e4754a850e88395056493d13b8af02a47b8998abfe1aa1b1fb46cc6cea85ccea

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a69f42d00f22e98a52272ce8f3d26828_JaffaCakes118.exe
Size

192KB
MD5

a69f42d00f22e98a52272ce8f3d26828
SHA1

caf1b88788d6e9b6ee1b00e32bad275e47f24e36
SHA256

e4754a850e88395056493d13b8af02a47b8998abfe1aa1b1fb46cc6cea85ccea
SHA512

438b6b74dd687758c9d356ce5f5b0c32212dd4354f61be2eed557146a724e3f6d6bac1d11e99ba1e8c158256bba32606522b635131a3a20fc9a5c11fc555846b
SSDEEP

3072:dmzPhtX/mMCra0YNclZlIfceHdeRr2qOQpq3HNr5GnV54c4NthaeKU3d5vEiLqsx:ahJ/rgUfiRCqO+uNk54t3haeTFLel6ZX

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a69f42d00f22e98a52272ce8f3d26828_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe

Malware Dropper & Backdoor - Berbew 42 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0009000000023297-6.dat	family_berbew
behavioral2/files/0x0007000000023425-14.dat	family_berbew
behavioral2/files/0x0007000000023427-23.dat	family_berbew
behavioral2/files/0x0007000000023429-30.dat	family_berbew
behavioral2/files/0x000700000002342b-38.dat	family_berbew
behavioral2/files/0x000700000002342e-46.dat	family_berbew
behavioral2/files/0x0007000000023430-54.dat	family_berbew
behavioral2/files/0x0007000000023432-62.dat	family_berbew
behavioral2/files/0x0007000000023434-70.dat	family_berbew
behavioral2/files/0x0007000000023436-79.dat	family_berbew
behavioral2/files/0x0007000000023438-87.dat	family_berbew
behavioral2/files/0x000700000002343a-96.dat	family_berbew
behavioral2/files/0x000700000002343c-105.dat	family_berbew
behavioral2/files/0x000700000002343e-114.dat	family_berbew
behavioral2/files/0x0007000000023440-123.dat	family_berbew
behavioral2/files/0x0007000000023442-131.dat	family_berbew
behavioral2/files/0x0007000000023444-142.dat	family_berbew
behavioral2/files/0x0007000000023446-150.dat	family_berbew
behavioral2/files/0x0007000000023448-162.dat	family_berbew
behavioral2/files/0x000700000002344a-168.dat	family_berbew
behavioral2/files/0x000700000002344c-177.dat	family_berbew
behavioral2/files/0x000700000002344e-186.dat	family_berbew
behavioral2/files/0x0007000000023450-193.dat	family_berbew
behavioral2/files/0x0007000000023452-202.dat	family_berbew
behavioral2/files/0x0008000000023422-210.dat	family_berbew
behavioral2/files/0x0007000000023456-219.dat	family_berbew
behavioral2/files/0x0007000000023458-229.dat	family_berbew
behavioral2/files/0x000700000002345a-237.dat	family_berbew
behavioral2/files/0x000700000002345e-255.dat	family_berbew
behavioral2/files/0x0007000000023460-262.dat	family_berbew
behavioral2/files/0x0007000000023462-269.dat	family_berbew
behavioral2/files/0x0007000000023474-324.dat	family_berbew
behavioral2/files/0x0007000000023470-310.dat	family_berbew
behavioral2/files/0x00080000000233ae-522.dat	family_berbew
behavioral2/files/0x000700000002345c-246.dat	family_berbew
behavioral2/files/0x00080000000233b6-535.dat	family_berbew
behavioral2/files/0x00070000000234c0-639.dat	family_berbew
behavioral2/files/0x00070000000234c8-666.dat	family_berbew
behavioral2/files/0x00070000000234ce-685.dat	family_berbew
behavioral2/files/0x00070000000234d6-713.dat	family_berbew
behavioral2/files/0x00070000000234e0-748.dat	family_berbew
behavioral2/files/0x00070000000234e6-769.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
3496	Hfofbd32.exe
4380	Hmioonpn.exe
2992	Hccglh32.exe
4500	Hippdo32.exe
5492	Haggelfd.exe
2456	Hbhdmd32.exe
4588	Hjolnb32.exe
5292	Hmmhjm32.exe
4948	Ipldfi32.exe
4992	Ibjqcd32.exe
4760	Iidipnal.exe
4784	Iakaql32.exe
2788	Iiffen32.exe
3804	Iannfk32.exe
3996	Icljbg32.exe
3632	Ijfboafl.exe
5660	Iiibkn32.exe
4896	Iapjlk32.exe
2760	Imgkql32.exe
2376	Ipegmg32.exe
3652	Idacmfkj.exe
1208	Ifopiajn.exe
5636	Iinlemia.exe
4100	Jdcpcf32.exe
1580	Jiphkm32.exe
3140	Jdemhe32.exe
2264	Jjpeepnb.exe
2280	Jmnaakne.exe
1680	Jplmmfmi.exe
6016	Jbkjjblm.exe
964	Jfffjqdf.exe
2700	Jjbako32.exe
3524	Jidbflcj.exe
4444	Jmpngk32.exe
4360	Jpojcf32.exe
1876	Jbmfoa32.exe
5336	Jfhbppbc.exe
776	Jmbklj32.exe
5632	Jangmibi.exe
3784	Jdmcidam.exe
5000	Jbocea32.exe
2508	Jkfkfohj.exe
2884	Kpccnefa.exe
2664	Kgmlkp32.exe
1916	Kkihknfg.exe
3452	Kmgdgjek.exe
5140	Kacphh32.exe
3792	Kdaldd32.exe
3916	Kbdmpqcb.exe
1532	Kgphpo32.exe
4412	Kmjqmi32.exe
3620	Kaemnhla.exe
2360	Kdcijcke.exe
1316	Kgbefoji.exe
3788	Kknafn32.exe
5788	Kipabjil.exe
5064	Kagichjo.exe
2332	Kdffocib.exe
3172	Kgdbkohf.exe
5792	Kmnjhioc.exe
5604	Kajfig32.exe
3656	Kdhbec32.exe
4092	Kgfoan32.exe
5184	Liekmj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	a69f42d00f22e98a52272ce8f3d26828_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5692	1176	WerFault.exe	195

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	a69f42d00f22e98a52272ce8f3d26828_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3496	2876	a69f42d00f22e98a52272ce8f3d26828_JaffaCakes118.exe	83
PID 2876 wrote to memory of 3496	2876	a69f42d00f22e98a52272ce8f3d26828_JaffaCakes118.exe	83
PID 2876 wrote to memory of 3496	2876	a69f42d00f22e98a52272ce8f3d26828_JaffaCakes118.exe	83
PID 3496 wrote to memory of 4380	3496	Hfofbd32.exe	84
PID 3496 wrote to memory of 4380	3496	Hfofbd32.exe	84
PID 3496 wrote to memory of 4380	3496	Hfofbd32.exe	84
PID 4380 wrote to memory of 2992	4380	Hmioonpn.exe	85
PID 4380 wrote to memory of 2992	4380	Hmioonpn.exe	85
PID 4380 wrote to memory of 2992	4380	Hmioonpn.exe	85
PID 2992 wrote to memory of 4500	2992	Hccglh32.exe	86
PID 2992 wrote to memory of 4500	2992	Hccglh32.exe	86
PID 2992 wrote to memory of 4500	2992	Hccglh32.exe	86
PID 4500 wrote to memory of 5492	4500	Hippdo32.exe	87
PID 4500 wrote to memory of 5492	4500	Hippdo32.exe	87
PID 4500 wrote to memory of 5492	4500	Hippdo32.exe	87
PID 5492 wrote to memory of 2456	5492	Haggelfd.exe	88
PID 5492 wrote to memory of 2456	5492	Haggelfd.exe	88
PID 5492 wrote to memory of 2456	5492	Haggelfd.exe	88
PID 2456 wrote to memory of 4588	2456	Hbhdmd32.exe	89
PID 2456 wrote to memory of 4588	2456	Hbhdmd32.exe	89
PID 2456 wrote to memory of 4588	2456	Hbhdmd32.exe	89
PID 4588 wrote to memory of 5292	4588	Hjolnb32.exe	90
PID 4588 wrote to memory of 5292	4588	Hjolnb32.exe	90
PID 4588 wrote to memory of 5292	4588	Hjolnb32.exe	90
PID 5292 wrote to memory of 4948	5292	Hmmhjm32.exe	91
PID 5292 wrote to memory of 4948	5292	Hmmhjm32.exe	91
PID 5292 wrote to memory of 4948	5292	Hmmhjm32.exe	91
PID 4948 wrote to memory of 4992	4948	Ipldfi32.exe	92
PID 4948 wrote to memory of 4992	4948	Ipldfi32.exe	92
PID 4948 wrote to memory of 4992	4948	Ipldfi32.exe	92
PID 4992 wrote to memory of 4760	4992	Ibjqcd32.exe	93
PID 4992 wrote to memory of 4760	4992	Ibjqcd32.exe	93
PID 4992 wrote to memory of 4760	4992	Ibjqcd32.exe	93
PID 4760 wrote to memory of 4784	4760	Iidipnal.exe	94
PID 4760 wrote to memory of 4784	4760	Iidipnal.exe	94
PID 4760 wrote to memory of 4784	4760	Iidipnal.exe	94
PID 4784 wrote to memory of 2788	4784	Iakaql32.exe	95
PID 4784 wrote to memory of 2788	4784	Iakaql32.exe	95
PID 4784 wrote to memory of 2788	4784	Iakaql32.exe	95
PID 2788 wrote to memory of 3804	2788	Iiffen32.exe	96
PID 2788 wrote to memory of 3804	2788	Iiffen32.exe	96
PID 2788 wrote to memory of 3804	2788	Iiffen32.exe	96
PID 3804 wrote to memory of 3996	3804	Iannfk32.exe	97
PID 3804 wrote to memory of 3996	3804	Iannfk32.exe	97
PID 3804 wrote to memory of 3996	3804	Iannfk32.exe	97
PID 3996 wrote to memory of 3632	3996	Icljbg32.exe	98
PID 3996 wrote to memory of 3632	3996	Icljbg32.exe	98
PID 3996 wrote to memory of 3632	3996	Icljbg32.exe	98
PID 3632 wrote to memory of 5660	3632	Ijfboafl.exe	99
PID 3632 wrote to memory of 5660	3632	Ijfboafl.exe	99
PID 3632 wrote to memory of 5660	3632	Ijfboafl.exe	99
PID 5660 wrote to memory of 4896	5660	Iiibkn32.exe	100
PID 5660 wrote to memory of 4896	5660	Iiibkn32.exe	100
PID 5660 wrote to memory of 4896	5660	Iiibkn32.exe	100
PID 4896 wrote to memory of 2760	4896	Iapjlk32.exe	102
PID 4896 wrote to memory of 2760	4896	Iapjlk32.exe	102
PID 4896 wrote to memory of 2760	4896	Iapjlk32.exe	102
PID 2760 wrote to memory of 2376	2760	Imgkql32.exe	103
PID 2760 wrote to memory of 2376	2760	Imgkql32.exe	103
PID 2760 wrote to memory of 2376	2760	Imgkql32.exe	103
PID 2376 wrote to memory of 3652	2376	Ipegmg32.exe	104
PID 2376 wrote to memory of 3652	2376	Ipegmg32.exe	104
PID 2376 wrote to memory of 3652	2376	Ipegmg32.exe	104
PID 3652 wrote to memory of 1208	3652	Idacmfkj.exe	105

C:\Users\Admin\AppData\Local\Temp\a69f42d00f22e98a52272ce8f3d26828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a69f42d00f22e98a52272ce8f3d26828_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\Hfofbd32.exe
  C:\Windows\system32\Hfofbd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\Hmioonpn.exe
    C:\Windows\system32\Hmioonpn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SysWOW64\Hccglh32.exe
      C:\Windows\system32\Hccglh32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5492
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5292
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5660
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        27⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6016
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        38⤵
        Executes dropped EXE
        
        PID:5336
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        39⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        40⤵
        Executes dropped EXE
        
        PID:5632
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        41⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        42⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        46⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        52⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        59⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5604
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        64⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        65⤵
        Executes dropped EXE
        
        PID:5184
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        66⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        67⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        68⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        69⤵
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        72⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        74⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        76⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        78⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3516
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        83⤵
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1008
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        85⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        87⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        91⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3380
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        103⤵
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        109⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 420
        110⤵
        Program crash
        
        PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1176 -ip 1176
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceaklo32.dll

Filesize
7KB

MD5
958bb3fb06e269c9465578fe1c8f4ef9

SHA1
d7179e0923188c335e1ff48dfce413c35f216d98

SHA256
fccbde16147b9e884df77d1ccfe61a575eba0ecda7e89e5618b79dae00e4fa99

SHA512
28716b0c2c6517f9cd0f426ff464c22dc1e9785afe83d10f373914e574a16d7309632de6c0e97fad5acd409d577adacf9db3427283ab4b396befdcd3a593812c

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
192KB

MD5
ac1c19992026bb4000f993d74ffaba36

SHA1
48bc234547360394d1daddace3eac0fc5a03c50d

SHA256
27b5105720dda269091c5c6c425ad53410b379916dbee2b3d677569b23252362

SHA512
dc9896cc23836012e972083c954982ecca6b16f43378467aedb3514380b223862d198eeacda7a92b563835d252e4ecbeace405dcf4330744bad81c1a9dd847b1

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
192KB

MD5
31450ed57de16d32392b5878d3a8a2da

SHA1
c584e2ddbef27adc27d5e43e846665a08b63871b

SHA256
de80cbf5ab04198475bd0fd406f0b9c79b33ea6ab2e9e821530e6e0f90d349de

SHA512
63116cd174d347ecab34223a997cbdb1bb3fb10e3b6946fa997a6d8c30b9f2bb5965ea7ae5530f480b87e7f7c4285aeba346d79ee53943e0d6140cd3db889b8a

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
192KB

MD5
92e4688302dcfca52866258992a34025

SHA1
f61ab082b4b7a2ea14504c39ab82c0e4e1cd3271

SHA256
316146be18b9fb5a7a23101e3bc4354aee5d43c8e3d2fd81c1a0d04880fbcd63

SHA512
859d80bdbfa2f5a6d9427707fc6cb0ea18a643dae4d515bc3d7d1e986045c28aff2496b11301e536534921591121947dac21b4f2e17d435ecf2aa4b1f915e33d

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
192KB

MD5
d852931cb6eb0f499af7a7ec73e7b087

SHA1
4bb972b830f44153fb27afbc6c5d9ce3b9eb4100

SHA256
a34d4e09631bf7377bb657bf0998bd3f4618b87fd2df9507005c2ffd75c48aff

SHA512
d1040f333c07d6c750909d6ce75d87eb7dd4e1593cccbe3d3e0a0b53030d087742252b92bc0a7e6d95694a523aca30655bccfeb87f0efae98beeb4dbf592222c

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
192KB

MD5
8c5918b0d59229be40e44ebb779b19b6

SHA1
0a34d84797e0d1b3692f5b2c417a909cf00e1366

SHA256
ecb83fd65317273365794499899de406e12207199ace719b68fa64d46059896a

SHA512
b025a413e1f8704a0b3303d6f8c5f957b2a79209569ef3f5a718ce7d5ba36258611e8249ba8f1dce5a50e2af099960f9c48540985124fb3c175aed548e262114

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
192KB

MD5
bd414b4ab9f5aa7a3529254b131d2ba0

SHA1
ff75b5d2e85db1b04db5544ce136a8b8cf4b74bb

SHA256
90316019a0c36c4d46854cbaa0bbe3fe2a1f363b530780e72138bf21e48e3804

SHA512
25f98a45eea48b1c67007f62c96c103c9503966d732e0eb57b8784c1ac924d3c7d4433420e5d70aaccabe5157a8cc146efdf04a1f360c9854c3720b88c4d813c

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
192KB

MD5
90f6d51791e3a129c24bb1d27e98740e

SHA1
60e5b5f1bc07da6119037b27af420d270dcb971d

SHA256
77cde00a5dda6c6cd2189aa9f0e73fd547cb64b1eb92a3cbef018116c11d8b2e

SHA512
63aff9f5afb94005bef2c841fa5e595e4d21a8fdcc81859969ae7ca8fce111bcf8d78140d3f2ea964cfd6759bda31ef4aea10f71fe9ad5217ef1238771fd8be3

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
192KB

MD5
ed4a4e8da89c72b3f495fe73c9a25c9a

SHA1
df740851450563c15dd6e4f35dce33b692a6170c

SHA256
c96ed8477833c6397b7eccbafd03966821155c55785768905bbb0ebcf537bc99

SHA512
81cb96c3ee2e22f151d8410dfb5cc39ed187f8ae8d3612c056fd98658d4bb34a8e45cfd6732548fe1d1a34f5df8e47e03e42b556ed3396f93e01e8b8e20f6b5c

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
192KB

MD5
26f94c3b140f9cd58392b43c5f236405

SHA1
3eb4d56deda8bff4884dc2f1e5d9ca0ed0daa2fe

SHA256
1fcf8e1cd2190080fd3ac9b05f97c3025d6ba96e1bdd67dd81e205f68c4e1671

SHA512
e3f33ac43187fa4ae1167987dbf8534d8386ffccdcd5ca390c256c6d65f5cf4e15d4bf5d1d6f6a628b9654a17d4888bc22821310482c461b2bc04e98f0efe339

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
192KB

MD5
46bda285774bae0eb8571ea6c171e6c2

SHA1
69933d2ebb387ee321519df2c219acafc96df4e6

SHA256
c66a74a5010d04517e5c321d926378fbf3885a4a36a2cfede3812ec1d8c24cb9

SHA512
91852341f2af597db33ee5616fb5a6cc7bf70039786b3fb30a95d2b70f34e27520772e0b06d4d6ed4c1ea66477d9f8368a8f4e17687869a52d8b7f09a2f78128

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
192KB

MD5
684f048ea0c4e677e52d5f660edbb8e6

SHA1
a243d7744ecd199abe9d7b897911b36775cad647

SHA256
3d0c1d6c8c01ae557b2024970032413e2c47300fbd8da170f513b0a5a3f83a71

SHA512
318079b635f28c04e84fe2049c1805b58b94d1298f6ae6b537466698a434383c558cdfce1f1eaed581a5ea65f8d4983ac6955815c1908fc681f3e8d58f59de43

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
192KB

MD5
9d1a6e513d617b9fbfe4eb34b23c7549

SHA1
abd63586ccab820575f32922ba235d64af7bee46

SHA256
4fbe8821a59135e96062d428c00b9ea382f8c607d836cd6c04deffbd62e8f128

SHA512
47db40c95aaa8c87c0d86ae4690e8c31dab80645564dd46823b2532e3716934f59841d36529e9d1c30ad41fad59bcebc29979778b39259f8d111860ff79002ac

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
192KB

MD5
07242990046cff6c180148131eb1f28b

SHA1
d87da22840cfe7b90cc14132869e8fae841b0ba0

SHA256
2518db964c8aae818f92c9e6868d870531cef2546594265e93699c42f7f51764

SHA512
22b0601ced73b8088d669b04413d0a2ccb8ff149d5d5c4652db81f0f84e5ce82760398da2971b61809d95e8e9bbc72672b66ae27d95ae4e8c6db4643a464b8f9

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
192KB

MD5
30cf599fbd76c7df0313de70634afca1

SHA1
2ae9134b2ed783225d133fc16969339893385a70

SHA256
c812c0151fb4f88893518db850cf92d3af2e5e3d6d9fb4912a3771973f4b9519

SHA512
2710e53d71c2be0b0b8855a23f468711d7ea135a838cc8bd9384e7493f58a03886e601ca491690e3843c8da0c3d96ff101f94c68593ae8f7143cd869625bf959

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
192KB

MD5
0603359013440989304b5f582be0cf6e

SHA1
45992ef7b675945fee2312ebcab82dc46f0b0681

SHA256
10dc0c9d7e6861832a9b14cf360b8d962757ff55215fa54b3638705630829975

SHA512
a0ef60bff1f8aa6faf7381a27ae55d4a2ee0ca26ce88900016f5565d3a3f32e70c7ff27b4ad2cafde24e66bfad41e10c8a33f24e18d2041881a2f3c5e7ce8e4b

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
192KB

MD5
9d020e672a1457a63ab637189d7667a6

SHA1
79844b13a35bb7de7066230bdc3f67cc62f941fc

SHA256
cdeba4377d31a75399669d6b5fbb3f12b81a7ae2a4d1882a7a66c40a4cba698e

SHA512
f91943693741e2f62b93ca7fa6d1caecc5007e03c34d41d5d751906d1878aac6ab5e63c7677de0b64973823a237e7b7009a793181da8b48dba652816cb5c91bc

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
192KB

MD5
292ebd9a1021c673fdbbd3373e10cc1f

SHA1
93c1d5969e2f1214abb40ba84aeb8dc6a525acb8

SHA256
0204d7d3343f062287a1ee79693a4150216de0e343ae616e7182f5c6814b4632

SHA512
5ae4221415ef5b0ff96dbd3e392c714666f6b46d347e2adef48ebdaa12f15507bf72b4b3ab1da32906d138fe7b2acca246de329c8e5e544773fb02bc7e5dd654

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
192KB

MD5
e9297d4c56372219af16540e6ff931a2

SHA1
3eeaafc62aa52e7ec3cfa7af6b1e42b1db739928

SHA256
48a167245a3d2dc537133c8235188613b6f300b76ecfadb1b6d9f41810c94741

SHA512
248f92676eb2931e5f5a607cdf113f50295fec511c3bffe26464ccd34740a9d537f21bc6875c2f369e3c73869c2b7955e9170b8f46e36859375cdc098bf1ccc8

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
192KB

MD5
79d2b07b6215a593d729a68db24705e5

SHA1
364727ba67665e59bd5588e81b5fb0e9ef985470

SHA256
5d6c252b884b66dc9c061df82965c262ebc3e9d05efdbf856ddc07c793a00404

SHA512
32b7011d8fae6b8d515edca3fe4368823709ba317bffe1f3a886eee219e94a63e57e834bcca7e3a7d121fae7f6a396f6cef4281283e9675f7ba09c382b3f3388

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
192KB

MD5
50eecfd997110c168f729f579dc64e56

SHA1
dd14a8041d7d4cb053edbacd4be1f870645e5952

SHA256
81a1f6c126d22ac98c09d32b5f0a7f1951907cf4ee632084719db7aa0a78893e

SHA512
b760de2b94e1dd1210fde3c1b9765338082f04483e36557d53888d39d526f1d63c68533cb56ddd10403eb8738b68bfe9e4ccd709b4a1124e00b5fe00481f5eb2

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
192KB

MD5
2056804b761ee1f8902a6d34c1d1cc82

SHA1
d88eb222efb4c6c56c68d347636cfad84bf8a18f

SHA256
c3b8805e35bba7815f6ead47347bf3e1df0eb00f6e8ea6876157131049b44290

SHA512
a14bd519322c045891a54d84163cc7a7c216f81aee52057bcb86fe7cc57621f77681ae8e183d6d3a3b8898af7e544230efbeaa0834c0cb3e5771771d1255b5be

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
192KB

MD5
53df0c1d2a7332002d45ffe899dd6470

SHA1
30145d86d5755bdd52a7b89f0bb718378cbd7b48

SHA256
e8051bf95fe34b5a48a0dffb99f210fb67958134546853cbb90bf7de25385d75

SHA512
99d8a9cbf058e6a1fbd093c0678d4bbb00c46608ee59643859c206291aa0e330a51980847d72dea4f3e04ba0266ababd6c2bd20c574d3e22af10d45b784cc52d

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
192KB

MD5
f938c852989959ce9bfeb1733374436f

SHA1
5b08331e451efd08e98bdd2d7dd53ea4765bcf4e

SHA256
b806e8fe4a8172a36bd76c61543ba0b06624ee04b52ba7999fd2dad07af349f9

SHA512
183be36c0e1ab064d4fc6e3ba1cd1d29ae8d3f9070556abed07866970d17e86db222dd19e332d683a5a41e64e7f9d472c3e5f5697d3949a880ad2a06464b28b5

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
192KB

MD5
f1419427cf904ebcefd1e6dad87a5a7b

SHA1
a4e9bcf31250370bddab5b812032352250b08413

SHA256
fb79e26859b81f7c0c02199078ee539e153337d25a3fd1e035ec8c1aed4a72a5

SHA512
bf60804f582a4ee2d33a1d8d63cf0d285ecb8da903a2f6ed746b756adf4ad3c602eed5c36f2f2b7914da7b1d8cbae3cbd569539889e56c4873166ce7acc2a615

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
192KB

MD5
3005dc80cc45932f79ca9994873c8260

SHA1
f08c88e695d3b638bb9bd0652a1f5633eaa2491e

SHA256
97b8df5f626d836ad2a835446cc923fa7152956421eea63912f5c06f44820f6b

SHA512
63b194a6e7ab6fc309f40b8a6f2df81eddeaef7e58a215d84e9c23182487658db2c87c07137c7e8ac9a25aab3a11f9b2df5edcb6d9cd7dccd427f5aafb02f796

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
192KB

MD5
a4236554fa643646ba1bb8a520256408

SHA1
3559ef6a41bf72f8c092f02d639ec5970469f1e5

SHA256
77c2424f10fcceffe9708d81703b8f2ba0433e2b9625c0e772fb1f06bc6649fc

SHA512
0bc9e8375c6cf52a3ffe2aecbeac02978b6dce9a22ad43854532362e1a5e63d8d74b2408b5a8c65b1ef36c0ab138b15b8ce8e9ebe41d16b2989bb50717634cf7

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
192KB

MD5
fdaf30c78b767dfc75198eb2acd6ad79

SHA1
cbb07719792d16836dcf95dd167cd6ff8acdd044

SHA256
28c3128d52b72096eddae97a587e88a41c8db607d44ce293990734dc8382be46

SHA512
1f31c2be667ce8417c22aab0ab5bd874363d018caa9552e4d3766451adbe76bc39a42e6412ec2992d0f4358359653ed4ecdc7603a4ce9fa231a1196c87df5b62

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
192KB

MD5
e50e2ebeded5b03a801f24bc622c79dc

SHA1
5b6dd33e3b73e76c35aa98629e4bf03d302ecf64

SHA256
0485526f1eb5bf61ffc59bf5b99269c1b9aa5acd113d14a0903bef516c7310a0

SHA512
7bf5c0782316cef5092d2f1c54316c1afb18414f7dfa08439e65e4765416e8de9c6f77c7abd7469d13d1185323661754b9bc1ba245e6b1d8b85992cf9a1d9d6f

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
192KB

MD5
04e95785d652c57b8cd03d37382cfbe6

SHA1
925ffcaff198ee882f1c6f699f72d35b66e36711

SHA256
7a504da135cc9533d31d10460e798db9df521952affe0e1f26f9f04d39067d39

SHA512
95273f1cc08dda9f4db15cbd98069903a54e5ef7d2f550f0e7eb7c65876204444c599ee44ffb621d7c770b2e135f3f30c9d01554a031bb0d3f735e2c0f6596af

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
192KB

MD5
fd7a821d6371e7d91c3f04f275e3af24

SHA1
b5aa074f951eac88866df1f3b20e1ba62671f02f

SHA256
f33f90578d0f6b35cfa72206544fb7282340ceee40561805ad1c3853bd784a60

SHA512
380691d21d7da1410a8465e2aaa9de95399fd7b0dc3dd5c000f83ffc3a665f95c990430ced6608a14d9c8141ed142f95e3ac3ca913e785606348823d6a86d7a9

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
192KB

MD5
fd7d75b7d26caec68389c1c260e8dfe2

SHA1
1bad1d696ecccf0efff933d5c783e06122813263

SHA256
3833c5fd572bc670fcf1894bdd51710666618298ea360904b67753f580ccd29c

SHA512
e892771d1eb4ab3001d046dadef81c41e60d0baefde618ff67d3014445cb7379641c504b4a87e166f579a740be3fcd32083f6f5fe41c2904f17405d21245919e

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
192KB

MD5
e423f6e3af0f1848c443c98c54d263f8

SHA1
84304d279c8474bd6c36b778a08455b324ca510f

SHA256
62fbbb15e7282c265e3bf46ff133d6e5bace0701021b34f7de0d4401129e4ed0

SHA512
0956362280e97057cac59585e5c3d62502edb0fd909af72c4895ad1635f2d1f0327f3fe8c1dd127b8cd690960091ed52fbcd4c3c72d98136aa7d6e6884eafbfa

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
192KB

MD5
6aa62ddc61ffbe12bc3b85cf68b69d2d

SHA1
58b1a0dd6cb6a74107fb7f79719cb1fca5ad475d

SHA256
812c525c92c317eaa298cbb50227fd477fefcc8c9c8fba078bb0ef9d27e6d209

SHA512
cc82f430d2bfce4b2c19c9c733f999b9f32b86f49b9e8d87f73da8409c710c4b0aa1a61447656e30243b89b6b6401af6d54e063ade1059e5f8b41ccf484969f4

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
192KB

MD5
7a212dd5af552f077b106489864aa17b

SHA1
6873247ab2c124924c97df41b450685065af90d8

SHA256
69dc5867133b6f7aa5e3af45e0f7b2fd17975fa315bb545820d23a4e9a3a045a

SHA512
ef7a2bd1609e450c1b4bae7899d9d5b5efc5f1b054428f0307164d14be73b503a30a72b99f1b8a6a3fd2945ac3ba2e74434f9c61863c5696b4f1fd5bf7d48c17

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
192KB

MD5
a3fbc36f704bedac300a1d3df56ced81

SHA1
b280ef486d0eedac371b12a4538788989f85cec7

SHA256
88a642420ca5222e87c38d60a211caff9b1072e1836d86b66f8c49af4a403b5b

SHA512
c7df9e7cb69dd098a0dcd5704b99418215784dfe10033ff54705c3d175f6c7a7af29a41372bae68fdfcf1071b77c96ce968d2ca377984705bde59766782c0f0f

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
192KB

MD5
27a7d399df590dbbf15032314e22c3cc

SHA1
c7abcd6e2973e53fbbd84f3c003900d4ff026b1d

SHA256
73dd169847a2cdb67ac1cdbfed037ead80c2d61dc4398832e38b79765a04cc95

SHA512
4e5f7c1606d6f808a2ecd19e58d3514eb92b9cca0918c85d25e4e8add8a0cd531f4d5524e47453329510c1e7d1e16cf67ec55673af01b90badc8da4bc5a9a9cd

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
192KB

MD5
ece71dfdd56ced3f9f936ec64b18eb31

SHA1
7a002ebd2b27f576279123e78ffd297aee4f0995

SHA256
cac587c8504152781f5183c79af3e82c5d1074eee5635044fd07d6c7d5748200

SHA512
eeff29519a0d7989c7b6833bc238164b5ead944dc5076eb27dee1bc40917a94306a5eb94856da214a5ddcdb5cf8b4960f3b4af748cc29f335fa4c4a5caaa03da

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
192KB

MD5
7833f5b5a278b1d7a8c32d5cba6c4ed5

SHA1
13bce8c1054d60efd6728ff9899327bbbf6c34e8

SHA256
f3dabe98ba6c043f5af553d4903a9f6bb51e97054a7d7053c9084f39ffa3b366

SHA512
504e5989a5f9cae0591a7db0147ee730203e5ee58ab8bdc969943dc022d244e0bf25775945d4860ffcbc1abd1512e68bbda5376907dd4705979daedecabcf70d

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
192KB

MD5
d56b6ad92c1b5050c6a9f00eac58e177

SHA1
bbc17723a212a046a8f4ed3c26d28a306bfea9ca

SHA256
db9212e545cf000951999cbe1e77ec454db3a2f7f5e9813238a6787c93bfc8b1

SHA512
e1486827c501ef748a7f4205406cd94b19f6d4e4cea919a26538717a49d975337ecbdefb33247e8a7b221687b50c48c51747e10279e7f2062d8d61fad04c58ba

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
192KB

MD5
b681f9f113224a990e4b7c2d6959c2b4

SHA1
428972810cee6c90c9ed337520d454a8f475d698

SHA256
0b8292b7e8f432f1ebb8e23623881ffbccaec22b5ac7534d5370ea03993add80

SHA512
afc895da7b2081ab1eb84e8bb737ca00171689797b9924041ebb4ce1d3d448a0c746b0a21708741639db842a6a6eacb684cf695b8ab17aa9d4639e84ce6ce54d

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
192KB

MD5
68f3f9f3338bdfeb0df4090e8f59ad47

SHA1
2f82b479559cedcc33ef4ed5af6b084236f18d29

SHA256
349bc5231698da112608341c0334ba5d641ace813d8e9643947903a721c0c682

SHA512
ba3277423b87d92fae3112c451fd72b50f14bf08f5802ed2b8621bfeb7af6b7d2ee13de37a38a94b35c9c99ff214125499ee500f26e52989c970129d36c7aee2

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
192KB

MD5
9033cb88e658c5da09fc784eb7f1f692

SHA1
3e4980bd057585323ab76d9416fc9a8b105953fa

SHA256
59b4a725befd01664a0192970f47c0765b7f918c79b24cabe22307d85ab8ffaf

SHA512
249892c79fdc6faa3719a5fb4790e6266d5a5724130a6078e578be6b503008b7740856eebe069b843438e1d11c2d6468faea5554ccfdbe6ced61eb91369b3299

Download Submit
memory/776-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/964-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1208-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1316-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1532-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1532-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1680-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1876-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-428-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2264-230-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2264-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2280-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2280-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2332-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2360-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2508-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2760-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2760-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2788-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-221-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3172-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3452-365-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3452-438-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-93-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3524-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-469-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3784-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3788-426-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3792-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3792-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3804-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3804-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3916-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4100-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4100-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4360-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4380-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4380-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4412-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4412-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4444-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4760-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-402-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-440-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5140-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5292-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5292-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5336-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5336-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5492-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5492-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5604-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5632-389-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5632-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5636-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5636-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5660-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5660-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5788-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5792-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/6016-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads