cc083dacace5f3adb124d19a7f37f075fc8778c27bb3915269a70d0cda271458

Analysis

max time kernel
139s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad75a1867bf79bac0774c7a2bb3c09f3_JaffaCakes118.exe
Size

448KB
MD5

ad75a1867bf79bac0774c7a2bb3c09f3
SHA1

104f50da84a1f21e8fda6d432e77dd27c6e5cc82
SHA256

cc083dacace5f3adb124d19a7f37f075fc8778c27bb3915269a70d0cda271458
SHA512

4d890b58e2afdcc203e6fcbecbba6ad4eea046cbcf6b9ae55f16a5a86935c9b0a8b3ccff51716979b7e38b12ea2c7043f60bb58f6a98815194dd0086a46b4a7e
SSDEEP

12288:A6nTESI705kWM/9J6gqGBf/sAHZHbgdhgi:AA27pB9/f/saZUdL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ad75a1867bf79bac0774c7a2bb3c09f3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe

Executes dropped EXE 64 IoCs

pid	Process
1824	Fifdgblo.exe
3624	Fbnhphbp.exe
5028	Fmclmabe.exe
4164	Fmficqpc.exe
1180	Gfnnlffc.exe
2524	Gcbnejem.exe
1212	Giofnacd.exe
1208	Gbgkfg32.exe
4372	Gmmocpjk.exe
2080	Gfedle32.exe
436	Gcidfi32.exe
3652	Gifmnpnl.exe
2076	Gameonno.exe
2528	Hmdedo32.exe
428	Hbanme32.exe
4832	Hjhfnccl.exe
1696	Hfofbd32.exe
1992	Hmioonpn.exe
3076	Hadkpm32.exe
4308	Hbeghene.exe
3100	Hfachc32.exe
4276	Hippdo32.exe
532	Haggelfd.exe
4224	Hcedaheh.exe
508	Hfcpncdk.exe
2456	Hjolnb32.exe
3092	Hmmhjm32.exe
4980	Ipldfi32.exe
704	Icgqggce.exe
2112	Ibjqcd32.exe
672	Iffmccbi.exe
1548	Ijaida32.exe
744	Iakaql32.exe
2768	Ipnalhii.exe
3440	Icjmmg32.exe
2896	Ibmmhdhm.exe
3856	Ifhiib32.exe
5012	Iiffen32.exe
244	Imbaemhc.exe
4676	Iannfk32.exe
4712	Icljbg32.exe
1128	Ibojncfj.exe
1652	Ifjfnb32.exe
1120	Iiibkn32.exe
1528	Imdnklfp.exe
3648	Iapjlk32.exe
2568	Idofhfmm.exe
3924	Ibagcc32.exe
3912	Ijhodq32.exe
3960	Iikopmkd.exe
3144	Iabgaklg.exe
4412	Ipegmg32.exe
1300	Ibccic32.exe
2384	Ijkljp32.exe
4824	Imihfl32.exe
4540	Jaedgjjd.exe
636	Jdcpcf32.exe
3016	Jfaloa32.exe
3124	Jjmhppqd.exe
4612	Jmkdlkph.exe
2932	Jpjqhgol.exe
4256	Jbhmdbnp.exe
3416	Jfdida32.exe
4304	Jibeql32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6172	5428	WerFault.exe	235

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchnlc32.dll"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iabgaklg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1824	2692	ad75a1867bf79bac0774c7a2bb3c09f3_JaffaCakes118.exe	85
PID 2692 wrote to memory of 1824	2692	ad75a1867bf79bac0774c7a2bb3c09f3_JaffaCakes118.exe	85
PID 2692 wrote to memory of 1824	2692	ad75a1867bf79bac0774c7a2bb3c09f3_JaffaCakes118.exe	85
PID 1824 wrote to memory of 3624	1824	Fifdgblo.exe	86
PID 1824 wrote to memory of 3624	1824	Fifdgblo.exe	86
PID 1824 wrote to memory of 3624	1824	Fifdgblo.exe	86
PID 3624 wrote to memory of 5028	3624	Fbnhphbp.exe	87
PID 3624 wrote to memory of 5028	3624	Fbnhphbp.exe	87
PID 3624 wrote to memory of 5028	3624	Fbnhphbp.exe	87
PID 5028 wrote to memory of 4164	5028	Fmclmabe.exe	88
PID 5028 wrote to memory of 4164	5028	Fmclmabe.exe	88
PID 5028 wrote to memory of 4164	5028	Fmclmabe.exe	88
PID 4164 wrote to memory of 1180	4164	Fmficqpc.exe	89
PID 4164 wrote to memory of 1180	4164	Fmficqpc.exe	89
PID 4164 wrote to memory of 1180	4164	Fmficqpc.exe	89
PID 1180 wrote to memory of 2524	1180	Gfnnlffc.exe	90
PID 1180 wrote to memory of 2524	1180	Gfnnlffc.exe	90
PID 1180 wrote to memory of 2524	1180	Gfnnlffc.exe	90
PID 2524 wrote to memory of 1212	2524	Gcbnejem.exe	91
PID 2524 wrote to memory of 1212	2524	Gcbnejem.exe	91
PID 2524 wrote to memory of 1212	2524	Gcbnejem.exe	91
PID 1212 wrote to memory of 1208	1212	Giofnacd.exe	92
PID 1212 wrote to memory of 1208	1212	Giofnacd.exe	92
PID 1212 wrote to memory of 1208	1212	Giofnacd.exe	92
PID 1208 wrote to memory of 4372	1208	Gbgkfg32.exe	93
PID 1208 wrote to memory of 4372	1208	Gbgkfg32.exe	93
PID 1208 wrote to memory of 4372	1208	Gbgkfg32.exe	93
PID 4372 wrote to memory of 2080	4372	Gmmocpjk.exe	95
PID 4372 wrote to memory of 2080	4372	Gmmocpjk.exe	95
PID 4372 wrote to memory of 2080	4372	Gmmocpjk.exe	95
PID 2080 wrote to memory of 436	2080	Gfedle32.exe	96
PID 2080 wrote to memory of 436	2080	Gfedle32.exe	96
PID 2080 wrote to memory of 436	2080	Gfedle32.exe	96
PID 436 wrote to memory of 3652	436	Gcidfi32.exe	98
PID 436 wrote to memory of 3652	436	Gcidfi32.exe	98
PID 436 wrote to memory of 3652	436	Gcidfi32.exe	98
PID 3652 wrote to memory of 2076	3652	Gifmnpnl.exe	99
PID 3652 wrote to memory of 2076	3652	Gifmnpnl.exe	99
PID 3652 wrote to memory of 2076	3652	Gifmnpnl.exe	99
PID 2076 wrote to memory of 2528	2076	Gameonno.exe	100
PID 2076 wrote to memory of 2528	2076	Gameonno.exe	100
PID 2076 wrote to memory of 2528	2076	Gameonno.exe	100
PID 2528 wrote to memory of 428	2528	Hmdedo32.exe	102
PID 2528 wrote to memory of 428	2528	Hmdedo32.exe	102
PID 2528 wrote to memory of 428	2528	Hmdedo32.exe	102
PID 428 wrote to memory of 4832	428	Hbanme32.exe	103
PID 428 wrote to memory of 4832	428	Hbanme32.exe	103
PID 428 wrote to memory of 4832	428	Hbanme32.exe	103
PID 4832 wrote to memory of 1696	4832	Hjhfnccl.exe	104
PID 4832 wrote to memory of 1696	4832	Hjhfnccl.exe	104
PID 4832 wrote to memory of 1696	4832	Hjhfnccl.exe	104
PID 1696 wrote to memory of 1992	1696	Hfofbd32.exe	105
PID 1696 wrote to memory of 1992	1696	Hfofbd32.exe	105
PID 1696 wrote to memory of 1992	1696	Hfofbd32.exe	105
PID 1992 wrote to memory of 3076	1992	Hmioonpn.exe	106
PID 1992 wrote to memory of 3076	1992	Hmioonpn.exe	106
PID 1992 wrote to memory of 3076	1992	Hmioonpn.exe	106
PID 3076 wrote to memory of 4308	3076	Hadkpm32.exe	107
PID 3076 wrote to memory of 4308	3076	Hadkpm32.exe	107
PID 3076 wrote to memory of 4308	3076	Hadkpm32.exe	107
PID 4308 wrote to memory of 3100	4308	Hbeghene.exe	108
PID 4308 wrote to memory of 3100	4308	Hbeghene.exe	108
PID 4308 wrote to memory of 3100	4308	Hbeghene.exe	108
PID 3100 wrote to memory of 4276	3100	Hfachc32.exe	109

C:\Users\Admin\AppData\Local\Temp\ad75a1867bf79bac0774c7a2bb3c09f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad75a1867bf79bac0774c7a2bb3c09f3_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\Fifdgblo.exe
  C:\Windows\system32\Fifdgblo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\Fbnhphbp.exe
    C:\Windows\system32\Fbnhphbp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\SysWOW64\Fmclmabe.exe
      C:\Windows\system32\Fmclmabe.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        23⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        25⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:508
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        27⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        33⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        39⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:244
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        42⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        48⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        53⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        63⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        67⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        68⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        69⤵
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        71⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        72⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        73⤵
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        74⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        83⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        84⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        87⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        88⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        90⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        91⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        92⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        93⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        94⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        98⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        99⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        101⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        102⤵
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5072
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        104⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3156
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        108⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        110⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        112⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        113⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        115⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        122⤵
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        123⤵
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1032
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        125⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        127⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        129⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        132⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        136⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        137⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        138⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        139⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        142⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        143⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        146⤵
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4440
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        149⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 408
        150⤵
        Program crash
        
        PID:6172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5428 -ip 5428
1⤵
PID:5760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
448KB

MD5
298b323c280b3c4e513294a006bff55e

SHA1
a4f80f0c8f83a136fa15223017213fe0a98fa7b9

SHA256
77282f35c0b1be0ffe53a5357900e7689c15b78b4a97e4e6878b3d11d3082ffe

SHA512
619984973276c3e8a04237e9e9d1c7d823f3c4d167dc1943fd9bc2956b7ff1f2c98c953a5fec0f12788b28b4a200f8822d89cd262868f66f5b1a9d74105e0767

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
448KB

MD5
1a25eb48ab69ad79bc584f7c92b9209b

SHA1
a76a6ae9b61b01a3b05752e6d17a6a7aabcb9d48

SHA256
8c4c3b4d67956ef5395a51d3f935477b9c9f9c779a30ae1b9db9cfd8ef642cb9

SHA512
6bb6fe55be018ebafedcdc140b0d346928ad4385f7d06397003e133001d347ba87f0bfb8545768ab99072b5cb357076ca186ae1dabc0426b927afc777acb8d6a

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
448KB

MD5
1de065a563e5483b7a29ae549b59fb87

SHA1
100e9655c65f5e4a237988e1db21f43b81f7c69f

SHA256
ff5aca15af71448ffb7a700df566ad9bac59931c0d0d80a63e11d56e274d0507

SHA512
0bb40320a44335b4829b96583eb8fe501dfc3433b0d7fc09f1437291b2b7a0e35be212d88bfa954097bfe387133aba76a361848a023690296a9f6dbf6206f167

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
448KB

MD5
4d0570768e9388ec4a11966eeee7ce0d

SHA1
2654f3a7284a57263a9d91bb57f889153f260aa8

SHA256
161b18b5e4e0aaace58070901b043a1c562ed6940196a1c2c1089cada3baf2df

SHA512
ac705d125337df87cea70a9433eee97effc2e9845d0021b789166ea56d9486cdea9a9eafad2332f587dcfd7149c8e12361b53155cd08491aabfec51d39afa57e

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
448KB

MD5
c354e1c782d73fff36e98bf274ecdee3

SHA1
a8b19ad9acc107adf45353dbaa718fdee383ff36

SHA256
6b7a9ff7af85757bd6b7c14b366a75829ba31d0fb1cab7df3e48a066cf5085c1

SHA512
e312c31c80b61a238100170f2b5e1cd6215ab85cad92342c40319196f6f44626bef04ccc55337bda2b5ca47864fe9b63876af0befe7d69633b27ba069d68eea0

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
448KB

MD5
184483ed8e84c495ca35e2258d485ba1

SHA1
6e34cb87ff54d241c66e74d33fbd71954f59bfff

SHA256
9ae522ed0f30f5b186fec785be08e73ad258c0cd3e9173bd9148c362ad014f7f

SHA512
45f918e8368b157e15eb0b0a5e8eb6bfdb6f95718c1dbb6c669df1832eed707a893997a736829577e1873055ec10b8e8606e7cccb41c031be74d057a341f1912

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
448KB

MD5
4bfe24ba5f8acd937eadf38669e15deb

SHA1
86d09bc40e22d92512979ce0acd51f208264e239

SHA256
20798fbbc389e3f474795aa1b4abacc9c99c944142731fa04d2331000a8eef5b

SHA512
2b91fdc906ee45cc3dd5628edd62e5c5588af52101236c6fe0ee48120304414c238542ab169b46ca2106df16d98c35cfe8780881c0e05d532a1dac9213a38715

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
448KB

MD5
783f847f1b7221fe48c9e9694c9242ce

SHA1
a712b1b4c723cff37462d693314f241ed5c46361

SHA256
9a53114c9c5988663e6e6154cb2142b8eb34cd785c1fc42d5bed6e91f7cb4190

SHA512
5619254a2df3588f940ee0c1d4299f973c6a8035ae6712acf4aa8e0c437ba2afbfeca9f6adaeee82ac9719f0beb510e09be33f1ae54f72a05324b52ef2308d8b

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
448KB

MD5
4aac5ce978e2718ba55ece462e25fc2f

SHA1
88d38c318c18e2871172074f611e2efea9a39d52

SHA256
e362fad509b4d3aa7d68b898976c148ac3a3c420440009ea2063015b6f49810f

SHA512
d4f942ce8b2e83952a8849102a33cd2dd61bb71a9747b86d94840f25accd1d19dcc8b1f8271526b5fbe573226117667b924be5a6deb0597eac3f271d4c4d1ffa

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
448KB

MD5
faa7235440ff0cd1d1ece88c08fd22ab

SHA1
1b7ace2085d389ecdfe443a328da07d3dc93ec2b

SHA256
c3aabcbbb8d023289252bf863d06d48076543560d9fbfdb0f825a4b8dd7a5184

SHA512
ccafe7c9f95c2ab5d6b8e6ea39dccec13498ea9642e90c24d8cae879e149b6b0611002df306f971a3f5c8c538cff657efdef0821f2f2d2c251476ac9ad9f5f8f

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
448KB

MD5
c8fa60807c859fcd95cae651f44b47fb

SHA1
c40848a03fcebf54c5d15b5125d0f726da11143b

SHA256
e1bfa65e435724a8f7278e736c1b722640c756b528c47dd35184d157ee39b99a

SHA512
757d4a484ed951a80d0b4b57606148e9cce8f1b10c8615a4785a311967e219cd0474d334b57cfcc361506ecaacb876e779477c12f94ec66e9829def527196f02

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
448KB

MD5
d571c4c96e622d1fd353dc30da40dac7

SHA1
aa88c549e10b2f93bdded8882c5bbe700113a9f3

SHA256
b5c447579b2928ea12a4504dee4e426b41fbdde9634a8ef0a7df04a1a215bfb4

SHA512
920dd7cf7675d812d3ea8a8617c14a9d831528bc51edee25e629332d9f1e6b86b330852065c29a9e9f7fa349c2477bef256b57f81fae92e5cfa5f6a43333ceb4

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
448KB

MD5
686dcfca1232461e09b6213a7172d46e

SHA1
46570f41d268f72ec6ef1ae0f55d07f21749d772

SHA256
bc63e89e1c6d512f907ac5400be40b5a791220b1f9e223d74dceff4aa399b0e8

SHA512
8b765ce9d62b96f4a59774f62cab4c3588acb867833c45491adb1b0dafb176095e8aa82f2c02c6c4bf848f4c1f9f265e552328f0f002fc4b3a6c5c3628fe106f

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
448KB

MD5
5f4b54a23a3804845cf93ad66a07716a

SHA1
22a17e631bf7efc14f827113c136d14fc47ef787

SHA256
aab27de07683ca81edd4cb623a843c410ab97bc0f804d57390015660d5b71856

SHA512
fbba03889bc2fee63b5218cfaea3813e1ce169744f2d4cfa283917655158580b212ddc6b55a26bb124c31c99594b347b0cdc0e1cb7281600833f989ebd004b7f

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
448KB

MD5
36ec6f6fa9b456d2665f4743cd52e1b4

SHA1
503cbfea799ab4bdc8f841be05b8b04915299a04

SHA256
a5d0f68b84638af77635a1910cbcfec13600cee3af9543c61c142868d1885385

SHA512
e0363769ea264fa35560665774c394fcb42734fc26d7f9cd159ff1535f8f2acebd0ce326c4d1badb2981c5e1a6a3b5d811d899948996066611da31ba9f730041

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
448KB

MD5
b62bfb8fe283e18ec3df8fe98c10577b

SHA1
6777b298c24accd4691a1c897ce8114746cd0099

SHA256
8671215a32a85920abe4ab82c01c62c6076ac2ae07f2a1f2e5e3e63b0e5814b0

SHA512
912713c42be0f4ec9f25542c2a46a9eab6e548087efdabd8db36d2d2086e70ab61164a4cd244949b76f94171dc9f1a53c550e8d0c629d35f512af43cade3749f

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
448KB

MD5
05e3ac5976c5f7af136cd55e26f1e6a5

SHA1
aa4ad16aa07152f06960527d86ad06209ba2d5b9

SHA256
0ec670ff5515a868e8954d447946a0b7522bc1fc588b2a43c52895814b250f0b

SHA512
c823a0c5aa53fcdb38a21c4ddfe289dde21b84b80a92b47627f0ee2e2f1badafed795070901ec9b8882fa87d0130802cfdb8c08b2af0da06be1701c26913dde2

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
448KB

MD5
61953e10d1fc1f4a0142be967dcadced

SHA1
a8e237a10a5085228f947a1608ba255ff2140336

SHA256
f24cc527564446ebd28276aede4d0db611732582ef8b3a49d3782c6a59a54dc3

SHA512
5c0bddb549c9a92115e025d5352b584d89a0aeb0744366a1f16e3a6a747a6f240368d9eb22f1e245eb720754be39bb1c85216f1492fec86682c26d7266a07118

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
448KB

MD5
00b4270b885577d895a2efeaea328ec6

SHA1
ae03417315de77a6aed73f7322292dce7979c4d3

SHA256
434c87c76b3f3c963d16d777d00fa5e83ab744dde54803b6bb78646434d608ad

SHA512
cf2563526c4b1a24103812f2553fbd153b00d13d80fda23d6a4eaa5f855db7650619f0b94c1cdb36d6cf42019227cefa218213c7510238fa1e1097a54e999fc9

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
448KB

MD5
d90373fd38fd97314db5be54c5ae3f91

SHA1
80787e55b4b4ef4ac5d0697f2aa6d27204b2ef1e

SHA256
67276a7e7245c5e7f37c022b12b0d1e49806e307894a81a890fb94d382c74a0c

SHA512
f7e6e980de202671d79e5e2fea4d6739d6e2fb317fee40b863e4981e4da38bfe710d3153fa7b4236fafe9c802a517542c1d58ea31475a64c58d324ddfbe188a0

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
448KB

MD5
4b462fff5c753e338c190ef55a016c3f

SHA1
b4e0f4b284d304a81890723d7a17dc66c5799cf6

SHA256
cf97c038524f6cefd4420a50bca0dd3cc9fdb53faa5646e4396ec18d5b2e69c7

SHA512
0513648f69359ebef5131a84d67ad3b92eae07abf47cb2c33c77ae3a9ee8d52a7d4d612d193d29b9067cf482350b28acd45976725eab5a470436bd2af86e6952

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
448KB

MD5
4bc7454b92ea705ceb5010dedcef5783

SHA1
4fe4b304d3ecb9bb66fcd88b2f854cb722e7d2bb

SHA256
163d9ef29ab8ab3891cdb595294f5fc53c3f54d6a79bb7b583b2b3c444299a9c

SHA512
1e3baa2a915e68012d3dad61327e6fd9ad57a196f05c9eeac73dac365db1a2d837f1dd3fe1dc779c5f5741043c738a4ceaf4e1fa63660476313cab3c668a2485

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
448KB

MD5
1a41dfaec39b024f58cd9aff82ab63ab

SHA1
1f74fa51a5040eaf85d340b142c4d5766177bde4

SHA256
c7ff76333c740b37f61b6ee1da624410957250d08064c16ce8066e716b9c86d6

SHA512
aff2638927e4ecf3076dcbae5d904df24289a5bf39c366b903b28ad21b6b4681f119a2f0d62eb1f910a33b52074d035514cc4b2d54095d1937596d5495349584

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
448KB

MD5
92b5bb10d989b0f3bb933abe190257ec

SHA1
1ac6d926f4fd643461ef99830ab1b6f969b65935

SHA256
cbb5869ae8089d86230d6378032d5e84117eaf46f7ba28c1b002c502b57bb440

SHA512
26da016a9f747d519d4bab03969715872925622e6f9578be669b814ddca1d2e8c670332b744c995b10bcaeba2254edeb5ddd0d8d1ad7f07520180a9151319577

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
448KB

MD5
de0dd33e6f9cd28d626f17fe38dc774f

SHA1
f5a3a3e812e3b2bd82b2c40ee23e226afdc75cbd

SHA256
e083baa3d1395de346f87aef7fa91c506064e8c52aa3ac0ed98a94843d64dfab

SHA512
c221f28671ec6bdf92d88d544a5393dc4f5c441a06c7b4b1bc57277de518678e72a601892d59951dc61c97cd5dfe6295159b893fa14dc0733cc0e5e555f04a87

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
448KB

MD5
742895b511f0d522b3dc96639f94a93d

SHA1
c7872562d1129a076c39599b46e98ee2b4dcf8e2

SHA256
6b3a4e0d15d1b1996844fcf817c46fe3cf9e03839ec17904bb66356a5df26896

SHA512
dddd0a8d97a7686cb10b8994a8110b461628cedd08d95f6ffdf827aa452bd8d981f5aa9270a002e86a49b512b8b600ca74b4c8ef070aee963eb0c45df004439e

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
448KB

MD5
f8c4c04db52c7816a0863f31f97c9c58

SHA1
62b84b0cf8aab9f682a6eef0bd775fb9c7da8165

SHA256
34d771bb9c1446167979ed3413b9507d5c17b1b2d524956cd56d3bcf8fcb4001

SHA512
806d50ab69a96e7918ad5155bf3112c78947e5b1328a8b2c5fb0030cb80be2ace450f3a6c0c8be7cad1a83460e6223fa399f7e873898348dcca44e02e026ee40

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
448KB

MD5
7080f10c58297e1fc749b530185f7c35

SHA1
da72c7be3755b0718c71d0536578e3fb69502ae0

SHA256
9b0fc2e81c64076b5bce33aae085cbe2bd659dc4cbcc8cfe4f82fa8267d734d5

SHA512
82be2a907fb92e36066784437e79360aff1c3650839699082f2f10f82a94bcf4457f99768b66a3efbb1649d4e2bc99a9a6e3535e45d7365d7087d8eb0f9b5221

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
448KB

MD5
6ae80bf9d3c3cb001820e6cd22ddb844

SHA1
0906787c3b37291b626d22d13d2f3dcb7af7ea8f

SHA256
15cd090b066f8b1431331783622dc6470588196c9a2bdd03013238d6ccb81bc3

SHA512
86494019cd8db9858f661c6ccbd7bf668e9123fabf52ee4425680f1a683c3c91bcc3008e36435e2c1a2b9cd25adef5bf252d657570aa63aaacde98313755b02a

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
448KB

MD5
a7029d73b9290bfeb087f53aeb540b73

SHA1
0081cd29b740049f8f2ac5c4eb810eda4ec98f55

SHA256
05ebd71c4219f05f71eed7dbb31115a6932f7dd6b4915ee21ade506fd8ee9de0

SHA512
de50a3b6a1a222a4ce8777751018bd40066134a689fbdd562f2c4a58dfb9616227375f934fea0b50e10fdc74fbba53ecd25a2124902494a72ea60329fcf96859

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
448KB

MD5
baa82d12da09c0a03430329b9acecf83

SHA1
d288acb5e6bca6873424db21a6bc5995070d618d

SHA256
4e438f2f06a103fa7e3935a14cb51e3008d9a2adc23e26218168473c223ee251

SHA512
667364369c06cdc99ea2cb8cc12d8538cf19bcc02c3f012debf5baa7af3c5609d9e8bda8d7e0e3c608af3e422effa444a080bccfc2090654928f08ea5129c251

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
448KB

MD5
cea7296fcb43b4d795679c2f699a2904

SHA1
fda209e4bf9cf157d57d18d1ae54951471b1d0ef

SHA256
9cbd3d746da3bdf0ce9467b8982e02fdc4a187a0cf888752fd03e69d50d3cba9

SHA512
86a8ed27ff8162f44ef544561c70ffc2d5ca4c811b6b736479a9790cf65709f7b46ee6cce12a1ef4268e7228bd45f25d03973f87ab4f77ab721b3b4fbab84351

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
448KB

MD5
247d1808bcc05ad683eb512b068db63e

SHA1
55c1c79f5bae7669b125604719146a38218c2c85

SHA256
31c423e57e79a9154fe44060fd6fbc3ee7ce01e3156e179343e4de1fa777bc79

SHA512
7c0d7313b3239876acec47141667755aace845e78b395a5eb25886f580e9e7fd734e639eb00f24faa5b2e55606e38074695751b20ec3fb99dcf07b4468c94e85

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
448KB

MD5
8b775924d28ba5b38b1ee403cd0385c5

SHA1
fae37d4a7e15f7ded0a2cb5712e3acef1fac56ac

SHA256
074f76e4821862f3b396dc18433781d80ee71ade6170a2c25ee64b60791e6f0c

SHA512
c0bf6b8c5635169a9c7c969f0fcf99c5181a56aded562a5afe70e1d5ed89502971839005f0a6afea5e6c5f85d036bb95afd7d8b5a28eba252f80cbd711395403

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
448KB

MD5
20530f85a41e998aa211a172fe63d8f0

SHA1
9db14448d6b5c80e622f161378ca71a4d8c5d195

SHA256
8e56e870928ed5fa4c136939b49439b443e415edd6df3e105588de98fbb61874

SHA512
116c668628c9bdb78a58247894165d3a4b55018450de32fe50bbccf6d2547c626df7a6e8a478c3f9afc8d5b56e38ad4e81e09a7cd5b75683bf0fab1d2b602d40

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
448KB

MD5
4452b919ec2e90e6273616d50bec93ac

SHA1
30d2b73e0c3c0b1b20dd4fc35f362dbb86c6249d

SHA256
157d9f036333f85d9c7ea2fa94681a49475f1821ecd7827262be205635b75f1c

SHA512
f5f65d83ca327c1f1e6827decbcca9bb27b61027f183a09f5afffb16670f9317d0abf7e49d7691ecd6a786b90d1aab95034cc58fbbc9ca8f78b3c559d6b436f3

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
448KB

MD5
10f85c6f3139fd5638121615674481e1

SHA1
728d4361fa64703f9d40a7cf982ca6c26984cffb

SHA256
740a69cdae577b5ec57f9e5ecfadc3a9a01830d9876f47aec3fc646d674dd9aa

SHA512
63bc98af3626a397912dcd90aed44cd1a128ce20406dc03a85125302ad8de48ae28cdd6a0f998970051906304f9d04b55d965a27dcdf4d3c18126c21024fe098

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
64KB

MD5
94a0947b45846ec231f6422c89389265

SHA1
e27219fdea2711b9eea57cc94b025fcb6d2902d3

SHA256
ba33177f099a7fb4b3fd3f29a169af201a2648b0441c6d28d2852322622c147c

SHA512
38ede9d3b28c54674dc4b51a55a395d5ef8327074dfcdd9fea0de6e42d3e638bb16b7300e9965661bebe74bdbb58f614a101befefc9edd9e56323097f62de65d

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
448KB

MD5
f5cbb5f45f5ee0f056e117a176039edf

SHA1
b844f9e577e72f5418dd6123911dd96c3c2c736b

SHA256
e18550088f822e9e1e21e1a9e056dfe05fb85bb9b2b9799499c67e79f3ee94db

SHA512
a1eaa07b4485552827ff3d27943bbfb189a4a5b29033138ef8af218868a22ad38b6c684161c618a98332a9f73df8dc45f555087aa0293b86177f5fd30739dfae

Download Submit
memory/60-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/244-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/508-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/672-427-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/704-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1212-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-543-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2080-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2112-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-1027-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2456-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-421-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3416-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3440-433-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3856-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4164-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4224-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4304-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4436-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4612-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5124-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5164-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5196-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5236-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5272-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5304-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5344-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5380-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5448-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5520-588-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5552-589-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5592-590-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5624-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5660-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5740-598-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5784-604-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5824-613-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5852-1012-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5864-621-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5900-622-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5900-1049-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5944-632-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5984-634-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads