4cfaf1aa400d87a5b891502c7e94b691ccf7d448b96e9ba32407cf39f2556b2f

Analysis

max time kernel
133s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd159317647a0250063d0efbb653e3a1_JaffaCakes118.exe
Size

72KB
MD5

dd159317647a0250063d0efbb653e3a1
SHA1

5d85530aefbd0ec54aac7dd849b17b2a6aacfd5a
SHA256

4cfaf1aa400d87a5b891502c7e94b691ccf7d448b96e9ba32407cf39f2556b2f
SHA512

2d969b7a0841691f6df05ba0d3f011d2abf596e8a6d9af8c201056019f62da45b141aca1a19640fa0659e531a3aaf9986ebf858fab3b7f7c4e79c1ba38023eb6
SSDEEP

1536:fBD2YrOU7okDvKq0EDPBmTHqaCRHcME94HOXGKd:ZKOOU7okDvKq0MPQTHqaCR8MEgOXGKd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe

Executes dropped EXE 64 IoCs

pid	Process
4488	Fcgoilpj.exe
2464	Fjqgff32.exe
4560	Fmocba32.exe
2324	Fomonm32.exe
4212	Ffggkgmk.exe
4836	Fifdgblo.exe
2888	Fckhdk32.exe
5112	Ffjdqg32.exe
1732	Fihqmb32.exe
4280	Fcnejk32.exe
1648	Fjhmgeao.exe
4236	Fqaeco32.exe
3016	Gbcakg32.exe
944	Gimjhafg.exe
2376	Gogbdl32.exe
2536	Gjlfbd32.exe
3408	Gmkbnp32.exe
1528	Gcekkjcj.exe
2364	Gfcgge32.exe
4328	Gqikdn32.exe
4532	Gpklpkio.exe
3764	Gjapmdid.exe
3628	Gqkhjn32.exe
1728	Gcidfi32.exe
3028	Gifmnpnl.exe
1900	Gppekj32.exe
1800	Hboagf32.exe
2920	Hihicplj.exe
2772	Hapaemll.exe
116	Hfljmdjc.exe
4284	Hmfbjnbp.exe
3720	Hbckbepg.exe
4636	Hjjbcbqj.exe
2968	Hpgkkioa.exe
4812	Hfachc32.exe
3272	Hmklen32.exe
1580	Hpihai32.exe
4772	Hfcpncdk.exe
3260	Hibljoco.exe
5012	Haidklda.exe
4660	Icgqggce.exe
2752	Ibjqcd32.exe
4804	Iidipnal.exe
1072	Ipnalhii.exe
1788	Ibmmhdhm.exe
4596	Iiffen32.exe
3276	Ipqnahgf.exe
2576	Ibojncfj.exe
712	Ifjfnb32.exe
3828	Iiibkn32.exe
2220	Iapjlk32.exe
1988	Ibagcc32.exe
4760	Ijhodq32.exe
736	Imgkql32.exe
5060	Iabgaklg.exe
872	Idacmfkj.exe
2544	Ijkljp32.exe
1516	Imihfl32.exe
2080	Jpgdbg32.exe
1576	Jbfpobpb.exe
5052	Jjmhppqd.exe
1956	Jdemhe32.exe
4728	Jbhmdbnp.exe
3148	Jibeql32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fomonm32.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Bjikbh32.dll	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fomonm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5928	6040	WerFault.exe	227

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dd159317647a0250063d0efbb653e3a1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll"	dd159317647a0250063d0efbb653e3a1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4488	5108	dd159317647a0250063d0efbb653e3a1_JaffaCakes118.exe	84
PID 5108 wrote to memory of 4488	5108	dd159317647a0250063d0efbb653e3a1_JaffaCakes118.exe	84
PID 5108 wrote to memory of 4488	5108	dd159317647a0250063d0efbb653e3a1_JaffaCakes118.exe	84
PID 4488 wrote to memory of 2464	4488	Fcgoilpj.exe	85
PID 4488 wrote to memory of 2464	4488	Fcgoilpj.exe	85
PID 4488 wrote to memory of 2464	4488	Fcgoilpj.exe	85
PID 2464 wrote to memory of 4560	2464	Fjqgff32.exe	86
PID 2464 wrote to memory of 4560	2464	Fjqgff32.exe	86
PID 2464 wrote to memory of 4560	2464	Fjqgff32.exe	86
PID 4560 wrote to memory of 2324	4560	Fmocba32.exe	87
PID 4560 wrote to memory of 2324	4560	Fmocba32.exe	87
PID 4560 wrote to memory of 2324	4560	Fmocba32.exe	87
PID 2324 wrote to memory of 4212	2324	Fomonm32.exe	88
PID 2324 wrote to memory of 4212	2324	Fomonm32.exe	88
PID 2324 wrote to memory of 4212	2324	Fomonm32.exe	88
PID 4212 wrote to memory of 4836	4212	Ffggkgmk.exe	89
PID 4212 wrote to memory of 4836	4212	Ffggkgmk.exe	89
PID 4212 wrote to memory of 4836	4212	Ffggkgmk.exe	89
PID 4836 wrote to memory of 2888	4836	Fifdgblo.exe	90
PID 4836 wrote to memory of 2888	4836	Fifdgblo.exe	90
PID 4836 wrote to memory of 2888	4836	Fifdgblo.exe	90
PID 2888 wrote to memory of 5112	2888	Fckhdk32.exe	91
PID 2888 wrote to memory of 5112	2888	Fckhdk32.exe	91
PID 2888 wrote to memory of 5112	2888	Fckhdk32.exe	91
PID 5112 wrote to memory of 1732	5112	Ffjdqg32.exe	92
PID 5112 wrote to memory of 1732	5112	Ffjdqg32.exe	92
PID 5112 wrote to memory of 1732	5112	Ffjdqg32.exe	92
PID 1732 wrote to memory of 4280	1732	Fihqmb32.exe	93
PID 1732 wrote to memory of 4280	1732	Fihqmb32.exe	93
PID 1732 wrote to memory of 4280	1732	Fihqmb32.exe	93
PID 4280 wrote to memory of 1648	4280	Fcnejk32.exe	95
PID 4280 wrote to memory of 1648	4280	Fcnejk32.exe	95
PID 4280 wrote to memory of 1648	4280	Fcnejk32.exe	95
PID 1648 wrote to memory of 4236	1648	Fjhmgeao.exe	96
PID 1648 wrote to memory of 4236	1648	Fjhmgeao.exe	96
PID 1648 wrote to memory of 4236	1648	Fjhmgeao.exe	96
PID 4236 wrote to memory of 3016	4236	Fqaeco32.exe	97
PID 4236 wrote to memory of 3016	4236	Fqaeco32.exe	97
PID 4236 wrote to memory of 3016	4236	Fqaeco32.exe	97
PID 3016 wrote to memory of 944	3016	Gbcakg32.exe	98
PID 3016 wrote to memory of 944	3016	Gbcakg32.exe	98
PID 3016 wrote to memory of 944	3016	Gbcakg32.exe	98
PID 944 wrote to memory of 2376	944	Gimjhafg.exe	99
PID 944 wrote to memory of 2376	944	Gimjhafg.exe	99
PID 944 wrote to memory of 2376	944	Gimjhafg.exe	99
PID 2376 wrote to memory of 2536	2376	Gogbdl32.exe	100
PID 2376 wrote to memory of 2536	2376	Gogbdl32.exe	100
PID 2376 wrote to memory of 2536	2376	Gogbdl32.exe	100
PID 2536 wrote to memory of 3408	2536	Gjlfbd32.exe	101
PID 2536 wrote to memory of 3408	2536	Gjlfbd32.exe	101
PID 2536 wrote to memory of 3408	2536	Gjlfbd32.exe	101
PID 3408 wrote to memory of 1528	3408	Gmkbnp32.exe	103
PID 3408 wrote to memory of 1528	3408	Gmkbnp32.exe	103
PID 3408 wrote to memory of 1528	3408	Gmkbnp32.exe	103
PID 1528 wrote to memory of 2364	1528	Gcekkjcj.exe	104
PID 1528 wrote to memory of 2364	1528	Gcekkjcj.exe	104
PID 1528 wrote to memory of 2364	1528	Gcekkjcj.exe	104
PID 2364 wrote to memory of 4328	2364	Gfcgge32.exe	105
PID 2364 wrote to memory of 4328	2364	Gfcgge32.exe	105
PID 2364 wrote to memory of 4328	2364	Gfcgge32.exe	105
PID 4328 wrote to memory of 4532	4328	Gqikdn32.exe	106
PID 4328 wrote to memory of 4532	4328	Gqikdn32.exe	106
PID 4328 wrote to memory of 4532	4328	Gqikdn32.exe	106
PID 4532 wrote to memory of 3764	4532	Gpklpkio.exe	107

C:\Users\Admin\AppData\Local\Temp\dd159317647a0250063d0efbb653e3a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd159317647a0250063d0efbb653e3a1_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\Fcgoilpj.exe
  C:\Windows\system32\Fcgoilpj.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\Fjqgff32.exe
    C:\Windows\system32\Fjqgff32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\Fmocba32.exe
      C:\Windows\system32\Fmocba32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        31⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        33⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        35⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        38⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        39⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        41⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        42⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        43⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        50⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        51⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        53⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        66⤵
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1544
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        69⤵
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2052
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        72⤵
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        74⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        75⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        76⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1500
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        79⤵
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        80⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        81⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4620
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:664
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3732
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4012
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        89⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        90⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        92⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        93⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        96⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        99⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        100⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        101⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        102⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        103⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        104⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        106⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        107⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        109⤵
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        110⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        120⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        122⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        129⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        133⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        138⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 392
        139⤵
        Program crash
        
        PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6040 -ip 6040
1⤵
PID:5656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
72KB

MD5
e32955d581a923b28d115d74346d9e17

SHA1
b263e0916eb7a9af515d03f03fdca8b1cdbfc201

SHA256
10de9a8d53079f7a7b46c12f745e236dff949c02f3a778f23d977f2426989373

SHA512
bbd238058f8592570b7901da7c81667aabc8b7b439f2d3ba25cf111458d2749362369cf28067e4d0c487377f97564b66f63e91e482042b73c01d5b9e83d46168

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
72KB

MD5
328b53904a36438784f7476b4c5b915f

SHA1
98d5efb61df2675b18f25874701239ce48fa5b90

SHA256
d0639fdc44b83f0c8dcde631b2c06c09074e4215a56d5d284be5bfb0b6d8eaa5

SHA512
ad0a51304229aa165c9037a9e73401f6cb5c7249390296d2a1f2292d0ff8df889d49e9f0a1ad637491e76c852c74c18dd2282b7a86608e0a0b33e7c96d2f2055

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
72KB

MD5
0aa06ae353f5e8cc0a7e9f80af9bb093

SHA1
501d44edb0935e9ffc8636df6443aabbedd9173c

SHA256
853fdb95b64dfc839a7bc304da04de27adb00e33701b0594005f88264d8e8668

SHA512
316e0eea80feb388e84218c8d9e21666ea2249137936e72953fef86e41a3cc3430e2dc57e0278be138e7f976901f753365dbf0e81e1430cacfc9042f16f3158a

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
72KB

MD5
6d1973b5419127015bb3c72288453166

SHA1
e2157ee1eb674ea1aecc71819ff598fbf591b56f

SHA256
2177f3ad4c7cdf8fa8f73b1c733c363d96f8ca0c8d4a4c4902f854958bb0dec9

SHA512
51f7b80a4dcb5c3c39f2551da975c80a53a4cd16f9fc52c6b2650bb81f18b9543d17381e235d18252020e19bb2eceb73c0fbef2c066133d180f7dabba26e36be

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
72KB

MD5
561cb1520ea938cfe13af84e6207b722

SHA1
51372bb1384eb8d008746697c72a23d8935a5fcd

SHA256
4bba2a47589a0b7e4128abefe75a2b12caaa776291fad012a59f3eba9da3ff1e

SHA512
410520ed70a88e6c159c91c8c7af065d5e5e8718c747bc14880e9e94d3ee8aee201cdde67f2c3cd16a20a73efe8a563275df9cf15dba4a8aff49589b0c39278b

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
72KB

MD5
e662a8446433aadc3b05fa3012a0ca81

SHA1
3f9d6c9aca9d871d08f25a4aeeec85180be9add6

SHA256
527694f6928a82c7259b5cb25bf82dc09cde7a1338ec9acf68de537a397171f5

SHA512
f6b7cd97fa572a866e6a9d7cda8e4283a20c4fa5e679b26192d87fe96af0f0eb8d1ad4ccc58d95c187eae96d80aa34da12709ca87c6259983b0551ccb5a087c2

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
72KB

MD5
aa6997e50fba7b00fe6b534b92bfaa10

SHA1
a6d7b6afecc61d1e681fb0748e3fb6a8856627a3

SHA256
8ecdc052998d7591342aa2ec995a7a8401b3d0796e675a3baaba25831e73e67e

SHA512
6c0b0ff0120c0b7f63a094f60c03e86dcdd96948dd1211ebdd539ef32544339d94adce8168eed469e99d136add8d437fd304e5a00df65c19a5d97d460c7ea5e8

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
72KB

MD5
4ede3250b994a7187750ac6ea74fd732

SHA1
47423a64a40cb89ae912c3d9180712ca6bc8c8e6

SHA256
a30bb4f0a73c4a79dd5bd3524a941666e55483bc157fafdb5b2c2c067f968849

SHA512
7ed737dc557f7e2eb88ad06907b23297687257bf645331d780dff864799749bd832ff3019cc0e79c86fad403d161fd895c4aa1e9eb4e99576d1f750c6a3ba2c8

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
72KB

MD5
ec71ab0095d7825830fc994af84d2ac9

SHA1
20e6d093c9c92bfd7c7cc09582c68c07c02584d1

SHA256
112e9d4e223bba262744fc576b1daa181a30cc60f368cf9721cf74538141f2be

SHA512
058d2f1ab534bdd151fa7be1f22daa9be7ad76e165d1db6e839947c21bffc40a19dc2ffdf310c33b853aed68d34b9d62974a8aa977858ab5f517b66376b640ae

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
72KB

MD5
dac79126d2e8b644a16f0676df0ef672

SHA1
8aa4b23a055c23ba88724946fe674875db43cb75

SHA256
ebbcd505396291ec5b3ff8066abbcdc95ab9b54bbbb212d7404cdfca82753f55

SHA512
12e637aa1dc052f29b8dbd5bf57e331f0fcaf18258d6e7a831e3be9c6e0877daf8c15907ef330590fa41015e64561f614eafd59bda8a92a7e9b237d7bb9478d2

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
72KB

MD5
bb83f7f87756e81008495229e30c5784

SHA1
0302dc8cdf20c02877710e7cc76a9d01eff9fbce

SHA256
b522bedad86cfc7ceeb1f07606e704686b63a2e844ba1bc44c22033efd1c20f5

SHA512
b0fa2f6899db1ca238bdeef98a9b8cf250913e4b24460eb28555adb37839599e7d60acbbb65f0333d43100fd0813a40faf33b3f9e1bf7da122b66c5e2eaf7dd5

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
72KB

MD5
188db0f63981009e1929ae384d73fd8b

SHA1
ce39459b270bce9b85924533856fa7850870ec0f

SHA256
837cc04de273f24b3218d3cd7be2708853786bb97060ef908a1007fda86be5e7

SHA512
08e8700b30b32712ba6831e1fe6f81b035c73d38512109e46fc8c4c79c295e7b085ff7f7cea86b37f802c40f711eac7aec3e0165d38fc37518b0ca8731f26659

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
72KB

MD5
0b516b6a07f66873ee5d00bc41e97059

SHA1
98068a9168ff435e3bd962d04c2a5eab67701891

SHA256
2b3c22ed17916091429df1b2a9768bdfd39d60eed4e5804c8b6471b0068caae8

SHA512
02ddc087db25c3ffbc4149f4b68bce23ab767813e80c88e2bccc747368c74df3d578fcbae29ac2d4ff926912e75ed03c957f25fe61017be822ce101f125745e9

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
72KB

MD5
28af92115429e2da866fd0bba8684e0c

SHA1
967ad460bac4aea30004785addf12ffdd5b8521b

SHA256
4050d893e2b75d34368e8f6d323f3f8d2a0ea2263920b9b316d810d79ca09f9a

SHA512
bcf0d8959b7213d50c14893ef7a8c7a40061583d9fd357e0c2cc17b01c08b3aa95a86792c634c503e811509ed9c1c7c16ad69be0ba2cf93bbcbb29e0ff345487

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
72KB

MD5
91964118c009907772d9279b4ae14452

SHA1
b077173a7039085576df15af8e582c1593bfe499

SHA256
b98352bb9af1b932373161e90f06a0fed7265d80c6463db1d2a10455d9f707df

SHA512
62d23dfa034836e714c32baa97e86e82b1897a934f8d7c8cfa2375553943376465a379581928c2144b24bf9bcbc4bc2b7d0d8693e321fc9f14771d6fdea9d6f7

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
72KB

MD5
b44ca875c980fe8cd1a377c911413eac

SHA1
72580021f813c86d1639ee7a51767dc072079096

SHA256
e94a0a775ff7d620c56af301e7379e285a05913a55d5259abd3578ab8e86c028

SHA512
c3427bb4cb486019c45eba665ba2fdbd9c7d43b8000c15f121d5f0ec666105441a19fb7a69e930c09a79b0b36afe0b46301358f9fa6ddb61c730c2155570582a

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
72KB

MD5
fe72fbb521787ca9edc201e2786f4dd2

SHA1
f2783aed127fe229da94ac1b4643839a02146834

SHA256
2b2bd6aedcdd698ae3de2b5189acd620bf1b6eb31a964bae904a55e6aa10e055

SHA512
43d2e693e36f2108f65f5a2d35127790ecece944d08ebb058bba45b181a09bc230b35b9dbaed0bf6300d9cb38b765035363681815c8cb68ba6a3127b2e1a7683

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
72KB

MD5
9ff69777d2dacfa942092814cfac2270

SHA1
9c39036bdfdddb30701472750d5e419ce356bc5f

SHA256
703669f2426fa0a933d4bc23832c2c6fadbf05c5fb2d7f8a000883cc525c7f72

SHA512
950586e8d8ab78db8daf9fec6834d7cb6de5262e1702c412ded6f1eec09e4820e5d2f16fc597ee5b7c86203626df0f5f2ae4132c7673e2f7e1601a5fd14f098c

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
72KB

MD5
f83ddf02ee7cbe05be98458bda29ade9

SHA1
9d27f0248f2db1667729103a840f9eeec0522d2d

SHA256
a737abddf77961c89cc012dcbb4b20146bbd4ab34ce5239554ef0676903e9794

SHA512
7b99e5ece0497668a6cc77090e600c5d7ca3d150299df931d1eaeb75e28bc99a2451fb4aa10624716aeeecdd4e8b5586981e677648626d989b03a464df3a6077

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
72KB

MD5
0f730dfb5c5ccefe04472095461fe49e

SHA1
06933025ea480e69e839ca34d2fa2760c3c97cb9

SHA256
a9cd1d799884a96214b6d69cc6baf75eb3158ab8c58a76e507a0307de9fa0312

SHA512
543e2d7e0ac7707584cc9165b9ac1b8933d29185e9c433b886a58b22fe059c1fbc89373662606588967d2db47fa61d672a9386a5d3f705be8afcd31fd9b57f3c

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
72KB

MD5
3bb2ebda1d4f4253dfb1e9771b3fad2a

SHA1
099999497c271f82fd5cf8c8d5cff681cfd56d0c

SHA256
e0fc3a50db43675be63ffee44263803c3e03136c6b672fecd4214a11daabfd9d

SHA512
f7851478631a925980a08670bb5d80ebab13f05560306436a1af32236577b3a23ee3d3246eb78767a43de6639f26ef5d3d771a2b199ae055a500ddbb1150d52e

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
72KB

MD5
5fea6ccfc37233b46dfc48157d01d7d7

SHA1
759c2d3da567fa78897a04fb9639c9ed7762e21e

SHA256
4023fe28ebe351dbe1eb6a5cbb599323435dd486861270476f33274416561f7b

SHA512
308b975f14fa0f18884b1cb46ba70c31ba2b23ba80ab3aa153e37adcbabbec6c453fa4baae1afce714844ebbcb04cdc275b5a12f89c5b8694c84aea19be06d80

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
72KB

MD5
fb955c8f96487115f8dcc70bfebfdb38

SHA1
4b9768b24b2a647f84c9d9b6364b1d4aa0170e8f

SHA256
fde0fa353a05cee3ecfeb28fa4fd29a5c79a9c146dbb09ddb9b89495c3356b82

SHA512
96a8c6e07906aed9f1ec7c46f9f250be819d4694c046c50c1bd33ebda2152bc553bcd9635bd8c4c6fcf9dcd93f6a35ff68baca369fc6e9be546b1b86c010fb2f

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
72KB

MD5
791e7ce3d6cd23931c4ea5b47b3e83c9

SHA1
441798afb1e9ca6c7ec29580d72a1ddca98a8131

SHA256
3cf1b7756706a1a69e96b2d4e2ab715f2b93dcfff6653c17fe95ea4e452598ea

SHA512
d20f7172477002899ef3b6bd4aa51ead223747cd831382365bc669ec4a64c7672d3f0aa32137efe7b0f1015e50e27e87ac1edb11b195823fd8c189a18877f7ed

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
72KB

MD5
e92ddcaead2c1fd8dfb2e1f6dbc6863a

SHA1
abe49b85f16cc87db50817b938abefb4cfce362e

SHA256
1436e64f734efd334aed8659f43c07c970d123e588724f1e66f43b4e53a90276

SHA512
b3056dd66fe510edaf46396994bb5446f76122859e8811c86a26685dd7391c7c369064bb5e5d63a9086116dee7033ee94158c1119b63aa2ab314d2d839fe765d

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
72KB

MD5
f055975792f02ae1fc51a9e5abd91511

SHA1
0e5468501806bc8d9cb3a741e56d17f8182655c9

SHA256
f8e64093925298c9d6b8486700f6340aff90a97a9c58c01c04728db268c00e54

SHA512
1554072e1c227832deb46bf660afb3e63db01e39128ab9858f2e021180aac33240ec14a7d55a8c8c3b59f2c6e16fa35f15babeb66a97b71f2f533e906d1d1109

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
72KB

MD5
0b580e4ff665ab72353a543274f1261a

SHA1
b39f49a288c94fdfe0781f2552de2d7b53f0983d

SHA256
36811f04748e3e1e736de5ba8c09ba1271406e71076b30bd6ac370bb1cb34cd7

SHA512
0cf90e9296966548716debf2681142a70e6c2b712f778421d9b84de6fcd00a033398642b37a9ffbbe8ced9df6adb766f3883eae2481550726e9c9b3e3a73bd3f

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
72KB

MD5
8234a367ff54e635807fe677e6866a33

SHA1
88933aa5cad440cf5064550e7a75044edf380cca

SHA256
4b921b29e719db7837b6efaaa0eb188ef229d328585d8a30a1315495cb571ca0

SHA512
4144fbcbc233dd0e72fa182347b6680d02f9de75b1c21dc5e090737795331c8cc4426754de23555b002d4cd23bac67b0a9c73c3ada370cc048fbabba9344dd66

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
72KB

MD5
c7715786d8436413c1492e1dae24c5a4

SHA1
240a478315cef305ad5b93d8b39554d41f0bec44

SHA256
3575fe2abc704b186063d5d2e692e631e193300c952694cbb588e34e3aef80b9

SHA512
372173f496d5cbd419474921d7d828147748a816dec4f8de21bbfc9da4ac3eee75bed2262b76ec6277d71e177c048629eb2426586cb34bb381f8e47c549a929e

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
72KB

MD5
1b2ad5445cf8b98970dc6a8274d8bae5

SHA1
56e1c86370cfd685f1c530da2e7a6ed220c15820

SHA256
a8da9481af5471db1649ed7030637471002cdfdff879d4dcb8705111e2479e23

SHA512
8f3862cf3cfaccc20fa20064bf3e57cc836ad45eb5dc8f40f78e0b3c449795b4e88429793c00b37a7890d78fd4fd3ca902cafd764680bf06d5cfe75e87182cb6

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
72KB

MD5
09e3ddfd658b52d99cd854705b85c64a

SHA1
1b38581aa5e6558fe4344f6de1df0f00b2253548

SHA256
a447e6f119306bd58ad0ca9d6ff8081fa141de5056256cb754f8b42f90bbf25e

SHA512
945d08535936c60d5118f5c3443d7915b126bfbe00e73f6ec069f83014ae09a09a3b905a3027ad570ca066076cf02164aa0795ecff5bb9146eae4104cff03bf9

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
72KB

MD5
c190cbbd4fc22ca3305a6427460b3191

SHA1
5210ed58af885fee304fee8febf681fc061c0085

SHA256
5995b001ed24831a34b7bbc8ff22107a0f3f87bfb545b249772a459033de2a0b

SHA512
03279e5102ff81f97efc6ef7a48f19295175ee17951b2240fc57b8c8a7d9ad4f13507fb6b4b5642ef2ef21cb54feba2e6e5949dc157c4be5de7a806f68ad8a0e

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
72KB

MD5
de08cf3c5cb5dbb122045833df09e523

SHA1
55c2a17e669dc41f14d2ec03ffeaa2a53e66cd6c

SHA256
071f838a06aa6f8d41e0f4601e9b3b6fa4ba71fc25e82e898707f89d65365747

SHA512
9aa6d719b6241357ea14992026214c29a230204f64069de0e8bae10e410585b6bab7f500f5c160bb259c95d3285ae3d0072fc46c8157b7d3af3712b3070c40f7

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
72KB

MD5
311388a944391f23e1880537608a38e0

SHA1
7cf31c456427cfd6ff4fa766242bcad2c5e23785

SHA256
4254dea86d220886dcfa8bbd413f607b905c98d4d04f03ab5517e331fce9a035

SHA512
1530f81107fb6643750a43eebbe4c909dd115cbb40fe310562b99031abc2ab99b6ec1f1459413fdd4825c76cb8e8f54382af16d35179adb4f496aa8b8206d970

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
72KB

MD5
0dc2b62d539d4976e5bf466e8e217b09

SHA1
c7e7c3c440012eab33f79bea74d3ae602ba8c2c2

SHA256
0c94d242a57d6d3ad1db8a003b6e8cb2003f10a6c8b1f64e73126cfeb149800f

SHA512
791fd2d1bf86da90c1431f1d70bf1bd21246c0c3f6c7329c7531363048c43b63e1222268493995f2fa6eab4531f741cd04908666627f8f48c7516938029ae7a1

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
72KB

MD5
c55ed9dacb3170e5f01b8d844c65af95

SHA1
20d5a8a9d4128d3e512081eff28293c7586df800

SHA256
e2c3a9806fa96d2f46c07760d94bcee790e54bd6adc7235661551a21f4b332e6

SHA512
e3bc4c55c086ba4cf07d319dc94915b8c538ec039d744ad01e4d77c7b07c1d22f3d632be5593c35522fd1da193bf51aac64819a8d557d55766978511c7f7c63d

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
72KB

MD5
ffd1a81725ab804b16323c6e2eb2def9

SHA1
c6bd1166b2cea9516a6b97288e86a0e5af3e4659

SHA256
5c48444a0fbb9a073f1a32a05e1a8db263b85214800a0557aa795b2c662d74e3

SHA512
a6f00f4f388e02d7a13b09017f585f881e2c67671509b0e60d2a217f551fe1112fbb8f44f1f4feaf6812692ac4ba1e3ea621f00ad75f962d51296200e7d73032

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
72KB

MD5
236f587823b6f2d23b475d98e31795aa

SHA1
1856deaa38c65031116cd36950c4a6cc403d42ce

SHA256
44135aa3f155218f46f9ea973932b48b0d0e63151903d5a4882e9350e1f94472

SHA512
98fb6bfe5c28fc2b0fedd346f0e2140a3f74a5628457c9785cb7b979f24f35225bf42627c20cd3cdefb2f7f2f659f2b15de47a2de3a3c9c0b601fe373163e880

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
72KB

MD5
8b911cc46e60613cc0b1e755f9bd69a4

SHA1
168392003ce3b8467c6b9fdb7bd53c86e0d300e2

SHA256
05a6e4faecc0fa41c318a4336dc79f82891c3a5b303dbe38e7931804327cb310

SHA512
60350890f8746bc28cc37fb9bce9fae3533d032bdd5215432fa69d302ce5b16413b9456446556ff4ca8ca82e9c7e9ec591779c91f63bb2663345641a53ed303d

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
72KB

MD5
0df47e38af2cc01d6bcf1d4210e520c9

SHA1
9100165026dcf60981a61ee4631d7abe9580fff8

SHA256
59127eec2262cc17c5cd99d8f9d754dc1a68f8525a38a7a536adffd2817597d7

SHA512
5d5e387a67bb206112b23c61ab2b36c0175e7e3b10167d5f47eae5073908c443484fb15e45b86f4d3864d969145475719d6981713cbe5f3d634dcb2f9424fbb6

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
72KB

MD5
87cf1659836a3a918c6ec186c6ec175d

SHA1
646caafb35b0f579dd6d62788678b8a5e8103386

SHA256
cc0178a74488af7985e2d0b91452ed65d0797e154a68c7d5e7b4a11d07b6218a

SHA512
3eb1370fd5047b43ced9e08aadfba8a212637fae5bd4d7021254ee1727a233dd48e14ecc933ea1bfdb2b3ca5ea5a85a1e911a96d6d1e666e7fe417e477e9e2a6

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
72KB

MD5
aa3f08d6e7dfa509cd6ef5ad5027c404

SHA1
f78c4c5eb4901328e2af3ddd7772c099d33d6e19

SHA256
823ad0a32b88370d9e2dd4d3b13abee5e587b61c50777882a1b286fdc6b11544

SHA512
4dffc8ca31824c27b8b876c5b0ec90ce9d108b2d7b6433f70fa280191eb8f073c964fc76245f35d02d64bd88e206ac496219a87dc17fa684918ee11a9d3234b1

Download Submit
memory/116-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/712-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-1012-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3828-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-4-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/5112-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5168-1011-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5600-936-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5944-950-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6040-935-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6068-961-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6136-960-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads