a9432e488fb8ef9ddf7122d1067cd31c633153a086eb869c898568d96c7ad430

Analysis

max time kernel
139s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11450cc061253c0d8d1bd283c247a501.jaffacakes118.exe
Size

376KB
MD5

11450cc061253c0d8d1bd283c247a501
SHA1

b8975c7b8fe847959339f96a8cedbd5b71cf8974
SHA256

a9432e488fb8ef9ddf7122d1067cd31c633153a086eb869c898568d96c7ad430
SHA512

796757349d635e7e8c9374e5d007647b0e99d6bb5b7896711e07b2c3579a2abf907a97ed1ddb3254520b9b957f6c84633797e16c0e8f80653e07152517daf6a1
SSDEEP

6144:U1I3pf0RVbaPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSpaH8m30gsbi:RaquqFHRFbeE8m5se

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe

Executes dropped EXE 64 IoCs

pid	Process
3260	Ffjdqg32.exe
1256	Fihqmb32.exe
3968	Fbqefhpm.exe
3276	Gfnnlffc.exe
400	Gqdbiofi.exe
2932	Giofnacd.exe
8	Gcekkjcj.exe
1988	Gqikdn32.exe
4228	Gcggpj32.exe
3932	Gfedle32.exe
836	Gmoliohh.exe
5044	Gqkhjn32.exe
1324	Gpnhekgl.exe
4840	Gbldaffp.exe
3200	Gifmnpnl.exe
3548	Gmaioo32.exe
2324	Gameonno.exe
3216	Hclakimb.exe
4632	Hboagf32.exe
1280	Hjfihc32.exe
4324	Hihicplj.exe
3660	Hmdedo32.exe
1020	Hapaemll.exe
3568	Hpbaqj32.exe
4132	Hcnnaikp.exe
2092	Hbanme32.exe
4384	Hfljmdjc.exe
2248	Hjhfnccl.exe
3692	Hmfbjnbp.exe
2396	Habnjm32.exe
4808	Hpenfjad.exe
1388	Hcqjfh32.exe
3980	Hbckbepg.exe
4720	Hfofbd32.exe
3736	Hjjbcbqj.exe
708	Himcoo32.exe
2456	Hmioonpn.exe
3436	Hadkpm32.exe
3252	Hccglh32.exe
4600	Hbeghene.exe
1948	Hfachc32.exe
4992	Hjmoibog.exe
4116	Hippdo32.exe
3884	Haggelfd.exe
4656	Hpihai32.exe
2124	Hcedaheh.exe
4880	Hbhdmd32.exe
3976	Hjolnb32.exe
1344	Hibljoco.exe
2700	Hmmhjm32.exe
3192	Haidklda.exe
1304	Icgqggce.exe
4548	Ibjqcd32.exe
3220	Iffmccbi.exe
1404	Ijaida32.exe
4112	Iakaql32.exe
3860	Ipnalhii.exe
868	Ibmmhdhm.exe
2208	Ifhiib32.exe
624	Ijdeiaio.exe
2852	Iiffen32.exe
3704	Imbaemhc.exe
1068	Iannfk32.exe
2976	Icljbg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ibmmhdhm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6456	6308	WerFault.exe	246

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	11450cc061253c0d8d1bd283c247a501.jaffacakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 3260	1452	11450cc061253c0d8d1bd283c247a501.jaffacakes118.exe	83
PID 1452 wrote to memory of 3260	1452	11450cc061253c0d8d1bd283c247a501.jaffacakes118.exe	83
PID 1452 wrote to memory of 3260	1452	11450cc061253c0d8d1bd283c247a501.jaffacakes118.exe	83
PID 3260 wrote to memory of 1256	3260	Ffjdqg32.exe	84
PID 3260 wrote to memory of 1256	3260	Ffjdqg32.exe	84
PID 3260 wrote to memory of 1256	3260	Ffjdqg32.exe	84
PID 1256 wrote to memory of 3968	1256	Fihqmb32.exe	85
PID 1256 wrote to memory of 3968	1256	Fihqmb32.exe	85
PID 1256 wrote to memory of 3968	1256	Fihqmb32.exe	85
PID 3968 wrote to memory of 3276	3968	Fbqefhpm.exe	86
PID 3968 wrote to memory of 3276	3968	Fbqefhpm.exe	86
PID 3968 wrote to memory of 3276	3968	Fbqefhpm.exe	86
PID 3276 wrote to memory of 400	3276	Gfnnlffc.exe	87
PID 3276 wrote to memory of 400	3276	Gfnnlffc.exe	87
PID 3276 wrote to memory of 400	3276	Gfnnlffc.exe	87
PID 400 wrote to memory of 2932	400	Gqdbiofi.exe	88
PID 400 wrote to memory of 2932	400	Gqdbiofi.exe	88
PID 400 wrote to memory of 2932	400	Gqdbiofi.exe	88
PID 2932 wrote to memory of 8	2932	Giofnacd.exe	89
PID 2932 wrote to memory of 8	2932	Giofnacd.exe	89
PID 2932 wrote to memory of 8	2932	Giofnacd.exe	89
PID 8 wrote to memory of 1988	8	Gcekkjcj.exe	90
PID 8 wrote to memory of 1988	8	Gcekkjcj.exe	90
PID 8 wrote to memory of 1988	8	Gcekkjcj.exe	90
PID 1988 wrote to memory of 4228	1988	Gqikdn32.exe	91
PID 1988 wrote to memory of 4228	1988	Gqikdn32.exe	91
PID 1988 wrote to memory of 4228	1988	Gqikdn32.exe	91
PID 4228 wrote to memory of 3932	4228	Gcggpj32.exe	93
PID 4228 wrote to memory of 3932	4228	Gcggpj32.exe	93
PID 4228 wrote to memory of 3932	4228	Gcggpj32.exe	93
PID 3932 wrote to memory of 836	3932	Gfedle32.exe	94
PID 3932 wrote to memory of 836	3932	Gfedle32.exe	94
PID 3932 wrote to memory of 836	3932	Gfedle32.exe	94
PID 836 wrote to memory of 5044	836	Gmoliohh.exe	95
PID 836 wrote to memory of 5044	836	Gmoliohh.exe	95
PID 836 wrote to memory of 5044	836	Gmoliohh.exe	95
PID 5044 wrote to memory of 1324	5044	Gqkhjn32.exe	96
PID 5044 wrote to memory of 1324	5044	Gqkhjn32.exe	96
PID 5044 wrote to memory of 1324	5044	Gqkhjn32.exe	96
PID 1324 wrote to memory of 4840	1324	Gpnhekgl.exe	97
PID 1324 wrote to memory of 4840	1324	Gpnhekgl.exe	97
PID 1324 wrote to memory of 4840	1324	Gpnhekgl.exe	97
PID 4840 wrote to memory of 3200	4840	Gbldaffp.exe	98
PID 4840 wrote to memory of 3200	4840	Gbldaffp.exe	98
PID 4840 wrote to memory of 3200	4840	Gbldaffp.exe	98
PID 3200 wrote to memory of 3548	3200	Gifmnpnl.exe	99
PID 3200 wrote to memory of 3548	3200	Gifmnpnl.exe	99
PID 3200 wrote to memory of 3548	3200	Gifmnpnl.exe	99
PID 3548 wrote to memory of 2324	3548	Gmaioo32.exe	100
PID 3548 wrote to memory of 2324	3548	Gmaioo32.exe	100
PID 3548 wrote to memory of 2324	3548	Gmaioo32.exe	100
PID 2324 wrote to memory of 3216	2324	Gameonno.exe	101
PID 2324 wrote to memory of 3216	2324	Gameonno.exe	101
PID 2324 wrote to memory of 3216	2324	Gameonno.exe	101
PID 3216 wrote to memory of 4632	3216	Hclakimb.exe	102
PID 3216 wrote to memory of 4632	3216	Hclakimb.exe	102
PID 3216 wrote to memory of 4632	3216	Hclakimb.exe	102
PID 4632 wrote to memory of 1280	4632	Hboagf32.exe	103
PID 4632 wrote to memory of 1280	4632	Hboagf32.exe	103
PID 4632 wrote to memory of 1280	4632	Hboagf32.exe	103
PID 1280 wrote to memory of 4324	1280	Hjfihc32.exe	104
PID 1280 wrote to memory of 4324	1280	Hjfihc32.exe	104
PID 1280 wrote to memory of 4324	1280	Hjfihc32.exe	104
PID 4324 wrote to memory of 3660	4324	Hihicplj.exe	105

C:\Users\Admin\AppData\Local\Temp\11450cc061253c0d8d1bd283c247a501.jaffacakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11450cc061253c0d8d1bd283c247a501.jaffacakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\Ffjdqg32.exe
  C:\Windows\system32\Ffjdqg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\SysWOW64\Fihqmb32.exe
    C:\Windows\system32\Fihqmb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\SysWOW64\Fbqefhpm.exe
      C:\Windows\system32\Fbqefhpm.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        25⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        28⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        30⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        37⤵
        Executes dropped EXE
        
        PID:708
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        39⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        49⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        52⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        54⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        56⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        57⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        64⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        66⤵
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        68⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        69⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        71⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        74⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        75⤵
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2920
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        77⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        79⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        80⤵
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        81⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        82⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        83⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        84⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        85⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        89⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        90⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        92⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        95⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        96⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        100⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        104⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        107⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1296
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        109⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        111⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        112⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3592
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        114⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        116⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        117⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        118⤵
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        119⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        120⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        127⤵
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5040
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        135⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        136⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        137⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        138⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        140⤵
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        141⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        142⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        144⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        148⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        153⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        154⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        155⤵
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        156⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        157⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        159⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        160⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        162⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6308 -s 404
        163⤵
        Program crash
        
        PID:6456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6308 -ip 6308
1⤵
PID:6424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
376KB

MD5
43499bbc45cc0a01a1411a86f30c0ef7

SHA1
22895cac0e1a42fb7f3ed680b4ad6628aac18e3a

SHA256
3a9bc52c117f0f50a1b49d0750b7a5f78c3624ca6610bc9047c547853d0a96db

SHA512
3b0cd7077434800f1d77d9c33bca1cfce8568f810f86c4821fc9948f424cfe18023c93c2de50f7a23850dfc21d196ec9aa1022cd6d98130a70e4ec43f005a637

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
376KB

MD5
48d4fc7e0c83fe662bfaeb8518d57489

SHA1
608e9e3abb8cefbf478f73d02adc36f5ed543fb6

SHA256
212c94e409c70bf4930c1579ed9e5424652292fdb493400f4b8a379d6f032577

SHA512
4540edd5d32ce25853b6b25ccf545eca9e3099b37f018987f789f0b76659d55e7229686062c51f6fb58f2adfe5dfba0184e1719231930310d0c3b5438d06e570

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
376KB

MD5
ba8b9873abaa1bebaceb1db061b2f8e3

SHA1
d9d2509d6ee071a1f5b8ad557a76640da2a6f39d

SHA256
222173e7d5cbb6b647a67644f0ccedc21c0585f2ea7ddad543cbf4df3c3d28c3

SHA512
2080f4ecaa2311a81baf1a88b296547ee263b2956cc2200fb1d65921cdd63aeed3a779b2447e39bff2d833e149d238979522aa9d5e255dc48cb4333adbdf3691

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
376KB

MD5
85132a6d0cc43a9a29404e2834ddf1c5

SHA1
4b086f1b195a704042871bfbe96beff7d6b9040b

SHA256
c6e1cf3e814d9d180c6e9473188da2dd6559a55c464aa6bdfa57ef6572bb5747

SHA512
040d2a1e6c6f597b2a7298fe15a15ddbb34115385d0c49a4ac52e6fee7f2247b2a893c416f525c259075a035b6403b0c04b8571f3389cef89e6e4efb2acd27ca

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
376KB

MD5
8e6fbd13edd07a5229b0871c737b8a83

SHA1
6100d137a8d47dc56d17003490710084088f1fb9

SHA256
4192dcdc00bf80c04be20eef0f37e861a65a806de29fa27a6e17acbaf4c98621

SHA512
dee4a7bc600b513186ea5460f873412e55fdbe7f75dbe7a36ca43cbecaab1d46e4add6b2ed7336e9c5f1a1c62d7052af63f68584f7690cf5a4eecfc3178378bb

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
376KB

MD5
e3e1d163dee084967625a90f137a2435

SHA1
1e9d54e085eb898b75f8a433fc7395daaa822eb8

SHA256
69e8616a8b090ec7c5b3c58da6e53439c381dbbe31e05e68f63d930c063bce05

SHA512
50639d809f65204a404aa25e9cb66b45035330569aa5df8d94bd54eff5d81725daae9d32c14584b38e160b1f74ebba330a7b489c034a8d07535f178e667a800a

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
376KB

MD5
30189e806ec78051b0bc4dc63247a128

SHA1
8a590efb8dd3a7b96d9c60276a26862c61e30fc0

SHA256
8ec43fc5f87b5e5364257080e38b20fe772b460e48888b8bab8ba227a340b4b4

SHA512
263b2937cf6d142bc541ab35aed959a00d94efba92944b76a882faffb33ccc2813466b6a5985cb90d0f1f839c833069c08c924449b2ef6a6e8ccb42d212ebf34

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
376KB

MD5
7465ab013e7a31bf484493cc5aa9a547

SHA1
818fb86734db8672c61f0d07667cd80fe5210675

SHA256
2cf83d07916ebaf8d1960411a4518333f0acdd05495fac9d8a7b3fa59720f96d

SHA512
bee4f9496030311ed970eabaecb97275a60c06b4a20bd862b83250a49040747ca8858834aaf18fb3ab5b49b8a8cd9c1c679b3b899f1db831ed9e1d969b0c1aa6

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
376KB

MD5
42d1eb36f6e984aa1cf726379656ade4

SHA1
d193c53dfe55a1cb475ca1d901100d79e4665a9f

SHA256
415764a018287d114cd41b92236ef76582ab62024e00dd94c78f6fdb62149c55

SHA512
f8626d3c7a1b49b71a8dddb7011cc730bc9e0789cbeba4a61af3c86ee987aabb1a20af15292586f894738630ae4ef13b7a116a16308ad1ae7810fca1ca576ae0

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
376KB

MD5
553af3dec1f579546e76ffe2f7ba913f

SHA1
9191775c04add1a3c637d4e1758110bb922d8cd3

SHA256
0e430f09c62e728930cd62c9bb485b8dace040623da8b84c026915282a850735

SHA512
693476cdd470b414074ca2c5030c55afc944186b080ad2114a65a1a13c736072bd83a7d2cc9343674dd702e6e03e1651b91b03489019e4881c7733321ab77bfe

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
376KB

MD5
85555134feca4600e011c2986f8125d0

SHA1
821220955086012992e695fd7c7eac4f6b37b1b1

SHA256
db8c96794ac6d46932dd9e2bad387046961fc58a8b894dfe9a69ee6c8a40b09c

SHA512
335d718d50dcd5af2a5f4646957e45ca1aa8d2c186dd68ea4f91210d2d0911a9834c58f7a16b3c4f545e02ced5ee19a66bdcbe676d7539e4a4b163bbd527d37e

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
376KB

MD5
4790ea21b3b5bc14887aa78a342fc528

SHA1
4219bb88e522dd32c891e7c458176e68aec967de

SHA256
23bcf1a2b8dae5747affbeea42df5b830ac3c9268ccd9e92ba83590d54e3cd7f

SHA512
0694d7d5aa3874f1279599f008de00ddb150eb8f2239050eb19492a82486e606ce8d9c25d431e7151812126c4e518a1e7388b4dde21006f700a4966eeb41c0ac

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
376KB

MD5
a5488d42a8b91de41e546985ea503bc3

SHA1
6ba7494be8d098984d06c22055065bb9a5bed888

SHA256
95c6031c5e7d50f75f1356591025bbaefb432c4c6d47b5fcd9c74932712b4bec

SHA512
43b93e19fd15409e0881c7b7a55980cfb3e45c2e76bea5d9c0d2c241add643c0c5b773e316a11cc93c37257d1faa54bbb4f8fedbee87ef38678470970ca4fda3

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
376KB

MD5
84ac4937a223373f56f445c9e85f8a84

SHA1
ebe67c2fbbc9dd28250ff6133bbd5b4136d19446

SHA256
764df2c7ba8e7915e07da69fdec50f0c7487e21a7aa49ffc66d4d162a1a021d9

SHA512
9db63a401d44487de89df8c1593b8635a9e94d9c75cc4dd10d7bc7314d9093522f59f394a9b42f556333208b3a7f47f582e423958fbafe0b5e999b0a6e81bf52

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
376KB

MD5
99d3c034979099245be029d6a14ed6b7

SHA1
0d45db2e84baddc9163e56b041239d89331d7395

SHA256
3ec53491d90cb1d9484fe1655ed235741b20755bf4354f017243157ce67634a2

SHA512
2008232466344b85a3fa73caefad8847ae3e262dd0f58ca6134e3e905be9d57d16afbb7c2037e412e7c50526ca9fdbe937bb92f3dea55a05e0258b8e4611ebc1

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
376KB

MD5
bc0a109fac6393a4f0be517bbdfe8ca3

SHA1
379ce799a01996edf82d7cc196bb8040261ddf17

SHA256
5bc9fc49ca12be40451f1884d1231153708c527348c93cb4d4818f8e84be57b7

SHA512
c6c0190ba9f714e7413a270c9798e015b4297230f3283ce713dbe9868f5bec37d16ce0947880fba9eebdd262b144d0345d40eea4736ea4e64ce01b522e49b529

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
376KB

MD5
717b7fc811f0cbc799836d48b744dde6

SHA1
8faa9e66b189929a2b3fc30564c166ff6266ad20

SHA256
baea87f0d3821cbc7a37b0f80d52720759d1fdf549c88bc0434140fb970f4e5f

SHA512
43ad31538277a340dbdab3e87b0f49450b3e25db2b469f61afbd7ac88279d7550141f6b1b3ec711319788ab335f5a6489c9d6b3b892b5cf22614f4346f11ef38

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
376KB

MD5
bb81b810e7bbc37832e8cb094f18f7bb

SHA1
fc701dd211cda8d0986c64a6f11aab3d21514575

SHA256
a41129db70831d75b5ef25e32e163dc73f4505dbd7699d2bdcba4c7b3030fc6d

SHA512
824c3457c4a2ba9c2630520ab514b51b82778a7a32db4f11aa3e160be230c5b7394421fb6efd695e19d8499b7d8f1ead0367e2702f267f8e65367e8784b5eeff

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
376KB

MD5
250d45bbc4a0914c72226349910f4bf9

SHA1
d941b8a3fd0a905ffc562eedfe0ce3df2b8da194

SHA256
9aea95b8bb304517f1bb1fc8d7f4106d42868670b57e5f1312e61ea1781cecbc

SHA512
984425016fb192a12c6b166a1ddc14b8227c618a2ab6eb1358b8fe2cb642b6c33df12c1ae9df6cd8aced9b04bd76d162f79039a0d58c29159b1fca1b55445012

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
376KB

MD5
d0e889dd8fd82816bf7f1d296d2f443e

SHA1
dbbef9244b1d10a8b133b0ee95e77e784908763d

SHA256
a9bc913021720a1c2af77a1f94a8a62bf05a48a91ae64c2d3e7acf94b61c7520

SHA512
12f00eda46bff85ae71dedde5bcd12f328fc5f53411a470246b2d64bb172f7eccc6c75d9ccd92330995e8e1420a834d5103895a23e613925923475fd3af8f125

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
376KB

MD5
bdb4c9f6f4c6a6e7a043c9de8731f317

SHA1
a873fa7575ce664cb2740dd7b1a79ab8ab08db3a

SHA256
5f9583f8847314e34c7ed3bbe9e5d23ec082fc3a74edaf5b6f7f8f28afc64c0a

SHA512
6e452109475c0e13ba3623ae690275b0248fa436d56707f884dd18ab4518cd969bd12de321c08170c279fd10cbd14f8b558cb38ef16a79a84058c0fdd7b833cf

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
376KB

MD5
c2f1a962aa8170ec804959b60c95e545

SHA1
21b66cb8653ff9cd3aabfec806e504d394152c91

SHA256
82d7633bce69e6501ed7890ce7b4f8b6d32bcc9671258cc3cc4cbd2ab6af8e5a

SHA512
ac788407557ea4af0c59c93e63cf42449b348ba7a6a1ccf79279148d0d9fecbf3e30a8620844d0b7e318a4653216c25ceb78087238d95285b39f3458e0779255

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
376KB

MD5
f9a0bf1fbf32284547fed5f62d22faac

SHA1
80be28f301804e40261b6e2ec6d52fb87030d6b0

SHA256
e972f1dc75b8ba33428a1e55eca7280059e46e25d1f9b995ca61cfa65d489010

SHA512
88efdaeb3fa40f5ddd51a3a169bb2e7d1a043da22840cc6dd379c4ad2f32fe9e73efd3269f5ff31e0a53a0d126f5d1fa61658aef5a7eae45279f6696d7307b89

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
376KB

MD5
5586cf53b286544131c693a5495f7f9c

SHA1
b3922b0a9d6548d2c8c3c203cd9d29424860d6b1

SHA256
98c95f1c7d0a16369e03f0077c2b268468a7d98be2fa2791ccbfdb7adee8455d

SHA512
3bd510a2546f21eaddf9f5f569f05993ac4b061f8058a12e307ab21c3b628d872cff5615f0f86aa4b3ffb79b47889dbe8698a0ebee82187dc3983057572e05f9

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
376KB

MD5
9ec54cc8f869752debd3692a25b41a77

SHA1
a06980fb4f1107533e1fa6c184523e5f8cd86b8b

SHA256
586894cbce67e50959a31e280b21f702c56e97ab0cba7033f438e7dcfecb357d

SHA512
d45569ed866a5415fe606fb09e8c6aed9533165de5cc4f740dcd4bbeb5265ad637ab63555fc31de540627c82ba6e374d6c79de680c52e85d22cae6e860e52202

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
376KB

MD5
45787727f00c601d4793a9fbe68f9623

SHA1
3c9e804297abf3b7661c8b86971ba0e927b21290

SHA256
8f2da7681144fc1eb14b6a26eb49afe7957b089cc61bb5edf688de35f2d105a9

SHA512
26bc6868b7d7107bb2c1a3cff70af9d294a7d02fbe920925e0c52b324a84f49559b91558b651aa9f13a08568ed8fddba11566ed02ba1674eb0391f3f1e52038b

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
376KB

MD5
c317516e9d58eb8d59a52cf195ea6b23

SHA1
16f580b2c5321f661a0d97701fa23489397784ee

SHA256
9dc11e90cd7bbef9e8b9770d354b9fe79dc48398886931bdb47b26dfd8dd4cb6

SHA512
0f108aca760ee2955e1036a618aae796213ddc8fae3aac3b34acb1867bc7ac650f696ea73fce7117b670eb8f0016cd46d87fb873c18b5496e1a4a755d3cb41df

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
376KB

MD5
0ab90ddd16a953fc635dc39f6539cdee

SHA1
3e4a60b1b107053f1c341248cb32b8c9112f4f0f

SHA256
c5c5fe153e43430ba50c5493ed490635a47afb046227dc25c943ac1688e3ca8b

SHA512
9a576ca468842a16f3d2f46259d650cf84e0ff889bebb4eb08f77f4e3e40e2f73713096dcdc26884fdff264500062c50adc2ba290373e6d88a070a9addf09fd0

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
376KB

MD5
5676d047529cb83fe1cc61ce7ee752a1

SHA1
e40832f02783e9454f87e72ffa67bd611d766629

SHA256
e0cff2f13f379a992e66a45813d61baf7bba7d8d0777c62b207a1866c1615c3e

SHA512
ec2d5a3e9dc4f801a47f9eb88bef01cb266af109fb47cc384748eadc3c93ba1248936cf0aa03c1738bd1c24bbdcecf526ae2aa154cb05c42feb720e3b256805a

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
376KB

MD5
cdef9a48b2c226bde77262ba7f96b03f

SHA1
ed4ce41f746b9c26bab6008fa91b62ff66d13e78

SHA256
d338f41262c037e5e8f69f35a48076a2cd18d9ddea20a5bb04931a224ca21ccb

SHA512
cc41fe90097c3a4fa4f6e617f01b1030bc44f52900639b2580ce70aea8c039b03f8e4c2149fbc8f9220f9d8f09ebaaf484c0190a338334fb966010088a2f9187

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
376KB

MD5
695f780d0edb8bc5eb25e1c5875a6a37

SHA1
fd68094b59ac3ec8ca1e6df2e9516b71547fef9a

SHA256
76d05d309c1a80d6b052c48dc33ec83ced55ee9d414c57400e902380d1a2a2dd

SHA512
ac70a4ae703bf19d8b1d4e647fcd3058e53a476072a690f6e75d8f56e3cc778a82c916608c93429c7b4b28472ae9b22c67c0cdabdba2f75bd268dfc157891e9c

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
376KB

MD5
f22f2cde456a582b0e5f5038cdf842ea

SHA1
07657f68ded9c9e2bfcfcf2b2695373171cee86c

SHA256
71a6f80cb2924e344bfe6652f582acefd9a5af5922bbadc6a331543f17d0e2a6

SHA512
7dba7870b7e89fc0cff92c6368dbda1de300165c8a2b1bbb9629beeac186d1644e7693e099a1b6b370465e27b2d250895028ca82cb46e4cb8b258ff6a15a7ae9

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
376KB

MD5
168eb515448bc36f2410e019f7c271f7

SHA1
395e422c7632768fea695780ea8dc0905d4d97a3

SHA256
749f2a2860eda2e4c0926b50fb8b8bc25b535c07e74fdce92ecb0353ef15d063

SHA512
16a7887e00792d640f70f2b493d98840f3de391f5cad7de6263c859e78a1b663d94e1b8dbd683f90cfd9905283d37a549aec58eb9f37956440a1e77a45835841

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
376KB

MD5
9161eb8aa027948eb2f228455c55545d

SHA1
5c85a627cd54532bb7e85a501eb69e7e403e0c86

SHA256
40529113efb0be06dc6260338ae295d346c5b7e0ba30be3da23740bb4cbbb447

SHA512
bb0382165c652b19f3898c39b69703e612e8f67affb5155c452229ba4d4f0e5fcc96e43b9c68fe8e4527cb0a5bb917f613cd4d97c395fbe9e13d565e204de698

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
376KB

MD5
6f188ef75a4b64e880dab8882c15bc2a

SHA1
929eb03ccd9621623d2d991aec511dfd0433b1d0

SHA256
bc8a6f47df6e4162b0781b7edd6d35ae59d6513ce734bcc00f8a4cedc141f219

SHA512
fa7e4291014274ec34608d85ac4615180fb2219baa9887dc2ad539c0892f6acf0fcb96558355a1256c8f7152314082e6e4a7eabe8be237cd8f6d60eed2b2e1d7

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
376KB

MD5
b8db0bf0096f25d4a1573d2776037489

SHA1
ac103ae9aa602350b4e3e52d40ebb4e5fff0a951

SHA256
ef82c2f93677dbf0cbc873d4e8be40a41f0ba66c18c8bbee24630c451f6e3706

SHA512
2f1a90232bc966d5646cdcb4f9af8342fc677e42a4a35370a2940ddfb3c9891bc7471b51e68caddd945a5cf5933fdf749677de77bb1e3bcf06bf3870d899718e

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
376KB

MD5
b9836b39688b721b35acc8e724c88276

SHA1
29157bec73fce5387c849072018401dd58dc61c2

SHA256
8a943eba9a0b5c51da01aea007eb5e84e6f2996b83198ababc3c448767c7509b

SHA512
109fe8630f791518c245e9e9fbf0116e93bbe96236864ee1084b1e8d2f31eb1e839dab120694ac1bf01ec96221d9259dfe444fec25fd39c6158fc738767f2f27

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
376KB

MD5
58f27e424834b42478dd9d2e5623e824

SHA1
34554ede2626e6f9d2a87c3d304b31c260521582

SHA256
29c49f4b6a4f57ab6d8b221c88c48d9a7b2d8affbebea363052312fb629cafcd

SHA512
81e7d435845d11eb8d42ad7ea8f19c91654cd4e6ba773ad312f00f70f1fcb6e0b729a28a082dad2d2a6899b76ac649987943778901cab546f9eed9afea2b53cf

Download Submit
memory/8-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/708-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-629-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/836-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1068-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1256-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-631-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1484-640-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-628-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-630-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-638-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3220-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3276-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3568-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3860-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3968-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3976-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-636-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-627-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-626-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-639-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4992-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-641-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5172-642-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5212-643-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5244-644-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5284-645-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5320-646-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5356-647-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5388-648-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5428-653-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5464-654-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5496-655-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5536-657-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5568-658-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5612-659-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads