fca7fa40f4ed562d6aded7c3742cce424c449af0c327e07678e3c7dbc058616d

Analysis

max time kernel
131s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d452ed8d03e0199436d18dccd9859701_JaffaCakes118.exe
Size

224KB
MD5

d452ed8d03e0199436d18dccd9859701
SHA1

411285723cb5efd7e87b0a25c49cb6f9e239ba83
SHA256

fca7fa40f4ed562d6aded7c3742cce424c449af0c327e07678e3c7dbc058616d
SHA512

d2f555ace387fb3d3775d47b0129066142eed97ccabaaed78c4bdf738e9a38ded6f4b93c00c36aa004d50504be6404dfe372c6ae1fbe9df691e61a89809197ca
SSDEEP

3072:idvC8OSBcBgaSGTlP2OnjJd976HRy6TluWHnjJd976HRyFbLJorvWHnjJvBxjUSL:idvCTSjaHlp4PlXj4IyqrQ///NR5fL4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d452ed8d03e0199436d18dccd9859701_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clqnjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgodj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehonfc32.exe

Executes dropped EXE 64 IoCs

pid	Process
4056	Ccfmla32.exe
3764	Clnadfbp.exe
2556	Cchiaqjm.exe
404	Clqnjf32.exe
2528	Ccjfgphj.exe
5112	Ceibclgn.exe
4104	Chgoogfa.exe
3432	Dlegeemh.exe
3172	Dabpnlkp.exe
1788	Dpcpkc32.exe
3548	Dephckaf.exe
2512	Dohmlp32.exe
4244	Dllmfd32.exe
3132	Dcfebonm.exe
3416	Dlojkddn.exe
116	Efgodj32.exe
2004	Eoocmoao.exe
2872	Efikji32.exe
2288	Elccfc32.exe
112	Eflhoigi.exe
3408	Efneehef.exe
4784	Eofinnkf.exe
3952	Ebeejijj.exe
3988	Ehonfc32.exe
532	Eqfeha32.exe
8	Ecdbdl32.exe
2684	Ffbnph32.exe
4080	Fhajlc32.exe
4196	Fqhbmqqg.exe
2696	Fokbim32.exe
4312	Fbioei32.exe
1716	Fjqgff32.exe
864	Fmocba32.exe
4516	Fcikolnh.exe
2180	Fbllkh32.exe
2184	Fjcclf32.exe
652	Fqmlhpla.exe
1528	Fckhdk32.exe
3636	Ffjdqg32.exe
3064	Fjepaecb.exe
4800	Fmclmabe.exe
3664	Fobiilai.exe
3704	Fflaff32.exe
1988	Fodeolof.exe
3584	Gjjjle32.exe
2780	Gimjhafg.exe
4416	Gcbnejem.exe
4488	Gfqjafdq.exe
228	Gmkbnp32.exe
1636	Gcekkjcj.exe
2732	Gfcgge32.exe
3660	Gmmocpjk.exe
4400	Gpklpkio.exe
3248	Gidphq32.exe
664	Gqkhjn32.exe
4336	Gbldaffp.exe
3104	Gmaioo32.exe
1040	Hclakimb.exe
4648	Hfjmgdlf.exe
1348	Hapaemll.exe
4176	Hcnnaikp.exe
2976	Hfljmdjc.exe
5096	Hikfip32.exe
4892	Hpenfjad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Oijnep32.dll	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Gbldaffp.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Ampkqqjm.dll	Elccfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Gqpmkibm.dll	Dabpnlkp.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Fhajlc32.exe	Ffbnph32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Jilbbcha.dll	Ccfmla32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Eoocmoao.exe	Efgodj32.exe
File opened for modification	C:\Windows\SysWOW64\Ehonfc32.exe	Ebeejijj.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Cchiaqjm.exe	Clnadfbp.exe
File created	C:\Windows\SysWOW64\Fokbim32.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Dabpnlkp.exe	Dlegeemh.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Dlegeemh.exe	Chgoogfa.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7080	6980	WerFault.exe	254

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chgoogfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dabpnlkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilbbcha.dll"	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dephckaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphbondi.dll"	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inomojol.dll"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d452ed8d03e0199436d18dccd9859701_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efikji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 4056	3240	d452ed8d03e0199436d18dccd9859701_JaffaCakes118.exe	84
PID 3240 wrote to memory of 4056	3240	d452ed8d03e0199436d18dccd9859701_JaffaCakes118.exe	84
PID 3240 wrote to memory of 4056	3240	d452ed8d03e0199436d18dccd9859701_JaffaCakes118.exe	84
PID 4056 wrote to memory of 3764	4056	Ccfmla32.exe	85
PID 4056 wrote to memory of 3764	4056	Ccfmla32.exe	85
PID 4056 wrote to memory of 3764	4056	Ccfmla32.exe	85
PID 3764 wrote to memory of 2556	3764	Clnadfbp.exe	86
PID 3764 wrote to memory of 2556	3764	Clnadfbp.exe	86
PID 3764 wrote to memory of 2556	3764	Clnadfbp.exe	86
PID 2556 wrote to memory of 404	2556	Cchiaqjm.exe	87
PID 2556 wrote to memory of 404	2556	Cchiaqjm.exe	87
PID 2556 wrote to memory of 404	2556	Cchiaqjm.exe	87
PID 404 wrote to memory of 2528	404	Clqnjf32.exe	88
PID 404 wrote to memory of 2528	404	Clqnjf32.exe	88
PID 404 wrote to memory of 2528	404	Clqnjf32.exe	88
PID 2528 wrote to memory of 5112	2528	Ccjfgphj.exe	89
PID 2528 wrote to memory of 5112	2528	Ccjfgphj.exe	89
PID 2528 wrote to memory of 5112	2528	Ccjfgphj.exe	89
PID 5112 wrote to memory of 4104	5112	Ceibclgn.exe	90
PID 5112 wrote to memory of 4104	5112	Ceibclgn.exe	90
PID 5112 wrote to memory of 4104	5112	Ceibclgn.exe	90
PID 4104 wrote to memory of 3432	4104	Chgoogfa.exe	91
PID 4104 wrote to memory of 3432	4104	Chgoogfa.exe	91
PID 4104 wrote to memory of 3432	4104	Chgoogfa.exe	91
PID 3432 wrote to memory of 3172	3432	Dlegeemh.exe	92
PID 3432 wrote to memory of 3172	3432	Dlegeemh.exe	92
PID 3432 wrote to memory of 3172	3432	Dlegeemh.exe	92
PID 3172 wrote to memory of 1788	3172	Dabpnlkp.exe	94
PID 3172 wrote to memory of 1788	3172	Dabpnlkp.exe	94
PID 3172 wrote to memory of 1788	3172	Dabpnlkp.exe	94
PID 1788 wrote to memory of 3548	1788	Dpcpkc32.exe	95
PID 1788 wrote to memory of 3548	1788	Dpcpkc32.exe	95
PID 1788 wrote to memory of 3548	1788	Dpcpkc32.exe	95
PID 3548 wrote to memory of 2512	3548	Dephckaf.exe	96
PID 3548 wrote to memory of 2512	3548	Dephckaf.exe	96
PID 3548 wrote to memory of 2512	3548	Dephckaf.exe	96
PID 2512 wrote to memory of 4244	2512	Dohmlp32.exe	98
PID 2512 wrote to memory of 4244	2512	Dohmlp32.exe	98
PID 2512 wrote to memory of 4244	2512	Dohmlp32.exe	98
PID 4244 wrote to memory of 3132	4244	Dllmfd32.exe	99
PID 4244 wrote to memory of 3132	4244	Dllmfd32.exe	99
PID 4244 wrote to memory of 3132	4244	Dllmfd32.exe	99
PID 3132 wrote to memory of 3416	3132	Dcfebonm.exe	100
PID 3132 wrote to memory of 3416	3132	Dcfebonm.exe	100
PID 3132 wrote to memory of 3416	3132	Dcfebonm.exe	100
PID 3416 wrote to memory of 116	3416	Dlojkddn.exe	101
PID 3416 wrote to memory of 116	3416	Dlojkddn.exe	101
PID 3416 wrote to memory of 116	3416	Dlojkddn.exe	101
PID 116 wrote to memory of 2004	116	Efgodj32.exe	102
PID 116 wrote to memory of 2004	116	Efgodj32.exe	102
PID 116 wrote to memory of 2004	116	Efgodj32.exe	102
PID 2004 wrote to memory of 2872	2004	Eoocmoao.exe	103
PID 2004 wrote to memory of 2872	2004	Eoocmoao.exe	103
PID 2004 wrote to memory of 2872	2004	Eoocmoao.exe	103
PID 2872 wrote to memory of 2288	2872	Efikji32.exe	105
PID 2872 wrote to memory of 2288	2872	Efikji32.exe	105
PID 2872 wrote to memory of 2288	2872	Efikji32.exe	105
PID 2288 wrote to memory of 112	2288	Elccfc32.exe	106
PID 2288 wrote to memory of 112	2288	Elccfc32.exe	106
PID 2288 wrote to memory of 112	2288	Elccfc32.exe	106
PID 112 wrote to memory of 3408	112	Eflhoigi.exe	107
PID 112 wrote to memory of 3408	112	Eflhoigi.exe	107
PID 112 wrote to memory of 3408	112	Eflhoigi.exe	107
PID 3408 wrote to memory of 4784	3408	Efneehef.exe	108

C:\Users\Admin\AppData\Local\Temp\d452ed8d03e0199436d18dccd9859701_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d452ed8d03e0199436d18dccd9859701_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\Ccfmla32.exe
  C:\Windows\system32\Ccfmla32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\Clnadfbp.exe
    C:\Windows\system32\Clnadfbp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Windows\SysWOW64\Cchiaqjm.exe
      C:\Windows\system32\Cchiaqjm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:404
      - C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        31⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        33⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        36⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        39⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        42⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        43⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        45⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        51⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        59⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        63⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        64⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        65⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2612
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        67⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2212
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        69⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        70⤵
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        72⤵
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        73⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1640
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        75⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5012
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        80⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        83⤵
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2348
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        88⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        89⤵
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        91⤵
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        94⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        96⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        97⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        98⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        103⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        104⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        105⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        106⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        109⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        115⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        117⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        120⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        123⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        125⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        128⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        130⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        133⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        135⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        136⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        138⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        141⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        144⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        147⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        148⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        159⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        160⤵
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        161⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6844
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        165⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 220
        166⤵
        Program crash
        
        PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6980 -ip 6980
1⤵
PID:7052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
224KB

MD5
c301f0cf6736ffa801d27f667fabe283

SHA1
a8c9fddc87feb3fb4db45fb557925203c791b93f

SHA256
119a04655e8a39a69e8d497a9409933b94068157d6439c03086bae526af3136b

SHA512
9ad4d83f0054c3c9883d47ab84184f0d1277a08b07a9aa74b4b789a0e0e29990a50ed6896ac5d4edc3b646e26cac05ded88d89a58cb59e53091bf78f37f62663

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
224KB

MD5
c43798214bab4af095da3be462571799

SHA1
24e86e819fa3d3ba60b21991e5447912c8114d3b

SHA256
51f753bc1f90f9cb30e1cf65f9c58a66441ea47374cab980a56b8c6b9e4d2d26

SHA512
a05fe5384865d0f249fe98062a8412e22f79f7e8d425ce6609fd49a4c0219111733ab68f4951b5bfe80516a62b103d664a618b375dd721c06b4ab942fa32230a

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
224KB

MD5
b4609690202218aa1d3771d7f0a480a6

SHA1
2a4e8de63bf3da2ac8e9a49742ac5bc468013654

SHA256
45b2c77a4244b7268ea5743c13a3906effe7dcf5ff81f498713f59a3895c360c

SHA512
ee02f75f658098dd8bb89a7b2b3aea67a323ffe88cdd08d92f2c33d41db89f0f7961c389bd1d0435eb8bfef71a6cf48428f1ba20cee983ac2f2bee649f2f67c3

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
224KB

MD5
5a02290689461f0cdfbe5ea976cb1969

SHA1
5dc16a45cd8f16bbcf221330aaa3bce64b153ac0

SHA256
098e84e8aa6a5187948e92c276e0013f137467aa24b8b6b67c4012948a176744

SHA512
ddfd791a82f9d3fd6b327bb94d205633e671034af3144ad6d8ee1da7feb719b22249433d63e7ebb5947760296d3946da4006299dd376f026bf59e43798af1958

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
224KB

MD5
e96dbd4b8bbe44bcbf83fe03aa69e5ed

SHA1
ec1c0b53c616ecd63ac3427944d551ec24ca52b5

SHA256
85042721993a54c77811ec9b92f964b7404d5733196f3a2bb078363ca725e3a8

SHA512
573b962faabd57449851fbfd163cc98809d21fe7909e610a12cd630aa069e441b52a9e345305ebe044a1cce9bb668ccfde2be7151e302da897f5ca59a61999b3

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
224KB

MD5
e35a13a4d4431315e167fef1a10e69b0

SHA1
8a8c5edbee065e4813b82bf7dd7368feb4433d12

SHA256
745ebc5d30b31b310569cd3327e5bd1e99b7b3032b7a362b3da75ae5c58c1091

SHA512
2aad68ee497588378e51952be7f66279970f1850a15a63856c142caddb1579bb40fa77793653f3aaa23252ce7537550d4335d21422e9cb501d3925e70cc53c92

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
224KB

MD5
748edd0766769fb186f45a2a341a49de

SHA1
44c0f5109de69dbf8cbf57ec82d1a2c9733a8e79

SHA256
1be8136529cfc3407ef116849ecea6d1d769875181138c2bb950c3d11dfd0dd7

SHA512
e85a4f4289df93a9e0c3c64026da286f9b358386d75735800793702fc958cd578774ec4844f8b2c7031003b1956cadf82f237a35c54a88a364407948bd764dff

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
224KB

MD5
e7b262ad707cd5a39dfd2533e4deba20

SHA1
e99cc2494ec7cf3573628b40480840d86b54ce48

SHA256
586c8836e5e773ed1356cc83ffdd837975f11146a748f562494cf8e0bdbc64db

SHA512
0e26a14cf3862e350f45507080342d0737d34ea52623cf8bba31520d65a9c09f019c7f6780297d1735fb2b5bfc9b09887da3b77330cd22b45e88a4ce36186872

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
224KB

MD5
26b9492867db27e6c2272790ba06e4d8

SHA1
73a3a47eac32d393437ac8ac43566b3bd8000cb4

SHA256
488b6cb93614a53f453033ac3a4027aa92e0ba65a9c2509f6c602904291b287d

SHA512
bf0a8420bb0d2d2839e9af11ff802b38a48366994078453c65b7ef49a01c245b1e40cba0aeffaff99bc4e8f839551128c1254752e56be23cbeef226e75d6a1dc

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
224KB

MD5
8eeb4e30d46bfd245d2fc2f477439be7

SHA1
0861d02837a907326cf28c6f74321ebe83bad7f9

SHA256
cf36287b7d448a2e1b9d70ddcbbf42a27fe39e96b4144ce8d7ea4d5e984d21ca

SHA512
66c6d8c4760e57a4455fdac07540b523653bfd4105653acadf0fa6e5ea851827f1abed845dba7983b288fc4410d20ca2f8c624760d8b4a649eac09b300566cb9

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
224KB

MD5
df30f8fc9ad31fad7a54f5ef76880e56

SHA1
f56a3cc7fc08ce53eb2d7f23c3944f2aa0f8d7ce

SHA256
6b8eed2f57f293a93b81a1c62559a510bb5031f5d216c938404d4d8d6cd95828

SHA512
b2458d050207305cf856450d46582347274c8fce921d778fa144ab0efc9b23acea44c1629640f14c3cb744edc080b3e6cbb35ab666410a5f491549bfd66b830d

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
224KB

MD5
86d1a046470b7298e4dedf712a3516c3

SHA1
693d2ef700121ea5ce561a913ec25e84b16f6550

SHA256
c8f9ccbee52b0b5033ab6fb89ce578b47ce9393f444de25ba620864edb23e3f8

SHA512
e16fa457b622c03e5e727a0d00b3c4f62329442d15055643ebb0eff3e0be5f0408cd77c444f3037b890940d2e8ff92b95cf89f3a30456ffb81684cfedd8847f2

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
224KB

MD5
8d867e3bfc3bde47fa554a61220ae9c5

SHA1
c3c3b3966a5b0ad73192025173373658597c060c

SHA256
46f84cbc7dab16b07f7f94aa5e04307435696fe655dc1d7e9e22552aa73692f6

SHA512
a61cf1b3f6fef44b0ed7eee76b3d2fdaad17bb7d5273fdd5c794095490e2246cae28fa30ed2a6845aa64fa4b5f7e8c650b4dede023af15cb37e566be48c354e1

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
224KB

MD5
72204762f7e4b3396a49ed5bab9f89c3

SHA1
b405a8c9cad7faaa400edcd249da6bbcfd939d3f

SHA256
fd3fa23cc8bfc4c920c189a1798679fd74bd76859b2536acdaee4ac18e244763

SHA512
2841d6953eeb916eadb18f48bb7e15dbe3b39809322d12d866a601afdeef187b91a6a938e5c29fb919a769405b7b0976a43fd54ddd1ba9eb14bc785f12366a24

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
224KB

MD5
7264913518adf7486ba7b9e57d04efb1

SHA1
16349259ef670960a877d823efd165477f233f62

SHA256
e20c5d6cbfe41fbac7560c2f2383e901f7393621cfe36fc857974cc4c8095d2d

SHA512
a30f9f55e0505686951faec798dea220a151ecaa5de5e115ad77eac33da552fdb6b088f29864e8d412e86db136298274f3bd7dae1f0cb670d1abc6a00786ebce

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
224KB

MD5
adec99d66b0eea1ed42c570de1d0c0c2

SHA1
7632f27b640e5de6473218730d8e0d11e7ecf7f5

SHA256
810f95f748b6d7c60b6aac5dc17aeedfd1c63653fa9e8016ada37fd473ddd3a7

SHA512
66269b47f1bff5671eb8fc8742f669d2fc1177033246fd99d3f9310d30cb1bda2d8cb8b412f9c0b94fbd8c2f4304bf72b2de8d9022af67c559f63e4c10ecfc27

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
224KB

MD5
061cbd0c9bad649c7de8520b1565b814

SHA1
dd0135450ae1f51f418487bd898e395664b1d06e

SHA256
ddbd6386c9022cf3aee6b44d5a2ebdf244221eab8c5a3a965fa176210bbe54cb

SHA512
245043075be8f9d562690c97be98229c6ef5f69e8995dedceca878492654938bf3847931e0b0803060f080a699eec5a40ba1d88dc926b31685ede187721eb2f5

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
224KB

MD5
188419af0f837eb8a57b19b1b0f2871d

SHA1
5b97bd4596cee6c21b78eb7e10477cefb9906852

SHA256
8b06b600f4cb948b5404d5734cea5d7f60fe4b1d3d503124d5d3735424efb650

SHA512
4c16063a12f7a3ad37e321140a8deaf0cd31130196e500b31a18ce255ee99067ca19a1507bc8473de4a2334b0545f0ebaad6659059dd6c8d2ba7fa7389002f4d

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
224KB

MD5
884de317458025c7f0e0e246cfdcd2cb

SHA1
be830dc7e459bc7c2b48fb17afe677ff027827cf

SHA256
e46397fd7d10e081477c135f94aacc2ffb52352c058e5977bfa150058b4c255f

SHA512
4c13294fbebee1dbedd59d9a6faf77cc47bc1884f097480384569bbd44f31502b30e1bc9f5bff79f7cd7ac812498c006ab881d90eda8f62fc302510a255dd991

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
224KB

MD5
374f4a38d78c940b38eaa53eca4ff412

SHA1
0810fe5342459e7472510badc1a0b0d384319a3b

SHA256
46cabd7e3955e7ed40960096f1fb4de93334d60ef512fcf2e75d96bbdbc8bd61

SHA512
5d2ea7eda8ee1c28962eab13fd8596a0937434a8ce838f436d15196626bcc4d9e5eb4d6167376d168bc5cd9c1e7621a05da41e8c7a7397ec693308dd43fde6e1

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
224KB

MD5
0a20bffdea122aac8bc468c7110398f0

SHA1
ea9f53d143a044744f37408ad6056ab63ecb8875

SHA256
76f9142d80b390f8054cd21df437b9dbd6c9ebd6a54a60836be881bf740ee685

SHA512
41068f0436a0fc04d08fb94da9b395fc6cebd4d59ac55b0005e5433f38b4dea9fc646ba9c053d057527763139e2f0ba18183f7382dd71a1f73bf34589c7c1fae

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
224KB

MD5
187c8a3fb1bc9973b625f61d4df07043

SHA1
75cfa78a4c6ce1841e1b256e7a6f179c02938c9d

SHA256
a638f038ea098d743b060261d46f115c75ebf5c729c4d49f93944be416a96b69

SHA512
2d687359b93b96c1410bff50b0993c9ae0b6c941f644f5d59c6ca1e662c72f40f0d14d19f9c1e1fce272d3b8cc69760b3990a6e1ea42e37dcad45d7b90d58ddc

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
224KB

MD5
5b3512f5d847901c8046c3280a7d87fd

SHA1
6e8f8406cb3e2abbf5be64bc4be9ca3ea1c987c6

SHA256
9d083c17d10e1418e770ab5e0f24c3f4daa287dc02169fd0168018321db713e9

SHA512
536dfea5af3f2facd7f1d29af1118de83d55162ecca978bc5f380b204c29766b15d480442981d425318b31115734837e12ef8195ec67a284560dcbf9bf52b48b

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
224KB

MD5
4dce76dfee44957655e4babd47a267ed

SHA1
ea8bd15d648ce888e5b98df646da90ca0cd877ca

SHA256
81ef531f9e392127d463a377203972dea89ceab0a9b79935bac395c39195e79c

SHA512
d05993812e5efe5db8b1081665679a172a06479f7a7c6d1d9f602391e5bdba4ac11e10eaba5a1f934de2c99311b235b8e35daa3519f3aa1446ec680915cbc0b5

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
224KB

MD5
33c792cc502a672e3bf26383af019723

SHA1
5db21cfb0eefb8af8067f0fbdd84cbe77777104f

SHA256
3bdfca41d8025cee95d5b509210ebd4f26ee0d58695d086abcee200d87cb811d

SHA512
0c16ffec393ca85de07a13fac208a5b73272794ed2fa9f2ab641ebd1ef291ca6ebeab5e7fe8b3008299dbc9dc2f22a809314c0eb43dbfd90300f8483ec4795ca

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
224KB

MD5
483c9c072e3dce73fa79ff5317f6f6f3

SHA1
8d38a6bcbebe7269194bf17ea1e7cdded27f5f74

SHA256
5ccfd9d3135cddf4dc3c4cf18e78eb363dd0e196c444474d5e81f41f8f50e15b

SHA512
fa27bab2e74a3f55efbf3ac23c03e7487a112d907238045d06543e78a71dabce12a556b269a35247953a72b6a738b1bf4bb801427590156ef9f1300868b05e55

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
224KB

MD5
d2656984c05cd7be6e6c9a881e3c4e4e

SHA1
ae78f098208cc466bc4fd636ec52d6d8cdb87a0d

SHA256
96dfe997e22565235b59c2bc1b9a88b4197f2e606cd42742406fa081892e4dfa

SHA512
cfb2ae35c06202b7560e52b893c731c7ca20761b286833da4a1dd7860d4c3c0cc32eb9a0ca2c5fc37308aa5a1277c8a29381409e1614588612d44fea15fcc046

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
224KB

MD5
8b8d3ce83ec69f78f4b7c55874edc886

SHA1
8a3fcc9385822672ae9977f10edac48bfae1f984

SHA256
88938a1ea2bb78d64ab85b7861d30c53ac19287c7e6b4b7961c4af608ae0fb8e

SHA512
1315edfd253228bd27c053e774cfe73e2fa6b974afb32f793a2773cb27e11922cb03cdefa78f398fbdbcec57ecf9270994ceb5eb8db71669f3ac59ae63e2c9f4

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
224KB

MD5
cc0c78c48b0d164f6eab5b7b5819caee

SHA1
b10dee84310eff5bb5ecd17f9ea2276b3ce53547

SHA256
8b5dc84a996917b6636552b1989b9740ae1f307c929348660576cd8232d30337

SHA512
abebf17e0d263ed4944186d712bdfed4c2226742531a2612271b1f9e699594103362e68faa079176ea6a7d77bb03c135e2148c2d1f40bc3aa7c68ff51796a0af

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
224KB

MD5
47d17d57dead6a05a6c892a0fd3f3e4d

SHA1
33ad5d3ebc9b11fbcee37fd5e56030d8aee30e19

SHA256
5513cfeed163d73e97a5662ff0bf768295134c7066a5d0eab7c3020d8fc1d757

SHA512
097ddb6bf9ddce68a00651d257a58d5148600b16f8d444a3252cee83918e7280f05a770fe3605660242d1a5facd6326a04d468be86089e2ed1eac7f5c7b3eda1

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
224KB

MD5
923cc9a1e626079208169e72b692acfd

SHA1
dd881461fc50853dbeb828e05506c2a7d95ee41c

SHA256
2754e85c710b5f0039675ac509a89484212d6a08a06e79163e32943efa65d85c

SHA512
851b8b19efcd950d6a579089917365f62de76481aff3787fcc28a4d916bc4f5bf5dfdd6b62312ad1cb3eb31165339463bac57c765cfd8e15c5dbb4bbba5ad40a

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
224KB

MD5
7e8dd4ad701d985de554d92a09a2fef6

SHA1
9024e60e3e0dcdae1277d90a6fa513afc64ea603

SHA256
0b1e4e20a0ff9cc3612b462acdb3f5a3c2a657ca45b6e423ce526ad413508ab9

SHA512
c1ca7a35925635a875e6839e4c73260128be31815429205d81191444b61b9d10e984e68917e371bc520e984fc3408483c843bf6b6aad8424211279a3f2881070

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
224KB

MD5
cbac15bf0517c540bff881a61c76b336

SHA1
6e711415accaf0e0a5aecbecc0ff26be0eef88f2

SHA256
1cccf25bcf3aba9b2d460adfcb816e6e6cccb2b759aa9d267943794afaf23093

SHA512
9e46b08d34075db71840475fda37abd0cf13c130293a6b146aea27a49c41449c08a0aef6bbb33e3137328c32e5406e0cf6940ce296e712f696f856e0262f1418

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
224KB

MD5
4675614904e9eba8c97e09755b01a7c6

SHA1
bfb0f8f7238528a2a8509db07ef349baf234e6f5

SHA256
d93493a52ddc2aaa38e5c675594ad9eb63e80bbb5643f1fe297e57ea2b8d0c47

SHA512
772dd4aad89b141146a71e422766008ecb065d99c0c1ef160ebd57d264105511a62de53a54df5bd39be97454f752bee5437b8cb95828d7b8704dc561e5a43134

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
224KB

MD5
ca3cf20a5baa79755eaa23f32ad4deeb

SHA1
86455b567f4b2e1608ee36f07d451054cce3890d

SHA256
ca3a9b03280fc3b9bcb808c1d5c6cc2635de67a07f1b090ca03846ac4fef382f

SHA512
964c7cd67f409d613da8a9ebfc157581a023fb3b904a17ed0ed30ca9ebfdac1ef0f10c24fc103f350319ae9604938059e9a44b7a76039e175859f916232b056a

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
224KB

MD5
a699e0e87f95b747523ef89f993dde66

SHA1
3a7d019ea27c6f88e97f240ccc5cee505ac4ceb2

SHA256
08412413615df20b38b0648b85d9632f9e01661d6a1dba8c29c717e17b32e040

SHA512
d265f5f05ab859753de55207c4a61793c1969306f7190a5b117319be379979055225c0f03eaaa0627a657b0529cb3a4b49186982650f27bcbb733bf437b69803

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
224KB

MD5
0be34b3ffe71eab1f3a2770a295620b8

SHA1
5307fdbdcf0bcb8cfda7ed9c8dbc6ad567470c7d

SHA256
5312918b14ff3bba17a4ffee6d5979d233ee3996b7dbd5dda0de95890fdf6e25

SHA512
2da81f2a0018c419814a4feacbd912547250c546309d2cc0cd78bef3bc6c56d51e99f4fccda3e74f06d101888d372483e866858f78f7817b3857e09314901748

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
224KB

MD5
25bb52f67aa88c457731fa35cebd1eca

SHA1
806b410fe78fd3e89f1727b62fef2c99dd193706

SHA256
2dc928da34872b01f73604a91f2981c11d2997dd38c05143eda4f3e6a133e815

SHA512
3fbd9351bd1673ea3a3ec04a22c44430ced58ef80943c61e5bec503dafb3aaed306c85e9d525d6b20de00e851db7e7cd7cc56bb72e60ffb26280c6e09a05c68b

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
224KB

MD5
23c1b425f0fddf50e3a20d721a584574

SHA1
37acb0a69117b58e4c8864b539da91684cc5ac13

SHA256
39b588327b5936b0ca8f31c16c85b51190ac7eb0c5f7502786baeb75d93002a5

SHA512
93cac2e742c28e1f9b97ba21326d2b6a3a044f9a7a3d56b0c9fc112903bc9d605022dc7df796c8dd73cb82fe25c7d88f28ca589eb5643f3c9da74900d45936b1

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
224KB

MD5
8035d756e81446e3920347da04e17ba8

SHA1
4473673b15ee087d8cebfd0249ca4ff372a690df

SHA256
3d62bd3c8d0c6e7ef734f2271688208d37a7753b3849d8c06e4736b7513c65fe

SHA512
3360ae77b0e2e5461f22f055155921f07e56281154b0adcf800474e5c1a67eb7c74a8431f0c47d6a3f48dfae3e74c4c4b1a1c2c24e1c84d5292cba64fb12ab2d

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
128KB

MD5
9d15f5f8393d17b1ee202395f115d45c

SHA1
be2b01a4e227e8fb6d5a97665d2ddfff4cb992ff

SHA256
f735152af0343784a57f6a420ecce08f95bd9ba087d5d0f3c7af13bb77a9f845

SHA512
1941b107080e5247c2e81b91a1d3ab6fff85630693f458944891b516ae6f2e6da24bf0fb3be8e9b0985ef9f1b159058b84e5b52c2218816713e56742ca6a2425

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
64KB

MD5
bcba0167549cf495c9714fb3e091eded

SHA1
b25d13087cf52d659ac9d5b4dfafeb8e648d73af

SHA256
a405accb56b80698eca4a8bf0a394a787e4d5bfd75d79fed7442e66df3100912

SHA512
1adc65e858e78895a8ef088049dd18ce46c73bd535f352675696b7d73a14e413ff476b3902ecdc0c54441900b5efd2ba902d2f498dbc1b6c1fc617171fb53143

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
224KB

MD5
d79f556ef51f4f7c8edd5545c0eccd02

SHA1
0fbd528bfcfc100d70a75419918040d953542652

SHA256
1c9b8381e019a41aa66a3072149238170f4d3388b35e93a23dce70d518d36e5a

SHA512
2d0b005e2c29b1e8b70a4859def19603206eda31c77b799e86f950bdecaa692f392bf9666c4b9b35f850536e27f12612da6642a6705ff53980d28295a836c36d

Download Submit
memory/112-160-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/116-129-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/224-466-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/228-348-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/404-33-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/404-631-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/436-524-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/460-510-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/532-205-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/664-384-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/864-279-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/872-530-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/968-550-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1040-401-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1132-541-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1348-413-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-300-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1636-354-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1640-493-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1652-585-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1788-80-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1788-670-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2004-141-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2052-482-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2168-587-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2288-153-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-564-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2512-96-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2512-684-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2528-638-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2528-45-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2556-24-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2556-626-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2556-1380-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2612-442-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2684-249-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2732-360-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2872-145-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2976-425-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3064-306-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3120-471-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3132-113-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3136-562-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3172-669-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3172-73-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3240-599-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3240-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3240-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3248-382-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3264-483-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3324-459-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3408-168-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3416-121-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3432-662-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3432-65-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3548-677-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3548-88-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3584-330-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3636-305-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3660-366-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3664-308-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3664-1303-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3704-314-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3764-618-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3764-17-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3952-189-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3988-197-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3988-1338-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3996-500-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4056-8-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4056-613-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4080-250-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4104-56-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4104-651-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4176-424-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4196-251-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4244-105-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4336-390-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4360-512-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4400-372-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4416-336-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4488-346-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4596-452-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4596-1255-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4648-407-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4656-570-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4784-177-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4956-593-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5012-518-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5096-431-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5112-49-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5112-645-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5140-600-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5188-610-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5268-619-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5356-632-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5400-1191-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5400-639-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5484-652-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5600-1145-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5608-1181-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5608-671-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5660-678-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5768-1141-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads