c0dd4e55d75615b47c680797e36c1d2ffc0ba483115f8ec25a304128af493e50

Analysis

max time kernel
136s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe5e5595ac346813e50b761eaa48778c_JaffaCakes118.exe
Size

145KB
MD5

fe5e5595ac346813e50b761eaa48778c
SHA1

f2ee6837def4ae61dbc3d043d8a271e0952257a5
SHA256

c0dd4e55d75615b47c680797e36c1d2ffc0ba483115f8ec25a304128af493e50
SHA512

c853f1879005b6fc4dd3a909c770b63ec48d067304b40000b84b2b9e181f744e283610f965d45878d0b97072a0caff8e138d0c82bd04721eedcd0264437ae01e
SSDEEP

3072:VTgjfo3qAKx97wu7UexA8dYKRonkWEh+h63:Vsjfo3qA697z7nxVr7h+A

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bemcgmak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dagiil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpedjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beppmmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbljeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fe5e5595ac346813e50b761eaa48778c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	fe5e5595ac346813e50b761eaa48778c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bifbbllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clckpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjmhppqd.exe

Executes dropped EXE 64 IoCs

pid	Process
1452	Bbljeb32.exe
624	Baojaoke.exe
2028	Bifbbllg.exe
3000	Bhibni32.exe
1592	Bemcgmak.exe
1748	Biiohl32.exe
1336	Boegpc32.exe
2748	Beppmmoi.exe
2980	Clihig32.exe
3752	Cpedjf32.exe
2224	Cimhckeo.exe
3180	Cpgqpe32.exe
3892	Cedihl32.exe
3232	Cpjmee32.exe
1916	Commqb32.exe
4504	Cefemliq.exe
4484	Coojfa32.exe
5032	Camfbm32.exe
4040	Clckpf32.exe
3212	Coagla32.exe
5048	Cekohk32.exe
3796	Dhjkdg32.exe
2112	Dpacfd32.exe
3484	Dcopbp32.exe
1816	Diihojkb.exe
244	Dpcpkc32.exe
744	Dcalgo32.exe
4112	Dephckaf.exe
368	Dagiil32.exe
2940	Djnaji32.exe
2164	Dhqaefng.exe
1252	Dokjbp32.exe
2892	Dfdbojmq.exe
1380	Djpnohej.exe
1948	Dlojkddn.exe
2060	Domfgpca.exe
4848	Dakbckbe.exe
636	Ejbkehcg.exe
4080	Epmcab32.exe
2108	Eckonn32.exe
4620	Ebnoikqb.exe
4708	Efikji32.exe
2800	Ehhgfdho.exe
4664	Epopgbia.exe
2180	Eoapbo32.exe
3952	Eflhoigi.exe
3508	Eleplc32.exe
2008	Eodlho32.exe
212	Elhmablc.exe
2452	Eqciba32.exe
1936	Efpajh32.exe
4072	Ehonfc32.exe
2796	Eoifcnid.exe
4964	Ffbnph32.exe
3624	Fhajlc32.exe
3204	Fqhbmqqg.exe
836	Fokbim32.exe
1492	Ffekegon.exe
3988	Ficgacna.exe
3852	Fomonm32.exe
4372	Fbllkh32.exe
4396	Fjcclf32.exe
1388	Fqmlhpla.exe
3132	Fopldmcl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Efpajh32.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hihicplj.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Dokjbp32.exe	Dhqaefng.exe
File created	C:\Windows\SysWOW64\Fmficqpc.exe	Fjhmgeao.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Baojaoke.exe	Bbljeb32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Jfjdddho.dll	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Iifpphha.dll	Ejbkehcg.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Dakbckbe.exe	Domfgpca.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Mbfppi32.dll	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Dcopbp32.exe	Dpacfd32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Clckpf32.exe	Camfbm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ofnpim32.dll	Coojfa32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Camfbm32.exe	Coojfa32.exe
File created	C:\Windows\SysWOW64\Icnmgkke.dll	Cekohk32.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hfbqnjem.dll	Bemcgmak.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8016	7928	WerFault.exe	301

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpqikhah.dll"	Cimhckeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Coagla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgjcg32.dll"	Bbljeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gidphq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbep32.dll"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhjkdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpcpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhngp32.dll"	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhjkdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 1452	5112	fe5e5595ac346813e50b761eaa48778c_JaffaCakes118.exe	86
PID 5112 wrote to memory of 1452	5112	fe5e5595ac346813e50b761eaa48778c_JaffaCakes118.exe	86
PID 5112 wrote to memory of 1452	5112	fe5e5595ac346813e50b761eaa48778c_JaffaCakes118.exe	86
PID 1452 wrote to memory of 624	1452	Bbljeb32.exe	87
PID 1452 wrote to memory of 624	1452	Bbljeb32.exe	87
PID 1452 wrote to memory of 624	1452	Bbljeb32.exe	87
PID 624 wrote to memory of 2028	624	Baojaoke.exe	88
PID 624 wrote to memory of 2028	624	Baojaoke.exe	88
PID 624 wrote to memory of 2028	624	Baojaoke.exe	88
PID 2028 wrote to memory of 3000	2028	Bifbbllg.exe	89
PID 2028 wrote to memory of 3000	2028	Bifbbllg.exe	89
PID 2028 wrote to memory of 3000	2028	Bifbbllg.exe	89
PID 3000 wrote to memory of 1592	3000	Bhibni32.exe	90
PID 3000 wrote to memory of 1592	3000	Bhibni32.exe	90
PID 3000 wrote to memory of 1592	3000	Bhibni32.exe	90
PID 1592 wrote to memory of 1748	1592	Bemcgmak.exe	91
PID 1592 wrote to memory of 1748	1592	Bemcgmak.exe	91
PID 1592 wrote to memory of 1748	1592	Bemcgmak.exe	91
PID 1748 wrote to memory of 1336	1748	Biiohl32.exe	92
PID 1748 wrote to memory of 1336	1748	Biiohl32.exe	92
PID 1748 wrote to memory of 1336	1748	Biiohl32.exe	92
PID 1336 wrote to memory of 2748	1336	Boegpc32.exe	93
PID 1336 wrote to memory of 2748	1336	Boegpc32.exe	93
PID 1336 wrote to memory of 2748	1336	Boegpc32.exe	93
PID 2748 wrote to memory of 2980	2748	Beppmmoi.exe	94
PID 2748 wrote to memory of 2980	2748	Beppmmoi.exe	94
PID 2748 wrote to memory of 2980	2748	Beppmmoi.exe	94
PID 2980 wrote to memory of 3752	2980	Clihig32.exe	95
PID 2980 wrote to memory of 3752	2980	Clihig32.exe	95
PID 2980 wrote to memory of 3752	2980	Clihig32.exe	95
PID 3752 wrote to memory of 2224	3752	Cpedjf32.exe	96
PID 3752 wrote to memory of 2224	3752	Cpedjf32.exe	96
PID 3752 wrote to memory of 2224	3752	Cpedjf32.exe	96
PID 2224 wrote to memory of 3180	2224	Cimhckeo.exe	97
PID 2224 wrote to memory of 3180	2224	Cimhckeo.exe	97
PID 2224 wrote to memory of 3180	2224	Cimhckeo.exe	97
PID 3180 wrote to memory of 3892	3180	Cpgqpe32.exe	98
PID 3180 wrote to memory of 3892	3180	Cpgqpe32.exe	98
PID 3180 wrote to memory of 3892	3180	Cpgqpe32.exe	98
PID 3892 wrote to memory of 3232	3892	Cedihl32.exe	99
PID 3892 wrote to memory of 3232	3892	Cedihl32.exe	99
PID 3892 wrote to memory of 3232	3892	Cedihl32.exe	99
PID 3232 wrote to memory of 1916	3232	Cpjmee32.exe	100
PID 3232 wrote to memory of 1916	3232	Cpjmee32.exe	100
PID 3232 wrote to memory of 1916	3232	Cpjmee32.exe	100
PID 1916 wrote to memory of 4504	1916	Commqb32.exe	101
PID 1916 wrote to memory of 4504	1916	Commqb32.exe	101
PID 1916 wrote to memory of 4504	1916	Commqb32.exe	101
PID 4504 wrote to memory of 4484	4504	Cefemliq.exe	102
PID 4504 wrote to memory of 4484	4504	Cefemliq.exe	102
PID 4504 wrote to memory of 4484	4504	Cefemliq.exe	102
PID 4484 wrote to memory of 5032	4484	Coojfa32.exe	103
PID 4484 wrote to memory of 5032	4484	Coojfa32.exe	103
PID 4484 wrote to memory of 5032	4484	Coojfa32.exe	103
PID 5032 wrote to memory of 4040	5032	Camfbm32.exe	104
PID 5032 wrote to memory of 4040	5032	Camfbm32.exe	104
PID 5032 wrote to memory of 4040	5032	Camfbm32.exe	104
PID 4040 wrote to memory of 3212	4040	Clckpf32.exe	105
PID 4040 wrote to memory of 3212	4040	Clckpf32.exe	105
PID 4040 wrote to memory of 3212	4040	Clckpf32.exe	105
PID 3212 wrote to memory of 5048	3212	Coagla32.exe	106
PID 3212 wrote to memory of 5048	3212	Coagla32.exe	106
PID 3212 wrote to memory of 5048	3212	Coagla32.exe	106
PID 5048 wrote to memory of 3796	5048	Cekohk32.exe	107

C:\Users\Admin\AppData\Local\Temp\fe5e5595ac346813e50b761eaa48778c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe5e5595ac346813e50b761eaa48778c_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\SysWOW64\Bbljeb32.exe
  C:\Windows\system32\Bbljeb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\Baojaoke.exe
    C:\Windows\system32\Baojaoke.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\SysWOW64\Bifbbllg.exe
      C:\Windows\system32\Bifbbllg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        25⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        26⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:244
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        28⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        31⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        33⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        36⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        40⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        41⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        42⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        43⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        45⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        49⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        50⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        53⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        56⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        60⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        61⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        64⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2348
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        67⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        68⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        69⤵
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        70⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        72⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        73⤵
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        74⤵
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        75⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2700
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        79⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        80⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        84⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        85⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        88⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        91⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        92⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        93⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        94⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        95⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        96⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        97⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        101⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        102⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        103⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        104⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        105⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        107⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        108⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        111⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        112⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        114⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        117⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        118⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        119⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        120⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        121⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        122⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        124⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        128⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        130⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        131⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        132⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        133⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        135⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        136⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        137⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        138⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        141⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        142⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        143⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        145⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        146⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        147⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        148⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        150⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        151⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        152⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        157⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        158⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        160⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        161⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        162⤵
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        163⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        165⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        167⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6684
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        170⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        171⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        172⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        173⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        175⤵
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        177⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6832
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        180⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        182⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        183⤵
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        184⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        185⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        186⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        187⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        190⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        191⤵
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6644
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        193⤵
        Modifies registry class
        
        PID:7216
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        194⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        195⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7344
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        197⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        198⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7420
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        199⤵
        Drops file in System32 directory
        
        PID:7460
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        200⤵
        Modifies registry class
        
        PID:7500
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        201⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7588
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        203⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7632
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        204⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        205⤵
        Drops file in System32 directory
        
        PID:7716
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        206⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7752
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7792
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        208⤵
        Drops file in System32 directory
        
        PID:7836
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        209⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7888
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        210⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 412
        211⤵
        Program crash
        
        PID:8016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7928 -ip 7928
1⤵
PID:7984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baojaoke.exe

Filesize
145KB

MD5
3f0e8eadb0b2e15247265fbd9744d946

SHA1
f0c998b27f0ab90392e9667915cbe24511c72d09

SHA256
53f6d7fbc0af4f8c87fb7d86690053b6a68ab710b63de1a5c2d551a4d6af89db

SHA512
ba6f35d29cd3b3f452bad200496981e850503615d60dbe6e0af8927124cbdeaa772e35a234a8e8bb64d762b0a95d4ac855742c393f53dcccbc6fd11d9c87f934

Download Submit
C:\Windows\SysWOW64\Bbljeb32.exe

Filesize
145KB

MD5
36b8345614e6f62682a7bd71bffcda5f

SHA1
38e4a7dbf86eb1657b5596869091dff2e83bb103

SHA256
a7bed41c36dde1339620761fd05bca8ad0f41b4b8d6f5561411a82102db56f6c

SHA512
b7ac3f484f81e491a902b8749ec6d0d72f94e7b241e5c35459df17080c3e54ac71ef0af585156a9028475a662087720a034726c5529cc352a3840cbd8d8a1a70

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
145KB

MD5
f6771fe1a23f89364d436cb200918a8d

SHA1
89d923722f02c8c4d23d0c78596a17e608e9a26b

SHA256
a022166fdc2756cee6af208d518d938f31accbf83c23942dc061ce70ea65e5b4

SHA512
a05c89201cd2e57c581d0cb2d3ea955050e99e0cd36ef161a31d041e72e57dde913411b214f311914d14e8ade0e8e08930508142b82136a4f5fe644f18aa18d4

Download Submit
C:\Windows\SysWOW64\Beppmmoi.exe

Filesize
145KB

MD5
faf57ee77e08391cf8bcd1596c59fd51

SHA1
d9b39447a91152a815023d2f443c272800775405

SHA256
21d8ebb96ad48f07cad662d2149149000fbeb94c3c101de578d199a06e28cc64

SHA512
1fc348b6a65439c6500304983ba77b9e5bbeab4ca6764f7c44ce14509e058ed32e41b0b924a198af72168babd67f0a18957fa8c1675e4b6b94a343b92f3ab165

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
145KB

MD5
08d583d92aad0e9c0899e29e4109ef8f

SHA1
d3561c3f3c0536af0b191c9eabc4546ea767bc9b

SHA256
2a4ef4b55599f9b3a25b3bb21d6be000a17c72fbca6829178c1e1a513ee15385

SHA512
dff86c87e2a9d4754f038480513c858d7420915737e00fce10ec657f403c8f6831b3d06d3af03287a18dff234381be353315fb6065b5107e05a9372c87327905

Download Submit
C:\Windows\SysWOW64\Bifbbllg.exe

Filesize
145KB

MD5
2eba2a2c6a85d4b7e4c522056255976c

SHA1
53bedd5d0fa913289ca04f46da1858d64146b4ff

SHA256
0a13d3a548ccb79515146f3816fb8d4de18bfe09fa4b9fb1e72435a8fc6ea6b6

SHA512
af399d9b0fca54117b356e03360958a468ff190fd1a837a8968068e0ee26c3103075ad6b186f3c6129bc73c95dda564e3c4ba8703612c7e06efea7035b3691b9

Download Submit
C:\Windows\SysWOW64\Biiohl32.exe

Filesize
145KB

MD5
f88e821d73352b9bf3c34062dda3af50

SHA1
119f773981c41425ff75fb7a6309cbdf640a860f

SHA256
7f6b8b0ace20506f2437806d7d250f008f44384fe4e05462642064ca21555a1f

SHA512
f86e1d556d926dd36d4ad46074f7d5a82d0d895e0455fd073e6d7bd6bf7f9ca1064082d539746a853b7c9eb29c0a47973dc263f24aabfdfa2b8db8186b78c141

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
145KB

MD5
def8c25f90a840a4bd41f809adcee134

SHA1
442e2e2042c8152810e0bab106d871f1f0d40196

SHA256
4ce8c60dc34824a070fefbe0ea0a37c10a9103df580e7cddf19964c026e70ced

SHA512
7fd026c6495cdf413b256d7b1bf4c08b9dd2711d96dff4dfb008c2c4899d8ce80057a907312217a32b38287e3dd8e6daf5de4e118ea8e24dc615518646d64465

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
145KB

MD5
5e3664896330a2e03d937f85895b1c19

SHA1
92f16dd443606a81fb8e5705e8566e4643d9d32d

SHA256
78b134d19267241f3f2b4ee6fabed68e2d340de777c62e89735c05c6d4bb88e6

SHA512
d2fd9fde32bdfd3b99fe922d3b865fc451f2c0a076ceaba1c9387ac3a656043dfbfd1f2a39850eeb6f0cb97a511090940870827b30e5cf0d90d178297da1939f

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
145KB

MD5
bd8cbb935822ae87f0d0642eb20cd093

SHA1
f965fa08211fa00845301b80781a81782a14ebc3

SHA256
d800a2bccf3ec0db85cedd8b227685aeeca207e3b3bd60067f0290584e410281

SHA512
ebf916f540c4d0fc8cd7c9a6d08445e22c71ae7807175641d849686a78ae53d72096d1c804593af807ea76b5777a528661c3ce9b0d8daaaf808226aa7c30540f

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
145KB

MD5
c5a4dc0d87b36ceeea1dc38ea9984b79

SHA1
71951765b2810385498ebe2e90a3d90878b8595a

SHA256
045fca4d973fc32e942ba460ef11fc26b5423f794a2388e59350fbcb06308f6f

SHA512
0c65d33f557e365e35d5950ef4bdece69a5869f80f21df83c8c6dcab8721797f916fa04cff4d2886c2259427b59951d57f06742ad129a115b40c51adcd583829

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
145KB

MD5
7ffa65b81b7df0bb350e7bf6cff768d7

SHA1
32a8f88d6afe753ffcfc5839ebfeec9387f9b37e

SHA256
2bf169426038543d6820d7821819c20a21dced7aa8908b8558e5848618f09338

SHA512
2d4c3168298ace39921846cb7a7bea34626d46c19c9f042a9aeb30538dcdbd7188b302dc1d1d70d1f94eabee404a190cbb1bd57943d75cf83a7fe395836a43bf

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
145KB

MD5
4b38a50f9fa2485eefd028075697dd15

SHA1
9b9342985703db360d647f7ae90852f616d9ad82

SHA256
6fcfe5d1d1974a49da2a3f120fb01bcf2d1165eca5cb3ca3284b9e7ea1e78a57

SHA512
d783fe5d2c55e92ec5c2498ddfe50b93a3c08afbed0325e29123c9d5d88b4ab78ff86c5845a254a1f6cce34db204913aced19074db707c54c91c4cc6320b1375

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
145KB

MD5
c4642f7b4d49558ab6dd2316d0b6f18a

SHA1
274f5a5991bf534b8e4ba1d3edae9e7f741bb2ef

SHA256
abc5fdcff60250c6adc26b2e54fae510c6e62db325d71da8869cde87e62d1c5a

SHA512
a321559f4a9993f1ba0d4c6921f8114778ab89d53cb05ac9d60480c404090dd45187758627f249d807ee1117286c9a6f3fe2209e2b1b5a536b576895078c1a6c

Download Submit
C:\Windows\SysWOW64\Clihig32.exe

Filesize
145KB

MD5
b7a1e2e9a57351ff58158e1658ff3b1d

SHA1
5bc597e86ef4ca04f1c328238dc76db3a549b79b

SHA256
c0e8932b715b4378843a6bcb1a1dfac2c1667e8e859adb6cd0e79810b50418b3

SHA512
89b8a577117b8b384f2d995518f114892a0fa1d1d7e052387722e2e72ef8667e4cfef5abb7036e069563b204572648e92dcfc5ff4cc55cc9a01743201f79626b

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
145KB

MD5
ad3c41a66040cb328c0b009a8223e488

SHA1
a86e7139fc7e5ef7a02608203e7592eded3bccef

SHA256
297c3d969dae4a7f448474edad4006a8328d084391e22356c6e5910e3788164d

SHA512
faed1a4d434e27b2406db621d20115e9242a10d0622369f84fdb7cd2f5a27261e6c664a292903e39f8c1ba9df73ac9dc1cf98307ef444449cc95ed448f82f622

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
145KB

MD5
ca9c86b984157476a0dfc091153965ea

SHA1
8725f400e0d1636ee39342fe9698ff2b9ae2c8a3

SHA256
ff81ee067e561bebe1206440a31c22499615f1e48ef137b30f56cd92e803020d

SHA512
00fd7b4b5c7478c172f742f6fca85b8a16230813b29fd985a52261e18f658e2bfbefe9826e58a596b3bad5f42e79610fd50f54654f0dd74ec8669163e91dae45

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
145KB

MD5
7b8ab663fd8812e53e5eb470d7b983df

SHA1
3cfb580e90c81e48fc4a392f55ca54457fb3ca4b

SHA256
ac05c3a068f88760f3c228c0cd84b8a4b4594ab94548dbab451da801844560ba

SHA512
f7ae005233ad1df7788e2fbffe3f76ffac38494c41018cadf1033426419df30c8bc1fc8052dc3b86ed0e4b908b853c59cde37443773edcde275fbe8e7ed7dd17

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
145KB

MD5
8bd5169a0145111d29ccaf6b0a145b00

SHA1
201656be791ef792047266b589f74adf548d3714

SHA256
7c1c20e48cdba52092122e461eb8f925757b4b408543a9c7004d38715b74819d

SHA512
ac3fc19b8e0aa46a7d7f94b610b88f9047dd3dd18d5ece8f9df050115d562f966221b2e1b1ecc65fe645788a87f2deac98f566ffdf908b16d2af6bcd36ced0bd

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
145KB

MD5
6d45c438be15ecfad4ecbea3f2a5f6f4

SHA1
e42c73cad19706841abd083d361c343bc84a77bd

SHA256
633aaa38fdf8261b8da28f2109d5a4d1054a3c653b7f8748d62287ed1a1ef9a5

SHA512
24ab6d6b5626b2056f14dc2431806514c5209b8c5d2e0d22b249cc40bf1579f9fe3e5c7e0954c972cf184bd4394ec13ab771db0496265bc0b507a51ea9b46866

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
145KB

MD5
e4dbfec2aae8b7eb5775e4ae18df6f5b

SHA1
0bba21ced8307ecb6c50491944035a0d103c5d00

SHA256
929408763f44b3c32fcc0c92dbfa1909472a025ad9973222faeea58c2ea3b6d7

SHA512
cd11ce5caa73615a78f9e7d9ad845d94ddc34dd19f5f72ff32e15f896563512488fc0eb1f60a454fc50b1ab679f6de2637afca8a2c70e4cad0b6296e55620946

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
145KB

MD5
3b2a7604db1119980fd5d5cc80ee9349

SHA1
fa01b5597b22a19d3f2f5e50dccbedd01bf42ee7

SHA256
3722c5ca5356df442670d3f0a373e38ae2e372875ed4130366e98eaf43081be5

SHA512
cc8e5a9a12f9375ec379e2fe7d933bce3906f7581e734bfc34de9fee00229cda15100ec9edd24ce1929977ebb87e761ce777174459346ebdfca0e69310ff6532

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
145KB

MD5
858cdc739b5a33e9478253c92c2f1436

SHA1
109aa2788416d760fde586deca9d1f3eea118e63

SHA256
b6b7d19183b1efac91a60b30c5703cbf38b1a8de12a074558e3ebd0f6ffb60a1

SHA512
c0d992a79a66e2849104bb42c8fdba588ff4ef9f905135f3df76f481c4f057278bd9e35a62f2af76b3c3cf1f7ddc2fb82f29a60265fcaf915d6a389ec330495d

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
145KB

MD5
4fe9ce339b3dc245355d1330baaef613

SHA1
d9a66363d227c740e6bfab0e30b7016f05fd1b42

SHA256
e540930a099260745f6c5776dd9333c67d4f7715cab5443e8cb9e39390ca6a62

SHA512
8434c57200df85edcf5e8fe368feb480bd1b5b9d791292c358ee975c083a16323a0798790d071f40fe703bd30549f2d57d2b24b198f29ba65917e6174809c2ca

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
145KB

MD5
e48a1482d33c4b3bd83e662b30eea93f

SHA1
1dc576c6fac4275c9551a09262fc177515c17ae0

SHA256
c523eb3670cbc769d8690835b906e35b635bb5f8feb817f771e6837b8424e124

SHA512
890b6aaa57cf699dda0b6ff43e102856a2b29bb6a6a83fdce547ddd5e1bc818351ca310574c69ce77348378efe60439daa0954cc6ead372c698023b3cf3f89fa

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
145KB

MD5
5b45318a1b12e5561125bd1b3303631b

SHA1
40cbd1dc8496e6b2899de3ec13ba0dc1c145b3d7

SHA256
fed3435a1e85e9c0c13aa80e9af9b965b05f62f0d1b786c4adc42d4c094b6433

SHA512
7b4fce75d66f82f9848c6bf6fc6a4e71a39fd55aa9f67468bfe93cdd03ef73266e01310ccc5009031594179fe6e243b5e847fbd09dee2e60cb46e91be5007d8f

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
145KB

MD5
c9aaf043764b8676335a3db20f1881e5

SHA1
a9ff01d5e95fd3a8a9f4fb267a4f3e60dafd362b

SHA256
5cab313b3f4a7ef121420031851b089055f93bbe1ac51234a4a65e4d7a164e17

SHA512
90a27ba36c30249c26e457f8c0051d5717a2fd051f06f0995674b56e6cbac12eda280c39b45338a90316368fe33a12017f3b05ff1c3c78516027eb7555b4b754

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
145KB

MD5
c68ecf49d6d846187122691807d965cb

SHA1
d6ddb082e0e04b3901b540e11c8e897b95cd96ff

SHA256
add79a6b88c712b683a2eea515e0a97440139af7672a288c71c121d8873d1185

SHA512
53c0c522d8c860dce9b7bf6f9261ef8daa33bbd65c0cfa0c25d2bb79db479f98dff9cd7f47c189cd681f2bc01189eea1948552498068694654b37a6b32feee12

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
145KB

MD5
a5258f8c67db6814f8b2c9473ad62c5b

SHA1
a63a4099fca988a982bcec01f70e0f85c7f904ee

SHA256
00eacbf44e7770c6017d49d30e46a07b937abbb38cb9aab3d1ae5767053f6f56

SHA512
b5a08f47ac2b9c311fc33428f45dfc917dc36c0d79b0a34774ba1f42f74db65d9cbcb1e38adb1300d375c123322421d66d5ee0d596b6ba1d114e45d1b3366799

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
145KB

MD5
78688b02a3175934531bd6a27133366e

SHA1
f0bbd913dfc2029ed0a1bfbffb681380cc18eab0

SHA256
e3f3f8163872840378b795c3234ff0fccb72d23309a22813f6ef4b9da23b1068

SHA512
53516994e8b0c291cd2189285e5e35be412c93fe52e0419a7aab69deebc2d4c74d26163a48501c2b8141edb01213986d680ed51f47f8dfd207c482390768c5a7

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
145KB

MD5
7894ddf2c2473b5c128c4d32da88f331

SHA1
dd02e5e56fd0d15133fd50a63c3579a395aef331

SHA256
9ae420155595a9c27014b7f4fbd8d88737da62be2466836ae5f131c34c4afba3

SHA512
f1d722b772d6237203205b4503c6cb98c4b620dd2c4173794aa3c68e94f90b49bdeb1d9c64212b47c9f2424d8fb6c765a47bdff88b1aa7eaa027061302a6aadc

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
145KB

MD5
b46226b992aa942c02d37bc6c7bde5ff

SHA1
d1b66754eaeacc6c6878eab6331768a9415c620a

SHA256
930fb464a97ca8c91c1d80eebf0293a776d2b5dc8901db913d87f91d23761ebe

SHA512
71287ce8c48d11028abe23c8515fda3e042e6f48173461668d66fb925bcfc604a71946092350dc320f7d783ba1c5b3982c91ccb3f6a582e1179dd51be41446ef

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
145KB

MD5
94c4caa860fb7e69690b9bcce3d2ae6e

SHA1
d8c7cff5a95707bfa19662dab3c599927808f1c5

SHA256
09aebff710d0fd4acb8c005395728c21e427557b275f44db7cda72a46d73a4a6

SHA512
2dd34f76155ee09da3927bac32d27c69cfb1a96adc25ef9eb30a405780190104080d305ed80c6cf068e26172bc7d3948baf62c34863ea4d7f4a0e605154efbe8

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
145KB

MD5
48f5a2e0dfb1caa60e07c2c6d44ffbed

SHA1
199214db4b22c930994d99fc2abc274196273b18

SHA256
5dabc6ec0e7f388fc0fa0160452e1d26648570f12df5394837fba56dbd72f796

SHA512
9ff3cb8abb5fa4f183de163fdc44ed901587a2e2150e4387e261878c788547d7ffb166bfdcc1d4246ee4fb82e1ec4f414b38e7858e785762f7aa655b08358256

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
145KB

MD5
236d85791fbf99d238d96613edc5ec5d

SHA1
d0d13e972370d85edd7482e85ca1790c69d57297

SHA256
1312ad39e88ac471939ffc0de679329178e9a19d8f7b35bb8b4b80659634738f

SHA512
06f96738db779c887f478e1d37a80ea473b0483837ee99c4b899ff838c7413710da568e1474953436a4e468ca5d58472241e8fe0b062fd241d677c5617ad4faa

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
145KB

MD5
1b849bfc7578e17ecf04d0e2c4e5c31e

SHA1
a051677a6212b7bcd80176b1f1ce62fbba41fc8c

SHA256
64a31bbab86227c75cd6244377df666253cd53b07f7dfe5c6795d881885bf3d8

SHA512
c73fe4148c468d1be3f328f873f1dad7bcf81048ce35326952250153a7159e7451a0e5b68226fd97c62f38f0505e8ca55ae45408f71928598ac0f0fcf43a98c4

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
145KB

MD5
d9602320e2c065228c94e802eb14a1b0

SHA1
5a4404a9405a5b89488ad86f0ceeaf901b0ebb3b

SHA256
cb8225a3df9963081eb177800a13da080ab4398462db374eaa677f9506ffb1c7

SHA512
9308befff43ea3ed75d7f0cd1428133e2d8cca352232d02425fd4ebe506ef7c414dcbb7f1667fa45d6fda706ad758e4ab1a501846f7e8ca2d352f80a9300f6f3

Download Submit
C:\Windows\SysWOW64\Kmgkno32.dll

Filesize
7KB

MD5
4e39185ac08d1a8ed34a86eb7edc2b2b

SHA1
bdee99701ce2a56ba4d34587937d82fa990cf7f3

SHA256
4672530144384788f4b5c1fa1dca18f9ebd04091b33fc84060163c8eb113870c

SHA512
b42143d3b75a7f38c826d54f978f728f1ad9aee2a7ce14b8a5e3924020648efc187ac1eaae585ecb8b7212500f1d5bffb7aba4bcfaea82ae2b4c97e17b009564

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
145KB

MD5
1c5ed6231132f2736241cf2b10d34e75

SHA1
8013a3e7aa7fcc2db3addf6ccb41abbcb4c39351

SHA256
0061c116bc5c1b5665eff65c21afe965e6d00de54211ede5b69e533169984c6e

SHA512
a5288805de6f82390f22f72ab8aa9167c620c0169e18a9e51b42090cc415a3d50a9b2388622f97965d04f93f6f43952467a2cf18e36f4a9924680f5c2b98edc2

Download Submit
memory/212-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/244-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1252-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3852-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3892-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6228-1431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6280-1419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6304-1416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6308-1442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6312-1422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6352-1430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6360-1441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6444-1418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6456-1458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6544-1439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6564-1423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6588-1455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6648-1454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6692-1427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6744-1452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6756-1436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6900-1449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6932-1417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6940-1420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7056-1446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7112-1432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7256-1411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7296-1410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7344-1409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7420-1407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7588-1403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7632-1402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7836-1397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7888-1396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads