5b3f200e5525cd7115ca9f5b14b145cc41e356964ee4adffac6718d98ce82dd2

Analysis

max time kernel
135s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d941470bf6a37fd2d759fe10911ab67f_JaffaCakes118.exe
Size

64KB
MD5

d941470bf6a37fd2d759fe10911ab67f
SHA1

86c5b98de658b65ee138e5ab5b55dd72692deabd
SHA256

5b3f200e5525cd7115ca9f5b14b145cc41e356964ee4adffac6718d98ce82dd2
SHA512

832722facc04f8a48a5dc5a65e78a81ab673b412ec3fcaacdf0beba69bbc0616fb478351681316e6654fff10128f26d2e060b341a408b32bb2272ea4a2e748ba
SSDEEP

1536:7zrqdDlCbQQyvRj6PWgWyRrPFW2iwTbW:7z6YbQQyvRGPLXFFW2VTbW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d941470bf6a37fd2d759fe10911ab67f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe

Executes dropped EXE 64 IoCs

pid	Process
2156	Gqkhjn32.exe
4824	Gcidfi32.exe
4624	Gfhqbe32.exe
2512	Gifmnpnl.exe
5100	Gppekj32.exe
4796	Hjfihc32.exe
3936	Hmdedo32.exe
5036	Hcnnaikp.exe
4912	Hjhfnccl.exe
2432	Hmfbjnbp.exe
4216	Hpenfjad.exe
820	Hbckbepg.exe
2648	Himcoo32.exe
4536	Hfachc32.exe
4968	Hippdo32.exe
5012	Hcedaheh.exe
60	Hfcpncdk.exe
3228	Haidklda.exe
2144	Icgqggce.exe
1436	Iidipnal.exe
4920	Iakaql32.exe
1340	Icjmmg32.exe
1204	Ifhiib32.exe
1428	Ijdeiaio.exe
4952	Ipqnahgf.exe
1496	Imdnklfp.exe
4360	Ipckgh32.exe
4876	Ijhodq32.exe
4872	Iabgaklg.exe
2720	Idacmfkj.exe
400	Iinlemia.exe
2212	Jaedgjjd.exe
3016	Jbfpobpb.exe
3320	Jmkdlkph.exe
624	Jpjqhgol.exe
4460	Jfdida32.exe
848	Jjpeepnb.exe
3596	Jfffjqdf.exe
4680	Jaljgidl.exe
220	Jdjfcecp.exe
3516	Jkdnpo32.exe
3144	Jmbklj32.exe
4264	Jpaghf32.exe
4540	Jfkoeppq.exe
4288	Jiikak32.exe
1112	Kpccnefa.exe
2032	Kbapjafe.exe
2920	Kkihknfg.exe
860	Kacphh32.exe
3236	Kbdmpqcb.exe
2404	Kkkdan32.exe
4084	Kmjqmi32.exe
2548	Kaemnhla.exe
4584	Kgbefoji.exe
3008	Kknafn32.exe
1564	Kagichjo.exe
3560	Kgdbkohf.exe
4104	Kkpnlm32.exe
3976	Kibnhjgj.exe
992	Kajfig32.exe
2336	Kpmfddnf.exe
2264	Kdhbec32.exe
2044	Kgfoan32.exe
4896	Kkbkamnl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lnepih32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5132	5928	WerFault.exe	216

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbbnj32.dll"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	d941470bf6a37fd2d759fe10911ab67f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchnlc32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2156	1668	d941470bf6a37fd2d759fe10911ab67f_JaffaCakes118.exe	85
PID 1668 wrote to memory of 2156	1668	d941470bf6a37fd2d759fe10911ab67f_JaffaCakes118.exe	85
PID 1668 wrote to memory of 2156	1668	d941470bf6a37fd2d759fe10911ab67f_JaffaCakes118.exe	85
PID 2156 wrote to memory of 4824	2156	Gqkhjn32.exe	86
PID 2156 wrote to memory of 4824	2156	Gqkhjn32.exe	86
PID 2156 wrote to memory of 4824	2156	Gqkhjn32.exe	86
PID 4824 wrote to memory of 4624	4824	Gcidfi32.exe	87
PID 4824 wrote to memory of 4624	4824	Gcidfi32.exe	87
PID 4824 wrote to memory of 4624	4824	Gcidfi32.exe	87
PID 4624 wrote to memory of 2512	4624	Gfhqbe32.exe	88
PID 4624 wrote to memory of 2512	4624	Gfhqbe32.exe	88
PID 4624 wrote to memory of 2512	4624	Gfhqbe32.exe	88
PID 2512 wrote to memory of 5100	2512	Gifmnpnl.exe	89
PID 2512 wrote to memory of 5100	2512	Gifmnpnl.exe	89
PID 2512 wrote to memory of 5100	2512	Gifmnpnl.exe	89
PID 5100 wrote to memory of 4796	5100	Gppekj32.exe	90
PID 5100 wrote to memory of 4796	5100	Gppekj32.exe	90
PID 5100 wrote to memory of 4796	5100	Gppekj32.exe	90
PID 4796 wrote to memory of 3936	4796	Hjfihc32.exe	91
PID 4796 wrote to memory of 3936	4796	Hjfihc32.exe	91
PID 4796 wrote to memory of 3936	4796	Hjfihc32.exe	91
PID 3936 wrote to memory of 5036	3936	Hmdedo32.exe	92
PID 3936 wrote to memory of 5036	3936	Hmdedo32.exe	92
PID 3936 wrote to memory of 5036	3936	Hmdedo32.exe	92
PID 5036 wrote to memory of 4912	5036	Hcnnaikp.exe	93
PID 5036 wrote to memory of 4912	5036	Hcnnaikp.exe	93
PID 5036 wrote to memory of 4912	5036	Hcnnaikp.exe	93
PID 4912 wrote to memory of 2432	4912	Hjhfnccl.exe	94
PID 4912 wrote to memory of 2432	4912	Hjhfnccl.exe	94
PID 4912 wrote to memory of 2432	4912	Hjhfnccl.exe	94
PID 2432 wrote to memory of 4216	2432	Hmfbjnbp.exe	95
PID 2432 wrote to memory of 4216	2432	Hmfbjnbp.exe	95
PID 2432 wrote to memory of 4216	2432	Hmfbjnbp.exe	95
PID 4216 wrote to memory of 820	4216	Hpenfjad.exe	96
PID 4216 wrote to memory of 820	4216	Hpenfjad.exe	96
PID 4216 wrote to memory of 820	4216	Hpenfjad.exe	96
PID 820 wrote to memory of 2648	820	Hbckbepg.exe	98
PID 820 wrote to memory of 2648	820	Hbckbepg.exe	98
PID 820 wrote to memory of 2648	820	Hbckbepg.exe	98
PID 2648 wrote to memory of 4536	2648	Himcoo32.exe	99
PID 2648 wrote to memory of 4536	2648	Himcoo32.exe	99
PID 2648 wrote to memory of 4536	2648	Himcoo32.exe	99
PID 4536 wrote to memory of 4968	4536	Hfachc32.exe	100
PID 4536 wrote to memory of 4968	4536	Hfachc32.exe	100
PID 4536 wrote to memory of 4968	4536	Hfachc32.exe	100
PID 4968 wrote to memory of 5012	4968	Hippdo32.exe	101
PID 4968 wrote to memory of 5012	4968	Hippdo32.exe	101
PID 4968 wrote to memory of 5012	4968	Hippdo32.exe	101
PID 5012 wrote to memory of 60	5012	Hcedaheh.exe	102
PID 5012 wrote to memory of 60	5012	Hcedaheh.exe	102
PID 5012 wrote to memory of 60	5012	Hcedaheh.exe	102
PID 60 wrote to memory of 3228	60	Hfcpncdk.exe	104
PID 60 wrote to memory of 3228	60	Hfcpncdk.exe	104
PID 60 wrote to memory of 3228	60	Hfcpncdk.exe	104
PID 3228 wrote to memory of 2144	3228	Haidklda.exe	105
PID 3228 wrote to memory of 2144	3228	Haidklda.exe	105
PID 3228 wrote to memory of 2144	3228	Haidklda.exe	105
PID 2144 wrote to memory of 1436	2144	Icgqggce.exe	107
PID 2144 wrote to memory of 1436	2144	Icgqggce.exe	107
PID 2144 wrote to memory of 1436	2144	Icgqggce.exe	107
PID 1436 wrote to memory of 4920	1436	Iidipnal.exe	108
PID 1436 wrote to memory of 4920	1436	Iidipnal.exe	108
PID 1436 wrote to memory of 4920	1436	Iidipnal.exe	108
PID 4920 wrote to memory of 1340	4920	Iakaql32.exe	109

C:\Users\Admin\AppData\Local\Temp\d941470bf6a37fd2d759fe10911ab67f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d941470bf6a37fd2d759fe10911ab67f_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\Gqkhjn32.exe
  C:\Windows\system32\Gqkhjn32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\Gcidfi32.exe
    C:\Windows\system32\Gcidfi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\Gfhqbe32.exe
      C:\Windows\system32\Gfhqbe32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        25⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        36⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        41⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        48⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        54⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        68⤵
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2216
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        72⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        73⤵
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4368
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        77⤵
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        79⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        81⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        87⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        90⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        93⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        94⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        95⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        99⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        105⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        107⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        108⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        109⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        111⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        112⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        114⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        122⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        123⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        124⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        128⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 400
        129⤵
        Program crash
        
        PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5928 -ip 5928
1⤵
PID:6084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
64KB

MD5
ea66e99a53a82c2709c5ccd0b6bfb65b

SHA1
f43a4caa2a20e4629495aded156201d83f4192e1

SHA256
26d3e1ae7b09496766112471e11b93784c3b594e4640073e84c701d69afea61f

SHA512
4eda0937f74e217a36e27133892253673c43eada78960fd336b357317d894f9a5c65da8ee87d0791cb3beeb1204dc9c1c02a78b7f2947c4458a6e3d3ed45a6bb

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
64KB

MD5
23be339dab2f8782cd99f47b23750b1e

SHA1
25d06941a8172587521bd9f853cca78cd92fa794

SHA256
b8b80916b5997f6465be77ceabf298b83e4c12f79814d10ce1bdc51168e69539

SHA512
2ce559b93072b37d7d390308f4bd951f46be85f4b0cc38c6fac93772b4ea3c8d6f501aa7810ac29b79d46434bbce7a979563d19f7e35842f81b8cc4c4e8223b0

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
64KB

MD5
5f7f8047b743479c13e7fc5fefcf3c2b

SHA1
d3a53e9f308fdb435785e443db2351906e6a6fec

SHA256
c5e7dc10ba64f87421c2a3ffb31f830b2e0eb03964d0df37f3229c73836f54af

SHA512
94ba6c20734b666f9a7fd69b741568b5be16c82e1910c6307104a643225841408d76065134e38340f8b4f441425a8b670c38d66c390200d5b8f8caf7b313fe87

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
64KB

MD5
dc83795bd2c58a8a85eb54463c67a01e

SHA1
68ec9a6f23cafb8050d1d9c46b616d3f72fbd751

SHA256
df56e652e0a2b49129ee25aaa0e3e3d2f381722d3737390634a0adf46b6481a7

SHA512
55b47058ca5302cf49b4cba7c6a0f9f8653f3b2b2f73f4f38935481d3de820c38663a69161383776978efdb780873d8ec121fe743a7d2f1b95f094d409086a2a

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
64KB

MD5
42ac7628f4cfefdafef3666e042c1430

SHA1
066da02c87f835f5e593c0be59eda61efe4884d1

SHA256
359d6cef456e9ac9bb037a29be0ccda6a0adc4a1c6b503d572dad9af0ac69677

SHA512
b498ad2fec2baa2b537a7d56585763638d479030d15b04be26cfea6624ea92a6c54bcb57a2adb775f2b26e592dfbda351d2078d05336f939b1b862be3f541859

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
64KB

MD5
4820568ddaf3c790902711e401fb53c7

SHA1
d1a748109f5001832f6e9dfa159df31a2a22f490

SHA256
16edca5c1f691ee17432241d106250fdd0b2661766c51a60c39ef03c3e90cf1b

SHA512
89162ef7a72ce8a7ba6e5db13a8e55b13fd1671818e91a269f0766de2081a9080a2827c2fe4f8899c9005282a1884f3a553327202dbd3cb33f41e9d3f6665aa8

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
64KB

MD5
ce02e69a33f3f30df5b8babf9b3bb1ba

SHA1
c7aa0a6985fa41c7b3e3c4b4c2af870195e830d4

SHA256
4da8b9838b0a5354bbca2341dbb858687bc34143869447d23f1907e0ec06b41a

SHA512
c44caa8acf6d3ae16b629ed5bf847253cb65d096a035cd6204aadb8ce4f6e714e6b59ca40e77c9dfdef951a889f7e1a8ca825721db2a63ab5d1eb40a882508fb

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
64KB

MD5
5e8e21eb35adb5223063edeffe3c8d11

SHA1
22bc2aa434882b4aaab2419f0d1c8f8d889707fb

SHA256
7bfe53f6cb3f8d498f1d81c84e59d7a70538833a6ed768a194bc54efe03b465d

SHA512
3348df61b8cf462795e051a0d6727e44f627c14cf782a890231873145c15d79ccd3b3b3817d94453c49ba6f5629404b0790630cf523a4d755bb895ed5c5dd601

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
64KB

MD5
4bb49279f930de94fa0ab4e564d57544

SHA1
fb9728d802ed33b06c2cd1f31bc8c8ecfa5d3666

SHA256
e1ee8cc60430e138a10c01dfe5fd5203db592a5809400cb559917a798c5d3070

SHA512
a127d100e172a7de541eebe13f46a9a4b829d0352a8614055cd6949b967ea49cfc0f0a8ff1cb44974215baff695cdb192c859ae464fd556cc901c8933f03a398

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
64KB

MD5
2e414118edb3785cfb5729464061538b

SHA1
5d0ef9d7748f08ddee8111764b2a8c996332206d

SHA256
4f9768e6b5d020e6029c6572a2400d2cb0971fad96b4401c3c66a9b4c8f8381e

SHA512
8299f5cb4c0b5b8c8e34ab8b2f6199e5265ab4108b31c870be0854c9439418fcdfe682f77071f89f8bd542c1aae463fa1cb9b6f10613bb7887437c5752451b9e

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
64KB

MD5
979be1a27cf633c4552d2963449a0347

SHA1
6e5bf7596770629526fe665c747d678f2b43c375

SHA256
e94a40dec0e488d69c2827015ff0fb20718c845924ec38833f751901fbfa57ae

SHA512
e45661c126c9e184efd513e06ef34d28c0beb0003ee68d547dd4c2268f1c57b80a7be9efbcadeeb3c6fb93d82ba7a9c439dedd49a05b698748f69473f1bbe01a

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
64KB

MD5
8a9a0a02fef458829cd72972295de841

SHA1
5dd17a57526eb77497434664a3e42eb2fc7c019b

SHA256
bea822efc96127fcbcbaafc288ac0bf72ae03ac7e1cdce548909ebf83b8f89f8

SHA512
03ddaa1ce68d975e77fc0773f341e1352b197ef35719bd0386f64a9343c3f6332d255bbaf243c2a7ed565f4a62f2d3d66c8dcbdc76bf70af27b7f36b41744005

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
64KB

MD5
07dc3235e6c0079615f945183d426252

SHA1
499ebad4c49c56ff10f9262b2e0526066c8fcfe2

SHA256
6a53443d65ab5c991e5f6e284b0ee3ce3cd0a7177da396c91a22d5cdd84f2864

SHA512
448d986f377c941b46f198552e7c35921218c391373b06bd31cce7f2ec974637d78d3a6538c8b0665177c8646cbf9d244363426e39c8f15e1236e59bfa5ed8f2

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
64KB

MD5
ed13354ce40fd8e37b6078ad7b4b0001

SHA1
b145fcbce38b0c06873061198df2a349a246bc56

SHA256
fac45204b56514b412e7144fff61bbe3c35f1b4348efcae3d2f36e4f02a1a1b6

SHA512
9d2aca716183d58c222f72cbc47493131fbf64203eab3c36c542648b0e997ec0308fa8bc875858a0e189b12fe511f61ad3bff85518d949a6962f8aa68465893b

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
64KB

MD5
5f89773da9ec45c4e2ac68745be0e024

SHA1
c4069746ef4847e7a9402ddf97cea448df17720d

SHA256
3b95ea088ff3f520a2cb0833e8634dbf29ddc3de8ba6faa8af7d2830541646c2

SHA512
ef68899e809bae5cba4434e0811588b1b430d1b678f1c25ade2969371953e6a260d17f98565edfc075da9d7ae179fda770d057d5188f638b5b0171707ac15f51

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
64KB

MD5
20d9a53b8c97c1551af1aef67fca4b2c

SHA1
a56069fc9d77cfdb9f307a1c263842d0b7d5ce3d

SHA256
51c1c9e90bca90f5aea8b0f7875f6edaa94736d1a113fb9f5f35e4b8626b467d

SHA512
95387b3d1bfdf7c39e55d19d334426675c923ce1b831c7c9db9dfe434cad61031a5ec5d64c96ccfda2f7a2331f1d691a671c135746483d41d93ea24447d13e98

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
64KB

MD5
b9562572f29698e3ee3095386c982e7c

SHA1
15dde2cfe59da7829d20cf856631de3b16ffae11

SHA256
ecf9824a7baa7aae93db77bc29387f22b8fed4c3efe037ae4f21dea1b55f2046

SHA512
013c87418e797dd425c44c5fc5e44bcf1b31cae09c183fb0bad97d91a450b163cce08b880bfbb59b19629109994b961622d3d11e634473ea62ea96ab5d6ee0da

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
64KB

MD5
122fbdd86623f648422cd70123f3f16d

SHA1
5ccf659e3e587779dc077b8824200f0bb209cd78

SHA256
209aeee95ec6e80738dfda90ba10fa5ea6d9e060bc6bb1c42e69885df184a177

SHA512
dbf561c4be611fa35f7e30c97c24b7aabfc5c17679e7e6507017017091cda17c9c1851214ab03e95f4020a8ff0cae80a9d74cf7e6f3c3cb802104bc82066999a

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
64KB

MD5
b0ded30ce2ff7a5bc81b01e3822386e2

SHA1
89771df8f716bfd52d902781f3fa5e8fb8655288

SHA256
76ae9852a4327da8fbaef5e60332c3cee44d647c3b848474541bb40a8349740f

SHA512
0d409351a366655c07ce3efcc36519a1c38a549a23d03dc5e9ba124e4482c75fdbae6a526ac958962ddaf7c95b1727e93bb4dd9f3455bb7f5944b2c4302b575a

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
64KB

MD5
0cf3a042c5044d611f7e412754003f6d

SHA1
c569602f4b52dcab3472eb2874aec5bd496a7cf7

SHA256
1631967b2d8f2522631d4c8bd517863c8705fc1758bed0007bf3fc03c3c46877

SHA512
dbc90d99d5f4333baf02c1feb713d2bed206b22492540faa3eaf90b12f3260cb8735f90d10853669446f1bb3cb922d066b50be27f0847d8e8bb9869111611ba3

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
64KB

MD5
2a7b7286b58587d0739004ab0e271148

SHA1
4d9c22fb682dcc70c3d5b424eccc02b29527a804

SHA256
32f2706a2137ac817e34134b558562a8601f056fce2b678d818feb994f9a3176

SHA512
12e5dcd9eb55edc926ce0cc578cf50d9ccb2ce53e5d586e235d91f7782b44e66499af38b965995a5a82a33d76e8deae4635661fa734b1600de6d01c23e9f0c84

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
64KB

MD5
138d5976003a6b5e1e3e69ab0b0983b5

SHA1
c52a177706385d06610e091f4f2175277d5fd91d

SHA256
3ea073367b4d82b41cef50d9f6764cdc784607a1da605718604d7c04f799c2a5

SHA512
0c7b4a03ad2bd39f9f9dea20521ec63bc861b7979620c16f022caeb4d44cfe10c9038749277904801abd525ad4b8293e971cd811833c3ce137fbb226e8ecc231

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
64KB

MD5
66f30cb7ebdcd8e90827ade214aec998

SHA1
f0cf08fb6f89e7d2b63c6aa84e9da2642f9da655

SHA256
f8efd3ddd54f5ed46d925774913725b92a51b971c93ddd4bd5f3745578496b75

SHA512
45be7ae6f60f5ad3997d6ac69bb9af336e9409cec840abdea8eb2a4b84523e10e4a86a902a779e9eb004bd956f59d988b65b760774300f955441813a931f5758

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
64KB

MD5
598977ccbd64ed8927684f17f8e90d62

SHA1
8c803fdc5029eee0452a16d6939864e53ad3774f

SHA256
484a66e5a37618e703d8b69c02a1eef7c9f8ab51e5393f057b49655d0bc95745

SHA512
171bd64e7f4840f7242870858679efdab2c31961d61a1a2087cada19c6781ec2f30af4d8be3b6ac4793f3f6ca60e5b8a2649e5889397b49163dfed23b8557937

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
64KB

MD5
18da15001b6fe478fa6d261f45e55e0b

SHA1
94a3bb7cbe0eee0ad9272a2a5b125bf808d91c48

SHA256
636f33bcd0e98b328f6f3ea098370ea46cf4dcc1ace923b853e30883453b519f

SHA512
fdbc9f6bceb6f22c8d04473e7d3ae682e007013cd075c017b1033ccde4dff7ed4984b7d9e4fb7956e8a0882fea42c79f40618a41c1d485d0fa1d1264ecc93a86

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
64KB

MD5
c3b8d15692b17fe8a2f586b6250f07a5

SHA1
678dc841dbaa83928ae440968752ed06d4a4d9bd

SHA256
1447535b25b69f3bc46997f875cafd9ce287f0f0934c42bbbf89170510adaf66

SHA512
68485ac3bdad5cc43e308e5faeaa77b111666f24678ebb7a85f0b2a39bda092b8c6b2405b1917c493efffdc3f881df8523a52370c4bd62068fb4439f09c2ba4d

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
64KB

MD5
679355ce4e2434fe894b4900507ac31f

SHA1
bb80f60cd7a160246b5719820069f92c7e1b2ac9

SHA256
a2fdc18e5d9ff3d7d764d5446cbba4442c1f816fcd38a4473c61e8171bb63e94

SHA512
b7092e1c98d037e8776127975b0785bf837c8261b73d15c70a01be3ff4ea491d575f3018dbbd7b561555e40c2aadbb7ec8023b40f575f06617d0837df65a2a53

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
64KB

MD5
19de095d61475de99bef86003e9e8af0

SHA1
4c0ef2ee7f2150953bc193cb8c96a2d5b70794aa

SHA256
fc74f7492d11ed21bf8f5bda6fb646673f766fceaf64bb5d900e997fb7ba0fbb

SHA512
31e93f595afd2fa72ff76430c7e2de39d01bd2792ae003d44d08563b59549893788f51c14ceb116e3d143b6faa6ed756082d91b0e39c1438f69e015d4dd5becf

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
64KB

MD5
44cd21186202c72c9b73701528453504

SHA1
328f2085f9617cae31cfb6c6f159ccbd6b1e6ae9

SHA256
eef438234c0139da5a6950c310d922ebe1b2df03372849421ac4cf82609aa78c

SHA512
43ed6869541444e0a7352dab487d090078035d37963837d4d1d4203edd85dc785a78281988dd78e42e00d606de7427210268eac3ad4e087809865f98d045b601

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
64KB

MD5
ed16c1a69b35fede8524dc403965fdc8

SHA1
12466aab2aced2bec6d911465645e24f93e7279e

SHA256
67e160ef6e31fb3d8a0ec2303d5964af563c16555df733581747191f8c81b656

SHA512
93f13fdb0174fad49934aec22541c3db5ed3c78368d2308440ff4064ba4ace6afbe91bfb33fddd661479daf682a23cd034153b06ca12353107b1339b5e663bf6

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
64KB

MD5
4f2578a5bd5d6f3152fab5c082f438d7

SHA1
c827faae36edb5514fd8de2cbd2abdaf216ae460

SHA256
6263f6c9222099c689fd0b0626b4989e328a1a2164be8b97245e63abd6eff6fb

SHA512
a3292349e0a0c427166895453ece855ea50adce0370b0aa0b1d9d443da6c465d7d9b35e4a34cbf85e120955fbb545575e1614d34c7859d95a1b69ec04838fb67

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
64KB

MD5
4962c57d16dd6fac8b09c49c553003c2

SHA1
4722e6111c986247f2751f7fd4b712af067e7cf1

SHA256
4676a011917f3167f60968b185be617b7c357d463a9595a1b0f19809f5ae4d73

SHA512
44fe3eff1db3c307988eca3e0064730078dfd5e4023d1f9eb220d40e57a217d6cf15ea4f935e28b2b095d8dc7e2c81661b360badb19f5a0861a0f9b4f4e51771

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
64KB

MD5
83e914dc78e33cfe140ee8f793338d3e

SHA1
fddb243dec64f9e0a238b26693d35a6cea706475

SHA256
5e9323cfad7e25cde6f783068459199611292d73a4e4273760f46fd935095eab

SHA512
b2348b6d09c3be5576031a08d624c56ff5b8c213049e4f545fdc7432a52321c2a4b63e87b17f00464d6a2e7d8086edccfe7d829c06584d337ffa03442ee07830

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
64KB

MD5
01b19e4a38fd8635577e3110e9a6b8b1

SHA1
b754ffee45a9bd855c2ec0cff30b4750a4a08e38

SHA256
c2cf99205361159a25e0ed6cc6c40775a590f46cef856a8f98e8fab88e61612a

SHA512
2aa60ed16564ba4a45a51a57a2db7f31533430b7e776e1a93a434da33207d8273925820a80ab6b6a54dc1dda878ef7a015258db18e25f831f7e87e58b6cf6d1c

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
64KB

MD5
8b07ffc712e04fbf5915a0801ee6b8e7

SHA1
4c944b84a097d137293a77d7d38778555bddea3c

SHA256
42792dd79aacf863187c3c90a6c0a3609bd04699cd255b34d24691a53923c99c

SHA512
e77a8d8d0a4e262782df7a3fdf5d600f6a41123e7544a0b566e52be2c52cbd25c68b365e7df913e145bad934a391c231d04755dc8fc708881591a505a182345a

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
64KB

MD5
0041f6a3f4531eaeace9c9d1bf7dc1e2

SHA1
59795642b4865de139912225face1c7135636f39

SHA256
b9a27a1c39d01baf2a13fe052985b251e1913b341bc0f6a4f0650067ab39bd38

SHA512
d47557d85a07e0434351e515af4935b1356b33012f30471217c69ae914e0ebbd7835da9cb31ad227f13b1f883b7ed250eae9dc105afdf368b9e2e737f1566cec

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
64KB

MD5
72b6cdf9214c70c6aaff67302016cd98

SHA1
9927ea1072d86e2ff93dc6cb44d5e28d2e29cbe0

SHA256
d19472ddabee322bb38fc6ea27485be2e0672aba856441431a0b5a52e7c09870

SHA512
46fc12eeca2ff472c16d4ef0595f0ce40ba09c480f5fb3e697fec646831e4bf1c0b142bfcea2a2eb9fa81e7aeb063239b297b924e999392823b9d9eca04a20e8

Download Submit
memory/60-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/60-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/220-332-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/220-400-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/400-342-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/400-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/624-302-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/820-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/820-192-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/848-311-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/848-379-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/860-394-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1112-373-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1204-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1340-193-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1428-206-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1428-289-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1436-175-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1496-227-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1496-303-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1668-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1668-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2032-384-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2144-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2144-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2156-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2156-12-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2212-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2212-345-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2404-407-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2432-174-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2432-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2512-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2512-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2548-420-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2648-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2648-204-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-331-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2920-391-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3008-437-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3016-356-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3016-283-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3144-413-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3144-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3228-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3228-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3236-405-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3320-359-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3320-294-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3516-343-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3596-390-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3596-318-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3936-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3936-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4084-414-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4216-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4216-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4264-357-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4288-366-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4288-436-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4360-310-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4360-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4460-372-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4460-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4536-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4536-121-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4540-363-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4540-429-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4584-431-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4624-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4624-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4680-393-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4680-325-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4796-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4796-48-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4824-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4824-19-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4872-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4872-324-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4876-317-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4876-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4912-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4912-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4920-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4920-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4952-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4952-300-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4968-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4968-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5012-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5012-231-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5036-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5036-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5100-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5100-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads