a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe
Size

464KB
MD5

8629173939e1c984413a65bdb3d9ae56
SHA1

52555ea910aef7b38295d458c2752c1138dbf617
SHA256

a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e
SHA512

4baf28ffdd8370279a5f0894ccd5a9b0740d0462ef72185292888a781eebef6796be79ee9b3df1fa12147ae95c22e25eb3166adb74dc876768144595a36d9945
SSDEEP

6144:B4eKaiMLwEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPC:BNRsEVI2C4EVu2JEVcBEVI2C

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe

Detects executables built or packed with MPress PE compressor 64 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f51-6.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023407-14.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3176-16-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023409-23.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4208-24-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002340b-30.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1268-32-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002340d-38.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4320-40-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002340f-46.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4668-48-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023411-55.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2988-56-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023413-63.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1112-64-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023415-71.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023417-78.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2196-76-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2468-79-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1864-88-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023419-87.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002341b-95.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002341d-102.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4064-100-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002341f-110.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023421-119.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023422-127.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1352-132-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023424-135.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1448-120-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2176-112-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000c000000023375-143.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1284-144-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023427-150.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023429-153.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4440-152-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1680-160-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023429-159.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002342b-166.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4328-172-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002342f-182.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4484-206-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002343e-241.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023440-248.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4336-383-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/432-393-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/640-422-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/624-421-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4944-413-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4124-403-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4868-385-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023482-432.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/64-453-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3568-481-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2112-488-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2152-499-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002348c-464.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3124-463-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0005000000022ac6-447.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4184-528-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1616-537-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3912-535-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3584-532-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3004-527-0x0000000000400000-0x000000000049D000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 64 IoCs

pid	Process
388	Ipqnahgf.exe
3176	Imdnklfp.exe
4208	Idofhfmm.exe
1268	Ijhodq32.exe
4320	Ipegmg32.exe
4668	Imihfl32.exe
2988	Jdcpcf32.exe
1112	Jfaloa32.exe
2196	Jbkjjblm.exe
2468	Jjbako32.exe
1864	Jbmfoa32.exe
4064	Jangmibi.exe
1804	Jdmcidam.exe
2176	Jfkoeppq.exe
1448	Kbapjafe.exe
1352	Kkihknfg.exe
4968	Kacphh32.exe
1284	Kphmie32.exe
4440	Kipabjil.exe
1680	Kagichjo.exe
4328	Kkpnlm32.exe
2172	Kmnjhioc.exe
3636	Kpmfddnf.exe
5092	Kckbqpnj.exe
4472	Kkbkamnl.exe
4484	Lmqgnhmp.exe
3296	Ldkojb32.exe
5044	Lcmofolg.exe
4336	Lgikfn32.exe
4868	Lkdggmlj.exe
4660	Lmccchkn.exe
4404	Laopdgcg.exe
3940	Lpappc32.exe
432	Ldmlpbbj.exe
752	Lcpllo32.exe
920	Lgkhlnbn.exe
1560	Lijdhiaa.exe
3196	Lnepih32.exe
2532	Laalifad.exe
1236	Lpcmec32.exe
5060	Ldohebqh.exe
4124	Lgneampk.exe
3444	Lkiqbl32.exe
1044	Lilanioo.exe
2368	Lnhmng32.exe
3388	Laciofpa.exe
2120	Ldaeka32.exe
536	Lcdegnep.exe
3048	Lgpagm32.exe
4944	Lklnhlfb.exe
4808	Ljnnch32.exe
2256	Laefdf32.exe
4620	Lphfpbdi.exe
4408	Lddbqa32.exe
3900	Lcgblncm.exe
3840	Lknjmkdo.exe
624	Mjqjih32.exe
640	Mnlfigcc.exe
1616	Mahbje32.exe
3912	Mdfofakp.exe
2652	Mkpgck32.exe
3584	Mnocof32.exe
4688	Mpmokb32.exe
3004	Mgghhlhq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Jfkoeppq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4776	1996	WerFault.exe	161

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 388	4296	a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe	82
PID 4296 wrote to memory of 388	4296	a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe	82
PID 4296 wrote to memory of 388	4296	a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe	82
PID 388 wrote to memory of 3176	388	Ipqnahgf.exe	83
PID 388 wrote to memory of 3176	388	Ipqnahgf.exe	83
PID 388 wrote to memory of 3176	388	Ipqnahgf.exe	83
PID 3176 wrote to memory of 4208	3176	Imdnklfp.exe	84
PID 3176 wrote to memory of 4208	3176	Imdnklfp.exe	84
PID 3176 wrote to memory of 4208	3176	Imdnklfp.exe	84
PID 4208 wrote to memory of 1268	4208	Idofhfmm.exe	86
PID 4208 wrote to memory of 1268	4208	Idofhfmm.exe	86
PID 4208 wrote to memory of 1268	4208	Idofhfmm.exe	86
PID 1268 wrote to memory of 4320	1268	Ijhodq32.exe	88
PID 1268 wrote to memory of 4320	1268	Ijhodq32.exe	88
PID 1268 wrote to memory of 4320	1268	Ijhodq32.exe	88
PID 4320 wrote to memory of 4668	4320	Ipegmg32.exe	90
PID 4320 wrote to memory of 4668	4320	Ipegmg32.exe	90
PID 4320 wrote to memory of 4668	4320	Ipegmg32.exe	90
PID 4668 wrote to memory of 2988	4668	Imihfl32.exe	91
PID 4668 wrote to memory of 2988	4668	Imihfl32.exe	91
PID 4668 wrote to memory of 2988	4668	Imihfl32.exe	91
PID 2988 wrote to memory of 1112	2988	Jdcpcf32.exe	92
PID 2988 wrote to memory of 1112	2988	Jdcpcf32.exe	92
PID 2988 wrote to memory of 1112	2988	Jdcpcf32.exe	92
PID 1112 wrote to memory of 2196	1112	Jfaloa32.exe	93
PID 1112 wrote to memory of 2196	1112	Jfaloa32.exe	93
PID 1112 wrote to memory of 2196	1112	Jfaloa32.exe	93
PID 2196 wrote to memory of 2468	2196	Jbkjjblm.exe	94
PID 2196 wrote to memory of 2468	2196	Jbkjjblm.exe	94
PID 2196 wrote to memory of 2468	2196	Jbkjjblm.exe	94
PID 2468 wrote to memory of 1864	2468	Jjbako32.exe	95
PID 2468 wrote to memory of 1864	2468	Jjbako32.exe	95
PID 2468 wrote to memory of 1864	2468	Jjbako32.exe	95
PID 1864 wrote to memory of 4064	1864	Jbmfoa32.exe	96
PID 1864 wrote to memory of 4064	1864	Jbmfoa32.exe	96
PID 1864 wrote to memory of 4064	1864	Jbmfoa32.exe	96
PID 4064 wrote to memory of 1804	4064	Jangmibi.exe	97
PID 4064 wrote to memory of 1804	4064	Jangmibi.exe	97
PID 4064 wrote to memory of 1804	4064	Jangmibi.exe	97
PID 1804 wrote to memory of 2176	1804	Jdmcidam.exe	98
PID 1804 wrote to memory of 2176	1804	Jdmcidam.exe	98
PID 1804 wrote to memory of 2176	1804	Jdmcidam.exe	98
PID 2176 wrote to memory of 1448	2176	Jfkoeppq.exe	99
PID 2176 wrote to memory of 1448	2176	Jfkoeppq.exe	99
PID 2176 wrote to memory of 1448	2176	Jfkoeppq.exe	99
PID 1448 wrote to memory of 1352	1448	Kbapjafe.exe	100
PID 1448 wrote to memory of 1352	1448	Kbapjafe.exe	100
PID 1448 wrote to memory of 1352	1448	Kbapjafe.exe	100
PID 1352 wrote to memory of 4968	1352	Kkihknfg.exe	101
PID 1352 wrote to memory of 4968	1352	Kkihknfg.exe	101
PID 1352 wrote to memory of 4968	1352	Kkihknfg.exe	101
PID 4968 wrote to memory of 1284	4968	Kacphh32.exe	102
PID 4968 wrote to memory of 1284	4968	Kacphh32.exe	102
PID 4968 wrote to memory of 1284	4968	Kacphh32.exe	102
PID 1284 wrote to memory of 4440	1284	Kphmie32.exe	103
PID 1284 wrote to memory of 4440	1284	Kphmie32.exe	103
PID 1284 wrote to memory of 4440	1284	Kphmie32.exe	103
PID 4440 wrote to memory of 1680	4440	Kipabjil.exe	104
PID 4440 wrote to memory of 1680	4440	Kipabjil.exe	104
PID 4440 wrote to memory of 1680	4440	Kipabjil.exe	104
PID 1680 wrote to memory of 4328	1680	Kagichjo.exe	105
PID 1680 wrote to memory of 4328	1680	Kagichjo.exe	105
PID 1680 wrote to memory of 4328	1680	Kagichjo.exe	105
PID 4328 wrote to memory of 2172	4328	Kkpnlm32.exe	106

C:\Users\Admin\AppData\Local\Temp\a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe
"C:\Users\Admin\AppData\Local\Temp\a872f5e48ec03e561c3dd9756cac851f1dc96bfc76cc0e3def1eb64c6c76ae9e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\Ipqnahgf.exe
  C:\Windows\system32\Ipqnahgf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\SysWOW64\Imdnklfp.exe
    C:\Windows\system32\Imdnklfp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\Idofhfmm.exe
      C:\Windows\system32\Idofhfmm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        32⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        37⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        46⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        47⤵
        Executes dropped EXE
        
        PID:3388
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        62⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        68⤵
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2860
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        72⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3568
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        76⤵
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        77⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        78⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 236
        79⤵
        Program crash
        
        PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
464KB

MD5
2522ce1c4d299d456442067929761a47

SHA1
196b3b27788339885eddd01f310e03a1785aae0c

SHA256
9446f95253fc5e086208a3fe6409958b49f006bc0a93cf4bbeb21b6f359a65bf

SHA512
371554e3570dc8b82054ba1f980014b27f5eb96128c2cf9899d4a45d84fe55edbd81daf3942776172f8fd5496cd2a16ea985076db87bd7b69054182d3e101166

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
464KB

MD5
1db56eaa0b6da6914e4b050fb97b922a

SHA1
10904f0bd45ea4812415c6868ab8610711e5b22d

SHA256
c192e0501f3b2a3554a0802c2a4de7459da3b13459437e16b0c1b0b28555345d

SHA512
b6c804902e1a04608f4c4c5e776ce0c99bb916c7e2ff3d1e839b4f555fd24edc7949bf6093b2996867ba90ffc7ddb950aecf2bd6aabea9357d42ae7a6ba94c49

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
464KB

MD5
8901f3d1ca659aad260eb3e4dd7f21a9

SHA1
17bd372d7615d262ecf2667b812feeaaf26a92d6

SHA256
6519a5b3d1b7f6790c119d3d568ce0300f1a0d0cd6c55b32307a5be609aa517b

SHA512
dc0e6fcf2fde84a4dff3864ac486519049e87fb0e1f8f3a8693bfdc3216662db8e3b188855227a5be34c1617598e3758de61eba1b7ddf722645ff953de4b08d5

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
464KB

MD5
aa3dc08b735ddbae5dcc8d6247c27af4

SHA1
a158c5698192b9e7735af7663dc53472d918bee9

SHA256
9a557230ec080bac5b2aaf7cd5191fd1bab5226c4f30384dfe23ed091f7159ed

SHA512
ab36189ae37e1977b7280c6568fa947269fc7fb977b7ee0f1cbc90e8657fed14d055c5722aa0cc12bd57ee79bebaa45081e2b0902d207976fe92c84225832951

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
464KB

MD5
6ff7b0448ab6b6458b1bb33abbaf65fa

SHA1
cab54a0cfaa66cd3689bc5e416629ab704ff5326

SHA256
31242a3c666ccd775091ca824f63022e98ac557d0fdf67c7fda3bc19aff771b8

SHA512
4ebe7fba5c047762a60d46f823e6442f51dc050d017103db5e51306402f611b5352218f57ce8e0b26ceeb8537d9c91138517b9e4f2f06a775b1e87a2b1be1844

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
464KB

MD5
c996756e0f167661312c0278015c2181

SHA1
d7748028fd4b2b51248f795a8c316b1737e67599

SHA256
7330a71c1133deae85f896a11a315832d629ff0ee2aceffaa3c5a51a121d30d5

SHA512
70e35e88a5645c46aa2d505d79ad6d6c5d3ae266b1e02636a5d1ef23768173e94cc3ae2d4f40824452aa259092a57e43758da9e199618ab68396d4a2aee4934f

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
464KB

MD5
a3a61046d2bc4dff843cd479a596d727

SHA1
189f4925a8fc717a29cebaa40184ada2fff44132

SHA256
3507c6eb482d54cca2fa45d14f931d0774bff1299c60fdbb48b1121f60a1f9de

SHA512
2887343fe012d7f71fe306ada50a0d16ecab4dcb5b89e1967601fc773d311d954906391a3c08c12277d0520d8dad92b96f26488dcf9d9a786145d32caac63eec

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
464KB

MD5
19cda3bbc42b7c737b0d424a4d51fd08

SHA1
4e26fc9e2402067728d4244c61fcf9dc66df2ac2

SHA256
63b16c2152ce4c233f85dd905f31c54d26e939ef1df788add4fcd9ac7d771a6b

SHA512
2dae1ed72d57cf27f09939f0493b98d3489372058c8a4edcae4ad730a2e69a1990eabfd7782a1bdb427ba9bf9bc7d93036d36399853e9d88e3deb1c5ee8a5679

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
464KB

MD5
f2c3f8fdfb2d8248f484b66b7115e128

SHA1
78216829f1c9dcd38d9ce1d923202358941c1235

SHA256
e08c7581768f2c94f9837412d03032959944730d80e08ebbd994619cf6ae2715

SHA512
65a9ba740d7ec4b6774948eed1d39ecdb5ac4c6ffef575908bea08ba90aa8b36aaa1b2961d361a0fae66f97c4c116280c5eab041191956985ef3f721fa574b49

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
464KB

MD5
35c9f97670642cce249294fd6761a368

SHA1
029db40a24360be99268325b580385a0745c3910

SHA256
44e1cad60a82ee0f270fd77c98bcc14a501ca3c88664ac6854bc4bcea40d1ab4

SHA512
4697e337590e7d731b7671a45461f3f53e5e5d371fb7f1b14346a0aab48b2e57b388dc883ff1eb4052774f554c4627f52c4602c286c55ec86c588bb6340908c1

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
464KB

MD5
6a5ef9180826ab8b4c840ee8c15c56ab

SHA1
5c3c1e7cbffebf27bd8bf1bc6fae5eca6e2122f9

SHA256
0da56b758bd30969b3deda7da2c1153ecdaaa6d81bced07975929c7d9a2d9d46

SHA512
66265501d8cce03d8a2c0b5f226a07067daaa49558b20c053b4fac82d497d94d1fda1ccd10fdb35484c03c42db5e3bb0c1f353b699b5f966c132a3646c1bcf8e

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
464KB

MD5
24e32b2da82236fd360ba60d7c3e8ac8

SHA1
0620572b798552ff60bfc09658571ef1cac5ec18

SHA256
a19ea79b4c4bbf482b15d51d956f30282ff3a4bf60fffffc6d70d4811a4d9390

SHA512
fa7a9d61c55253488ede1473884b6537fe0bc5e6c37d7a6dcd8da658554a97e8c92ae24957912c6ae017f3e16992e12f2a0ffb78125c8ab95dc422acfa787f19

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
464KB

MD5
44af50634e77510bc4925edfb0d2f8e7

SHA1
642ded9d900435122e045ede79c769def377d28d

SHA256
f02dfe7a19511e4e3cfb69a5477f5f77c4271e555149840676fa68c3a70b0ef6

SHA512
241a0bd06c59eccffcbce147717bef1d1ea47ba66ecf74c9d493803ebbfea1237056d234fa48f8fcf00436ec4b5e3bd6673d01d4bc10366f3dbad20eccf9012d

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
464KB

MD5
a1eda3a353a87e5d501ec3007239c100

SHA1
e2239034888cbba59810578978b9e197893dd24d

SHA256
a9e7bf6e6777f0e9e1b1f25cbf8cdfa984ce5c7f1eaecebcf82f0d27764019cb

SHA512
acf4ca1907b4f70bf3a77a25b29187c4081b93de95f4991aef51fa86cd96bc1b7b1150e948acacc1a40226d5ebebd77384915d3cb395d622b7b1c80a24b2feae

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
464KB

MD5
080d50d1b91ab1cffb973182bc605046

SHA1
3996a5ccae3f4f1abb2c4d90298fa9d85b2c2b5f

SHA256
5887f87e6c551188fa870e4cc085cd739cd29fd83669d5117e714f0945c01a65

SHA512
349b8bfc55db8b050c17618b576a8b417287d1b70e5820ddc6f5909c30152058f3162afd77785b5da6709b6ece16e51421b114b0cd667d9f9cce254485c60af6

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
464KB

MD5
de631c3437efb0142674d070da90b9de

SHA1
0eacecfe5455bbf1e87d79997e2591725f324277

SHA256
8ab02d273bac2b82259e6b2abd3dd8be8aa6cd3942ee8dc558aa58389a4709f3

SHA512
e1b7db2a0d83c498ff497d9331503234f1d476461331e32c9d4f51e299afe13c7f0d131c430a4ac19a7a6961de1ae8b784e1ec9c309a3bc3f59ae197265327ac

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
464KB

MD5
1559f5c1f289baeb1767de57fce36d63

SHA1
ee5b9ccdd1c2af0a97f09305e5bee26cd2010901

SHA256
8d25830524bde50279c0cf470097c8e8ecca7f55ef63d52f235fc2634fa73323

SHA512
d41a2a13307a1aa6f714fbd897c0c85c41fe3d97e5262352445e4b483d3a852120f819ad7e26783aeea7347a36692f81e8abc32e9ff6f3cef6e3867a6a27f7f0

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
464KB

MD5
71630f24fc28de138e36c06e9bbcce87

SHA1
2a7147e78c8bd45040155e4c106fe70f20000d21

SHA256
e256b752ea5897bcdc82303febfc64f47bc6cdbb469dc972259fbef2ed979807

SHA512
3a304add11ce63a25a1f9e5cd1b26d885c86bae80fe0e7a5bea0cf47797bf827dddfad6e13ba65af5ca8af0e2dc5e6617dd71dd17c4db768bb576a5c823579ea

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
464KB

MD5
3d13a8c090e835539905bac1680f4965

SHA1
bfafc6efc21b819b97b178155368a90d0dea4140

SHA256
1b989d3c0c60893b44c9111c7bb3fc0f53f4720b474da469487aa3c0e2b20980

SHA512
c82372b3f09df9c59611bda4fd6b6c8c14eba61f4ba6cb02250df05fd9e1248070bbb2582b2d2198c01ca411de96179cafef10421bf8324f941fc2055ea3344c

Download Submit
C:\Windows\SysWOW64\Kflflhfg.dll

Filesize
7KB

MD5
7daf540780466f1337494457ae75f303

SHA1
a75d6f08607e816d3faa9da823b7dd081f183eb8

SHA256
f8314dfd5d88b5a0765f097267d5aa56d23a6e80c0037a6c0a9872c3339a7a25

SHA512
58162e3b8b7cdb40e16a994d33db4584086de891fa49d53fc3eea9a9a78fed022327b31c7ce920cef26a9518c9ba660c92ce08a4201661812416a25e06fb040d

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
464KB

MD5
35cad6082cc55c1b7d51787e4e978897

SHA1
44ba1caa4bd65b60520deb4dbec2a2a7a6d30db5

SHA256
9cee8c912aa39f999e198a7b74e440a22c36c85559582260c199944674aa40fd

SHA512
b5050e90674040b0f0311d40b18a381a8e0f1aea48ef559783bb6d10fe2f984c2719c14800d0f97e22140a68d03bee8a49ee26dcf05f15afc86cced2ccdd007a

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
464KB

MD5
18f03195988c944a74e3ee84587e5aa5

SHA1
69076a47993e2ada1181f3dc067642374aeed749

SHA256
3237a5448af1671f503bd913983f2d8c5e227710fbccb262e9c9cb0eac666c5e

SHA512
b19011f97f378a5dcf3c909d9beba882f0a5581029f50f38da0bba33ed1eb43d2616db6fed0bb55e1b816988450a35c2746f39514dfcb080d44fd8068b5eae4a

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
464KB

MD5
c3dd56882c45bc20b88429c5d1fc6e2e

SHA1
af192da5f829daa0667b5add0bbb7957c614aceb

SHA256
ea43ad05e364c07199555f0f94b1a72b4d412925e20d2d72675f0ab394e0bb9f

SHA512
ae808edb900f6f23d9dbc18407aed17e8106a3e5967a0ccf8ca1ecca3cbbf74698fcb5d33e712b43f01b25aa9e233f7feff83abad89a092569a5cbb94b317a09

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
464KB

MD5
dc7e8bfd374c6a9d4dc616e065f7bd7a

SHA1
7741d97e1eb5fc836b21c2f71504af79e2fcf495

SHA256
18aacf3b5aec3c3af6be5881aab73cea19a2f8d7e5516d0b2f7eb85e8a516ccf

SHA512
26cb03712a15615dc72abde19735eebec6ae573382f2ce678911174b4427d5d4b4926621d0854bbb5fd958f4063b522da50138d572e720c12a2ff886d0491ebf

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
464KB

MD5
ebebfac3cbf754b8d16b5ff0b10c545f

SHA1
6bcc90f8c0916c800c28b05726c13ec8f589087c

SHA256
384fb069f27e0daa93529b0364b971c223f6951554dde1c374d43fc0e5fcea49

SHA512
8f7f2a1cd9fc632e5066f8394999559b89d71bbb949867829932b1112e47925f58af194bbe629ac427a2fec083ee1e73fd2c916024e1bff92e8af1daf3a8af23

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
464KB

MD5
13623e0890d3eb12f663faf6edb37251

SHA1
c81940429cec0f0b296fb97989a437191f2ef692

SHA256
db2cd90d74c2518d7f2a5f5ac7267c35bc2b6ed0c9b344b178d041bf2310d473

SHA512
534107de1f760f0df4ba4c98744448bb54880a690c98b714656094ff941e47311fa2f31c92f9c0a7b0973eccc69bf2e50ea44f96a4658bb13220d0917a8d442b

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
464KB

MD5
b5dd824750286026ddaf1646825ccc18

SHA1
c22b2958452c9e0e73750a24f33b1025d00d2935

SHA256
0219b8e18d4780eeeed04ddd0a6d3bc91fd88a9fffe1c4e2e6cfe967c7bdaf11

SHA512
d908c16f9f612a0665441b01304c1e091f244a2f43e5b51a81cfba0c040d8736b8662bdbf2ad3c32743ba13cad93f8c95eb1f0d02bde4f8d2a6c092b383ad67e

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
464KB

MD5
e02cf279be4a1b82fe35a8830448ab60

SHA1
a14c05741be8014bb9bbc55b1ac60ec32fd4b463

SHA256
a8d52f7e7a81579580a62553df42a4e273f3a51029e349ef517d21d79f13957f

SHA512
4a3c543cc5693306ca27be1e2ddb35e708a404301b72a3f007d5624d0380c3765354193961d9cc441e54059ae0fd5c2182aa5134a5ffe3a0b88359899e7aedce

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
464KB

MD5
55280ba04c3fe2b10572783477bfd8c6

SHA1
bbd357d31e41587bd21a05c752fa3759703e3e61

SHA256
e3cd092acd400162f5d889bbf472a64c64c526b4254d238cd42ac41c7d6680e0

SHA512
3d52b50b012e5dd7bea5cdda9ffc75fbab989f34ac737a4bc6054f8e7d1ae64dd49b7f71f0bbb555622ab901b35342a19214288130a0b609201a0b980064e6de

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
464KB

MD5
258e94e7685088a107ec9b8fcfe737b3

SHA1
9dc41c955804544bbb066f1f76e4deec6a1a98d2

SHA256
a7a7069d9cb0f90047b28d1d10c1eca82a7c4c4c5dc7ff846753f730df74d127

SHA512
c34ecc4ccd29e3e1c5a7933c893e792818704b69c9f0b5ff587a753c0ac801a20fca96209cb5f0285e53e5a00f3891cf5025102e9a36b27953c6a6d7a6b69164

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
464KB

MD5
ac6839073aa514b3df0e5016efffe2f5

SHA1
2c4da783bcd08e039234311583f04d1f7dc99284

SHA256
b59a1e91668b752ff4382a6341db0b1287f22b15b57ddc951d112455b7088b43

SHA512
bfb6ea8640435af3272f81b49e2aaffc308bcd9cec5ae3a51277f3ffd5857135fa4e1528c429ceac7424c98561dfc0d026aa9b5f5be0e2a973e9adbc61f7dded

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
464KB

MD5
c9cf2ca29e993d5f5928ae8fd9613d8d

SHA1
a74b113db6210ea921811ff1f93fa5d06711dc83

SHA256
a08f7269b6373e8bc747acbfc61bb2591301350e661491f912b5e47d8cbe2f9e

SHA512
e2b7349e499f32355608b89dcf2b821571b40b504b29ccbe90b0292b26f81e7f3f4efbb699081e3b3ec0934a83ca671b00e56f8cbe33eacaf801311ed2849c93

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
464KB

MD5
fafdc83055409c3c344aff9b24d1b961

SHA1
bb77b17c4a9db7d9c4930fcb2e2711e2d38ca662

SHA256
ccc31c4a68502ed4b7cf31dcfadcd5fe66d0e41ce22ac63e7fea5d80a6dd9bae

SHA512
2568d1f4ce7c95a957f22ed6bdd2b8eb09791d9e8e98da97b6b555a3e445652a97457915955e67233cd5008cdef6ca49a2fed3a49ccc5ef68caf7a7d13ccdb1a

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
464KB

MD5
c2f36f93860de2f59d6ebb6aa333a7be

SHA1
fbad8664964f5da6b5b16bf7af2ee4638b24ea06

SHA256
29f97b336866b596ac7a92c6500b49906729b91712088ac43cc435d8d76eb292

SHA512
18a2f67ca0038d62ba7f69d1deead428a0c6392bb3abcd1739f313d844a2a2051a30be5ad6e1bda7fb52dc695020bb7f1325f8e6fa4b27c176207e1c0ee48b10

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
464KB

MD5
d4e972dbbf0126093a00cfe9e51e941c

SHA1
58034a7f53673e5285973a1b9b67f313e95a0e4d

SHA256
a5c037b132d764ba4745108c3fa70756e092d4eef2c69cc3f1b8e8d4b91beab4

SHA512
0a6b87c2cbe4e117af97a1e46cfea32c95dfe0c6be102b43d3940d08c340a555a2d378c621159f7ca85e5d7f18ea6e2f617239fc9d2bac2f21d55eadecae87a0

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
464KB

MD5
378d3ac2cc2b1d6a3ec4d8ae63639bfa

SHA1
04a8cb004b47ea64810d660c85444e4c6efef39f

SHA256
382e21ead497c6d109095b769aa6e4cf7f0bad35119e22689e7a53506c377ee4

SHA512
54205ea97f01d4aed5460b90ec64545681afad83a7044650a00dba9e93563a647647cc8c79d8f2d2764c947d0acea40e862d6758c9fe5dfda31a90f297b3d9e2

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
464KB

MD5
539312f132f563a6a27ac1343a16eacc

SHA1
2051dd70c72188ab61ecef3bb3d62c224d982e32

SHA256
6f4741b69a2e1dfa8b62502e2ff3faf28a6d8e2e2f558013ef671739cb0a6807

SHA512
f34909e2b61ee46b28d2a90e32763d38a319b345e817988146d4d863cc7251f536dfdd8b5c30dcf0ca053a18b7e5520cb0fc95a1b221dc47ef5fbad65c0057f7

Download Submit
memory/64-453-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/64-521-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/388-8-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/432-393-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/536-560-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/536-406-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/624-421-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/624-542-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/640-540-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/640-422-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/920-395-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1044-568-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1060-522-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1112-64-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1236-397-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1236-576-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1268-32-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1284-144-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1352-132-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1448-120-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1616-424-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1616-537-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1680-160-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1804-104-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1864-88-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1996-503-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1996-500-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2112-488-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2112-507-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2120-562-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2120-405-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2152-504-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2152-499-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2176-112-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2196-76-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2256-552-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2356-508-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2356-482-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2368-566-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2468-79-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-396-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-578-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2652-538-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2860-519-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2988-56-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3004-527-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3004-431-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3048-558-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3048-411-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3124-463-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3124-517-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3176-16-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3356-524-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3388-564-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3400-515-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3400-469-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3444-570-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3568-481-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3568-510-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3584-532-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3840-416-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3840-544-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3900-415-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3900-546-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3912-535-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3940-392-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4064-100-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4124-572-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4124-403-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4184-528-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4208-24-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4296-0-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4320-40-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4328-172-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4336-383-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4404-387-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4408-548-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4408-414-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4440-152-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4472-202-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4484-206-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4620-550-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4660-386-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4668-48-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4688-530-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4688-425-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4712-513-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4712-479-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4808-554-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4868-385-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4944-556-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4944-413-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4968-136-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5060-574-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5060-400-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/5092-190-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads