a3020e50fea77

SHA512
835b9a116e327f6c50716931bd050747c2676ba97436ea9c7922b29fd613d10def9bdfebe4eaf078badc952025b280060c72828c4b017f2d3297a4b5b9a0a97f

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
128KB

MD5
240d1a1ccea060a0de9a3e6073ddfe7c

SHA1
bb242447134c3f3b9ccf016373b8ec73605e68c1

SHA256
fa3a04333c592cbe9da1c2235ba419efd71296fdf0cf02a7e7a1d804ec034560

SHA512
5ac44b302d9be6137fcf215f534f3b5207af75df531ae4b2d4567ca20f457ecd92a25bc86186b449e1db2588978ced443c9b8e8bd1b9c44a5dcc77589314f740

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
128KB

MD5
bf6b577501f75cc9ec12460100d2857f

SHA1
156901b01b7431cbb97cbc7a4057146a54f814bc

SHA256
c761fdb3d7c21a42d2a86767637044273c174b933677a2d7e28f6d1a32fd2b42

SHA512
e4c27f9bbfefb7ef72025517b2c671d4efc34abd484fc8239ea2962d7208ae48696207589ae3a8b788c15058d253e98fbfedd0b23ffae3e8b78ff63e144f065a

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
128KB

MD5
be5d2c91cbc9fc631e752f719506f0d7

SHA1
8daf05e6a1cbebeae1c1ab91cb6e2b718367f71a

SHA256
1cd3413ec95b6eb8fd8b205721cc3fa54ee3de238508e7e4401456da04d07c83

SHA512
323861d47f5bc432bcd9c484455e78cde472a8fc0cb8d768d9d150580b490d5caea6165f104c70b49a3aac2c4c93c39cd382aaeb844dffbd043156eb0f2af418

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
128KB

MD5
6f294a8293129aab22393d01ac54f136

SHA1
9334863ea70a90a41ba2202158c09234df754329

SHA256
ef193763ae9a28f366c2868d440c71b311cb226f953e8899f216fc2cf22ae345

SHA512
8d73db36b8f0ac501f6d3888030bf8edf7d221636a93d91b88fb53e48fb388b957e142aaab6b2c3fbbd93fb29a157f9f53df8355add38a670d5af71248d4fd03

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
128KB

MD5
2dc9ec79774624c4a5fa61dbf7c624cc

SHA1
0511ef1a036ee3ca10f6519d139c090eb8005f44

SHA256
84abac8da117b046d46d0c2d52a94c44779ab12b2ebf1dbf1fb06a7649c32717

SHA512
aebaeba0bacd984c445d2750158a421b9242cb3c859d38eb0d9bc960680c9b5b383dd36e7530313ab7b9722c1d3e33c77e426530c5f94e21e2a4d9729baaf799

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
128KB

MD5
8d1328f28865e70eaa8a03e6ab2562fe

SHA1
272641fd89704109f07349cee5fc8ff0c1652942

SHA256
b732f25dde9a62ddde0407a1a832e3ecb449a980b386c787feed30ead9a633d8

SHA512
b23343cee868db3c575cf1c0f381dd3900c12cbe502fd848ef87295698559cd4d6a8893d9823d8923ff6e3c6eb339d3f07f2deb685ebd4ec73d1f8da4d9a8059

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
128KB

MD5
fbf395c65539c323e566eeb6b733cd19

SHA1
70f1adbd4373bbac019c737c07820623b2b4ac07

SHA256
05a25e86dbd62427c90c8451cb58232c213b314e0c628bdd781caea7b2d0dbe4

SHA512
3cd138eafe54f466a105bd73c07b15cd909fd2a90dded94f04a667cd104593ce177fabe9d8ec6fcf0cbbce2c6c6d5a58f17d6c32408501512639c0266cba57a6

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
128KB

MD5
42a60dc59b39b15c2a026eebd6cc100f

SHA1
45cc5898e3b12c0597d21f84ada51c262962e565

SHA256
34d2d39671c07aa1b3d68351ca72e565485935d44679cb7774570a25ea624690

SHA512
617e831fe1605ca0aecda50158f8ba92d7f6721d1693678a6fe5d744bfd7fdd132c9973c7844e3ecf2cd6241bc98603327b7f40f43ff265267a1b025d214dc07

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
128KB

MD5
55183d47a157dd526fbaf93eb14717dc

SHA1
13dba0d3e2400c4e3a970db3346589f4ce542aa0

SHA256
a1d82ddbb53ba17620fc0a9f780fd1d2dab24cb0a70b6da05b819d4928f01852

SHA512
afb12b550b929d36b2a3a9e1d389664d5c0a53129e41aeaca5b45bf3503a6f4d2a10c1c3ebe611fcd3ba97cee09d9979cfe5d9b5fdd3679f027fe5877d1f67ee

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
128KB

MD5
4d4ff48d32eec1f695491df641856f65

SHA1
109ad8068c6206548aef99451712abd8232f964c

SHA256
6cf85be6e41bbf94ffbdf397294e8ea92b77cd2b3208c54eaec190af4cb76d50

SHA512
e070fe2340ef308279eaed780c6988fd19e91765ea958b2ed337ef0879abfe533b471fb1d9b47cfe4ea43a264bdcd11ba1a708662126666076d80f722162ad29

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
128KB

MD5
afc917f9b40f4431e8460bb75257a855

SHA1
48b3531aad3c62a3fde5b74ea6dcda880f3f71b8

SHA256
1e4dccabde4f753052fe4a2c09042918ff1540575bea6b2d71da933be6d1e109

SHA512
5ff93971cb702059bf1d562d4fe54255f6693cbae2f9fa57e713e1632b551f8caff241aaca8736cb814588a956e63028ab7f453c490af4276356010c6d3ca994

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
128KB

MD5
224af464684b62d47c4244ea19090ac4

SHA1
24b907431d73e55a794f16d2e244e25a31946595

SHA256
516a8e7adc60b45841386524bdafb39a4947edfa5286d845077dd50eb16d5bf9

SHA512
db1a0b84fd5b7e23781715cdeac44c805812d1268852b583ce048c4a136b4102b4c2a32aba6941db2045f4ab7f2498a862f6028a52231007681b7b8c8b662010

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
128KB

MD5
caaf0cff10120a8827bfdea7e2de8ff8

SHA1
ec96ed1a3631b11ad28d1853ca51fd5149fcfa25

SHA256
de28f030b79b80b41403e2dcf2574e752b804e7ca85ce82e3dc1b7bf2fe25929

SHA512
9011d92e1419d71863ab3b9d7148fbe95551c450e7b56b356bb52482d3da96c44609b0dc35ab2b9d98933456c15a6e410d89d6730a2c2e2a2b0a4acef5ec75d8

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
128KB

MD5
7a2d913cca40dfb6b7284e25b9d48998

SHA1
3c68b311c477e60814b22cbc053c5bd33e290e15

SHA256
7ddf489b2587bcdf60e8dc7bfeb302c7f8fe537f97ffefebcdbff3184e83463b

SHA512
3fee9e4fd2576db54f1c77ae00897d7d0b37aa18b0492fd6e00511007f3e3c4b03f4e31a817e15762c0f40706145319d24fab1367ea511ea3b6f754076e323f0

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
128KB

MD5
ac9a47d737d89c38d6a7069ecda8ef9f

SHA1
363163800d9a9dff724ae6d1840d2a88d285129a

SHA256
35e71e0544cc3008fea6bb54a32a9a77862517b86e68565cb5a8e84c317946a5

SHA512
7586f9cc03bd82a6ec0c1506a59248db4a87e26d6b30e1a90c31bbf4b0fefeda488011d61cb4f395a2080e66d977b307078a7f581cf48a039ae6b4700c4d0ff9

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
128KB

MD5
1a486ada4d76edeba34c014c4239ffc5

SHA1
75a94525e462ce513fb44fd060eb204ecf65efa5

SHA256
b526ecca4d509dc794280d4170095c20997ab389bc8b47806dbd32bd9d6aa21f

SHA512
4a6bd63a9b792b86d819893562ff43701ad4af978a93b6436d673d3b0b59e7e943a3854eef801d601944045ec8e542e13b9d2c8c8d1d7459b0771b03fceea0d8

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
128KB

MD5
9bec8e60592436b70f83a13788c1d029

SHA1
14c1a16ac3f7e0ca8ad1d4b1ee12c1fb1b9fea0e

SHA256
ae8d4d3af59cb26c96ed51d22a1abc6adfac168c80784a7eb8f8aa73ea49bee9

SHA512
c33b3d926f89b29db8e42110527f42abf17cd6b1a322752352662420914f1248a99be9ed39d712a4c6b4307f42f167e5fd076454f7046c120b6fb5e587fd9b27

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
128KB

MD5
e1730486fb3426bb2b0852789eac9b5f

SHA1
3aa6b5801f172ea07ad94775eb1f02f089adec06

SHA256
127568fdf106ac551505712d370c1af0f12de9af427e05986be443b371be1037

SHA512
1f6f28cebd99a28284b0c8c137897f428a32cd0e14a16855d54797b035a89b9f6cac93b8bfc037a797336716b5923358d8e958c096c35f7ff93454dfe6e8c81d

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
128KB

MD5
6ef3abf978164bd33a5846b2c8631673

SHA1
9664f9c222941099475ff4102d9ca3ca7e39fc16

SHA256
0f497a80b6aaee182c788786dbe58a49a9ea8f5aa0d47c1b326a5b9c43dab0de

SHA512
144bc2f30a625a781661e576c84a69a5e16ba430993481c56463cfb1ee0fd4e7f3d0b5aba27f1eae00ed8e4183321185d9248d77ebbeaaad5aee06c6abe45fa6

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
128KB

MD5
13ea00371e56d033865d6604af5f3328

SHA1
42e751a5b1524162c15764e172e8d5079642e5e8

SHA256
852bbbeb759e3b921232092bcaea1a54f5b4026ec47c3ce7106dba8f4ce40400

SHA512
ff1e17e025011bd13f7a3c578c15c8cad4e6c59a14091975af24a511136ac5d181cd364f168ce617a1fcb33eda437172c7b84d14c175275614ecc2d2a328fa98

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
128KB

MD5
c3310c19e6c6ce40df1a0e81a01458e5

SHA1
7670e9fed0307ecfc5621f1edb5606bea33eea9c

SHA256
71be0cd8da81e82d3551a2df958faffdf256c399d5486ed2a66c7f0cadb7ecc5

SHA512
eef9ed9c7af3b05322a81ab8538b71c7174b0b757206f9872586111e3d0de0394bcb0c0d90aab45516db98bbfbc5012bbbd5c9e645cce299531a96baa7282595

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
128KB

MD5
dd72ff9dce7a12fe8b9b914a11832a8c

SHA1
11432d5f0428d072c598b0acc9a744e84214958f

SHA256
d83d3bf8435f57ffab0bbd7d3cbe0b4414f251763400084c3566cad43e16d8ba

SHA512
860ea1215e3e90fb4eb8096d33b4d3303683762141324fe2c91365beb0935391b5cc6830460948ab4dd746d3db58267c911dca9996e3368f34848c51a64f6e1c

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
128KB

MD5
02907db523fc65b29914831169462b99

SHA1
9da366e474dbda74f4289b89461e8c14b0ddb0f0

SHA256
a1b46963e299f6bc7258bfcbb3a8bd52651c0a3495082cbaa37c0805a78e0748

SHA512
8432a3dec108181b6f40b752243c4df04861b217821819ac65073e61c382ee5a9dfdac309b1778ec5d76e4e1e89e93fc3a4b1d679b5e1cc40f96b0ebccb69984

Download Submit
C:\Windows\SysWOW64\Pglanoaq.dll

Filesize
7KB

MD5
f10f14d8e1c41fe3bb7e3251e775f3a4

SHA1
6594aeb4f38bb89c680002926fc64f3b2cea157c

SHA256
47b4b9cc64ffacc382a5dff3400cec0a944dfeb294392f52c7fbc9ea73344b7b

SHA512
2b71ef6f031b0d47c2f0fef5edbd48af7c9b327da95bbee1a4477301762075ac3064524ed217b22d1ac2e602e57a48e81c23861c32703b2eef0e692afb1690cb

Download Submit
memory/436-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-885-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-836-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5160-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5680-785-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads