d1f92cc0ec1f658c66ebeed78a00a1a7a639c7a07bae575b62a22ec13e78ae46

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe
Size

323KB
MD5

bdf698f665e97cc0b6c617c54f54a5b6
SHA1

cd448589622b9357d559f476cc17d6fdcefb2b7c
SHA256

d1f92cc0ec1f658c66ebeed78a00a1a7a639c7a07bae575b62a22ec13e78ae46
SHA512

908c173b21cb664907871821b67f2e5cafcb6784b61adc5a353b97e4e0841a817a1c1ed4b6d995b383f67e8734687522a29b585351bf7296c56a189e0f3c790a
SSDEEP

6144:/eoOqlljd3rKzwN8Jlljd3njPX9ZAk3fs:GojjpKXjtjP9Zt0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe

Executes dropped EXE 64 IoCs

pid	Process
2920	Eckonn32.exe
1604	Efikji32.exe
4708	Eflhoigi.exe
348	Eqalmafo.exe
1736	Ecphimfb.exe
1332	Efneehef.exe
3120	Ejlmkgkl.exe
4204	Eoifcnid.exe
4596	Ffbnph32.exe
2848	Fqhbmqqg.exe
456	Ffekegon.exe
2728	Ficgacna.exe
4272	Fbllkh32.exe
836	Fopldmcl.exe
4984	Fihqmb32.exe
4220	Fqohnp32.exe
3344	Fcnejk32.exe
3444	Fqaeco32.exe
2504	Gjjjle32.exe
3232	Gogbdl32.exe
4112	Gjlfbd32.exe
3452	Gqfooodg.exe
4880	Gcekkjcj.exe
2676	Giacca32.exe
4436	Gbjhlfhb.exe
412	Gjapmdid.exe
4336	Gpnhekgl.exe
2456	Gjclbc32.exe
800	Gmaioo32.exe
2432	Hjfihc32.exe
4452	Hpbaqj32.exe
960	Hmfbjnbp.exe
2096	Hbckbepg.exe
620	Hjjbcbqj.exe
3628	Hadkpm32.exe
3500	Hccglh32.exe
2348	Hbeghene.exe
4304	Hjmoibog.exe
680	Hmklen32.exe
4256	Hpihai32.exe
1980	Hcedaheh.exe
4932	Hjolnb32.exe
2740	Hmmhjm32.exe
3676	Haidklda.exe
2988	Icgqggce.exe
4592	Ijaida32.exe
2836	Iidipnal.exe
4476	Ipnalhii.exe
796	Ibmmhdhm.exe
4440	Ifhiib32.exe
3596	Iannfk32.exe
4168	Icljbg32.exe
2972	Ifjfnb32.exe
2268	Ijfboafl.exe
4400	Imdnklfp.exe
4316	Idofhfmm.exe
1300	Ifmcdblq.exe
3640	Iikopmkd.exe
2180	Iabgaklg.exe
4976	Ibccic32.exe
2876	Imihfl32.exe
4076	Jpgdbg32.exe
1048	Jbfpobpb.exe
672	Jmkdlkph.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ijaida32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Ejlmkgkl.exe
File opened for modification	C:\Windows\SysWOW64\Ffbnph32.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6588	6496	WerFault.exe	241

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cniohj32.dll"	Eckonn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2920	452	bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe	85
PID 452 wrote to memory of 2920	452	bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe	85
PID 452 wrote to memory of 2920	452	bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe	85
PID 2920 wrote to memory of 1604	2920	Eckonn32.exe	86
PID 2920 wrote to memory of 1604	2920	Eckonn32.exe	86
PID 2920 wrote to memory of 1604	2920	Eckonn32.exe	86
PID 1604 wrote to memory of 4708	1604	Efikji32.exe	87
PID 1604 wrote to memory of 4708	1604	Efikji32.exe	87
PID 1604 wrote to memory of 4708	1604	Efikji32.exe	87
PID 4708 wrote to memory of 348	4708	Eflhoigi.exe	88
PID 4708 wrote to memory of 348	4708	Eflhoigi.exe	88
PID 4708 wrote to memory of 348	4708	Eflhoigi.exe	88
PID 348 wrote to memory of 1736	348	Eqalmafo.exe	89
PID 348 wrote to memory of 1736	348	Eqalmafo.exe	89
PID 348 wrote to memory of 1736	348	Eqalmafo.exe	89
PID 1736 wrote to memory of 1332	1736	Ecphimfb.exe	90
PID 1736 wrote to memory of 1332	1736	Ecphimfb.exe	90
PID 1736 wrote to memory of 1332	1736	Ecphimfb.exe	90
PID 1332 wrote to memory of 3120	1332	Efneehef.exe	91
PID 1332 wrote to memory of 3120	1332	Efneehef.exe	91
PID 1332 wrote to memory of 3120	1332	Efneehef.exe	91
PID 3120 wrote to memory of 4204	3120	Ejlmkgkl.exe	92
PID 3120 wrote to memory of 4204	3120	Ejlmkgkl.exe	92
PID 3120 wrote to memory of 4204	3120	Ejlmkgkl.exe	92
PID 4204 wrote to memory of 4596	4204	Eoifcnid.exe	93
PID 4204 wrote to memory of 4596	4204	Eoifcnid.exe	93
PID 4204 wrote to memory of 4596	4204	Eoifcnid.exe	93
PID 4596 wrote to memory of 2848	4596	Ffbnph32.exe	94
PID 4596 wrote to memory of 2848	4596	Ffbnph32.exe	94
PID 4596 wrote to memory of 2848	4596	Ffbnph32.exe	94
PID 2848 wrote to memory of 456	2848	Fqhbmqqg.exe	95
PID 2848 wrote to memory of 456	2848	Fqhbmqqg.exe	95
PID 2848 wrote to memory of 456	2848	Fqhbmqqg.exe	95
PID 456 wrote to memory of 2728	456	Ffekegon.exe	96
PID 456 wrote to memory of 2728	456	Ffekegon.exe	96
PID 456 wrote to memory of 2728	456	Ffekegon.exe	96
PID 2728 wrote to memory of 4272	2728	Ficgacna.exe	97
PID 2728 wrote to memory of 4272	2728	Ficgacna.exe	97
PID 2728 wrote to memory of 4272	2728	Ficgacna.exe	97
PID 4272 wrote to memory of 836	4272	Fbllkh32.exe	98
PID 4272 wrote to memory of 836	4272	Fbllkh32.exe	98
PID 4272 wrote to memory of 836	4272	Fbllkh32.exe	98
PID 836 wrote to memory of 4984	836	Fopldmcl.exe	99
PID 836 wrote to memory of 4984	836	Fopldmcl.exe	99
PID 836 wrote to memory of 4984	836	Fopldmcl.exe	99
PID 4984 wrote to memory of 4220	4984	Fihqmb32.exe	100
PID 4984 wrote to memory of 4220	4984	Fihqmb32.exe	100
PID 4984 wrote to memory of 4220	4984	Fihqmb32.exe	100
PID 4220 wrote to memory of 3344	4220	Fqohnp32.exe	102
PID 4220 wrote to memory of 3344	4220	Fqohnp32.exe	102
PID 4220 wrote to memory of 3344	4220	Fqohnp32.exe	102
PID 3344 wrote to memory of 3444	3344	Fcnejk32.exe	103
PID 3344 wrote to memory of 3444	3344	Fcnejk32.exe	103
PID 3344 wrote to memory of 3444	3344	Fcnejk32.exe	103
PID 3444 wrote to memory of 2504	3444	Fqaeco32.exe	105
PID 3444 wrote to memory of 2504	3444	Fqaeco32.exe	105
PID 3444 wrote to memory of 2504	3444	Fqaeco32.exe	105
PID 2504 wrote to memory of 3232	2504	Gjjjle32.exe	106
PID 2504 wrote to memory of 3232	2504	Gjjjle32.exe	106
PID 2504 wrote to memory of 3232	2504	Gjjjle32.exe	106
PID 3232 wrote to memory of 4112	3232	Gogbdl32.exe	107
PID 3232 wrote to memory of 4112	3232	Gogbdl32.exe	107
PID 3232 wrote to memory of 4112	3232	Gogbdl32.exe	107
PID 4112 wrote to memory of 3452	4112	Gjlfbd32.exe	109

C:\Users\Admin\AppData\Local\Temp\bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\Eckonn32.exe
  C:\Windows\system32\Eckonn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\Efikji32.exe
    C:\Windows\system32\Efikji32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\Eflhoigi.exe
      C:\Windows\system32\Eflhoigi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:348
      - C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        28⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        30⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        37⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        39⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        43⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        49⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:796
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        59⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        66⤵
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        67⤵
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        69⤵
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        72⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        73⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2880
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        76⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        77⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        80⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        81⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        82⤵
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        83⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        84⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        85⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        87⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:944
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        89⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        90⤵
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        91⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        92⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        93⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        94⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        95⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        98⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        99⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        100⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        101⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        102⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        103⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        106⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        109⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        116⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        117⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        119⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        120⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        123⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        125⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        126⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        128⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        130⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        134⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        138⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        141⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        142⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        144⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        145⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        146⤵
        Drops file in System32 directory
        
        PID:6256
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        148⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        149⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        150⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        151⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 408
        152⤵
        Program crash
        
        PID:6588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6496 -ip 6496
1⤵
PID:6560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eckonn32.exe

Filesize
323KB

MD5
9f96089ad28fc5fc76a4340244a6c9b3

SHA1
bcf47917c50521e4837695f293461e10340f7049

SHA256
6566b37f924d4861d03947e203b8da4a8a605ff0867c05f8a4985e63e908dfa1

SHA512
87200e8c0eaa8398b808d2b58160d7e1b53f3def2c7c8c916201a57082ee857d3f2edeeaad6f8af0e880defccbd6e4cf546e9f961ba49c0e84202c8c94edf074

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
323KB

MD5
a323be8c83e68cdbea6120b7d0b9e0fe

SHA1
4aed529c41acc1bf5a4c9d7912fd08edfd8d5501

SHA256
6571d8b787b22060b023980b8c48c33ca5ce03b230ede0c05c5c728562d798bd

SHA512
f8155e2c3aacabd90abdca70c9b359730b3e1feabcbee4f2fa1d775ac6266b314cc9c66e336e83420b1a29381930e51d972a5154dfb17b3ce925d8ea9f349e82

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
323KB

MD5
bd7df46c69547544c21ac2e0e79b62a2

SHA1
424b969a522f7b0aea6c074a3a51a73990a339d0

SHA256
99576a97324c42de0163e1a8d4334e492453f56d6c20b7b2083dfe35b0cfe7c9

SHA512
44616d4b0b74794a3187926cf098c81d0f10abf62b5817278e7da01026b550630108f77f38cdf016ec3e0cbbae80fd8119e0e21495707cb0b7bd436ac749471a

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
323KB

MD5
8d4c24ea683fa6799cfdb7fa955871b6

SHA1
015458c81e71784605824514cb9dcd7e202cb8ef

SHA256
686d63c4105b541bb9eaa3c0e4b466e109629fcf6859294f8c1526382ebf1268

SHA512
31adacbeafac61fff2dfe0d3a2b9540523e00920abb550fd8abc100cd973adfc8cc2dd3c97b4862935d4e6af6136970be9eb993f9486cbfacc7e1daa919fd6cb

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
323KB

MD5
5b5d50d24c124fa1a0e4b20e7e74e511

SHA1
1cd79e6f0135c20b2a9e7d15bfdea263b23225fa

SHA256
bd61d59316270df75f5dee84f122903589f48de7e27dfd64fbb08ab93c386bb1

SHA512
474cd1da42da4cdff1dbbdc27b0e25a8c58ba4b1b71440a7e935c53c9953261b4859700c346ddb76b273260db6227cd48d8fb6cead22d8c4b6ebc855801369c8

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
323KB

MD5
171333299afd182baea4cffa7d480067

SHA1
04e6da3ee99cb47ec35d96f321e83941dc6d92e4

SHA256
0dfa2fc64bd4f430834265c52bb46ed86a79743b4eeff0c9aedc9c15640e08ac

SHA512
0d7341e045bdb96bd34962b6d298e744a48ae2bafc6d42128811530d4acfbcf1625f152f65c1f8f59072d15d6adf552b53897cf9a8ff34874d82eaa951d4c3ab

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
323KB

MD5
42d3555f4452166efb39c9322a6bb527

SHA1
a76660a03de847bc04995354adff787f5bdf635a

SHA256
0e4f212f8c5fde8897ea6bc0efa3b0c237835bd9e10191e97311914b3d206685

SHA512
43d95d429a85ddf9ae06f489536a748c845222f15a4e88d4b1b36f810f26516fd602c53f4685296dbdd41b32226279197d9ca2ad3f63bea69076d8f20e020370

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
323KB

MD5
34e6c63ad2de9fb8cf080c9ae6c6cb51

SHA1
eeceecd3e7094942634a51830b66bfcdda707ab0

SHA256
afaf241e8752befd28e117f303067ea78eb1e1eac3e0f6669f1c02f27f715af3

SHA512
fa00675b02302cdf5f97ca23a0fb604d99721ed899fa1a8fc7acad9eb2412803d54c3d474c33b86f36f89f482da22405b752a7ad0b12f94d184c2bd08766ee4c

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
323KB

MD5
6b21f2f38a5546519e2bd0cb6abd39f3

SHA1
64a47c2c6c11ec97904cd3f397e4301c7d57f4cc

SHA256
c071eb8597fa9286967f88182d814632c21c04727fb089eb26fb3d25e8dd6eed

SHA512
734b7086fed7c29238c2c240a01dd67f591e3d7cded484721d42ac944b6c213e694b52de14f68dae50db0386e9dd319ff67ad4565e8fe0a1450ff1aa00062e04

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
323KB

MD5
eeba230807f99bd54ad87407520dc411

SHA1
218f76639574240198f1ddd6a0ec19731bdedcc0

SHA256
fd8edc20e87330e5b49ceb55b7470964e86455f80c82c8d486dada4059b76295

SHA512
a35c0241b78752d28a1c96e04379cece56245e59731f20d2933bdcf462480d171462071309b11645f20ea52e21abc780d78cba805dd498fd11d345205e1ac054

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
323KB

MD5
00ffb9274bdeb0fcff9e273c9ed16d81

SHA1
7d75745770f44171d1b1f352175b4c7d9125b072

SHA256
cd9d2ea1f4b8922676c015199da6386e2ce8c33df877ee8405f4b6bba61daac5

SHA512
cf5fc96b04c8f0442c9c99dcb72527d64bf7cc08ea0f478ce45250d40b2a87c47816da147bad7bfb94e03596737521c4c13098289bcf95bb19c86d4774ee9790

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
323KB

MD5
9a2b0bccad297cc4427b030d6d551272

SHA1
55aff8370a7c4cc3b58aa29555a6d56ab63b671a

SHA256
441515611246690e1ae573b21bf852987e4f003ab2aad0b0e1ee72ade86de9f0

SHA512
ee4dc40e8acc27d40954341604684d67c59ac746f15cfafd5e6e7f153eff9fb7e8f35179c75f2d9c29b6d49526fda28875db4efc7b0cf6ddd0af3846bf945a4b

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
323KB

MD5
16e2727625b27f75319562f62e2fcb9d

SHA1
56b6c6b9b1e4917dea947c2fd0f2982105f87a35

SHA256
a78be00239e907a491a6b0af26a7ae0b8c228b5f36ff721e962037228f6da614

SHA512
abbb66e238e63f9a6631ecd63649860bab2db6d591cb8e2b70c8f6d4a6b9a05925e4a991f642a75f6e5f73f2c8ea0ba1dfa0ab2799f4e52c1868afd919f3377d

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
323KB

MD5
87cc661dcd3823878584f35b14c5b176

SHA1
3630a1c8a9721483fa819cb3b61fff4c533f39fc

SHA256
f5df57916abada8af0e48969f140600c0a5592a002effddea0d71ecf969428b2

SHA512
e0416b37a346fde6c8dcb5c76ef205550e996284afc185f23d53b62acec8e5c53c1257334f1bb3cfb7375a1e96d14da14e6b93effe4f010b638a92f797bed858

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
323KB

MD5
5d28f1dd075d5e53db1a2f5c21f50885

SHA1
beb30c6602a7f7cc7c40eff559ec059724e7eeae

SHA256
049ead35a875de41ef6f3f560a1ec4854412720dd8ba3b4628b5fd00a3416de4

SHA512
2b9e9a3ec32569df862e71bb88a77527d70098ebdf346738883f7a92839d43fb16accb8dcaf40ae3317344ba376e5c60e9c5c0e48054b5e31d2f09e0fc441fc0

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
323KB

MD5
5fd4134b3ee67935a3a44082b11ff164

SHA1
a93255b7e3bebcb0acfe5657b92fc39e7b7b21bb

SHA256
2db5c77e7fed778df1c0ea7fae69ba3dd5ec91c732e128cc41e0d0cd981e24eb

SHA512
a43d870ba1bf83fdbaa0ef7aa24a66581478b4daf12d95706124b39c3de0c76f7c7c6cf7eb6d9e56b3c4268ed2550c1a6674e22db5ef6a8e8c2c8de2741b8446

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
323KB

MD5
4b444a6dbde33a81ed25294352682071

SHA1
8de032959f854ac3a5800db4971a5fe5270026c2

SHA256
d87830ebccea0092977c3ffbe71ad8571f015a27dd94268c62e417d7d898b28c

SHA512
692a4c01b08e1d35e4ca662264dcf7d7114bab00474280ee6d904c24cb05f824f2919774b5e8947bcc893efa2c2ed7e2b7631db71db1cebbc6483d40eb567de8

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
323KB

MD5
5fe30fd554bda7f744aaba3fa949220a

SHA1
609a7d28ddcfc55711d58a1d833c1515e0ee819f

SHA256
9036b64546848ad2f5d0cc73d199b6116b0dbaf23cfabd34d2354787c1819464

SHA512
0acd6d86981452000a221c5dcef0ed99534def5ac9999d4aef382f1126a45f9a204a02619569b3d2385645945196023ce8fa82fcb7a462f94c77c5db08f209ad

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
323KB

MD5
888d96499640d65175e56fae0856767b

SHA1
696e344329637bcdaaa19c0111c4edbb5e0a45f1

SHA256
a29624e21b207b323d29c5311eab07f1e1a70a27b8c92ecf5625aba67b50661e

SHA512
667e0db6daa3aec12d6dd643a80754e7c8e9255067239f05bd0e1096f85bdeb5487be70839d02a7b1f250271d76a47c6f1153a3dae8deeb5be2a0a0562981df1

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
323KB

MD5
d927977ed4d2d787caadf19b8c62c454

SHA1
707f68373d9c124d6fe4282b4d3cf0b555472e40

SHA256
dee25582909c7811276b4f43a14d4af174f93762676f165a511eb1beafe2f39e

SHA512
d7e6b9bcafdf2f5247fc3eb9ff635f6f5317a9ee7816f5fe250de56864ca9e32557352cd4aecc41cd1f90be3ddcbd004cdff1551c0749e43f4895a09a72a1725

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
323KB

MD5
f54594ef2d557932e292ba7c518b3a9e

SHA1
f560852d775056479db37c3bd26fa8fbfbdbe5b8

SHA256
734a1d3d5ab8f3d170834eadab3cbd34e5afc2a333d3f74a1e0e035dc7c98016

SHA512
0a0fff938a05c8590807fae898dc087a6b2039e2ec68b11e1f73c6cfc36493e26746654f3341e53ef0cac6e59d4f459c856092dcf6de0769a3bebc2f5c755283

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
323KB

MD5
7ee08e4d32d274e5dc1a040df1b8bf34

SHA1
4fd590480a827fca109a96d5a38e7494006076ff

SHA256
b321cac82fd50e69e5e89505b9a74c33846af354878c1fd93deda9119acf5099

SHA512
48bb1a99eddee21ffc0d81cfc594370c7ca07cf4b891d767c3d98a9b63d40a8c6efb4eabc6c6cfdf8e945bbeee6cfff57658402e6922e05a6403e9ed27b66ed2

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
323KB

MD5
c8ac572dcab999896653a237e258a61f

SHA1
4ebc8c078da6537f6baf0f044e747c24f43df0d0

SHA256
3909f8ad17896d299daea7b4e3aa8803607a87c7f74f5b56658db399a4768cda

SHA512
62013f24e242d23a5700158632730651697eecaa3aa13695e688377f86044216c326dab37a34a8b2cf208475ca71a584ceb07d203614ca412e9a20bf1ae65af4

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
323KB

MD5
675bd2fc8be5a4bfcca6b7f136f4a97a

SHA1
0a6b34ae49d63b9d095a01cf50750d7a502a5d01

SHA256
c5f0b87666dd03e0a075676d4c9a86e0dbe108f6f2f95d682aa113a2b4e5f60f

SHA512
fe3157b10eec4ea4640e731832350ca7fa94b153ff9e8256cb01f8d68b2a7e317f0e5b245501f8a65904250199d142eb213100b49da960dec0a99ee5f048939f

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
323KB

MD5
5284f1503fb1cc58b54b1167f900bab8

SHA1
7b178424a8b196e3072478274f23e1c99b83d121

SHA256
f2ee827ba359eff970ecab5e43072ad48e9cc77bdc0300f80c4121a7fa9920d3

SHA512
6b60fffc3c2fc8964b283f0f06fd416031b551643db41d2301db86d091e1c9b69d5c83bfb36df3cca4878074ec76851c83c589f58d8fc88c83cebe3f78991edd

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
323KB

MD5
f77333a563e279af74e7c9c576c65a71

SHA1
dc5b4c4673ff7464a127c1e2dad08395ac29972e

SHA256
6f41529f0c4a9f8b642741df2ed38e0c649ade88e65dd9799dc4570f4c429949

SHA512
807ea0ca73d63a8cc7bdcfad98dc8e833fc9d897d67d9c7584b61e25a2d6a72f5d144f0cd8666e2312022eef15733b758d289e0bd39a39d67ed9c84bb6fc2495

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
323KB

MD5
2ff134ff25edc8dbe7015481ed42e5c6

SHA1
29e332a46de4703e58c698ce6e1bc107d1f5a449

SHA256
7bc2727216d7d1aa44aac6fa5dfebd4e3c3ee13eafacbd17498c95628c3369fc

SHA512
041af1ac61a36c874cd4cfa5ec2e47d6e3e6d2635acda58f9f2efe401d6f136911c769c25ce69a30d608556307cdd48928f9aff09766cf20e7fdc517ef8bdeaa

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
323KB

MD5
ec37840e96d10185c236cac064a70dac

SHA1
aa63c1cad4745dc8c0890ed9cbaeb793e1d6289c

SHA256
6714088fb1132de8576d0549b5e5a42fd265dc0958928070846ecee3f5bc5596

SHA512
6661f03ecf333a28b6c6924e4c49e823a00195b5f5b4e3beef65275258c1e1714a1b6f4a9d5d743a759c81058db42970b30c332c7c5afebc975f95fa1814333c

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
323KB

MD5
df8fbaa92c5857520c15514a528a6781

SHA1
82486065672b1b6363ae3be98d5d77ebfe8f16d4

SHA256
e4dc09027b6cb9f25aa3da656da18cf665a9835a5834c19453e599522d319b72

SHA512
37244c5ac45adf2ec17d3a90a761b36270b50a64fc42859dad3d560b376b2d67d3c9d8cca46b69430506c10f057901edb74577d2c29b5fd99af067d7a956cd27

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
323KB

MD5
1c756d4cca454be70ee097d985fc910c

SHA1
bc78ee4ad7635d24b4fac1719ea58bfb0f36f285

SHA256
32719b0ebaaebe69006d72abb512abbfb1328b315ecd2a0bdd96c9ed78310520

SHA512
29670ece3d3ea14ea7b41ba26e787e231a64efc0b93cba8909b4e490fd49a807c00339148d8ba0f8290450e1e08f2650b87388c3e51052ae95a490f4b03d743d

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
323KB

MD5
982209fa68ccaf294ea66bec15cc34ee

SHA1
93dc59cd667b38f5711c5b649297e6d818728ee3

SHA256
868878f177b1ecb209c2699e13a45c48f45451673b29e7dade61c783e402a872

SHA512
728a4b86b9fdcf7ede603b615def09e58d3182bdd35fe53d08e233809b8a62736814b7228f913e4bbe36a749a35e05ac524cdd59edd3861f697202f2305dc13c

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
323KB

MD5
a751dc60a8ceb7e4c884c858192a0478

SHA1
b10940a2126569b4f4f1ae1782ec85c51b164493

SHA256
8981ffc2dad356bf62b2e6fd5392c1b610cd37eaecee74cfba3193954e87c9e6

SHA512
529c9ee1c2c234dab2666617eed024fc4db2c0d8fd051ead5c114541f273d5b093eb12a50f0964f4db0c734081fbbd042ffe77240f2ba5a8ed637b9e2fc86501

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
323KB

MD5
69d99e9af3c3b68c88a548f03ab1fe39

SHA1
774af8f03ac7bf64e0a34ec38bc10d9d712a35f5

SHA256
8e1f7f429e2ad2c79b275103435e50a85bd30e3af137f456b59017f30c577b38

SHA512
6427de684ecdea936ac50a7ff01ce09710f6c6064751912ba974dac51cac85c5b4e65d5616635f3f03cc3c1ed17dc0a59b51d524b2f5b3a4c6132f7c93a69b3e

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
323KB

MD5
58ce8e6f88973f98874850f5c6267a46

SHA1
ee01086c27d73c1759b31b0486d62deca51e772d

SHA256
054b799675a0a870df3d12e80ab85606ec17a85f308dd6d6371cd8f6438e9830

SHA512
fb199a868c5ddbf205277498c369bf9a5fa8de144c12bbd809fd41bce1b66966a316f0d73701bd25b78483a62d46e7cc93262f9ba0e5b998a9552e3fdadee246

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
323KB

MD5
0f96d0621930f56c4e17356365679e0c

SHA1
71cd18aab14f879bdd1a2b874b5426b53ae513b2

SHA256
857ee4fc9d705154416b7c2e3f739413b6dbfff2858771c5d6a5925eec20e276

SHA512
04a1e26d83b9f2212c115993d331a34917325dd52a647c25924672e60dcffedf91f1b27f1711e46310a63bf4fa6d895736efcb61da7736fe606b467a8d795d9f

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
323KB

MD5
90b016bb813be5c0d31b9e41c779f831

SHA1
a23c373eab0aab187b23776583018e1bb36e43b0

SHA256
a63d707de6d87a0482fa7f27582f80ac219db0dbd436462dee8231a53189008d

SHA512
bee6bcbc040b86ea05ec2b46eba6a57bc6e70cdf8b97ab50606010fafa7f9065d0d73bac1c2500040e12fe3201a90fbfae8c666fb08ade49ca6288456b050121

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
323KB

MD5
2cfa361b1a6acc5ce2d5222c3c65d955

SHA1
fc798806b1e15a6a4438513016a67825c006a07e

SHA256
e62dbf9f29c09f123758243e4c3dad73c39659aaf06cb276bb932b406bf1ef75

SHA512
1690a3ee8adb8de0a2dc58c54c64d7bebe85a3ee2a971bf880e7158422001118922439d18e74543c092cf68cea70bb02c47f551ca44823a09b8e62d802160985

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
323KB

MD5
c0eb7d29369ac5b128f6cd648d683e5e

SHA1
26798f13d023fca13da92383528b148dc6bbe283

SHA256
9bdeccb04acd0b1acabe928a268de44dfb64c012f74f96ffb2a72d392c27bed4

SHA512
05b97924f9094b54628293678d22cdd56b795bfba06c0208e4f309120bc4249e5414d2b3aa47a6666e4663ff63bab87985044215242bd8f87d0578f2c992d979

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
323KB

MD5
82e66e50e27fd99df97033b37fbfe8b8

SHA1
a9dbcc0ed47f693dbc72bcf2cee209acaf974306

SHA256
401c60d8169419160f294baa2f10760607aba6294ce0f78c3bb44c1c87531eb9

SHA512
68b78c19037d815b3236ca0bb589280a3854660b7309844367693d724d0f6eb754e5caf9dd78b9e8ee84da65c0d0630dec7fa2804200a814a0498c93b2b49246

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
323KB

MD5
a2e329fbaf954ea4d41e335f1fca3782

SHA1
652ec08f80d1451aaf5f513a0fd4ca394b1a5834

SHA256
e398b697deb63d39106ee624845ba42c61e7227f32d7e2a7cbbf9fa7f18b3439

SHA512
e1f69c022dd6c39f981ef4378407821edd802ffe2f13ca37c9e0de5f86bed25d54b7a3ac925bc71d64cf922b4d695a031a308eaa2d65e254d7726475b73dde34

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
323KB

MD5
8178d719236b90aeb111594780b6ef45

SHA1
f15a0a3a38bb9d5d636815f71226573722c21ec9

SHA256
b9e51488effd7de7eaf6abbde19e1f837274930232cc39689005c454a1955f0d

SHA512
79421af63d0060409da46b1e645aff2c00a25fc5cf4822f702ae5d315352d70b13d7a47c62e378785470632f8de3af2796f2a43451b115b0e99b155c43b34695

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
323KB

MD5
ec0364eec5e049fac8a4916c547ffade

SHA1
2d2217b838b2e11ffefbd350b2336564ca8c0ebf

SHA256
10303366c3e9e92eae02c62209c3e1565a37bebdeac6e7026f3bf50160c2dc2b

SHA512
18d95db088f3271abcaa40a10c955ae41ba0804e8c4c674a20110ad82ca1e6966d94a0a383cc0206af01151a1276d31c71c5dfa00d863cb2a8ed53f05d419a3a

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
323KB

MD5
89a01bf992d1e774dbb7c9253324e024

SHA1
9c3fadb522838bb5ab6f398fa1efc453a5d6ccea

SHA256
f1a40c33d73d40ac5e16b0e98fd24c31d2cf647b6dad45364b8edbf8f4eb2a45

SHA512
469ee6d448855ad17ed291b876165defd24a79e70667fbbcdb640cd4c2add947f6559fc55825cd5284d84e76499a5acf2fd8d6051bd44946f81e970655b8563d

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
323KB

MD5
72dac9bdb7018fb0a4d0a283e9964d79

SHA1
6a1b3bb885128b78cb35e41923781dc06b96d325

SHA256
330a094c21418c790c9512a3cddea600f4d26e7972a6125149f3af6e4a6bc8d3

SHA512
cbd02a1ff8da8d332818ec870ffe1f539357995679029dc7b8bf5dc5ada79c8fb97091b6899caaaefd3b05cf603c14cb6cd4509e806abcbb233e8f341cac9da6

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
323KB

MD5
cb3639e782dd4d71c56b5a93d5c8596f

SHA1
e3c8667cc35653e1403165122a42d804442dadb5

SHA256
83f01a6f46383c6c43a997b0209693c5f63f2dac2116997dc4a8976e3ab25145

SHA512
eb1db498026ccbeb1453014e8fa59ce969e5f0adc5792f5eae64fd5f2d8e87d77e874768ac4758cf4437968642c30a5800c3b840bc1c1e716420bf07e2386ced

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
323KB

MD5
6588eaaa246503040ce01edb7ca9c03a

SHA1
b26997d27e9f5761e83e1368f6f5aa5b16abfe92

SHA256
d35f1cce6f5c115b9ab9e3e0b15d1964a1b9a4df9e7a0db16e7af7c1abcb00ce

SHA512
153354952372466f6649955238c9d771e26c15ecb139d5e7be0f11d5f783abb8f417013cd27728b5dd225c20be6818ac6c879d70f1c6b514c19e516de4f51d96

Download Submit
memory/348-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/452-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-602-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-608-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5248-1082-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5400-1049-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5900-1091-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads