9bce5a2e3466526d5bb9f235aea5fa41288e5149c2fb50b78421a49068c3fbd0

Analysis

max time kernel
137s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Size

80KB
MD5

ead2afbe89df3d16ab79ca4714a56e67
SHA1

ab9e08b2670daabfc8a0f01b352c9be342ba6392
SHA256

9bce5a2e3466526d5bb9f235aea5fa41288e5149c2fb50b78421a49068c3fbd0
SHA512

5c8ee1a8e91ed2ff0564bb0225e1160ccd8cbd3445bb26b79e3d052b905ed61976d3d776f13ac1a414c522d07da50c228f5750ff8420fabd4a66ed8ec80c205e
SSDEEP

1536:yG/xh9KQMgy8gWhICLfGpQgIKwPN8zZ2LwS5DUHRbPa9b6i+sIk:yG/xThIaeGewcSwS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe

Executes dropped EXE 64 IoCs

pid	Process
2760	Emjjgbjp.exe
1020	Fbgbpihg.exe
4272	Fjnjqfij.exe
1536	Fqhbmqqg.exe
3292	Fokbim32.exe
2340	Fjqgff32.exe
2124	Fqkocpod.exe
2592	Fbllkh32.exe
2084	Fjcclf32.exe
3068	Fqmlhpla.exe
2456	Fopldmcl.exe
1808	Ffjdqg32.exe
1516	Fmclmabe.exe
3224	Fobiilai.exe
2272	Fjhmgeao.exe
1940	Fmficqpc.exe
1052	Gcpapkgp.exe
4576	Gfnnlffc.exe
4084	Gmhfhp32.exe
1032	Gcbnejem.exe
372	Gbenqg32.exe
4108	Gjlfbd32.exe
4104	Gmkbnp32.exe
2116	Goiojk32.exe
2136	Gbgkfg32.exe
4276	Gmmocpjk.exe
2412	Gpklpkio.exe
608	Gjapmdid.exe
1588	Gqkhjn32.exe
3636	Gcidfi32.exe
3420	Gbldaffp.exe
3336	Gifmnpnl.exe
2584	Gmaioo32.exe
3316	Hclakimb.exe
2724	Hjfihc32.exe
2764	Hihicplj.exe
4824	Hapaemll.exe
4228	Hcnnaikp.exe
4364	Hbanme32.exe
1732	Hjhfnccl.exe
1264	Hmfbjnbp.exe
4716	Hcqjfh32.exe
4768	Hjjbcbqj.exe
1436	Himcoo32.exe
2016	Hpgkkioa.exe
928	Hbeghene.exe
3672	Hjmoibog.exe
2736	Hmklen32.exe
2248	Hcedaheh.exe
4928	Hbhdmd32.exe
3264	Hibljoco.exe
2240	Haidklda.exe
4068	Icgqggce.exe
5020	Ibjqcd32.exe
3016	Iidipnal.exe
4740	Iakaql32.exe
3840	Icjmmg32.exe
1720	Ifhiib32.exe
2320	Iiffen32.exe
2036	Iannfk32.exe
2752	Icljbg32.exe
2032	Ifjfnb32.exe
4920	Ijfboafl.exe
2916	Iapjlk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hihicplj.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fobiilai.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6632	6464	WerFault.exe	259

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 2760	4704	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe	83
PID 4704 wrote to memory of 2760	4704	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe	83
PID 4704 wrote to memory of 2760	4704	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe	83
PID 2760 wrote to memory of 1020	2760	Emjjgbjp.exe	84
PID 2760 wrote to memory of 1020	2760	Emjjgbjp.exe	84
PID 2760 wrote to memory of 1020	2760	Emjjgbjp.exe	84
PID 1020 wrote to memory of 4272	1020	Fbgbpihg.exe	85
PID 1020 wrote to memory of 4272	1020	Fbgbpihg.exe	85
PID 1020 wrote to memory of 4272	1020	Fbgbpihg.exe	85
PID 4272 wrote to memory of 1536	4272	Fjnjqfij.exe	86
PID 4272 wrote to memory of 1536	4272	Fjnjqfij.exe	86
PID 4272 wrote to memory of 1536	4272	Fjnjqfij.exe	86
PID 1536 wrote to memory of 3292	1536	Fqhbmqqg.exe	87
PID 1536 wrote to memory of 3292	1536	Fqhbmqqg.exe	87
PID 1536 wrote to memory of 3292	1536	Fqhbmqqg.exe	87
PID 3292 wrote to memory of 2340	3292	Fokbim32.exe	88
PID 3292 wrote to memory of 2340	3292	Fokbim32.exe	88
PID 3292 wrote to memory of 2340	3292	Fokbim32.exe	88
PID 2340 wrote to memory of 2124	2340	Fjqgff32.exe	89
PID 2340 wrote to memory of 2124	2340	Fjqgff32.exe	89
PID 2340 wrote to memory of 2124	2340	Fjqgff32.exe	89
PID 2124 wrote to memory of 2592	2124	Fqkocpod.exe	90
PID 2124 wrote to memory of 2592	2124	Fqkocpod.exe	90
PID 2124 wrote to memory of 2592	2124	Fqkocpod.exe	90
PID 2592 wrote to memory of 2084	2592	Fbllkh32.exe	91
PID 2592 wrote to memory of 2084	2592	Fbllkh32.exe	91
PID 2592 wrote to memory of 2084	2592	Fbllkh32.exe	91
PID 2084 wrote to memory of 3068	2084	Fjcclf32.exe	92
PID 2084 wrote to memory of 3068	2084	Fjcclf32.exe	92
PID 2084 wrote to memory of 3068	2084	Fjcclf32.exe	92
PID 3068 wrote to memory of 2456	3068	Fqmlhpla.exe	93
PID 3068 wrote to memory of 2456	3068	Fqmlhpla.exe	93
PID 3068 wrote to memory of 2456	3068	Fqmlhpla.exe	93
PID 2456 wrote to memory of 1808	2456	Fopldmcl.exe	94
PID 2456 wrote to memory of 1808	2456	Fopldmcl.exe	94
PID 2456 wrote to memory of 1808	2456	Fopldmcl.exe	94
PID 1808 wrote to memory of 1516	1808	Ffjdqg32.exe	95
PID 1808 wrote to memory of 1516	1808	Ffjdqg32.exe	95
PID 1808 wrote to memory of 1516	1808	Ffjdqg32.exe	95
PID 1516 wrote to memory of 3224	1516	Fmclmabe.exe	97
PID 1516 wrote to memory of 3224	1516	Fmclmabe.exe	97
PID 1516 wrote to memory of 3224	1516	Fmclmabe.exe	97
PID 3224 wrote to memory of 2272	3224	Fobiilai.exe	98
PID 3224 wrote to memory of 2272	3224	Fobiilai.exe	98
PID 3224 wrote to memory of 2272	3224	Fobiilai.exe	98
PID 2272 wrote to memory of 1940	2272	Fjhmgeao.exe	99
PID 2272 wrote to memory of 1940	2272	Fjhmgeao.exe	99
PID 2272 wrote to memory of 1940	2272	Fjhmgeao.exe	99
PID 1940 wrote to memory of 1052	1940	Fmficqpc.exe	100
PID 1940 wrote to memory of 1052	1940	Fmficqpc.exe	100
PID 1940 wrote to memory of 1052	1940	Fmficqpc.exe	100
PID 1052 wrote to memory of 4576	1052	Gcpapkgp.exe	102
PID 1052 wrote to memory of 4576	1052	Gcpapkgp.exe	102
PID 1052 wrote to memory of 4576	1052	Gcpapkgp.exe	102
PID 4576 wrote to memory of 4084	4576	Gfnnlffc.exe	103
PID 4576 wrote to memory of 4084	4576	Gfnnlffc.exe	103
PID 4576 wrote to memory of 4084	4576	Gfnnlffc.exe	103
PID 4084 wrote to memory of 1032	4084	Gmhfhp32.exe	104
PID 4084 wrote to memory of 1032	4084	Gmhfhp32.exe	104
PID 4084 wrote to memory of 1032	4084	Gmhfhp32.exe	104
PID 1032 wrote to memory of 372	1032	Gcbnejem.exe	105
PID 1032 wrote to memory of 372	1032	Gcbnejem.exe	105
PID 1032 wrote to memory of 372	1032	Gcbnejem.exe	105
PID 372 wrote to memory of 4108	372	Gbenqg32.exe	106

C:\Users\Admin\AppData\Local\Temp\ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\Emjjgbjp.exe
  C:\Windows\system32\Emjjgbjp.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\Fbgbpihg.exe
    C:\Windows\system32\Fbgbpihg.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\Fjnjqfij.exe
      C:\Windows\system32\Fjnjqfij.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        26⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:608
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        30⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        31⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        32⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        33⤵
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        35⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        43⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        45⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        46⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        51⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        53⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        54⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        61⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        62⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        63⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4340
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        69⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        70⤵
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        71⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        72⤵
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        73⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        74⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1560
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        78⤵
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        83⤵
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        85⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        86⤵
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        87⤵
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        88⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        89⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        90⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        91⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        92⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        93⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        95⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        96⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        97⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        98⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        101⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        103⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        104⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        106⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        107⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        108⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        111⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        112⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        117⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        118⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        119⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        121⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        123⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        125⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        128⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        131⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        137⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        138⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        139⤵
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        140⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        141⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        144⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        145⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        146⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        147⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        149⤵
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        151⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        152⤵
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        155⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        156⤵
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        158⤵
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        162⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        164⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        167⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6436
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        169⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 224
        170⤵
        Program crash
        
        PID:6632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6464 -ip 6464
1⤵
PID:6588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
80KB

MD5
8f1c340870f3fa1b00fab30b6b667591

SHA1
7e6b142635ae24f03098886c6f0aa7a7db0fb703

SHA256
ac5e274c537990c6520972a67e0206d326a2ddd35a728c554c1151bfcb3ee50e

SHA512
fe5bf7d0dd632e047ce60eba33ad7f55da11714389f3734730c1d536c79def39c061abb8f0f42ae2935b7eba5993e1a1d5e1a7df7e2bccfef1c4a2a87623626f

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
80KB

MD5
4c9d1ef636198a1d7d65dbd62a9b681d

SHA1
d8c6134a498040caa2a4a1fcac84c30d061ec624

SHA256
f110b61828e45c1409b4f322a81541fbd84fc40bc3aafba0bad90d41561fc9f2

SHA512
ccc8846d3b451b8b2db653905aa284d7a08bd2402fe883f2e64b4b692b3da8ff44240be4c64de5127059fcb47d5df051f001be6e133b75e2bebaf2ec2cb1ae6a

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
80KB

MD5
7fafa37b8fec48879fa52a3b6942635e

SHA1
d6ee8c3d5f7d6bdef6b024e794cc3802dc33c1b0

SHA256
21d17a55d38580c1d6412e2565b5e666ce25861fa227dd905d53d55d702c8883

SHA512
edf0f63d1b980ee7043462556e83e191f7da0b277555aa2a8fb445db08ea493528f75350381152231dbd8044dfd1d594e7f9dce72484ffa15a78e509b7ca8e57

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
80KB

MD5
345ed681b582bfc696e44ef3f006a9bf

SHA1
9433ed25cd63ea8c8c88f465e98d5491b428c8c4

SHA256
dd5a12606a7959f0200f5ac0186e7cdd622ab4174049e8f9adadae1e8896d6b2

SHA512
3ea698ab91b19c8e40f0cf03ee0b2d7113d0110cd1bee7f80fabdb84ec4ece537730e20e6bb1874e1d380f86c6f79e3234046d1d0186773c4550218a8d7d9f5c

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
80KB

MD5
9f8143cbe6ad54d4f8d717c7ce764b57

SHA1
aa737cc9232c12aef41834b8074a377c6cab0bfa

SHA256
17065c862b6b4bd522bd602c0dd317b1a063c81b3fc5ad3750f24d989227d025

SHA512
ec7dac72c51dfdb259d828a8de79deae067fad4fb60c522ff938ac20258874f8287a8a3aede120c15adb2191b08884559204cae6c46705a18966ba01799f0866

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
80KB

MD5
8be369e637c16a0860ebeea7adb41a25

SHA1
28140b5dda7c84d6c7db569cc7036225ab939ed8

SHA256
cfbd24344098e9a8ba46d96fe8e9d4a180fd56a64230bb34e49fa21dfc647998

SHA512
4568b13f41c429d0764749c30e779d1e018ec1ae4eba72ef76be358146e187c21ec20d7ac55063f6a17447cbcd4098abddeecd5565b2ffa325721304026737ab

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
80KB

MD5
b3d4795008a0b97766768469a6b95f21

SHA1
bc8482d22339a2da1feb00367af88408743ccefa

SHA256
bbe75f5ae1b1b40d8c1f91bf2e5359694e0af70dc8b206541f8b671d942244a5

SHA512
10b063d1dbf9b8414f82509386f1d279aec1ec348db4f442217fc454c8f0ab9750c3b751563e4bcf0a8f04c5f70cdefe442bcbda466f131b3451f5782120d0f0

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
80KB

MD5
cc6e55a102150b2ee62bd7d528ebdfbb

SHA1
3b371f6ccbcb1507d4b940234b5f755576360128

SHA256
00564f91f0b57b2ec4eab5c20bcf67ab1130dc9ef17065b598d9679b889656a1

SHA512
7be225a3b1e37c17aa26bf5657dfb508becb340a2b77b65a4f1bf3072e63025af325d610c0f655a65637ab2171e2c321f1b27db85da1f0235d1e798c65d6a90d

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
80KB

MD5
65e6763948963aeb75dc6b447dd8da85

SHA1
a840757ae4f20456e81244151f7bdfa04af5e40e

SHA256
69327b7f13fabb30556c283f12c2c7d641084da6b01cf2fcf1a60808473515b5

SHA512
ac1b0f2cc3547e35be4c7a58e4b052de4b6e9d9d850353691aa12ad43d5c1e75ab7e1099adae72bb85b51d6a44c391752c9839cc174e297809a0b33e9a18e3be

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
80KB

MD5
596dc82aa32adcc043c6641c56d88934

SHA1
77e4f9e1448e82e33fbb16595378d1ba3399cae8

SHA256
fde66eb2cea06e51e27aa13d365933f737b1720d039f1bc53d3698f017bf1643

SHA512
45c7c009ac28b71c73b37a7013db0ccafcef3b94e9261ce5479d157713985fbd068fc1a5e5ec5f6b707eac9f8b330d6716181fdf588e2f8867dd3d5a74ecb508

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
80KB

MD5
7539662e4e3ea4f5795be96d70891f67

SHA1
9865f95222126e60713220e8d66b657134d710cb

SHA256
38ed8d54385be9eab0307f0fc74832add0666ed7168557131c6513903207ddb5

SHA512
6672eaaecd9a7a1f9f1e718f084e06ed3ec10428400a349207bfb45666cfe9562cf539854611779ec8ed8d2671d6b8fc08e37c16d06e21309061babf665a1b56

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
80KB

MD5
967c20369b73e29402ac19828b4cc7cb

SHA1
2c80cd33a725600e90319622e03bc1e70ffe43ae

SHA256
2922a6fc3a8de394a18ccc91ba9355c60b96818b93cca5ab207bd2bbd022fdb1

SHA512
960d0c18dd25911adcdf069ec7146a7387f9de465b50abc063e3be227e5ad5e4eed785bb94c805ce0a3a3a4671d5f99dcef2d4326df7324d52a09938a3bb404b

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
80KB

MD5
0e5aac409f9fc65e86cbf55071fc41e4

SHA1
1085c38fa7252113af44d03b6b61d0dbb5e95c81

SHA256
029af7e3255b6dd83120e498dea2a8e3560ca21dfa2b65c84e39851a7b5113d9

SHA512
69f261f64e522776eee21c62527bd6cb331e726b8061be14b7601a8cef6f00f209f87c8e94021828773bd1f8b17bacd19588bf617afb612066101c4951e9d3fa

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
80KB

MD5
1c2c502a477cc9a2193b37e905990be8

SHA1
b6f449bfba2b53ab656b8718e05d2f157d7a2147

SHA256
e8c55c63076a155b6aa33af58ea080f7a40887ef7070df1a4c45140bc53f34ce

SHA512
a96cdadaf53806a13f4b0b8e500defe3f77b95b6244c8d4ae6fcf046e853706e5226c512a9790200f631a245c269791ddf2f1267140490ef77ae5dbf38de8dba

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
80KB

MD5
4d417f57be8e155b3de839228dd693a6

SHA1
48545d63a8e2b71278b39f75d3db89bef9ad8d50

SHA256
5250499a64025992f15021f9245a74c4aa067af8f7755be03ecad8b0c34975e2

SHA512
109df1647eea968381aa3231f505ba174e569946b0885711940354977bf16786e6612dac1147fae9b890ecbce6b8c4f1d5310ef42fa00bf8e9c8c6fc7ca82c36

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
80KB

MD5
400bb25988443cc97df877a713e1433d

SHA1
75e81cc80d8f3a33a4770c2d31dd097f0e8a57f4

SHA256
5efa55334f4883a51d1885b9c2e3eedd2aa4a673c371cb1c4855cdffbc7cccb9

SHA512
1a089f96cd47727e2c7dacf1a1d43db957f257fec70ff028f2bab8fb8b93fe7294da638b3b36d074ab86133eb38d22c8976ab5d3b7b1baded9ff0e20dca96769

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
80KB

MD5
b38eb54522f9be1ae1a355e1eb4f1a07

SHA1
5f26a174086ca41b49485afd95c613095a8e3f78

SHA256
ed6eb64482bf26e3afd1c1b5450b7b2a363cd3e111a3a27f87d5935668d0bb43

SHA512
59e5000c8cf138485b4e228974b59246d135e19e8c676a805a055d897cae48bb7f3be574c83043d28896f2a3f076fa78b79a99fe4e66699e43dfb4978af27517

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
80KB

MD5
45f5d33507c927a08f692d59385726a6

SHA1
9fdf08442d70b14b8abcd02684a87de494c2b340

SHA256
9ebb1b449444e173c442aebd66b8cd9082ce37e670ae2d6c23cfce91a9e6ca41

SHA512
f87fe2d05bc64fae388b355df87802d1076aa9520fc7d8f1725a48c10f62554963ff41e721b55def2f929167a0c4091a674a6c11bdceea2db9847b4c510244a9

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
80KB

MD5
b117b1edf9dadd82cb6bf60ec9ee19dd

SHA1
14c7dcea6025279100adbdfe9da1bbbf77756575

SHA256
a39dcb87e5546d011011f71c2f316081a22e319af48aed67c7a0dd2c4fcf5c52

SHA512
4336a90349d58e7326d696247fe6ccb20c58dcac61938c37eefce5bac005c2cd491547c2745dddfb3cc556986533c149842be2c6ded36636f4b5b3102bb6ff14

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
80KB

MD5
7fe86d6cc7d04406c2835f56ff44afae

SHA1
07d7ab813cefa10ed60b4f4f0179ff52692ebb62

SHA256
c0db0d3ac8f0fdcacd778df126b10aa813c3f6295e97fc149b998b746456c5e5

SHA512
beee3ea35866cfeee9d8ae09911eb59eabbca64a0da5062db2510f2fa861a6fcb427afc143f6138ebddb1b71f4c42d1b1b93185eb418d2ae4abfb82652e716ec

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
80KB

MD5
9497a066e16d6aecae00f5f3ccc80f43

SHA1
bccc756fd4392efd79e22399e5ad61f201b3b619

SHA256
f8d6e40ed68005a726d901846c13e17fec6ae80ab6b5f8edcb95433b817390b9

SHA512
5232e1d2b21eb648f371cde3c6dababeab4063465a7276000b3876504744b82c3924fb53da2bce73c1882436533ed955335af73497983c4557b00a5767d6f3b5

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
80KB

MD5
612551ed808e7ac798c4fce20cc8706d

SHA1
19a5794a134b10b34c52fb22bc0db16a59d006fc

SHA256
f8309a0a29dc74f6982092392695e5b042de33a34bcbf86c3bdc5ac0b07162cc

SHA512
b941b50b0729e7ed29ea3cc3ce753de30a48648773204999d6bfb939672b52c85ac233de705a04b1f2d5bd20b962336a1415cc548e16a7daa48f8cecbdab31e4

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
80KB

MD5
4bc0cc4053f7a5ff44fb50b5c2696762

SHA1
e15ab4620e34b7327e55d372b2085b6a733c9aad

SHA256
e56cd919361fe68c57097e27a0adbd8901b9153aead35e7114e1cc4ae086f6b2

SHA512
8eaa2609b2aa73da4237b5d24de93ef82f82eaf0a6cee99b89d8758448b0d9766083e5d6fdc6bd5920249844092d8e7ad935af1ae352dd24c0a01beb2db1b1c5

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
80KB

MD5
ac32392d618babc4a7c0e53b2812b86f

SHA1
84ef29b59cc30b71f437df88f83ed45db339523a

SHA256
c331eb88c85b50dde71acb051308e5aa03e0ed2c7d8bb8bcaeed5d1f54161751

SHA512
05c3b81c0886d2f53819f1a6f8ff8b8a0c68a94b35c98dcbc8e9fc34d9d8eca2e36eb9bbdc869d28e75dd50958a308e1924428231c358a5c71883f1ac775965e

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
80KB

MD5
d5ffd63120e82a8d82aa4658b7b160fa

SHA1
8613212c01a583b23ef19b5f82394903994bd9e0

SHA256
0216a067d999ba6159232dba0cecb36b7fa025750d911b4dfcbce370932c0b07

SHA512
90409991b1a3e98e739d2827d4bdb36f2a049b85db6ce8a52b93451596d1ae2779f8c63a8aaf0fa7d367a77995b753a9b9396b6823b306dbbaada84215203ae9

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
80KB

MD5
3aba68fcc1d7c134732dda2d95340c5a

SHA1
b41d9f18206afe80d506da00f18ca41ca9486df0

SHA256
3de79bf212a70e3969bdc899467478bff16fce1ccf42afeeb72b53deffa26683

SHA512
9a66c44fd478642f27b478499bfccb873a2ee21fc43933ab4086866a4a722bd6ecd74ad7bc821229d3421b3195d52c99f5715398b21b77f710c5783ae89562c9

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
80KB

MD5
0030bf972a7117a8da8dd24f1d20c1a3

SHA1
f2bd8376cbf1d153c88d1ad7c30927e890c76255

SHA256
bb36f5acca11afc3be7ef1f7af175a6f4daa481b806ae5b619803f548f5be1c9

SHA512
a6c7cfdb32ca431661775704860a28904fe588f8ad00ca7f9def0c9dfcd4c8fa7182509399e9d18eae8d463ed13d3f7c438a68368e51c91944f19e99f45fd13d

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
80KB

MD5
110e43473a3080ef8ed8e9d7291a4fa4

SHA1
1ca11af92f36d3c10d84f97715f9a92f5efad562

SHA256
9d35151423e4b8c0320e5c23ccb78c4009fb641c176ab6fb014e1aed1940104d

SHA512
1c392ed3cead55b25dc80b700a2eb6893558817d6d36d535f69c85093b44408c81893d7ab541695f303012bc0306092214c579db2553e3103cd9835d92fbda99

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
80KB

MD5
2b66c077c50963f2166ef2089f0ce8f5

SHA1
8fe84e17148ec659ff783b3a1594e8db0eab30af

SHA256
853247391fa4688efe13978c041d6c47189cef1206c5a42db574d492b7d33763

SHA512
6d4322364dc7b339099c53160dd669daf61209ae4c9d83fe34e4c7d284dc3e4713391bc51ac0320c46f59133139fb16daa51173a16a3b6e94ec546fb67e29b4d

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
80KB

MD5
08a47f64b62ffdba63a270d5ad1bc1e4

SHA1
58caae856a7f680411712a335cfbef057f8d8a79

SHA256
40f1e5969139d0b18e2a8592259ad95a4d35b2c1f445339d2e2c556336a48d08

SHA512
f8516ca5fd675839857fd5b98e2ef9f7058d7323883a09404cb3029b447de5362ec8112732d5572a7f920dda35e7656574571505f367b555ce7215a3801e8d39

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
80KB

MD5
e43d08bc7f49627463a925c296c35b12

SHA1
ab9af08669194dc551115f3c9d41ec0510c1205f

SHA256
576fb3cef284748d88979ad9cbf648cee73bcf0f43781ee4207a5d1ee2593875

SHA512
71f556b4adcf0a5275cd9bb79317d3260767105c78cd5e0905307d04fb0bde693f4bcfbb6fc6fdade55612ad3395bf9804c61b7599fdfaf4493c869325da12f3

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
80KB

MD5
af9a0a1863b66b49016b0eb05f6ffb74

SHA1
47a9cd10ceb442a3334709c81848aa1d55defadc

SHA256
4a3dfdaddd34b799b3d6c1696676ed9e24d10b8e355cc368a0a544e5dd0da3b9

SHA512
81bd9d644db38bc444dd4991be076dda26dc4637335d0fa59d702cefc17b345f9280a63c3f684d3539833e08c65869c8ab0b3567fdf38db7bad0beda8846a005

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
80KB

MD5
b21c94a55303e0902e67ea16010b6916

SHA1
0e4fff45abf3f0f05d9e6e5b4583881157401890

SHA256
2e8726c1124ebeb9bc51ea2fca2316bc38063090aa3261c6b61a79a78cbf92a3

SHA512
40475e922a3be4c9e8ea2146bda4ec4d9a7f522bc822a6f01c570971152c5899dac03f03887c47973d1d848ae48fac46679cb2e48640920b97b3af5b25597abc

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
80KB

MD5
e15a24ff582646bd482e800f71683aaa

SHA1
c622d239b8b7742e4c14994216ec23fe4970788b

SHA256
a13893929b59c9b061d8ab9ef3dd6e179980e8cc6b7a88c14443a256e37a43bf

SHA512
f2efd72c0f67115305389e12c7fa7d79b1e7924db47751fc20fc49c57f16d584c70258ebb4e6dedb9d3c6e12a9c909a944137e51823e6969d25a9a104877761a

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
80KB

MD5
145a1a5db12c8f570649e11bcfb4cdfd

SHA1
67bf0902a50205cd3e60d89400474ef3317b4022

SHA256
acd1fadac278a2fdef58a67d06af5cccfe401575733b022aa2c8464a7b744f7f

SHA512
b5b6f6e1c70a2f3153502373201fe7964983da65caa4ab2ccd8e8f5d279d89c34e4e1d066a195daa5a9a937c2ade8066e5212b3b89179adbac349bcd4165dc26

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
80KB

MD5
93d577c8c5b42ba9b953276f4c43d332

SHA1
d0adfa9eba23d50b47259223470e8e95d1ee49ed

SHA256
b958a605394407f8826180bd8c75bd290b3a2b8df9fe805d6d14c6a1108593f9

SHA512
4e71c5be2f5d5357cecd8a5b20d028d7a5aa0c16f8b34b34ae1d297837de05cd2d3f3180cfa93865f4ee22f70989f7120e3235dad2b25a88a60a51ccfe6ba825

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
80KB

MD5
1d153bdddef09585068a291065c6fb98

SHA1
5cbeca3908a0a8ab4c6aaa18b3a6a8813b5e3a5a

SHA256
3dc9da7bc80552898c63114ccf86ad3c9cf2336605f66b8fc77cfcca4dc40cf1

SHA512
c667c554f8d4be1c3c2ebe8ce695641d2e77f4f3670fbbb5d450f20a774104b2361acc19733a407c4662e0accf819a4bb3f3ffb705bb052a5613aca5b3ed62a2

Download Submit
memory/372-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-470-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/608-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/816-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/928-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1020-564-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1020-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1152-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1248-577-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1264-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1516-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-101-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1940-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2016-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-439-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2084-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-597-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2136-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2272-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-93-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2736-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2916-453-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3016-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3128-591-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3192-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3224-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3264-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3336-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3400-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3420-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3612-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3636-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3880-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4064-520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4068-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4160-482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4228-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4272-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4272-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4276-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4292-489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4408-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-598-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4576-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4704-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4704-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4704-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4740-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4824-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5020-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-584-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads