7aa0e022c4d0c81e9727f4cb0ede1188f79fd40b67914d75b723c3def1daa0b7

Analysis

max time kernel
129s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f67d3c68a8cdec557a8b37c8f8db8160_JaffaCakes118.exe
Size

49KB
MD5

f67d3c68a8cdec557a8b37c8f8db8160
SHA1

cd0393e341e5185bdfeee41d86429b2fcda74026
SHA256

7aa0e022c4d0c81e9727f4cb0ede1188f79fd40b67914d75b723c3def1daa0b7
SHA512

715efb6ed19df8791b121540011b4f2df8d251f03dd7eafc1b3bc1c445fb7f0065d10ac0d1fb527077e4b2d87f9e527b42b7578740f8af9d0092e92ce878b2c3
SSDEEP

768:EjDh5CD4MAnXl7davJHVtxCARX3edXVsdu/v9LgiF8dvre7A46gux/1H5v2Xdnh:EtMa7SHnkyCVsaVmU846gurm

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f67d3c68a8cdec557a8b37c8f8db8160_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debeijoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f67d3c68a8cdec557a8b37c8f8db8160_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe

Executes dropped EXE 64 IoCs

pid	Process
4376	Dcdimopp.exe
3644	Debeijoc.exe
2576	Dhqaefng.exe
4024	Dokjbp32.exe
4176	Dfdbojmq.exe
2960	Dhcnke32.exe
4248	Dpjflb32.exe
4848	Dchbhn32.exe
3116	Efgodj32.exe
1492	Elagacbk.exe
4824	Eoocmoao.exe
1704	Ebnoikqb.exe
4604	Ejegjh32.exe
644	Eoapbo32.exe
812	Ebploj32.exe
1740	Ehjdldfl.exe
620	Eqalmafo.exe
916	Ecphimfb.exe
3628	Efneehef.exe
4544	Elhmablc.exe
3932	Eofinnkf.exe
4036	Efpajh32.exe
4172	Emjjgbjp.exe
4996	Eoifcnid.exe
3552	Fbgbpihg.exe
4352	Fhajlc32.exe
2536	Fokbim32.exe
3192	Fbioei32.exe
3744	Fmocba32.exe
4636	Fomonm32.exe
2528	Fbllkh32.exe
2864	Fifdgblo.exe
392	Fmapha32.exe
1408	Fbnhphbp.exe
4200	Fihqmb32.exe
3988	Fobiilai.exe
1184	Fbqefhpm.exe
448	Fflaff32.exe
3700	Fmficqpc.exe
3016	Fqaeco32.exe
4928	Gcpapkgp.exe
4976	Gjjjle32.exe
5052	Gmhfhp32.exe
3000	Gbenqg32.exe
4672	Gjlfbd32.exe
3800	Gfcgge32.exe
2092	Giacca32.exe
4760	Gpklpkio.exe
4628	Gbjhlfhb.exe
2488	Gjapmdid.exe
2416	Gmoliohh.exe
4664	Gpnhekgl.exe
4536	Gbldaffp.exe
840	Gfhqbe32.exe
4052	Gmaioo32.exe
636	Hclakimb.exe
4044	Hfjmgdlf.exe
4504	Hihicplj.exe
1104	Hmdedo32.exe
5060	Hpbaqj32.exe
1276	Hfljmdjc.exe
3100	Hikfip32.exe
4548	Habnjm32.exe
4852	Hcqjfh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhqaefng.exe	Debeijoc.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Bbopfj32.dll	Debeijoc.exe
File created	C:\Windows\SysWOW64\Gbldaffp.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Dhcnke32.exe	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Eofinnkf.exe
File opened for modification	C:\Windows\SysWOW64\Fflaff32.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jehocmdp.dll	f67d3c68a8cdec557a8b37c8f8db8160_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Gfcgge32.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fobiilai.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Impepm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7140	7148	WerFault.exe	283

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fobiilai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehjdldfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebploj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efgodj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4376	4368	f67d3c68a8cdec557a8b37c8f8db8160_JaffaCakes118.exe	85
PID 4368 wrote to memory of 4376	4368	f67d3c68a8cdec557a8b37c8f8db8160_JaffaCakes118.exe	85
PID 4368 wrote to memory of 4376	4368	f67d3c68a8cdec557a8b37c8f8db8160_JaffaCakes118.exe	85
PID 4376 wrote to memory of 3644	4376	Dcdimopp.exe	86
PID 4376 wrote to memory of 3644	4376	Dcdimopp.exe	86
PID 4376 wrote to memory of 3644	4376	Dcdimopp.exe	86
PID 3644 wrote to memory of 2576	3644	Debeijoc.exe	87
PID 3644 wrote to memory of 2576	3644	Debeijoc.exe	87
PID 3644 wrote to memory of 2576	3644	Debeijoc.exe	87
PID 2576 wrote to memory of 4024	2576	Dhqaefng.exe	88
PID 2576 wrote to memory of 4024	2576	Dhqaefng.exe	88
PID 2576 wrote to memory of 4024	2576	Dhqaefng.exe	88
PID 4024 wrote to memory of 4176	4024	Dokjbp32.exe	89
PID 4024 wrote to memory of 4176	4024	Dokjbp32.exe	89
PID 4024 wrote to memory of 4176	4024	Dokjbp32.exe	89
PID 4176 wrote to memory of 2960	4176	Dfdbojmq.exe	90
PID 4176 wrote to memory of 2960	4176	Dfdbojmq.exe	90
PID 4176 wrote to memory of 2960	4176	Dfdbojmq.exe	90
PID 2960 wrote to memory of 4248	2960	Dhcnke32.exe	91
PID 2960 wrote to memory of 4248	2960	Dhcnke32.exe	91
PID 2960 wrote to memory of 4248	2960	Dhcnke32.exe	91
PID 4248 wrote to memory of 4848	4248	Dpjflb32.exe	92
PID 4248 wrote to memory of 4848	4248	Dpjflb32.exe	92
PID 4248 wrote to memory of 4848	4248	Dpjflb32.exe	92
PID 4848 wrote to memory of 3116	4848	Dchbhn32.exe	93
PID 4848 wrote to memory of 3116	4848	Dchbhn32.exe	93
PID 4848 wrote to memory of 3116	4848	Dchbhn32.exe	93
PID 3116 wrote to memory of 1492	3116	Efgodj32.exe	94
PID 3116 wrote to memory of 1492	3116	Efgodj32.exe	94
PID 3116 wrote to memory of 1492	3116	Efgodj32.exe	94
PID 1492 wrote to memory of 4824	1492	Elagacbk.exe	95
PID 1492 wrote to memory of 4824	1492	Elagacbk.exe	95
PID 1492 wrote to memory of 4824	1492	Elagacbk.exe	95
PID 4824 wrote to memory of 1704	4824	Eoocmoao.exe	96
PID 4824 wrote to memory of 1704	4824	Eoocmoao.exe	96
PID 4824 wrote to memory of 1704	4824	Eoocmoao.exe	96
PID 1704 wrote to memory of 4604	1704	Ebnoikqb.exe	97
PID 1704 wrote to memory of 4604	1704	Ebnoikqb.exe	97
PID 1704 wrote to memory of 4604	1704	Ebnoikqb.exe	97
PID 4604 wrote to memory of 644	4604	Ejegjh32.exe	98
PID 4604 wrote to memory of 644	4604	Ejegjh32.exe	98
PID 4604 wrote to memory of 644	4604	Ejegjh32.exe	98
PID 644 wrote to memory of 812	644	Eoapbo32.exe	99
PID 644 wrote to memory of 812	644	Eoapbo32.exe	99
PID 644 wrote to memory of 812	644	Eoapbo32.exe	99
PID 812 wrote to memory of 1740	812	Ebploj32.exe	100
PID 812 wrote to memory of 1740	812	Ebploj32.exe	100
PID 812 wrote to memory of 1740	812	Ebploj32.exe	100
PID 1740 wrote to memory of 620	1740	Ehjdldfl.exe	101
PID 1740 wrote to memory of 620	1740	Ehjdldfl.exe	101
PID 1740 wrote to memory of 620	1740	Ehjdldfl.exe	101
PID 620 wrote to memory of 916	620	Eqalmafo.exe	102
PID 620 wrote to memory of 916	620	Eqalmafo.exe	102
PID 620 wrote to memory of 916	620	Eqalmafo.exe	102
PID 916 wrote to memory of 3628	916	Ecphimfb.exe	103
PID 916 wrote to memory of 3628	916	Ecphimfb.exe	103
PID 916 wrote to memory of 3628	916	Ecphimfb.exe	103
PID 3628 wrote to memory of 4544	3628	Efneehef.exe	104
PID 3628 wrote to memory of 4544	3628	Efneehef.exe	104
PID 3628 wrote to memory of 4544	3628	Efneehef.exe	104
PID 4544 wrote to memory of 3932	4544	Elhmablc.exe	105
PID 4544 wrote to memory of 3932	4544	Elhmablc.exe	105
PID 4544 wrote to memory of 3932	4544	Elhmablc.exe	105
PID 3932 wrote to memory of 4036	3932	Eofinnkf.exe	106

C:\Users\Admin\AppData\Local\Temp\f67d3c68a8cdec557a8b37c8f8db8160_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f67d3c68a8cdec557a8b37c8f8db8160_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\Dcdimopp.exe
  C:\Windows\system32\Dcdimopp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\Debeijoc.exe
    C:\Windows\system32\Debeijoc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\SysWOW64\Dhqaefng.exe
      C:\Windows\system32\Dhqaefng.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        24⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        27⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        29⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        30⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        33⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        34⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        39⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        43⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        44⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        50⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        56⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        59⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        62⤵
        Executes dropped EXE
        
        PID:1276
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        63⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        68⤵
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2432
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        70⤵
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        72⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        73⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2568
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3872
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        78⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        79⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        82⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        83⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        84⤵
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        85⤵
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        87⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        88⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        89⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        90⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        92⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        95⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        96⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        97⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        103⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        105⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        106⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        110⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        111⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        112⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        113⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        116⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        118⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        121⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        123⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        124⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        125⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        126⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        127⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        128⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        129⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        132⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        133⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        135⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        138⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        139⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        141⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        142⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        144⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        146⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        147⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6652
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6780
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        153⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        155⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        156⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7032
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        158⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7160
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        161⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        162⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        163⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        164⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        166⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        167⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        168⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        169⤵
        Drops file in System32 directory
        
        PID:6764
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        170⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6900
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7048
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7100
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        175⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        176⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        177⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        178⤵
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        179⤵
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        180⤵
        Drops file in System32 directory
        
        PID:6760
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        181⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        182⤵
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        183⤵
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        184⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        185⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        186⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        187⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        188⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        189⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        190⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        192⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        193⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 400
        194⤵
        Program crash
        
        PID:7140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7148 -ip 7148
1⤵
PID:6776

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6840

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6692

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
49KB

MD5
bbc1dbd26ce24acf32a0e967ea7268ea

SHA1
f99bc679924025af681ca2957fe2e577538b5984

SHA256
2fbcb7706f91f30324e51d151476b19591db71488d3a411a887d1b4e94c6b247

SHA512
b54821f0a989c8cf26c69b1517389cec02eef53c7a03bb7955f7e6a1c67b0c30bb8084188af3d036cb3e896a392e3d8f9731ee2a2c7091550f8b56ceef25db44

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
49KB

MD5
2d59d2c4f5cc316d6fcbfe34f0ed4bd3

SHA1
48015308210ca12ebc2bd1d4a9b0d62c504b6bdf

SHA256
e91181620fe461034981ff601501f91f51593eaa7d184974d8d85431158849af

SHA512
79dfe5e48a038f6fdcd783623a57a0e3af4e4935466939352f4525ebe5642dd1e900a6afb2f682553143667acaa9f3d3a54ef92fb477bf8534904a94293e66ce

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
49KB

MD5
95634773a39ed78d62ea9a4f0ffb3e87

SHA1
af22385fb36414d7aebeb3aa44816e42386002e5

SHA256
971e6c5bce9911078562658f8800349985ab22e6178309ab4ae1fcf89823be12

SHA512
a770d3b34e086362d5c8e65111a3b525d5bbf9a2d87a18ff765305a994ef9249285dffc41187389e6f3fc708bc5c80dbf0cb5b3c7a6608ba920107819475a934

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
49KB

MD5
0231f2775532b2e1754ab97a4e0f62b2

SHA1
8ff9372f7c9eff3c96628fb774108d2051bb5fcf

SHA256
999c492286529fb6623c9661536c53ad8c1357723f5f331334853b79965cd637

SHA512
918f7b0cbb671d00b8d6d359b9c97e18adf6e53cc36078e78fcdb6c11bec6fba594793ddf639356748b6187b0499acb75dc8260091ef49bb283fa240a6a716f2

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
49KB

MD5
7c7e3ef3f2cb1c4f7b7f9477fb0dbe7d

SHA1
2cc81d5299356ba681d589046b3449612ddecc2f

SHA256
3e132504b82a1e7a62e581d6663fdd33f475b8e86c343df8272d2796f6cd33c4

SHA512
4c70ba6ad3969a33890adf1b7d9c2473de2f845e20288f51acc50f0042e67b54d63dcea86a915141c222e609c08cf49c8741b545672252ce72a7a19ab4e584c9

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
49KB

MD5
9bbc12c9f7ed9c9494b64a7c26d92926

SHA1
aacf65a971e5bc893c93b6d4bcc9623f3bd55ce3

SHA256
7b6a17a5d32a957eba39445fdc459b0dd9fd079ec9a8df8b1a37686cc2cecf69

SHA512
f21d67d005358a7837d7e2fa973638f59f8521cc02befabc6d3d678c509ac97d4b3b581a97ac6e1f977157ab41fec9da9d6dcf0b952c13c35c8ce29da93b5c29

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
49KB

MD5
385816a786ed07eca5e81636704aa24a

SHA1
71d96113b544da3d5e9c01f38dbb76b32b698f04

SHA256
5f03631dfe22b2f547771b4f6c5c363b5e717f5cac5a4e63acf4badac41b76fa

SHA512
2e6d48cd46b7571d11d53a13fa0151f284a65cf2fc2b3bb24f99c86ba077e2f61d6698b615bd1ad6bfbd51ae660ac8a76562ba7ba909ae4c35bcf9188ec70723

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
49KB

MD5
30a905a90fd0520b540bc954c46ea0b1

SHA1
34839714e2b895ae0320b90c1759888d671a98af

SHA256
f52af5b0fa2ff081e89371463a455623e07c292322bc264cb1fc95b0c3d7c8dd

SHA512
d7089d139e027c3da8f2fd32aa4c94103df3bc4f88213d7daf347d7d00b0c8002f35e32fd5058ac530596634cd873fca28a84dd903229d9d7ce73face33503b4

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
49KB

MD5
935e083f3ab8c4e5b87a04515f73c8a7

SHA1
0596693513d5883d993dd13ebe0225f5911f4f64

SHA256
6f2e7100d4518b370cdc58158663f275618a546df9108a7cadd701734dfac726

SHA512
932b46360390ab65cd1b7b1dc8d6593d01ece01dacf6df868b6752cbd5cc089728b780a8e73545103e9633cd39e00988aa678650d57404ba5c7214a0a3ef929f

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
49KB

MD5
e254b55700d61eae7c180f51903d93a4

SHA1
c12ab170aacc4a24b633a0eaa504c0c1c52122f6

SHA256
9326a4157b95d283745b0835bb05d8386c0870836d14fc694943e9acafa7490c

SHA512
231eaadd029618dfed4c48cfdb3c54cee146ef51cf6c3ce1cb60d446a28852c7556034d571fb759fed0c537ac4d82f716da979fcd0319df5c591d3a8acfecf8d

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
49KB

MD5
d76c2b923217be3875eb75cddd7f720d

SHA1
fb8732b39113f4f3c88c8f265b6edb6cd16f4fc3

SHA256
ed445c125d1eeeb4313f9d08f46863a652d7b9a9c97236d606020ea689064e63

SHA512
fbf4ca7da1d4c7cbe17d7a1e2ec4c047d7bdd6eabbb7dfd685d57ea5b821328a1131215b6d7473e4bd48ce4b144d76933531d247a0fc39af1894adf35df2ad94

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
49KB

MD5
5ef1a80ef2f221c0e75709191b922659

SHA1
c90f35ce2d52737391a5558f063171d3109d4314

SHA256
f193a98755934bc9c05a7a8dba137c074a527f1ee56bcee86bc3e5edad6b8cde

SHA512
515e7302157172f76cff3c30691c4fa019e414f5ec45c8a09662fed38e53bf40a954f2de22096c92b567d5804185471b1a2ec7f29793bd5c64f621b37319fad5

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
49KB

MD5
20963ff466c8f27b7a6f6fe3d9e1084e

SHA1
003b3accbc9658f4ae1032c50cbb201773a63acc

SHA256
a6fbab03884dda16fba03f6afc2764df928ba2f10e39ec11ef9814f99f11d3e1

SHA512
8372ff2758aac858194fe1284444d43c4e88f61f6752449751eb677844e87c12824a89fe02ac5c6154ce55bba155baa12121ad632be53a197b62705fe642aae8

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
49KB

MD5
b93722b4fdc793f097d0ae5f82638278

SHA1
33fc4134ee5b9055723e47ac09f70fcdc3238ce0

SHA256
8a5040f660ef04a8314f802421c9206f47daeac0f4d27ecb2b9767429af22229

SHA512
d1f7896cce8621434efd028a05a7d1957cebcb4f11199de84c4b4ab895bd0808b3634c65da13059c24e7ca7526cbbc6133d587a7284c63b5e9af475ae8405106

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
49KB

MD5
ec83dc1b9fd0e9e9572a2f4eff8b13dd

SHA1
83cedd219449e8d9e65aa433d0030daf3b4d34a4

SHA256
cbbda3a0a70f27f19e56f75caefab9ad5627a58d6a96c92984762f2e63d3904c

SHA512
db282a8bddf0131b9c58424b042ab5753470953ad75e855d88dd8bf300bd03f7575aa2ed59fc5ac21fbc49ec829bd356c7e323a1c3fcd123119bd943c90b96c7

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
49KB

MD5
505dd3ff5c0140210d5f1e3522fc0f58

SHA1
86cd3b76d361822d09e6e212c627d8b12b79097a

SHA256
3e4893035c2ef5137244262677a48e790ee4d8ea4b1707a7d549d34d5177446d

SHA512
aaf6d07d91de376acc6ba901ed7ec9e1390b05dca9b89b1272af0abfe08d4b422df6ca50b1f773cf6ccc4fd9ae8736cee11e91c3363a90e1bb52a5ec8ca8f59c

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
49KB

MD5
0b902b71eb8f7cd7f3fde021a3117905

SHA1
1f9ac884c889ce3f443e9815f8f97691483da463

SHA256
6618610feaa94f0f48d9a1c8a69da15249877e79706118b0e12c8fd3105829cc

SHA512
eeb5a6b932441dd5c4d33aa6cbc29484abc81638139ccd269bc42c3483f6d8b14b662a1c39ae16ea76da653c9e5df92c77748cf06d59e7c7781bf625c3449cd8

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
49KB

MD5
5ba40a13e3aa0757165239d42895a36e

SHA1
e39aa0b8e647be450fbb7c051c757ac7369e92a6

SHA256
ecd99ee4607582eeeed1c3732dc1d1f46a743724740d42fa50d3a9f8032c2f8f

SHA512
fa338be76770d4cf12742a7abed03fdf3ab201b03b3b0b611d1be50e22e7ce435f230d9fb1da231711229a005671f90e4028e5c453938029917121f611824771

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
49KB

MD5
e9c0eb498326e9be7697b8e9f8a79f89

SHA1
6ac0da197637690478ba76c1e9b5b80009c9f87b

SHA256
a6256a100948ef4cd82dc22de839896c3bc81d05a497b7bfda11371380627763

SHA512
839bd49955fcd289f4548f9e61d2bf4b5055a0f1ea8a617c6d46fc76ffbaa2187a9dc2749aef9fe3bf16959848782a6790a5bbe86e0b0d867b38a6650a58a8c1

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
49KB

MD5
e16724afc12cc1d63a73c431c1f93d30

SHA1
ec352397153ce7459f840d1605754d8881457071

SHA256
fd9bcc0529f9efc5e991804a2413b6a6dd77db9efe3f905aba500301d933d723

SHA512
fc390c895e12e531d346bc879d39a6afa011910d362acc4deab6286f45bbb922b85d769efe1e48363ef7aa30d00878720670f4bae382034df88f0d3c229f6a98

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
49KB

MD5
d4d287b51ca1f7d8392a7f9ab7683e81

SHA1
2c1551641c98cd85bc7f0b5b5537f4dbad0b50b6

SHA256
c54e6bc44a17fe8d86fb4b89025f840c147bd6c7e424f99eaae077d6cd2da09d

SHA512
4a861fcb004198503ca49be7ec98aeb61da22d95f9f32040404e4510fd05ff0cda850a082471942d74787f5f64400b6235c9935e6d0e8c8ac0eb642dc158b897

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
49KB

MD5
935755963050d5088439c70d54764650

SHA1
958dbf98ff4f7ff4240e91eea083c8f6f1394304

SHA256
4e1cdf96cb8563131dad64339b676dee25b1fb44c9ab4b4f8b64d90fdf15b906

SHA512
31ec7d07475441451f84bf14b49e95673a9f0a252a56765ecf58ca00c782cff8a26c3e0361e22ef578e0be65573c409ad19530a1dd66013c05606c9ea7261f5f

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
49KB

MD5
f5a6f2e58060cef900f7a890ed990c34

SHA1
e08eaa29cee6d86384e0458801e3ba5f47ee0b33

SHA256
4b8de514c8a12e431825f826ffec21ec976af21c3e22bee808f961950b2e533a

SHA512
27b69205a78da7c79e646fc6db23aac4550da825121cad409928e835384bc84eb4664c08929486f050f9cc11119b121ecd847278a793b9d240de29d62c106a96

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
49KB

MD5
8bbf7fec9906832728599c7dd094351f

SHA1
ec804a01de476cbaacc5b0a3fa66cfa9bb9d1be7

SHA256
b62276c39a85dd5df5b6171fb66068830780d90af09527bbc315307060cbdbcd

SHA512
d97d16e578d8f7edcecc6660228ea7bcf7d2a255e1d83cbef1f856a511033ca9abde6b6c7302eadb97e2bc2bb7d87fbf4159f81e1ed3e64c96664c312dba7cbe

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
49KB

MD5
52e5a20db0f2871ea91ec4302ba0e87e

SHA1
5e31b7ebcb99a97c218b1d36391a74490f213ea1

SHA256
c09260c72516cb08e66086f35dadeb56166f1d7981cfdd19e76940068f3d4654

SHA512
15a3f0fe0c9c51cd44029cb4ed357067470632c3638f163f55c3617c96f63f2594085dca42c8958a021da7ad809c966e18be158afcdd3c8d77328bed2ce119c3

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
49KB

MD5
3549f21669e3cd508b20d21073c0eb60

SHA1
8379f11d0fd61b4769230db7b691905461245b30

SHA256
15c56d0714bb55479830c04cd4ad2996b93eda7ed2276764a16f8b57c48facc0

SHA512
e63492674dde79b43812cd22cc01b51ce28b924a968deefe4a0545c969774c170e922d69beedef5934847dc4da1fbaacb05f8ec5b06a29e4e551d98be0da5a00

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
49KB

MD5
f33ef8d9228ca39043e929cbb9cb42b2

SHA1
fea6ee8870119f7889dcb7d39ba667fbf7c7c023

SHA256
544adade3da1bd60c7ff24d3d18081621b0d83e703d279e59a3fce2763ec7919

SHA512
73044f3e005ebcc6058e125388adaf7aa355c378c0d42454fde64c7feea13f397f911ade27f8f066594937f824d4fba713ded9ee70529c081408f8f93d1f11ad

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
49KB

MD5
2394ad4dcddfdb57eb8b877ebdd33654

SHA1
769c867cd1b5e0aefc39f5b4b39dcfba8632ea54

SHA256
b83ccf7595bf27aab5487efae428630a561dd84f7e4883a7fed94b92af276abc

SHA512
94cb0d3f3557d6d28ee65a3bd8b63285fcdf1adaa7b4d02ca17430af5eec29819e385114c539071c1227f8bc08941ab9c9ac851f410e33521a40a5a90716f527

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
49KB

MD5
b76682fd92a3712bd2300d3c2bca1bb5

SHA1
73113ae9947374ec3b2d781a282e35586c528844

SHA256
c8de96851c6468441da42e01812a557ec8c7716b462f2a5f3033aa10ba306cd0

SHA512
36621dd5dd89b4c68fdff8acae16649960f8211d7e89b7e2ea379c5eeb5a6888560f7cf61f1ccccadd8753702345d001f5ae51508c55226e57cdf6c21b315394

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
49KB

MD5
53eb4b9124ca555fbbd1016ac4576918

SHA1
8709dbd8bba0362208dbc5a54af5d91d0b3c88b9

SHA256
aff3da34c128e5f207bcf0e3af5b70b85f8c784334ac26029d1c82a053dbb009

SHA512
2cbb7bff8098b65389e247f9dd6a8969c738ecba3cab9ad43f6ee50c34582fc6d2f88b5be4c7f9fd27901762a952acb446fd58d41eed2b3967cc35e95180456b

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
49KB

MD5
65a7968f013414d291f5308eee33b6dd

SHA1
4a8c77b378b3bf2a20bd75fc45fecbe67c97881b

SHA256
9c4803e3fc709c3aa733318aa472c943a63474dac780c522dcdec2056e261178

SHA512
8ac77fa23a49a77f496fba0f248faa815c4564c69202b29674d16defee43a796461a5363708aab494689e1f27f9a1203a265c1ac30d7d7b6d9174214e68e37da

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
49KB

MD5
c49072c961605689acc5f073c15c1604

SHA1
d500a345c65ffa7fd90f2e63c2b8109fde60f83c

SHA256
e8f6c090a691f60dd40365abaf4972ef377d4dc15a10c23d535e536f4e5c5ecb

SHA512
7469df4fbc5921022a63ea851cc6065a241cadde3c232d000ad57a9c42b3b78d16569d3394dd274e52975b268ec64c1a421fcaaf79710fd652df94f3e1a29998

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
49KB

MD5
12c9de44b5d2428f64922a03470d6f36

SHA1
731405885998bec56d9f14ac54a38ef90f706d1f

SHA256
de0d2647ff624481556b6b42603aaad2e1ed82fb9774121164d4251d101bfddc

SHA512
f0d54d21521a891b56e77192a25db08b59162de9c72be157a0eb1935e5eec9ae4b9d8e27369b9ad5e455d171b43ffc8ecc443db7850b6257d34062d17aa8eddd

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
49KB

MD5
82d571f1d9fedeab35f2bad5bd413cac

SHA1
e8be7385a4bd69812bd7910fbb68ac40a9af703a

SHA256
7ec3f8f1dd56bd3af265bcf36411d175f9120dbc2ae145aed55f8097e8bb4fb4

SHA512
36e340d990edd652c664747c57383b0da922dfb2da6004cba3670d0dcd193c88443f513d69065c81988b88fccb535c83f83680d4fa85a41332a3e6c609e07508

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
49KB

MD5
34bd313f5c64b3e8ec22dbfb2bd58684

SHA1
45b41cf70019894261f2eb12abe4ebee80ee962c

SHA256
4498aa751bfb60b98f5659725d082761e83e828426322d055921ca3b08c072ae

SHA512
13cd30189393edee22d23c9807de96b21eee1828ec9bd7c70d08e7274afd97f73a5a34b5f0a503c92cb4c5a98f87e61556246a5bd112e7fc6d00ba96cf00fcf1

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
49KB

MD5
d1b2db23e3251a0e2bca683dc5c3198b

SHA1
e20a9870f85296015d93091f16cea9661051b532

SHA256
3aaf3ba19ebe2571c5af82866cef5e412b080ddd72e195d6c51c61c3a4aebe4b

SHA512
3727a3e0514d1fa8465c15821d9463c6ed5495f063442daae198360fe810430a0e1e3b4948674d0ad416ffaec090b143b915114f4624ab6934d0eede944b627f

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
49KB

MD5
383a40a53d1a18447508b5016512da04

SHA1
f36c4b836bba9e31c2883108c70a9265b8ee2efe

SHA256
74dfaef7e74fbfbf6b036a55c7dffe9e88b39e70a99bcd0bb23f967174e6d86c

SHA512
fd50d230ac58b0d6a888d0f17894bf32cd7c33e5f7870716b3381219efab57717502cbb335b584c29df453fe0bf61ba500f5e920223d3570f1824b57efe64a35

Download Submit
memory/392-267-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/448-293-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/620-137-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/636-401-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/644-112-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/812-121-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/840-389-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/916-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1092-567-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1104-419-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1184-287-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1276-431-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1348-520-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1408-269-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1492-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1612-564-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1624-484-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1684-521-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1704-101-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1740-128-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2092-351-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2208-539-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2416-375-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2432-473-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2488-369-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-248-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2536-217-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2568-507-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2576-566-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2576-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2864-262-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2920-497-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2960-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2960-590-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3000-329-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3016-305-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3100-442-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3116-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3192-229-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3388-553-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3492-527-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3552-201-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3628-152-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3636-580-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3644-559-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3644-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3676-455-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3700-299-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3744-232-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3800-346-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3872-514-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3932-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3988-281-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4024-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4024-573-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4036-176-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4044-407-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4052-395-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4172-184-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4176-46-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4200-275-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4248-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4352-209-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4368-545-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4368-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4368-7-0x000000000042F000-0x0000000000430000-memory.dmp

Filesize
4KB

Download
memory/4376-552-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4376-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4460-465-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4504-418-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4536-383-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4540-533-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4544-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4548-443-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4604-104-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4620-489-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4628-363-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4636-241-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4664-381-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4672-335-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4760-353-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4824-89-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4844-491-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4848-599-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4848-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4852-449-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4864-472-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4924-574-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4928-311-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4976-317-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4996-193-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5052-323-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5060-425-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5068-546-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5144-592-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5196-593-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6196-1357-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6312-1390-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6356-1389-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads