277ebb27008ffad7e864d5dbc2cd17047273724734e75bc90f978aa813a5b38d

Analysis

max time kernel
137s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5af73cf53b0cf2129a8bf98310e65e2_JaffaCakes118.exe
Size

136KB
MD5

a5af73cf53b0cf2129a8bf98310e65e2
SHA1

d14c816fff63e2c09d6351720686fb5754cb894f
SHA256

277ebb27008ffad7e864d5dbc2cd17047273724734e75bc90f978aa813a5b38d
SHA512

1a4c54ad2b4d2c95676d217b18cfdd3fca3fbaf4c3e4dbdeba3d45b9a47791ee1bf17c7bebaf94455dbadfc31eecbf133814f9b5335b5fedaed3acc6902c042e
SSDEEP

1536:XE9cNRdNldwSmHTqPkLsreer7rEbsc4jlSihSzkIvgiTjz0cZ44mjD9r823FQ75/:XE9cLUtADEb1mo6SjgiQi/mjRrz3OT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a5af73cf53b0cf2129a8bf98310e65e2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe

Executes dropped EXE 64 IoCs

pid	Process
4772	Fbioei32.exe
3176	Ficgacna.exe
1860	Fqkocpod.exe
2488	Fomonm32.exe
3456	Fjcclf32.exe
3180	Fmapha32.exe
4740	Fbnhphbp.exe
2504	Fjepaecb.exe
4136	Fmclmabe.exe
2420	Fflaff32.exe
4004	Fjhmgeao.exe
3436	Gcpapkgp.exe
1792	Gbcakg32.exe
2228	Gmhfhp32.exe
3908	Gcbnejem.exe
2912	Gfqjafdq.exe
2340	Gqfooodg.exe
1600	Gcekkjcj.exe
1296	Gmmocpjk.exe
2336	Gbjhlfhb.exe
2708	Gmoliohh.exe
3992	Gbldaffp.exe
3124	Gifmnpnl.exe
3096	Gppekj32.exe
4256	Hfjmgdlf.exe
2096	Hihicplj.exe
2892	Hcnnaikp.exe
1888	Hfljmdjc.exe
3428	Hpenfjad.exe
4484	Hcqjfh32.exe
4952	Hjjbcbqj.exe
2452	Hadkpm32.exe
1216	Hbeghene.exe
2660	Hjmoibog.exe
1476	Hmklen32.exe
4212	Haggelfd.exe
4708	Hbhdmd32.exe
680	Hjolnb32.exe
3648	Hibljoco.exe
772	Ipldfi32.exe
4692	Ibjqcd32.exe
3692	Ijaida32.exe
2320	Impepm32.exe
1584	Ipnalhii.exe
5092	Ibmmhdhm.exe
1648	Ijdeiaio.exe
1520	Imbaemhc.exe
4100	Ipqnahgf.exe
3136	Ibojncfj.exe
3304	Ijfboafl.exe
1616	Imdnklfp.exe
3784	Idofhfmm.exe
1744	Ijhodq32.exe
1176	Iabgaklg.exe
2796	Ipegmg32.exe
3920	Iinlemia.exe
3680	Jaedgjjd.exe
2996	Jdcpcf32.exe
2104	Jiphkm32.exe
3984	Jpjqhgol.exe
3944	Jjpeepnb.exe
3712	Jibeql32.exe
2236	Jplmmfmi.exe
3284	Jbkjjblm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Fmapha32.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6440	6328	WerFault.exe	241

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a5af73cf53b0cf2129a8bf98310e65e2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a5af73cf53b0cf2129a8bf98310e65e2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	a5af73cf53b0cf2129a8bf98310e65e2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4772	4744	a5af73cf53b0cf2129a8bf98310e65e2_JaffaCakes118.exe	84
PID 4744 wrote to memory of 4772	4744	a5af73cf53b0cf2129a8bf98310e65e2_JaffaCakes118.exe	84
PID 4744 wrote to memory of 4772	4744	a5af73cf53b0cf2129a8bf98310e65e2_JaffaCakes118.exe	84
PID 4772 wrote to memory of 3176	4772	Fbioei32.exe	85
PID 4772 wrote to memory of 3176	4772	Fbioei32.exe	85
PID 4772 wrote to memory of 3176	4772	Fbioei32.exe	85
PID 3176 wrote to memory of 1860	3176	Ficgacna.exe	86
PID 3176 wrote to memory of 1860	3176	Ficgacna.exe	86
PID 3176 wrote to memory of 1860	3176	Ficgacna.exe	86
PID 1860 wrote to memory of 2488	1860	Fqkocpod.exe	87
PID 1860 wrote to memory of 2488	1860	Fqkocpod.exe	87
PID 1860 wrote to memory of 2488	1860	Fqkocpod.exe	87
PID 2488 wrote to memory of 3456	2488	Fomonm32.exe	88
PID 2488 wrote to memory of 3456	2488	Fomonm32.exe	88
PID 2488 wrote to memory of 3456	2488	Fomonm32.exe	88
PID 3456 wrote to memory of 3180	3456	Fjcclf32.exe	89
PID 3456 wrote to memory of 3180	3456	Fjcclf32.exe	89
PID 3456 wrote to memory of 3180	3456	Fjcclf32.exe	89
PID 3180 wrote to memory of 4740	3180	Fmapha32.exe	90
PID 3180 wrote to memory of 4740	3180	Fmapha32.exe	90
PID 3180 wrote to memory of 4740	3180	Fmapha32.exe	90
PID 4740 wrote to memory of 2504	4740	Fbnhphbp.exe	91
PID 4740 wrote to memory of 2504	4740	Fbnhphbp.exe	91
PID 4740 wrote to memory of 2504	4740	Fbnhphbp.exe	91
PID 2504 wrote to memory of 4136	2504	Fjepaecb.exe	92
PID 2504 wrote to memory of 4136	2504	Fjepaecb.exe	92
PID 2504 wrote to memory of 4136	2504	Fjepaecb.exe	92
PID 4136 wrote to memory of 2420	4136	Fmclmabe.exe	93
PID 4136 wrote to memory of 2420	4136	Fmclmabe.exe	93
PID 4136 wrote to memory of 2420	4136	Fmclmabe.exe	93
PID 2420 wrote to memory of 4004	2420	Fflaff32.exe	94
PID 2420 wrote to memory of 4004	2420	Fflaff32.exe	94
PID 2420 wrote to memory of 4004	2420	Fflaff32.exe	94
PID 4004 wrote to memory of 3436	4004	Fjhmgeao.exe	95
PID 4004 wrote to memory of 3436	4004	Fjhmgeao.exe	95
PID 4004 wrote to memory of 3436	4004	Fjhmgeao.exe	95
PID 3436 wrote to memory of 1792	3436	Gcpapkgp.exe	96
PID 3436 wrote to memory of 1792	3436	Gcpapkgp.exe	96
PID 3436 wrote to memory of 1792	3436	Gcpapkgp.exe	96
PID 1792 wrote to memory of 2228	1792	Gbcakg32.exe	97
PID 1792 wrote to memory of 2228	1792	Gbcakg32.exe	97
PID 1792 wrote to memory of 2228	1792	Gbcakg32.exe	97
PID 2228 wrote to memory of 3908	2228	Gmhfhp32.exe	98
PID 2228 wrote to memory of 3908	2228	Gmhfhp32.exe	98
PID 2228 wrote to memory of 3908	2228	Gmhfhp32.exe	98
PID 3908 wrote to memory of 2912	3908	Gcbnejem.exe	99
PID 3908 wrote to memory of 2912	3908	Gcbnejem.exe	99
PID 3908 wrote to memory of 2912	3908	Gcbnejem.exe	99
PID 2912 wrote to memory of 2340	2912	Gfqjafdq.exe	101
PID 2912 wrote to memory of 2340	2912	Gfqjafdq.exe	101
PID 2912 wrote to memory of 2340	2912	Gfqjafdq.exe	101
PID 2340 wrote to memory of 1600	2340	Gqfooodg.exe	102
PID 2340 wrote to memory of 1600	2340	Gqfooodg.exe	102
PID 2340 wrote to memory of 1600	2340	Gqfooodg.exe	102
PID 1600 wrote to memory of 1296	1600	Gcekkjcj.exe	103
PID 1600 wrote to memory of 1296	1600	Gcekkjcj.exe	103
PID 1600 wrote to memory of 1296	1600	Gcekkjcj.exe	103
PID 1296 wrote to memory of 2336	1296	Gmmocpjk.exe	105
PID 1296 wrote to memory of 2336	1296	Gmmocpjk.exe	105
PID 1296 wrote to memory of 2336	1296	Gmmocpjk.exe	105
PID 2336 wrote to memory of 2708	2336	Gbjhlfhb.exe	106
PID 2336 wrote to memory of 2708	2336	Gbjhlfhb.exe	106
PID 2336 wrote to memory of 2708	2336	Gbjhlfhb.exe	106
PID 2708 wrote to memory of 3992	2708	Gmoliohh.exe	107

C:\Users\Admin\AppData\Local\Temp\a5af73cf53b0cf2129a8bf98310e65e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5af73cf53b0cf2129a8bf98310e65e2_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\Fbioei32.exe
  C:\Windows\system32\Fbioei32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\Ficgacna.exe
    C:\Windows\system32\Ficgacna.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\Fqkocpod.exe
      C:\Windows\system32\Fqkocpod.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1860
    - - C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        26⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        29⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        30⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        31⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        36⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        38⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        42⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        44⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        46⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        50⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        52⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        53⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        56⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        57⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        60⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        67⤵
        
        PID:884
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        69⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        70⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        71⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        74⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        78⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        79⤵
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5072
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        83⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        85⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        88⤵
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        89⤵
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        90⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        92⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        95⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        98⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        103⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        106⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        107⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        109⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        110⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        122⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        126⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        127⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        129⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        130⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        131⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        135⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        136⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        137⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        138⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        139⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        142⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        144⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        145⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        146⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        147⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        148⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        152⤵
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        153⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 420
        154⤵
        Program crash
        
        PID:6440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6328 -ip 6328
1⤵
PID:6404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbioei32.exe

Filesize
136KB

MD5
241d90af7be682ab59aa7c37e6f1bf48

SHA1
e8c070f713da5dd0490029d66182e03c2a06a3e8

SHA256
6a788e2269c7229f1488d65fe3a6124fd98057ed16ed0ef18240024f98da16d9

SHA512
14c7f3a6db9aa93e5e000deb1a1c30ec5c10aee1e2669c1f8b401f7f79c0708a64667208d54decaee02e2e1f3f52d348b7cb6bbbb8d815bda9243e44f6aad73a

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
136KB

MD5
de61607d46f169ec887fd19ac6102c25

SHA1
a6ceef5796a2508187be63c60719e850780470ae

SHA256
82d8339c8f6e6f5657ce1e20a2844a800aab86047b6b153b1173c719966aef8e

SHA512
a84525300f79ebf1a5b3e5f8d91761e72331e68c2bad82ef30e44963d7e4668a448c615b97cbc2a411ea4af79e6dc3d71a1a7c396d0823112dd3744c6828f520

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
136KB

MD5
9b3ef639fe503a0db77a908eae9a4b34

SHA1
071d870671f212638b7b453cd8050fb67035b161

SHA256
6489dc8179a4d931c4a6985be420c740ce73c4fed8024bad64218d383f0824af

SHA512
0219908b255c3f833e64f3a3451b9887efb89361c70d218f879f1b9ef43f3479addda918d90b436dda25c932ade19eeb4bfaa46d07e40177556bf64d8a4f18ae

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
136KB

MD5
19ffe949702b6765e034b009bfbbd711

SHA1
5466c851b90b274f017844c2b7cc12ac1a3d547e

SHA256
69073873440bb2f767f5ad20b10799fa262fc6d9b1eb8964db96bf692d446bfe

SHA512
4f784c193d92ef7c0b9563686b2c6bea80037f4438c1b251b2007242309d6f0dff7c79e5295db66302cf804bec1866eb08f2a5f614f6541fc27f6340171ee489

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
136KB

MD5
f48a837386d06e511b3cd9a3f49793cc

SHA1
d8208feb10a7f872a28c5ec92d83110a23d7a2dc

SHA256
c9ac00d9e2a8dcca534638c35983ea7513e013d6e11c9262628f4ef91576f9f2

SHA512
6be79f51508af67be91ede83583abc9d160269b99fc8aeb112dcda003869d6bd324520c2e8e67f79f613b20500c5263a15bffb9ec52a228a85ff722fae2c25e1

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
136KB

MD5
321b71345f3264f9056a067ef4885441

SHA1
0e7667e91b81701d8c89e3b8a316da7f33309bd7

SHA256
a29b4152f3f2ce4405536e85864588dc3f0556e298709e0d095134f0119f5704

SHA512
676bfbda4c4d490fae76c080bfb04f08dce0e8c9bada27d084bfe5dfe120a85aeb45bac5838f74e66f43e0dacb3b1868d6bea8ab3be27b5f044c2c078be017cd

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
136KB

MD5
d6d05877b661a09af58ba78e26021917

SHA1
b3891f808c81e9b54a6b4ccfc2c2cb1358d4ca95

SHA256
4e14ca62d37a0a2306aa549c060d700511162dd8bc76f2f2f885082b0174f6ac

SHA512
4b760e20a8764564b3b4c7972c68b53672defee801f08a6f5e4fc710cf3bbf4d7decce8b066b8fb5428918f4bf7572eee74b6e447d7f99ad2fe07b8968788581

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
136KB

MD5
7036d9fee1bcba25bbcedd7291617b52

SHA1
d22506410f14eabc46fa99008d8f5ccdfde097a8

SHA256
00e80bf91c06bad0de5486e369d51b022d110e7b88e3f2dfbad739c1eb277017

SHA512
5375b1dc5161d71136a9700044964757489d574b3b90a9b81357c631227f3b004d0a0e93615a104028f01ca1b2a1f279ec416014c7cdb50b744fc122de828592

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
136KB

MD5
f873a3098ea5189f470165ed92aad183

SHA1
bd552ab450e05b18b32976340d809eb3720496af

SHA256
1b62b3865720b457b371e51acd5d2481e2e549823a91eecf6f3cc745ba932fc9

SHA512
4d656eced83d12409f5a819caa9e8874a017a7e3e5058d358b07e4e40bd793d2d945abd7d17cbea3c8256181c798e8e6e73a50984b1dd0f8625cb6b66d3c46bf

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
136KB

MD5
63de54738500d123215cf3b6439d23f1

SHA1
a4822f5a7a95997cd7c4904895096399b9f092a6

SHA256
ffe49b6a480093b3ba813baf047b0132ef40d54d7720951b9e95092cea798991

SHA512
cdbcedaaab9574602447cab0591744274fc6d5a60edfd596655aa53994a5206b5b0b6a241b33962f1f85ffd366f958d1c3ab4212c55eb35bc3e211fd95fc8379

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
136KB

MD5
406e6d0e11c697f2fd4c0169763b5ab5

SHA1
9640f6a5ca5ae8bc9a81d5880f3731555c3ff199

SHA256
8b2bea1a7265091c02a42381ec03246907ec12b614bdbc36270c8e9bf5357bd8

SHA512
5863f4a4b2ffd55f156035759a5c0637763d7a4d5f7054cede6439b2951ead3b27951b4763e7605391eb3b9e39d58fc68780dbdd784a0708b49ff9bba20c584a

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
136KB

MD5
a5440f82e4b646652701cf493bf8fb9a

SHA1
57fef571dad16618f40419add2a4f1a832a62290

SHA256
bd4bf366a0a763426635acb1a9522beb9994e6f2503a894696efd9fe4a851a59

SHA512
37233c6cc446d549b65ab9f66243e52784602e048eef88680d732bc5ad200138e82c03390380670a90c992788b9a4edcffedcee3859b6de8f8d9a092afe1d320

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
136KB

MD5
374183e88f431bdf4e545d37389215ea

SHA1
3f339bbe6bfc46a903be8ffcc66c9bb0b6e9185e

SHA256
694fa2a1721a43b6593eb840ca5e9223c59c776c9dae9311d90bff87272160e7

SHA512
d90cbc67a6c067e79d2073dd2032c5d691434bf9c2fe38ed9fd90d37533a7b535303770b082f1f6772da10d50390b9b82f16d076c5501b54af9a03a719995d4f

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
136KB

MD5
e072956fba71c7f31426c763a9d74083

SHA1
345fa26bfba8203f952d61a82270b81aed494b7c

SHA256
3003268a9637c7e617efb41bb1266dbb663c78f1bd5e412aad8018e42b94927a

SHA512
3c3901a906911806f8263e3cfae4be7cf49fbaff3aa3e80192b53cf292ccad679f5fe5ebf2684b2167f1b5fa53c0baf7c3bdfcaefad8c597dcab328ec5c69333

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
136KB

MD5
306cd7f356af0bc4136de5d211d85773

SHA1
3b4572b73c7fca1cfd33c4c77add0b5cea26d335

SHA256
4b5c81645d1cf3aea52a2c461a01ffca6a5dcd61c4021a7eba7b045c0b7ebaf8

SHA512
7ba3c296d9edf51ee9c2acea4066b4e8694ded1da2ec67ebeec9660c023fc9cbc20ca337bfd1ccf6e70d0baf6aba2a455e852c6ffa2c4d6f1501ed6d24aa39aa

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
136KB

MD5
581719b91ee9195da5f7ffd4ecaa0026

SHA1
6c8738ca1e8af495efd3fd1f36e42d0f59da4a9e

SHA256
e52a1f8addd50b15d68d9e017e354818002f0c7c89199fe2ca2b8f96082ac5a9

SHA512
7cbb4a7df359bda79b756185883fbc93546778ce58ee1b7647002a7251558e251fc020c126e926318f75e2bbd6ca814e2632cce8104a9d23dd1b70944f3d2cea

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
136KB

MD5
901d4ac7b60baa7172319454e724cf33

SHA1
5272ac8a1dc776b0094463cf7812715a692df542

SHA256
92d3f79028917c526d8299647f9d76adc4f8f8a1187c30556496a25695146c00

SHA512
965bb1be6074345d902bb211d7cee51d6e60db3daa67cf1d421d89d19a0422a929d09ef95e5018a021a5e3bb2554a6498ca6f2c34e58448b8c13aacdda093610

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
136KB

MD5
6b14aff3a28afdc4398092b089dfd427

SHA1
247dce562fbc37102784180adc3e1a8ddea20578

SHA256
3187d1205715048cb82056c72d0ec37970d3701f30911b7a1a6328791f60d15c

SHA512
32302433635b41fd7fb4f892fe9065de813391860e08bd5b3192f2b2765300627f1fd84ff1a29e950111e77213b49500b3914ef5e94f2610d8acf8d13dbb5432

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
136KB

MD5
eb4ed8d10758daa50b806f2dcd181b1a

SHA1
45ca386fe59f46db9d0103d66704b32e238741ad

SHA256
b2c5fa5716338d4d3aaf5cfdce73e4823fa223447e30b7482ef4193166debf53

SHA512
dac1899e9dd8be59cc4e66e401b4d2a59c4afed8e0cbed678bd4095d8182c22f20e9484243e5a5fc1b13d789898a186bc4c5cea1e1219e386d5915db0d2cafc3

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
136KB

MD5
c2f46cd55bddd015368cafc8cd83e2da

SHA1
bb0bd30d32981c3b2eeb9c4ff35c459dc751b041

SHA256
2d1551980add07ee4e97998c7ef6cfb706778dc8970370821864325aa4169e69

SHA512
67fd0c79643ca24283445b77caa8367ffc942c2078242a8876c209e15c167f010cd42bd63bb6505bc5e658f68f152a165810ffd5eef87cdfd2740cecd88483e1

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
136KB

MD5
935b288ba2bf91d10970fe1239fbf4d1

SHA1
f25f99d5ea127df37debbcf7960301e1687f4d00

SHA256
b8fbdf44da721245091a4a3cfbb3283d513d3f9ec7f0640e680664300bf1976b

SHA512
3570f9e7c41d05790814f0ee438c55fe67d5c1678f16068f6381763909134824b9c62816bf4fba761e8e4fd37f76e17f23bef0da298384e52944ba44fdf276e5

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
136KB

MD5
d32de7a479871dc1d83b7ba0dfa1a276

SHA1
f25f09df3aba4a8c4180916cf6f038bc82a03b01

SHA256
162844169bfa43645dbab305cd84c2e9af778b1c4e121b5d06a48a55f49ee8f1

SHA512
004d7974b44239d405e72ecca3f730468bb82ef2dd5b578ea6f4b33dde904e2cf09a4f32c2abef0cc68dfe3cdf24bcbd8587d835cd62d4885611ca2aedb5f375

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
136KB

MD5
7a071aee1d24cb6c042c5e39e046b758

SHA1
f29d6524da8897cbf5d9ad22f1067ed249da6a70

SHA256
aedc389a7f6d881e35c2fe5dcd991e2fdde46489a78189754bab3b290007c939

SHA512
c3dd8b495c805fb63334614ecd5270ebf773920352954d92f393cf177c244d504a4ec4f9f75c078c1aa2f04d66d644393cc1512e8b747b994c1506ecfcaffca1

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
136KB

MD5
d0dea21a4bd4f068aed4c4603cbff738

SHA1
95edaa22d552e886555a9ce9d848500f0d6a0782

SHA256
7e9a3eacfcbfa06fa5e43b079863bc1e2a8349b51cc2a31a3cf32ac1b8fa67b0

SHA512
5ad9c5e17ae42b83f827eb0961746f32f8bc41c2296c7892637cb8185c7b3f0143754a3e638a380f7a0c8d95083d89004380f4a79766b9eb2400d6ac519998d2

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
136KB

MD5
2fbcfc7c2261f587afbccfb9fade1ff7

SHA1
dae230914d555c65a475549adfd170d999bc8c99

SHA256
3350d4d7afb9c276d211443a01dfe3a7f5aa29037f9a6fb399d64e05de28af80

SHA512
5ca5d938c392da05ef96546e3d869d5ed9bf6148403f0f6be6435fb0398877b0717142a7e40cce67799c54bf9583f85ff98317a06c1a07a941f4f9d979f70bfd

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
136KB

MD5
a8ea5dac3f798624bb9bfb69d57435e9

SHA1
04fb3d850af0a2e1b4e35085ba1ccc8c137d7e4d

SHA256
d4779811f2e5fff6c2b85ca910d645a65c99d0b77de2a0d602458607ea2719f2

SHA512
e4a00c95e5362c0561299c8ec60a761bdd1160783c5b09c16508f1ce17d31d44980e85aebcfbdfed7c851dbe156d9e5ff799945b3254289995c57b208d05f6bf

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
136KB

MD5
6e4d9fbe916ab211b69350c8b5295226

SHA1
bc3755323cc7eb5c6bef202743045c551fc40d26

SHA256
cd701127df5cc952929d5cefc466ef626546584f651b4653642eeb66f894d7a7

SHA512
e895ee07985deea2658ebe094ac9a0c4ac537f645955659fae97c6f8742bd4d2dbcce0b6121bd43d3c568905be9df5459460fe4297a8d12365994866f6c97e65

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
136KB

MD5
6017519e39c25aadbf9351d20e1def2c

SHA1
e6ceb8ae95b5371064429a2d4d50df8264c3bac4

SHA256
5e1bd1fe96ba61c5a447422ed137ab7349cdb63a482e1635d2a69717b4b1eead

SHA512
01b578d143ffeb606c713dec352bd4932095656bda898e0f03a13ef80e4cad45d73833ecb31bb5c004eeb3897804481313248ce813f2b24a78e4ecc65e43dd0c

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
136KB

MD5
a599693b069e0b26f6c6ef1617f6296a

SHA1
36369d46d0a0919d38825f96207f780b5e16dbd2

SHA256
95354d23b7ebe0d64dd1f387d4e7e92d392c4a3cdbee2d82f69e015b041ae396

SHA512
95fdc640c3a85ed89e1ed386e88e969728af79d675392cfc47f908069394657154a4e9aaddb9873fe7ca2bd67a3ee8f5e41d2fe12eeb6fdaf1ea34708c390ed9

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
136KB

MD5
5f8c5f7186b230771899124366aec71b

SHA1
6dbfda899dcb1d171db3cb6f64c7879aa53547d4

SHA256
92d76d355f9eccf07fc42981093ec0198ab84f0afd3272194af52884d3f0b21f

SHA512
1a2e212a0b747b0065b9ed3725286e14a1381bea5435f04df146a35524a5f296feeab67f95a8176bfedd2dd6e70a8cf3fe91eb715da4464911c5158620ce8dcf

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
136KB

MD5
910d756304005d2873e4c1720c8d7ce4

SHA1
f12b06717746f0846483f690a4fca384421f1ae7

SHA256
231e9c7b36f2c269b30692499f7b9573aa15142c440672d92badf2e27fdc2972

SHA512
f30c047539513e1783b000b8e0f0678cd6d550a9c0da06be5adc9678a02fcaca38e1794cab0686d5abb88690fa06782f3ae9e5d44765560876d3b18d91412897

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
136KB

MD5
6472172f2aae29ccea904f468b2f6b8f

SHA1
bc48850e57a736254922a5d636a987e1c83530b0

SHA256
f01319abf64ae301670fa0e804041f229b5325e628df62881f3fc4aa9d71f28a

SHA512
9df5c7a70d19ce5deaa58fadf0d29a23fa56c7bf3f56195f7bd553890489f2b71ab168e0dba91335ac6b8426397fde024e498e14affd30570d3cff95f728bf4b

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
136KB

MD5
fb877594d4221fc762b0c828b9dd054e

SHA1
0087f046f278304c7a7926908e2ab3115bf1107d

SHA256
42d737b76bd1320bcbcc20f4b718547ec7c89dfcc7782565322e3c2d20abb008

SHA512
af919b24a7979946b12c2662a4c721f82dee0a1ba4bc60d4a504e49570b0e58ed6e19b1f822c2d90956cab8d5c1e86d00596237ca9e705a3accc909f18ecb607

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
136KB

MD5
bce13ee90704da112e4a37463fdc96a6

SHA1
c52f3b334daf8e905fc512f39de8738a8753f67b

SHA256
27b86795ca89e242cd7f8aa0a01fc066db6bcfdec1f74fccaffd76959cf9b7cd

SHA512
cfeb343a25dd8d11927023b60eb20be289480a748a96e9362cd756c4206177e3d34257d9fed979c41a0592590c911c4c5668e8acfe614e316a5aa6ad5ce2648a

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
136KB

MD5
2c7d700fcb088e1744507dde4c953f57

SHA1
fb3833af13508bd0d8c6f7db2b93423d0cda9d0f

SHA256
e1ca14d0b0b40fadcfbb5301627dee2c1ad9a3a42d17fd81073dc1ae9b854ba3

SHA512
524fbed2a33b33d63d56b197bce11d9d71b092346c66c4ed81d1749a25ede407cb662c39002ea38c9e0b65401ff774cef7a3c4799a8720879a6181dfd5fbb788

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
136KB

MD5
8adf9c16b63d52012c7cbca8c465d3e6

SHA1
29c8fd009c6b998137b40633d37da766cda32cef

SHA256
9dde42e7592515b84ac059ed04e72e5cdedde69416fab742060d79702e3468d5

SHA512
ea30bbfcd3900b3b93a58725f1d1832426324aabbaf1fd96dab1f2b156940ea527749e03e3543e21b206930c629b0882540342e3ef85bebfbb2b944140ed7ee3

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
136KB

MD5
9e5038da1b98b98406a95c0c1156fcee

SHA1
c0dda1bc3c1f11da8d57d2e9b445f1687fd6f998

SHA256
283e5981336de94b5d5f026f782e9357607a8bdd4ec0b9a7db281836d6f14cbb

SHA512
950d75dcb02b0c7ab45bfdb4a2f02117e72e7fd6d8afffca57ce11be863f75f2a6240de352a753da8d522bb5b3d12528b83faab7e6f6c7bf861700b612765d8d

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
136KB

MD5
81dfd6ffef6c038e003b8f536fb1b0a7

SHA1
732529eb9a1ac8541cb68a6129f9e4d5f11631e5

SHA256
682ce722120024eade2d454074118d3a95e32740579e7fe38540b80fc456125d

SHA512
e41167712e498b9a43a22d149511efcd6b975ce0e5339bc5653f403926fa3fe25390801665c0d01c045e5124d66d83e30d33ba42cd3a7538b93ce20fce27d2da

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
136KB

MD5
cb831fee345391f0df68eefb5d6c7b2a

SHA1
714f3fd8d9b5850f737608c2aeb22dd63ddfad35

SHA256
24d213a1661526f6f81aff1fc0da1f1101277f6f9b6f312f2808c5350b533258

SHA512
1594e19dcfdbf4f248aec1df68d6c4260356221d29e486a0c2ae9febca91060adae7f3196c7b395f3c438deb5129f63588f8e75e34db5878315a3636d51cbb0f

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
136KB

MD5
4b12b24fea45caecff6be3154b866705

SHA1
608d96fc93abd6666b9aac54e675cffcebac8d55

SHA256
46f0c32a5af8d15c43f4323d25d6f2a6c22dad1785aa690c88fa5d5c53be53a1

SHA512
5bbd02716cfd2b1458edb63092364b624683cd7a19dec9253996b6972058f5729f384e53eb83ea218398beb8fea72194d02fd085ece566a7fa0674d6bef62074

Download Submit
C:\Windows\SysWOW64\Qfiapa32.dll

Filesize
7KB

MD5
f02137bc2ed4c19e9ec3fedd0a269250

SHA1
50540f1a26473d9866bf2b3fac8fceb32d15ad4e

SHA256
84aba4bebd3ae17dc459ee6a8749cf4d001f4faa01cdfd42a557ab0d3fb1b064

SHA512
1c6f702e32070361233516f7c47736a39b8caa581a58e2dee01753ba11a7878d3eb17b03afaaa0a4803c342bdb19d754a547df4f66880953f054f734c3ae440b

Download Submit
memory/680-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4100-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5240-1128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5324-1126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5812-1109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5980-1075-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads