2c2816fe1cdcd090cc84e3e21cffda5e1f8e090c6e6fd7cba2e83f5097275753

Analysis

max time kernel
135s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0efc4f6de93b6d15c3eb57ead30fcba3.jaffacakes118.exe
Size

128KB
MD5

0efc4f6de93b6d15c3eb57ead30fcba3
SHA1

be22397c8c48199c848ccbb881bc6d13068a41da
SHA256

2c2816fe1cdcd090cc84e3e21cffda5e1f8e090c6e6fd7cba2e83f5097275753
SHA512

54598a7da5dc2b3709abb89ff1a025bbaebd4053d5f342dfd02aafcf1b8db18330a2344590d20dc3b298159cf42b594ff7efed7640b31f15606be5b9f3084db2
SSDEEP

3072:OnmyKFicAnjruh5v2y/BCGU2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:OBiV8b4BhHmNEcYj9nhV8NCU

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0efc4f6de93b6d15c3eb57ead30fcba3.jaffacakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/1540-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000c000000023b36-7.dat	family_berbew
behavioral2/memory/1196-8-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b96-15.dat	family_berbew
behavioral2/memory/1504-21-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b98-23.dat	family_berbew
behavioral2/memory/3676-25-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b9a-31.dat	family_berbew
behavioral2/memory/4920-37-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b9c-39.dat	family_berbew
behavioral2/memory/2500-40-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b9e-47.dat	family_berbew
behavioral2/memory/5420-48-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba0-55.dat	family_berbew
behavioral2/memory/4788-57-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba2-63.dat	family_berbew
behavioral2/memory/3628-65-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba4-71.dat	family_berbew
behavioral2/memory/1432-72-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba6-79.dat	family_berbew
behavioral2/memory/3872-80-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba8-87.dat	family_berbew
behavioral2/memory/1888-93-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023baa-95.dat	family_berbew
behavioral2/memory/2136-96-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bac-103.dat	family_berbew
behavioral2/memory/1008-105-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bae-106.dat	family_berbew
behavioral2/memory/3388-113-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb0-119.dat	family_berbew
behavioral2/memory/5524-120-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb2-127.dat	family_berbew
behavioral2/memory/2584-128-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb4-136.dat	family_berbew
behavioral2/memory/3860-141-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0031000000023bb6-143.dat	family_berbew
behavioral2/files/0x000a000000023bb9-151.dat	family_berbew
behavioral2/memory/4768-150-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/6140-153-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bbb-159.dat	family_berbew
behavioral2/memory/5480-160-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bbd-168.dat	family_berbew
behavioral2/memory/384-173-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bbf-175.dat	family_berbew
behavioral2/memory/2484-177-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000b000000023b92-183.dat	family_berbew
behavioral2/memory/1296-185-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc2-192.dat	family_berbew
behavioral2/memory/5124-198-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1028-200-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc4-199.dat	family_berbew
behavioral2/files/0x000a000000023bc6-207.dat	family_berbew
behavioral2/memory/4100-209-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc8-210.dat	family_berbew
behavioral2/memory/5292-221-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bca-224.dat	family_berbew
behavioral2/memory/4212-225-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bcc-231.dat	family_berbew
behavioral2/memory/1900-233-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3688-241-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd0-247.dat	family_berbew
behavioral2/memory/1688-249-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd2-256.dat	family_berbew
behavioral2/memory/2728-257-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
1196	Gbgkfg32.exe
1504	Gmmocpjk.exe
3676	Gcggpj32.exe
4920	Gjapmdid.exe
2500	Gmoliohh.exe
5420	Gbldaffp.exe
4788	Gmaioo32.exe
3628	Hclakimb.exe
1432	Hihicplj.exe
3872	Hpbaqj32.exe
1888	Hbanme32.exe
2136	Hjhfnccl.exe
1008	Habnjm32.exe
3388	Hbckbepg.exe
5524	Hjjbcbqj.exe
2584	Hpgkkioa.exe
3860	Hfachc32.exe
4768	Hippdo32.exe
6140	Haggelfd.exe
5480	Hfcpncdk.exe
384	Hmmhjm32.exe
2484	Ipldfi32.exe
1296	Iffmccbi.exe
5124	Iidipnal.exe
1028	Ipnalhii.exe
4100	Imbaemhc.exe
5292	Ipqnahgf.exe
4212	Ijfboafl.exe
1900	Iapjlk32.exe
3688	Idofhfmm.exe
1688	Ifmcdblq.exe
2728	Iikopmkd.exe
5080	Idacmfkj.exe
692	Ijkljp32.exe
3036	Iinlemia.exe
2524	Jaedgjjd.exe
4680	Jbfpobpb.exe
3996	Jfaloa32.exe
4908	Jiphkm32.exe
964	Jagqlj32.exe
5372	Jdemhe32.exe
428	Jfdida32.exe
536	Jibeql32.exe
3724	Jaimbj32.exe
4948	Jdhine32.exe
460	Jjbako32.exe
216	Jidbflcj.exe
1988	Jaljgidl.exe
5668	Jdjfcecp.exe
3092	Jkdnpo32.exe
4036	Jmbklj32.exe
4288	Jangmibi.exe
5572	Jdmcidam.exe
4384	Jfkoeppq.exe
1484	Kmegbjgn.exe
4792	Kaqcbi32.exe
6044	Kdopod32.exe
372	Kbapjafe.exe
4572	Kkihknfg.exe
1288	Kacphh32.exe
2632	Kdaldd32.exe
3976	Kgphpo32.exe
1908	Kmjqmi32.exe
3580	Kdcijcke.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hihicplj.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3632	4956	WerFault.exe	224

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	0efc4f6de93b6d15c3eb57ead30fcba3.jaffacakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0efc4f6de93b6d15c3eb57ead30fcba3.jaffacakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1196	1540	0efc4f6de93b6d15c3eb57ead30fcba3.jaffacakes118.exe	83
PID 1540 wrote to memory of 1196	1540	0efc4f6de93b6d15c3eb57ead30fcba3.jaffacakes118.exe	83
PID 1540 wrote to memory of 1196	1540	0efc4f6de93b6d15c3eb57ead30fcba3.jaffacakes118.exe	83
PID 1196 wrote to memory of 1504	1196	Gbgkfg32.exe	84
PID 1196 wrote to memory of 1504	1196	Gbgkfg32.exe	84
PID 1196 wrote to memory of 1504	1196	Gbgkfg32.exe	84
PID 1504 wrote to memory of 3676	1504	Gmmocpjk.exe	85
PID 1504 wrote to memory of 3676	1504	Gmmocpjk.exe	85
PID 1504 wrote to memory of 3676	1504	Gmmocpjk.exe	85
PID 3676 wrote to memory of 4920	3676	Gcggpj32.exe	86
PID 3676 wrote to memory of 4920	3676	Gcggpj32.exe	86
PID 3676 wrote to memory of 4920	3676	Gcggpj32.exe	86
PID 4920 wrote to memory of 2500	4920	Gjapmdid.exe	87
PID 4920 wrote to memory of 2500	4920	Gjapmdid.exe	87
PID 4920 wrote to memory of 2500	4920	Gjapmdid.exe	87
PID 2500 wrote to memory of 5420	2500	Gmoliohh.exe	88
PID 2500 wrote to memory of 5420	2500	Gmoliohh.exe	88
PID 2500 wrote to memory of 5420	2500	Gmoliohh.exe	88
PID 5420 wrote to memory of 4788	5420	Gbldaffp.exe	89
PID 5420 wrote to memory of 4788	5420	Gbldaffp.exe	89
PID 5420 wrote to memory of 4788	5420	Gbldaffp.exe	89
PID 4788 wrote to memory of 3628	4788	Gmaioo32.exe	90
PID 4788 wrote to memory of 3628	4788	Gmaioo32.exe	90
PID 4788 wrote to memory of 3628	4788	Gmaioo32.exe	90
PID 3628 wrote to memory of 1432	3628	Hclakimb.exe	91
PID 3628 wrote to memory of 1432	3628	Hclakimb.exe	91
PID 3628 wrote to memory of 1432	3628	Hclakimb.exe	91
PID 1432 wrote to memory of 3872	1432	Hihicplj.exe	92
PID 1432 wrote to memory of 3872	1432	Hihicplj.exe	92
PID 1432 wrote to memory of 3872	1432	Hihicplj.exe	92
PID 3872 wrote to memory of 1888	3872	Hpbaqj32.exe	93
PID 3872 wrote to memory of 1888	3872	Hpbaqj32.exe	93
PID 3872 wrote to memory of 1888	3872	Hpbaqj32.exe	93
PID 1888 wrote to memory of 2136	1888	Hbanme32.exe	95
PID 1888 wrote to memory of 2136	1888	Hbanme32.exe	95
PID 1888 wrote to memory of 2136	1888	Hbanme32.exe	95
PID 2136 wrote to memory of 1008	2136	Hjhfnccl.exe	96
PID 2136 wrote to memory of 1008	2136	Hjhfnccl.exe	96
PID 2136 wrote to memory of 1008	2136	Hjhfnccl.exe	96
PID 1008 wrote to memory of 3388	1008	Habnjm32.exe	97
PID 1008 wrote to memory of 3388	1008	Habnjm32.exe	97
PID 1008 wrote to memory of 3388	1008	Habnjm32.exe	97
PID 3388 wrote to memory of 5524	3388	Hbckbepg.exe	98
PID 3388 wrote to memory of 5524	3388	Hbckbepg.exe	98
PID 3388 wrote to memory of 5524	3388	Hbckbepg.exe	98
PID 5524 wrote to memory of 2584	5524	Hjjbcbqj.exe	99
PID 5524 wrote to memory of 2584	5524	Hjjbcbqj.exe	99
PID 5524 wrote to memory of 2584	5524	Hjjbcbqj.exe	99
PID 2584 wrote to memory of 3860	2584	Hpgkkioa.exe	100
PID 2584 wrote to memory of 3860	2584	Hpgkkioa.exe	100
PID 2584 wrote to memory of 3860	2584	Hpgkkioa.exe	100
PID 3860 wrote to memory of 4768	3860	Hfachc32.exe	101
PID 3860 wrote to memory of 4768	3860	Hfachc32.exe	101
PID 3860 wrote to memory of 4768	3860	Hfachc32.exe	101
PID 4768 wrote to memory of 6140	4768	Hippdo32.exe	102
PID 4768 wrote to memory of 6140	4768	Hippdo32.exe	102
PID 4768 wrote to memory of 6140	4768	Hippdo32.exe	102
PID 6140 wrote to memory of 5480	6140	Haggelfd.exe	103
PID 6140 wrote to memory of 5480	6140	Haggelfd.exe	103
PID 6140 wrote to memory of 5480	6140	Haggelfd.exe	103
PID 5480 wrote to memory of 384	5480	Hfcpncdk.exe	105
PID 5480 wrote to memory of 384	5480	Hfcpncdk.exe	105
PID 5480 wrote to memory of 384	5480	Hfcpncdk.exe	105
PID 384 wrote to memory of 2484	384	Hmmhjm32.exe	106

C:\Users\Admin\AppData\Local\Temp\0efc4f6de93b6d15c3eb57ead30fcba3.jaffacakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0efc4f6de93b6d15c3eb57ead30fcba3.jaffacakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\Gbgkfg32.exe
  C:\Windows\system32\Gbgkfg32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\Gmmocpjk.exe
    C:\Windows\system32\Gmmocpjk.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\Gcggpj32.exe
      C:\Windows\system32\Gcggpj32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5420
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5524
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6140
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5480
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        32⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        41⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        44⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        46⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        48⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        51⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        65⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2496
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        68⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        69⤵
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        70⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4648
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        73⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        75⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        77⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        79⤵
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        80⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        81⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        83⤵
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        85⤵
        Drops file in System32 directory
        
        PID:728
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        87⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        88⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        89⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        90⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        91⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3256
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        94⤵
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        95⤵
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        96⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1916
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        103⤵
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        104⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        105⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        106⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        108⤵
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2996
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3612
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        112⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        115⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        117⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1460
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        120⤵
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3400
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        124⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        125⤵
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        127⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        128⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        129⤵
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        131⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        133⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4928
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        136⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 408
        137⤵
        Program crash
        
        PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4956 -ip 4956
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
128KB

MD5
90de3c8e7a02603771190a27670ad68b

SHA1
723b9af62923577f2be61d60a85b625b52ae329e

SHA256
f1e6e058e2fca3544eb0dbc8fa93e1298cb8faafc9816ff72f047f9ea5bffc05

SHA512
1ce37c13de49594db9f40e283f0ff3f0f3cd6d54fe28971f53ca8d85d74bd6ed4c54100f2c868038907607f275c777fa258d8d3fa6959a643544fe4eeed1c820

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
128KB

MD5
5ebb036e8e257ca836cc6ce1378e5e11

SHA1
6f9662fae4d701696393946e04afea94f4297e2c

SHA256
e26190b5ca35a61d93e37f10c229abdba1a542072da12fb096051b270d08bacc

SHA512
35283a6f0d758bde85cac3bdabc1eb9ace2e6974045796aaf7fb2dfba7a7bf46dfb28041e70f94afe12444d878b0ab41adb517477455715642341610b9d28c44

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
128KB

MD5
c56a417f25e47ba9345920ce0f9318b4

SHA1
2797697831d7504db0f3f5b3b1047086a7ce6710

SHA256
7cc8fe9abf756b65fee79c325c5745ff2e63c5cb6508a36e9e1111c2810f7006

SHA512
d89d3c0c8e690083626e9a9b2e18f843e1ac3dcbf21de693287880a3344a89ac3d1ff38bbba599d0c80b861876b75c751b9245b870bde68bf790529d25dcfa84

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
128KB

MD5
e1341b2dda1032d95b5317a2b3f2653e

SHA1
6903d4eb0aad38db84c91f466e191530d490e688

SHA256
eb0ac9a40a41fc47464e8528b1b7b599fb8fce96083a6e95c850d95c54f70cfa

SHA512
420aed3cbdb3b846673ab151f360b7e7431345e82d2c4b58b3c8a14931271c1d52a7e952835c55d6b3a649805161cfe9b1741201470949ae8d4cc35ef160eb00

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
128KB

MD5
468f7e43880fe692f9c3157e8a33c325

SHA1
ae68a1c19de4e28c8bdf98d96e5d0f35c71653b3

SHA256
edbadadd3535bd07618405282849ab6e0daeb6e750fa048b2dc5131fcda352c7

SHA512
a13d20e2f4c2346cb6d805202986766b8cccf5cde101e34afc8abbb2a2c9def02c74422a83f69d3ff584dc542bc3d172b996a5374966cb0256171f3d2027e5ee

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
128KB

MD5
d1636324a857f9c4896d1239a0ce5e88

SHA1
7ff4f50c8b0d8f631c552b32a3f763a1598a180c

SHA256
c802d81a35dc362545f960474f58fc6ccc7dfa8f461f8c12efff2e93bc15407e

SHA512
a8da7c7a3b3a9854216923050039e82ed6ec1875f20b2f58ffee7165b114ad9dcb37375b06d319e6e5c4b1cfed8a0362545726211e7bc8d58959dccea3f8b75c

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
128KB

MD5
ed6052c945a04354f433372deefd46ac

SHA1
78c882ca934343e70517446da6d9ee1f8d01bcb9

SHA256
d361731a6a02cf16f603784e92b73f13a1cea87ed09a7a6de7b223359ab11e42

SHA512
f65b65f87b2315638f80960750a622ea7528a4f708bb55b4131361caed9fc61056bae88e4e3d70689eeccaee1f507942e412eb7bcffaf4b82dea56dcd60ff711

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
128KB

MD5
57625bfdf49b20dcc0683b468c5f8a62

SHA1
f6fb7533c6a5b7bbaeed9e96724cdd626e5f20c6

SHA256
4e0c756b3c9bd204bb451942c04c9d1b4cd7a2289dfc03ad8a5577c080ff9d40

SHA512
17caa36015955329e68f52c05623bf6203143e4694914fd9076471387f31ece604d6b449499b01dc6671b06acfad7a51f43a0d5c4253f2ee3e07016bafcc387d

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
128KB

MD5
07ec3c4cacb171085da0c523bd4f577d

SHA1
e2c071c8aa8d376476ebb41efb38fa8d1a7b6f5b

SHA256
2f143e5405b9ab0d42c3734289fa293cb25286efbe8ffd6b16b14b131b98e76b

SHA512
54f3853e7ea448f8e1c2284c33c67c8c1d002dad2f4364dfc97fe763226559ca73a13ac412eb0314a8c3d9271d892e19fe94e34e03e07107b2d111611cbf0023

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
128KB

MD5
b3dae30c8fcf2cb6cb0cecfe4800fab1

SHA1
01970652d736c3f81379cf4b7cb37e7192e057e1

SHA256
a5cf6e7ab7d3302ef238f8eb22f628780b10629d64d2a156e5f6db24e6269667

SHA512
678f3f32bbcd7afd6a29950f91760fd12ce314f2015425c03d09f1582b35eea618a62b9e0ebf2324a9572c41417f89aa012efa9954d85827d05fe879b5b92163

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
128KB

MD5
6fb3077e129af02939054d7ca490b392

SHA1
c743d44b44a55761e2af9f9434adecce653032bf

SHA256
1b2785785ee3356531f9f08bcd203542118234ab5785d3dc945972b92a1ed45d

SHA512
edf017eca75890500e588cfaaaec58ab9d37566ced136b8e6bff9de5b0d46f3fa6e8c188160fcf5a355aa4bf21225b6802f17ef021f004507c554e8ab4d5316f

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
128KB

MD5
7b72df646e520da0890119514e59b3c7

SHA1
5313985aa2e0f55b6d3592460a0d02bfbf5dd239

SHA256
87856899ec8fc621db1e1b020a1fa2434e92aa424c4710b84f459bad926832ca

SHA512
65d0afdd6333fdc8ef51f5f51ad043f4109316603b8b61b29026fd1b9cf72e4bf60d3c46e147b685c9fc91c7182d92e89394d59a24c7e2d7accd78a336e0c9ce

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
128KB

MD5
0598fe82d377e9f2ab1ff61cceb3926c

SHA1
793b6bb7391697deeb400b6651cb5050431140a5

SHA256
01ff4fb2ef8b8f9d12820e5fcbe5d3501057683107129149fd442c807c2c9074

SHA512
88bdf01c1f31bd4f12ce23426a8f43ca8b02fece16dc6f08828797a4961b9d12c9f79a45451bac6d056425e6073928b5f36e8fa509c3ec1445590d6d86550c00

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
128KB

MD5
1f182e76a24e841baf7fe23494d8b412

SHA1
2f5c6e824683278aa96b29c3fcacbb1dc9d4d0cd

SHA256
277c5dd8f876a165e3d42abf0f5ac4d0a305cacb153dbd6322f70c136807b078

SHA512
c5122112973cc308e2f6745e2a87b5cc1fc043f3031a212a2201070800662a905d5ae923a7f9839b12b13de9f46596c387ee00f1a355b3da0d020799d305a35d

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
128KB

MD5
9ecf904ce70df29173ac968ca7832175

SHA1
38b512085aecafbc6a5bf18a7c35972bca91402e

SHA256
46970ded563ae05bfc3824560aaf0bbee5acd4665d8fde4503177a1ac367ac24

SHA512
0d6f8c9f2f16e546b4b115fde5459865c2812b0d5100a1d04bced4390ca9e56ceb3d7cc80b0076d1e919cb1a4d972143ca61090e45722723c1e9e51325ba9e58

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
128KB

MD5
a8978bd10d81b7b0dc6544c49443308e

SHA1
75b52fc6660d28e258caea70a2c6cfdacbca7b8e

SHA256
35255017f8dae275e44a3ddc46da1804555568901a74f22dc269283cc43f4fe4

SHA512
1a8deaf1c8b9c9032cdc2e26b1e4bcb4d7770cdfc272d87e6a91e194c8b9ff90945cb8a584c3de86cd34513f8c29a9cd8d8f50966461b051eb8a31d1ecbd415f

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
128KB

MD5
219b01f71ded321efeed2240f3a0b026

SHA1
5a486e29a83949478fc4908a12a5f7e5bff08dfd

SHA256
a99e6a5ffa738b90ae2c8ad2822298fe34583ee0f66fb742e8295c89cd798d68

SHA512
b8b5267c5db89ca7c1407f8747143d3cea351c36426a8c3667a884cf5eeda0eff442237e208f82979d626ff15b585b5526eca95c8a27f67dde57bfa6889a9d9b

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
128KB

MD5
54208f1da12508591e809d8c2ba85d0c

SHA1
44fed978e9601dce91c8c8ee3db084f67fa16d4d

SHA256
63a12439e6c6c676d6a14bacdc66ebaba491e9cd6358d8641836daa7fdc9e779

SHA512
a5b113fb63abc41b6c49da75ecb5708cf98707685a34b5fdcdc40653d5a44962e74240149f29a148e06c4366e9e79dcf11edb94a504615e623be325c1911647e

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
128KB

MD5
63865a4ac42147bdcb1f436d496737c8

SHA1
9c7632f9e1ca1ba14c4c1d6b06a58a16904f0db2

SHA256
fcb5b9a5b5ed35fbab7ac8227e50cdb229ac13529f2a2c93910b7afaaa842272

SHA512
a91e6f0ec91ce05320c1a7716ab58a034d86ed4dc2f157bd85519ead640f0b64fc3ef4658b1692a0acc1b50f8745d40d1958de9c7e412bc0832e648ba8ce9ac3

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
128KB

MD5
874dac4489d27ee894a0128a9848e9b0

SHA1
66cd7df660e3fd5c1665d66ded91f56299946476

SHA256
1001dd2727f6b5ca9b837d32ef4972399ad372b4fd8b175e9c7712a2a7c3078c

SHA512
b111200b67515f5e50832713a56fa300d398e1994b4d54fc423503412174c5b34d0bf6d2498f383c38ce36e9a64abc5ec0649eb18f58183e6dc24fe01ac07cbe

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
128KB

MD5
01adacf9ac6a6cf7a8186cad6ad15f50

SHA1
cf9e03f37cf43412c22ecf0501bf4845c9009a14

SHA256
86085426fae54afb38cdff27d481baac89a0481f75ac83cbff311a8d56eb6fe7

SHA512
0fbc125681ca47af9ed592c541b774716caa4297e4742a4f7a4a2c6df2ee751429e4b548c2db35259de61660dfdf41d1027bd892e63bf7ae99b7888d5f684597

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
128KB

MD5
157a11c4a3d304aa995afca8f35867bf

SHA1
ce9cf4eab0a04443390e069692d06aa7cd898d21

SHA256
13df2bf1a7becf3607d466e2f6e919a1cb8ecbc2606e7e4be9ac4ed5c0f26ac3

SHA512
48e7b52125670f52651fd8b1695f2aa3821825ce54b67744da290832e62a52a34cb675e518522f62eb5629854e95563427c58e89f507edbf47c2edbf0a0b8ca5

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
128KB

MD5
d8920a816416e14cdb4fce4393c1cc07

SHA1
72607c31c76864a917602ea4f04cd087da0ae28d

SHA256
c1121e12b0a3d1ad36cd5c77afdd8a0ab2bd224656ab1237c1086f2aff6fe1e8

SHA512
8dda088e7b573f0b9a5cd02ff42d5fe4fe90140475ab5c6045b986422eaea9c690e70f9308fd0d3c8a7c4785cce672436e9246aa6169b5931bfaf57c56a4eef9

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
128KB

MD5
e33dc9fe0bac39ac81110818d516a7bf

SHA1
a6cee13e47d2ea3ea31aad8c6d9c39cc6df2497f

SHA256
7b78df764ddd31841f7efe82e2c831e00c5351d102f8b6b1d2748b9a5edca2bb

SHA512
052dbcca04935438182ebca25ab82923bf4df9a83416e686e52a348089a06c2a5a2bc3343f293b4312b3cde5b47827de659b8fa23a974dc0df97e3a6a0c23c31

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
128KB

MD5
0b0d2df8d7d01d3489cc029a7ee12f32

SHA1
17ecef4248421505c08428aecab3b5b7806c5168

SHA256
b7a5af480a3391b90357fe321191d66637165ae2701071c7964f7167a2940e4d

SHA512
1d603d6a4858ca9eca1c9fea269e716058706dccb4df5808015d7ef143491097d3e73e119d5bb689df4d9ea9009a4058b3ec0270c35c736d4f43fea575bd8e14

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
128KB

MD5
55254f9ed5d355ebc077136c68c293b8

SHA1
1cd5c86c2e4552c4c3bf1f683baeeba5f58f48b4

SHA256
859c65f51685db91fe784967ad75fb305c093a39b8dc88d4199642b3a04b5732

SHA512
600e22931cfbe1559993a0854dc57d06bcf74ab8ee807a2eead4007e33049074d6a4e608b2d38229467acfb8f6fdf62d5bf9a7d6b419bb5a0fd19659ff6cd438

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
128KB

MD5
eb33f4dca2a41d0fe2b6bb7b19c564ea

SHA1
6ac630f03068e2dac05a1dfdbddd0ef13733188b

SHA256
7ed7ac8d1a3c1ef9b526519110933d21503a33da6d521b09271f33aa5f875b47

SHA512
2920ea26824aefe1e918972be00edea73453a4ab2a2fa3d26ffa0f3282fc210a490cc1e984a7b1096265feef2d35dc10c9e1bede618a9ef30abe462d9281e7ef

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
128KB

MD5
479ccaa7afaa5d20e51280c943c11cc0

SHA1
92232e5b9e60eb729776f07ba646f23a3113fb85

SHA256
8e8c03ea7e312387922c925722f7d401c60acb44ed24018736b79efb79374e64

SHA512
e0b566a70a46965c3dcc6c3690099e9c4b77b8275e466c51e9e0a026be737553f175643c7c8dc2ffde43b408bcaca7a860eccc5e82448230f41a5f784d3ebb02

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
128KB

MD5
2220e014cc90d725100b9e8d5a7f31d3

SHA1
d35f7072329a008970a3ef6cf67db6a249d7d0ba

SHA256
639f61f1bac494edc2e8d3a6d705b06434b3018dd26323816ca529c7f2b95e71

SHA512
5aa7b5776ec0fe60b677728ca026ffae631adc230e7f95e05a1071dac0aaaabe5be91b731e4d7eb9ff114e0d02cefef1ddff85c25200b1111f26232f55e4367a

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
128KB

MD5
89ffc4489e4223c7b7e7fba5c880729b

SHA1
3766eb92f4b527f326170151a2a1dea1a3f41230

SHA256
de7d39ba4c287bfde7e6c67f03ac695bd4817faa15ce2e893fa71d8366c0f7db

SHA512
b27f715c58cbefb1fb31d6cbc8827a0df148f80cfbf090ab3d1dc8cb5aec6fe3b3e5ff9f2e550a94350e600a919b6196790b15780d93c67ab69f86aa480651e2

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
128KB

MD5
2c4bb7aa7a42fa992d0abc7cecba9610

SHA1
b426284978e8eaa2c97258d913ae30339a268182

SHA256
55a066f5ea2f3ed8ea44878a8f983ce189fe3df436178bd46b1356c2a9ce8a3e

SHA512
80a278a7e2814fea7f9cbe3a5432297ec457563abb903c628359ad90337132979367cefc40f4031c762739edbe8d87e11f7e8167929518c6be6207c6dc9ceeeb

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
128KB

MD5
3a89afc27423379f003984de3114dc62

SHA1
00524e61cc41ddef39a1065e806752667f975bf4

SHA256
e88ea471766a3fb76dc41e82fb5290dffb6d1a28142fa82804bc8c40255cee23

SHA512
7d7728fda992ea1cde2c1f82c161bd063b1e99db4084f293a9a1dfd2450dd6014e1517d0fb303dae0d65fddeb98db4b43c6188f1d053305e5a39613772d18f5b

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
128KB

MD5
2629cec495e75f9c46d6231549e762bd

SHA1
8eb2504e0e86df9e5fc8efd6fa6894288adbc044

SHA256
ebba8b57b506b2e127afd2f565bfa42080b45464d82dc314a941f1d21c5cfe20

SHA512
12c8cda8a7e9d99bd9c66260bcadf52787f7672aebc73b48046b3ddffc600e65b491fa19a2e6e83f05ec9f12017962b16370a1bf1653c6d86a3169f3b34889af

Download Submit
memory/216-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/372-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/384-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/460-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/692-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/728-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1008-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1196-556-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1196-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1232-525-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1276-507-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1296-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1540-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1540-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1540-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1908-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1980-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-583-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2512-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-534-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2632-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-598-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3092-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3388-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3628-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3676-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3676-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3688-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3724-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3776-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3872-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3976-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3996-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4100-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4212-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4288-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4384-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4680-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-150-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4944-501-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5020-567-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5076-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5124-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5292-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5372-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5420-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5420-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5460-468-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5480-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5496-585-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5524-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5528-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5572-387-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5668-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5680-591-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6044-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6140-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads