a1c02a593d1b568d0b443fb7f6f000a8abd256d2a9af6b8e875f9628ebbaf512

Analysis

max time kernel
137s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1c02a593d1b568d0b443fb7f6f000a8abd256d2a9af6b8e875f9628ebbaf512.exe
Size

384KB
MD5

a376a7d8bec5d65a731607ae80c6b6ce
SHA1

e33ba6b579864ec31110574fa92dfbe6b6f6b753
SHA256

a1c02a593d1b568d0b443fb7f6f000a8abd256d2a9af6b8e875f9628ebbaf512
SHA512

07d9491e55471e4c86eaecfa9283286eb828cad7fca7199494c7e55c5adca363dd1af591bd1472f655b2406997aa345475b4d42f0183636d53bb684c520fd781
SSDEEP

6144:tUkZ887VN/kJ9owtu1DjrFqh/QO+zrWnAdqjsqwHlGrh/6:JrVNotuFjAh//+zrWAIAqW5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe

Executes dropped EXE 64 IoCs

pid	Process
4668	Fokbim32.exe
4840	Fmocba32.exe
428	Fomonm32.exe
1824	Ffggkgmk.exe
4516	Fbnhphbp.exe
464	Fobiilai.exe
2316	Fjhmgeao.exe
1416	Gbcakg32.exe
4512	Gmhfhp32.exe
1904	Gogbdl32.exe
3192	Giofnacd.exe
2524	Giacca32.exe
2328	Gmmocpjk.exe
2820	Gpklpkio.exe
4680	Gbjhlfhb.exe
744	Gfedle32.exe
1004	Gjapmdid.exe
3516	Gidphq32.exe
2104	Gmoliohh.exe
2352	Gqkhjn32.exe
3696	Gcidfi32.exe
540	Gbldaffp.exe
4956	Gfhqbe32.exe
808	Gjclbc32.exe
4288	Gifmnpnl.exe
3068	Gmaioo32.exe
4020	Gppekj32.exe
2240	Hclakimb.exe
4492	Hboagf32.exe
3376	Hjfihc32.exe
4360	Hihicplj.exe
3172	Hmdedo32.exe
1492	Hapaemll.exe
952	Hpbaqj32.exe
612	Hbanme32.exe
3340	Hfljmdjc.exe
996	Hjhfnccl.exe
3044	Hikfip32.exe
836	Hpenfjad.exe
4416	Hcqjfh32.exe
1324	Hbckbepg.exe
4776	Hjjbcbqj.exe
4080	Hmioonpn.exe
4204	Hadkpm32.exe
4788	Hpgkkioa.exe
1832	Hbeghene.exe
2732	Hfachc32.exe
4468	Hjmoibog.exe
1996	Hmklen32.exe
4392	Haggelfd.exe
3832	Hpihai32.exe
4728	Hbhdmd32.exe
1584	Hfcpncdk.exe
2024	Hibljoco.exe
2448	Hmmhjm32.exe
4176	Haidklda.exe
1008	Icgqggce.exe
4232	Ibjqcd32.exe
2072	Iffmccbi.exe
4028	Iidipnal.exe
4552	Impepm32.exe
3432	Ipnalhii.exe
640	Icjmmg32.exe
4520	Ijdeiaio.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fomonm32.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fomonm32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	a1c02a593d1b568d0b443fb7f6f000a8abd256d2a9af6b8e875f9628ebbaf512.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Fokbim32.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6216	5344	WerFault.exe	231

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchnlc32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbbnj32.dll"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4668	4960	a1c02a593d1b568d0b443fb7f6f000a8abd256d2a9af6b8e875f9628ebbaf512.exe	84
PID 4960 wrote to memory of 4668	4960	a1c02a593d1b568d0b443fb7f6f000a8abd256d2a9af6b8e875f9628ebbaf512.exe	84
PID 4960 wrote to memory of 4668	4960	a1c02a593d1b568d0b443fb7f6f000a8abd256d2a9af6b8e875f9628ebbaf512.exe	84
PID 4668 wrote to memory of 4840	4668	Fokbim32.exe	85
PID 4668 wrote to memory of 4840	4668	Fokbim32.exe	85
PID 4668 wrote to memory of 4840	4668	Fokbim32.exe	85
PID 4840 wrote to memory of 428	4840	Fmocba32.exe	86
PID 4840 wrote to memory of 428	4840	Fmocba32.exe	86
PID 4840 wrote to memory of 428	4840	Fmocba32.exe	86
PID 428 wrote to memory of 1824	428	Fomonm32.exe	87
PID 428 wrote to memory of 1824	428	Fomonm32.exe	87
PID 428 wrote to memory of 1824	428	Fomonm32.exe	87
PID 1824 wrote to memory of 4516	1824	Ffggkgmk.exe	89
PID 1824 wrote to memory of 4516	1824	Ffggkgmk.exe	89
PID 1824 wrote to memory of 4516	1824	Ffggkgmk.exe	89
PID 4516 wrote to memory of 464	4516	Fbnhphbp.exe	90
PID 4516 wrote to memory of 464	4516	Fbnhphbp.exe	90
PID 4516 wrote to memory of 464	4516	Fbnhphbp.exe	90
PID 464 wrote to memory of 2316	464	Fobiilai.exe	91
PID 464 wrote to memory of 2316	464	Fobiilai.exe	91
PID 464 wrote to memory of 2316	464	Fobiilai.exe	91
PID 2316 wrote to memory of 1416	2316	Fjhmgeao.exe	93
PID 2316 wrote to memory of 1416	2316	Fjhmgeao.exe	93
PID 2316 wrote to memory of 1416	2316	Fjhmgeao.exe	93
PID 1416 wrote to memory of 4512	1416	Gbcakg32.exe	94
PID 1416 wrote to memory of 4512	1416	Gbcakg32.exe	94
PID 1416 wrote to memory of 4512	1416	Gbcakg32.exe	94
PID 4512 wrote to memory of 1904	4512	Gmhfhp32.exe	95
PID 4512 wrote to memory of 1904	4512	Gmhfhp32.exe	95
PID 4512 wrote to memory of 1904	4512	Gmhfhp32.exe	95
PID 1904 wrote to memory of 3192	1904	Gogbdl32.exe	96
PID 1904 wrote to memory of 3192	1904	Gogbdl32.exe	96
PID 1904 wrote to memory of 3192	1904	Gogbdl32.exe	96
PID 3192 wrote to memory of 2524	3192	Giofnacd.exe	98
PID 3192 wrote to memory of 2524	3192	Giofnacd.exe	98
PID 3192 wrote to memory of 2524	3192	Giofnacd.exe	98
PID 2524 wrote to memory of 2328	2524	Giacca32.exe	99
PID 2524 wrote to memory of 2328	2524	Giacca32.exe	99
PID 2524 wrote to memory of 2328	2524	Giacca32.exe	99
PID 2328 wrote to memory of 2820	2328	Gmmocpjk.exe	100
PID 2328 wrote to memory of 2820	2328	Gmmocpjk.exe	100
PID 2328 wrote to memory of 2820	2328	Gmmocpjk.exe	100
PID 2820 wrote to memory of 4680	2820	Gpklpkio.exe	101
PID 2820 wrote to memory of 4680	2820	Gpklpkio.exe	101
PID 2820 wrote to memory of 4680	2820	Gpklpkio.exe	101
PID 4680 wrote to memory of 744	4680	Gbjhlfhb.exe	102
PID 4680 wrote to memory of 744	4680	Gbjhlfhb.exe	102
PID 4680 wrote to memory of 744	4680	Gbjhlfhb.exe	102
PID 744 wrote to memory of 1004	744	Gfedle32.exe	103
PID 744 wrote to memory of 1004	744	Gfedle32.exe	103
PID 744 wrote to memory of 1004	744	Gfedle32.exe	103
PID 1004 wrote to memory of 3516	1004	Gjapmdid.exe	104
PID 1004 wrote to memory of 3516	1004	Gjapmdid.exe	104
PID 1004 wrote to memory of 3516	1004	Gjapmdid.exe	104
PID 3516 wrote to memory of 2104	3516	Gidphq32.exe	105
PID 3516 wrote to memory of 2104	3516	Gidphq32.exe	105
PID 3516 wrote to memory of 2104	3516	Gidphq32.exe	105
PID 2104 wrote to memory of 2352	2104	Gmoliohh.exe	106
PID 2104 wrote to memory of 2352	2104	Gmoliohh.exe	106
PID 2104 wrote to memory of 2352	2104	Gmoliohh.exe	106
PID 2352 wrote to memory of 3696	2352	Gqkhjn32.exe	107
PID 2352 wrote to memory of 3696	2352	Gqkhjn32.exe	107
PID 2352 wrote to memory of 3696	2352	Gqkhjn32.exe	107
PID 3696 wrote to memory of 540	3696	Gcidfi32.exe	108

C:\Users\Admin\AppData\Local\Temp\a1c02a593d1b568d0b443fb7f6f000a8abd256d2a9af6b8e875f9628ebbaf512.exe
"C:\Users\Admin\AppData\Local\Temp\a1c02a593d1b568d0b443fb7f6f000a8abd256d2a9af6b8e875f9628ebbaf512.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\Fokbim32.exe
  C:\Windows\system32\Fokbim32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\Fmocba32.exe
    C:\Windows\system32\Fmocba32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\Fomonm32.exe
      C:\Windows\system32\Fomonm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        24⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        34⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        38⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        40⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        44⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        46⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        49⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        58⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        60⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        66⤵
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        69⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        70⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        71⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        72⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        75⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4944
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        79⤵
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        80⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        81⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        83⤵
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        84⤵
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        85⤵
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        86⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:772
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        88⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        89⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        90⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        93⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        96⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        102⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        104⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        105⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        109⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        110⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        113⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        114⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        115⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        119⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        122⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        124⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        125⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        127⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        129⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        130⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        131⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        132⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        133⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        134⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        138⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        142⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        143⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 420
        144⤵
        Program crash
        
        PID:6216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5344 -ip 5344
1⤵
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
384KB

MD5
66e40e4fbc73019a7f34c67bf2daefe8

SHA1
3bc4b6ebe3042792d9ebd17abe068ad02f6378b8

SHA256
22f3e84298afd94261ab0ca49cd30d5b6c5db0ff57b5fab86a6c98d9ab19d806

SHA512
006ffb015de18216e9f24d1f95e508739c5a8c40fcd4298da35eede9b84b1aca5a255989636c9a37c41757ea8d9c17806ebc3bac9f4ea90a01b74609f0498ad6

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
384KB

MD5
7210b71f9972bf295a19b7d884bfdf51

SHA1
5b1717764b56d219134e196a1ad98e2bf18b6f16

SHA256
8f474f8187a3ac57c88846616a55d5fe9889b02fc6ec2c586131ffb3414cfcf4

SHA512
ff737d6e6847e1d1a47b1d3585863af405a127e99e2b60c22d0231d525072bedacfc96c572b59e00ce93ac8cf58f85a1e8eaec7d6a506f5b01ae28a882a929bc

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
384KB

MD5
f5c89e23e7745c1fd8f094676d8b6897

SHA1
e8b3a1e61950f5a42efb500ce64a7b0e30e7920b

SHA256
b59a5e69a8827c84a1786362be2c9a80d22f6e7648c9205a9ab9c9a8bd69f644

SHA512
ed9947be6d451016950ced63704597634db7bd75eeedc8e3989c3ad39d835c43e8f17fa13090cc30c07a67bc0f4e67cf5f1c92fd9c91143b4b4bec0f3a01c311

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
384KB

MD5
6d50889dce742f1013dd25ed566c50a9

SHA1
02fb1e70778af864af62c42daa33ea71c0eddd4d

SHA256
2a02c3fab425360c6366bf9facfed7a9d138087233f37cbfb81088c23f5abeda

SHA512
f35b52e649959f3898129a8625d811e1a144f10f627d9e371ae6fbf63b218d60bcd309fc7ba2f9603ca6d8fc5db81398c3185671277d9c7fae905812feff2c47

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
384KB

MD5
a4d9a0f239d98a7334c18cbe6da1b1d0

SHA1
1b925b7eda99531b3dd4bd732718e38e8187f108

SHA256
a21d82442f7bbbb10b7dedc067d0d2d12a539100304b4690e6d1b78e6e4017d6

SHA512
0344ed4facf65a6c8d49d2f8f7f9cc1178b0e1ec22d5b9f1a0739920f7e7cf6fe23c52f1a10465bd5057882c7bab93db77fc0cc970ea1827ba94dd05320aca6e

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
384KB

MD5
c1bae54a760b1b18d8ecf22f2d552411

SHA1
84aeea8c67ba707ad1b13fa96f24348a0cdb15e7

SHA256
3a2db515a58f64559e20104cc72086d314f595ea7ed9bdf715f8b2a8541bd043

SHA512
0915fc8d2b32842825ab4ec79d5ac7906c18d2a33705c00f0100cd01bed5cdac4f0205398d1b3fc4a42ec5f5fa703c8a4ba662506222962e45f07f4f9543ac79

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
384KB

MD5
0d095d83af054a351b64178eaea2f829

SHA1
84bcade9288790a839f8165cd7d2f3cd3d5c8bf9

SHA256
ab08d757eb16b7a1ceabfbfa8f21c3e1d2a9e8781a2daaac4ca9a6aee27c3d97

SHA512
e57ae9839f4da10e170f3af5ac5fdb8e17725ec4ac1496c1f597655e554fa5dfb8936faaeabfcd5bf8cd72075fabe141d246f3527811aa3d3f65fe4a953c33b5

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
384KB

MD5
d41015b14f6b1d092df03bb38cda0045

SHA1
b39081324c63aefcdc2ffca4b9a4365eac1ad7b9

SHA256
fa4c7a50a97ee5425b4704c2f378f50322d536ea223de82a4a5adb16a8a2db1f

SHA512
8dd0061c7ede57fb881af898853bb7428f6e8cc2dc85f7667e2290e71b399d4917007e76beb65b03526f16aa3266516f1c77d21d5cceb673f28fa9c5c26a6e25

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
384KB

MD5
d798bed6e8d629fa275ae251666ddf83

SHA1
33136d6b6c13f55735b0e5fa169154cca7867ba8

SHA256
66b8c42726a74a0e878bea40212f95df400fb540383fa17ce678b338d1c9c669

SHA512
3c72e32bdc8bda3fd03a4b041572ed52ec6df919edf484202f19192251e5a475da514feba51c4edcd03a926c2a3e51a3e03e49a331da6d14caf71a19e87041a5

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
384KB

MD5
7fade02639662cc5df307cfe31342be0

SHA1
26cf6c0a6ca34ef0d353746261f1494ed25ea4ac

SHA256
5386b177108297bd47c70b6033d9c289c73519b2237d82eec83bb34910acda9c

SHA512
fc8660eca49bde7d65fb4a0581ea024ce2df1bcea0ee0c623b833e08405a59ec43ee04b14bb636d34f1cd2861f3ea8d7daf72d52c14af846e86b238433acab75

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
384KB

MD5
7af078a3ed7b63d3e181aec17d463c3a

SHA1
dccbfd5faec2726a59f188632f7dc06d467d0b8e

SHA256
ab35c3c52b8d54d547b85546423344d77687da34aaa201aa6ce5455825a3ef66

SHA512
2464caa335829b46d90224d131eab104d72d06afca766e8a8ea5bcd78bc2fe3e9a358bbba3c0eaab70f3a8c613a67b89ea4bd894455f3a58e91dcda11298ded0

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
384KB

MD5
b407f62cffbda9e025a714a6a4068f8c

SHA1
7727dc14516e023b2fbc585d9de59187e75565e7

SHA256
ea5c7f52243204c368b12924c517f14630b791e847f54287fb97195c111b8f22

SHA512
d5c2f811e3f8d3de72df854ee12b013c95cc65405c2b5423b8d786fa829fefc99e767f5fdc3745de9d78ee695c620b537754c8f17ef31f1eb43dbf29206c8208

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
384KB

MD5
88e7f5292d9fe8f181ebae63ed278e2d

SHA1
43ef3d95e00f6f56f176689dea8ddedd8ebc4775

SHA256
03512249fa177162fba981f5a8f2364c27c8eab426a749e5a3dd3cfcce03fccd

SHA512
2d619845976bb40726433279875563eaa3657afb81bcf02adb1095a1d09a9dc697919cf59235dde2bc56557036b32070431617b3078768691018da5f4b8dcc97

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
384KB

MD5
f3f1d55e40367162f5bb64a1f6fce870

SHA1
5b3159b96c60eb6297d83b027d1dc59257409c0e

SHA256
28d5515bfb58aa09bceb44eeb8616822bfad6a6a29a2925e4a83db63f9f4ae1c

SHA512
be4f2fa6b291a90f0132e9fbe14579d017e27c84c39739a3ae6217cba4a53a586f1dc267fb6d988b28acf45cb0171fdc76f2245278191257d13b6efca069956b

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
384KB

MD5
31f2b63ea65f4eb3c4116081c787121f

SHA1
28e5285b227fa2c77777eacf327892371ef06f64

SHA256
7f4d1ee6418a4ab27a70b33c6552f13fad5690c119f8f7828f88f27ba1fdddad

SHA512
c465b92dc66abe36c10ec8d495368b420f21a1d7c9e9b015b2042303b0407ceaad1d391cc74721c8f2341e8db059fb57948d94936abe0e1ad0254c5333d54662

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
384KB

MD5
34a2b2c35a45110adb12d8e6b3a29939

SHA1
fe0d046b062d6bd5d1a4323339b61d42adefe16e

SHA256
7a503a1ed0154f14464a4c690c0456f217ac4305044114e121bd8f2960281913

SHA512
05538cbb66c0eba87d75eb489fb11fe3043a0437e0a5d2944d3961d40bc6396ced9bb7f0b73392cd916bbd01ad80112356dec1fa04c7458461ba2a535582c2ba

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
384KB

MD5
c3efd68e9902a1492c0f2ef60b1a4a95

SHA1
2e4333bcff9bc5c4e0d189a7f44802f961314eb2

SHA256
d262740a3f6d8f76cdca5c0dbd028843bdb7ab695490af767bc50895b991e8d7

SHA512
9f1340c693dabdb2b6f675a32ff2e607189b69f7c0086b3974ffe2db087ec74bae5ccb9cb61e5a9e700f01297a5be840e08b8a47b6929276641d276d902f63af

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
384KB

MD5
e273998f45b88adb27ee2ae99876bc38

SHA1
484902df7d340ea8eaf84905cf7f48843acf6d4b

SHA256
ad6d92e0363cf146b1ac9af4c78fbe769eb3a6d18d85b533aa34efc5a0649f13

SHA512
b163a88305aed68eb03781951971274b8d078d4b846ec04cddf5551c46f87a8558e830e8b81836f0b266582c450fef56f968d8018d28583fd198da81eba767f5

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
384KB

MD5
aab97ad7c6404e894dc39d611b4a57e4

SHA1
0635b6ea1f095d2e47b888b3e383d844bffc013b

SHA256
e7a5dd6bf6d250a6a27b133de6cbda2ed73dff18add46b7a65e80ec72368715a

SHA512
92bc9e0002fd5fefab0681b09e95d9e3568d7652e44449f453c036190b590df8d7c0ea5570ef0f125ea86920a3c163a714804cec9af96e1054e15a03e820e29f

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
384KB

MD5
23caa60ff9a4e6f44d019a4f1fbde61d

SHA1
2e6dad5d0ad8a9de30838ab8fa056e1ec178ea6c

SHA256
e2cc4d97cadcf754268d8b1f7cbf458655d362f6ae51e75636d49d86e61cc51c

SHA512
519c776e8cebcf38dce3c47dc725f6861b085df64674758794ba6b07d788538f92b1351b4243522a6a21c7f5680770858f7fdea55f63615dc398cd54d08ed7ec

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
384KB

MD5
7921c7b50ad573ee6efdbf4a1f609a0e

SHA1
6ec7f1a8c04f4b37a9f6e15f8dc1e7e791a4974c

SHA256
88ab80d08e7ffc1d9d8507b845a9dc1dcf76d002b7c6ad33931b33f3eba4a799

SHA512
c79dc5b8fe7ca4d7900e6cd87328b9f5af98ef7d03806d38e92b9cb5153233e3e53073a2f59ae703a521d38546e52bccda7599a800b015c7b6b617e089132939

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
384KB

MD5
d230be576a0b9a7134b883aa9adf5476

SHA1
671b821d5864d400d9707729ac79ff7eb3ae26c3

SHA256
59387589058d9a26953f9bc6e31ba018c30e975c5045e865731e523a011cb0a6

SHA512
456c7cd72e69d28d918e8a096eb68d84e3ccb81b03dab75dbaeae74bafc71b77cad9e4748f1baeeffac5576b43c2c5afc213aba9ff083af2f9b739093ce7d849

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
384KB

MD5
cfe3ad047e06efc399a3e1d5724f6f5c

SHA1
4c9b80364c370ac1c1cdbd6527f1184885efcf03

SHA256
d862f5fc44332f772b32046175f26ce7d73bdc4f0886ebf15af3121ef1d92931

SHA512
97cd7540eabfd2eff61d040e65067138e71d549c3adcf158f807c7e3a80c1679b8d873826a02899c07a7bd9a7acfd79f07822b56e28487df3ee399db2728e5eb

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
384KB

MD5
dae93761582c08908635e7be3bcadd87

SHA1
655453b4383b95f8493dde90a4b1ee7dd02a83cf

SHA256
04383e3997f38e7c80ec83a5917326c0a10c1c6ffdd0ee64b9fc6f34d776bcf9

SHA512
692bb976ae80456209661fb49fa4774d9c721ab59bd6c7e6a4ad4d4d7af207f66c6b0a511173427354f4818b53f084b7ff13c5cad5f3e15cf9e17126e006b09e

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
384KB

MD5
75f34a3a4a186515fcda2e8d13998c55

SHA1
84b1f496c21f657dd1ae002c121bccdfb18feb0b

SHA256
c139194c223879bfca70d42453802689e8f679c42df105f1c0ec4fc7b9a39008

SHA512
9e9a0330afd0f29d33325cc2ddda3ad1e0ddec5f164097976c2ea838f6a37284b1fc2b28006a39188d2bfe2baebd0ec140c8f8874d09f9fe4f49735c978232b1

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
384KB

MD5
4253ee293a1ba9d5f0306eee52e6d3ca

SHA1
601ac07ee99ed642051ae488fe3df1ab1793dd6b

SHA256
9d1887bc67ec1c0226fd8fea3455044bd7377c03518d287a2460ae6071352d99

SHA512
dae0109e2e0281f27a066615d1ef3e54f3e40e437b8d51c8078633ce9f017904d62fccf5b699f49ca9eb2dfd2e059d3c3d7d11fba202e8b6cc896cedfacd3d8c

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
384KB

MD5
82dd6c7cc844d5fc0bf610cc25471332

SHA1
1e5e369164cf4e262125271a009acb24e789bbd2

SHA256
3b59fad0b4aa2f97cd1063e70851076db21e77a415108812e52b2151c03d7290

SHA512
4514010c648a04ad137383d84a71271fce5677018d6b20eab6c05c5515f710350b14e4717d16edabf618c493fddc182bf86ec1411c9a8445294bb7fe73ebfc1a

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
384KB

MD5
eaa34958af2813c78c938c24886f6236

SHA1
3e5ea63ad47badde671cc14a577bae8634889d9c

SHA256
7d8685212eceb72b7213e2aa8a8cfa9778114609a92678cb25b75d6fa151d2c0

SHA512
3fa24803d9767b2883424adf34125b218cebf117e2d0141a4a34b3c4b017e1b501e3dee848c073a59b51c5634530d7d50393452964879084d4c284e4e8cc8b33

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
384KB

MD5
49f0ecfc555feef990a7d21b89ca7aed

SHA1
e6159ac9207a9949f41f6a0cad91f6b1ee4155d0

SHA256
0c54c18c15fa2b473adc17ceac47efca60cc2fac9db30c95e36dae73343de862

SHA512
909adb5d7b5882ebb3d997f5fe7d95c33f31d53999a2cc04e50f30e86b3396a976fd0f2a29ab5e7b4bc5130940621146e0d584b14b1136b2eb00e0b6c465ca68

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
384KB

MD5
d779b807e57306b1e68e1a27fa86f27d

SHA1
7cedda6463821791b93cf57ef778c8aee55d57ad

SHA256
0d100806261501c53daff0961cf7ee6ed481054d9602e203b17bf3c7b896fb1c

SHA512
b4c0c6e6c0c654a8ac26d6dd8c1718d900ef83b0d9fc731f7fb313a3f2240a7af90f49e29d5bdb8c75f14dd3d6c875081eb38e5441aa91394d015dada475edc3

Download Submit
C:\Windows\SysWOW64\Hihjpn32.dll

Filesize
7KB

MD5
37695341e4cc6b7fa8c810089e2aa4e7

SHA1
5a61dbdab790c50ca6079359c663de9c1f025896

SHA256
0ab9b8f1c24e9786d9d11debaf3dd6299ccc2d6e3c4b2fe52fd4cc7371fff248

SHA512
fb5f7046fdad667291473a6cc1b20c5749b6b0fc47236b7df9262581b8589339963daffb090f353ef74448e50d98158898e9604ad88884fd64c9702d6a526356

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
384KB

MD5
a37a462ffc3d3c58ed34f8fdbdf67e9c

SHA1
ec73af677056912ab93283952a2a17d36c7abf58

SHA256
9c9a4aa57d9c00445a8c47757b4aa8d728cbef6cef051cc96a1d94a82d780f57

SHA512
bd4aa81a74a6e8173d7790dd30a056bb58af553c97ba6c6dd6bd841edc8b0cf639dcc06dd42c6107c2af8c449439df3a8d90f0621196575803267983dc033a28

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
384KB

MD5
1569185648d64fe85cd9b31b651b91b7

SHA1
40d8d5b32e66130ca9e69f472acc27a30a703f49

SHA256
d2db586be7c05afc98149eb88e3ac831c5cd92e108ce6c03362c1ea167c224fb

SHA512
fcaf39153231887a14ceb2f1403f45820ffe69c0f28934575889a82a70305c99ec30fd1d0acecb12985cccbc1abc64f9b375fa017b3dce283082ab586579ace4

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
384KB

MD5
44db9df7d453ee1272e570c6adc7da67

SHA1
bcf1e797d8c0815d14078739564d678d66363faf

SHA256
a4b7f97a6e4d90b62796e5e4b02836cee2caecd024e8533bb65c7f948ef9238f

SHA512
d598fff0dc032354de525940584dc2401b04ee5d1535f150d4afc214394df19c3435319d1c9e5cd301a99c0a491eb0f297f75a387df8f64d85f33cd4dc5379fb

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
384KB

MD5
9d0c16f93cb235f59b3cfcbcc2c8992a

SHA1
d7c83d30e434eadcb275c52bd0ee3ee496a42581

SHA256
92d262a00d3d08baff4a8646cab84d49dcec7762f44ae97240bcf19e39c49be7

SHA512
34219a511b4beb8640a5d3b231796edb844271d4089b826473312fa9697763bb277e24c8b2bc703bc74d5109311d4090e48f4d8aa83ad9712502cf388289cefe

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
384KB

MD5
1cbd36d12fa65a0ed457b4e6fc5e451c

SHA1
62a0e8ba5a777ce8a87544834fb2a85d4f591f21

SHA256
12f0556957ff1dcbf6150e14b7fd78567745a11335e521c4eb9f51412d58538d

SHA512
335292ad0758c6cc557119e4de92214fcf06a7e6ea609dfda0d8189aac21517e1b6f30933e2bdf1770c0bd222e4fb6d2a2580b2c3277e5a21db70ccb4e062787

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
384KB

MD5
84bb5a43778756d2409c07bd8ce67529

SHA1
1444dd79e24f11d3f0b694a49762a8d7f1101118

SHA256
5a990f3a55b3a838073883eadd15a9df66f4abdb9bd8f88f16e157836a880492

SHA512
6dde550caa77bc99466b981cf80bee7f2276e5df552388f4f34e53afa073468cf0e79fc677a700f7394a077bdd7a15fd06fc03ba72beaacaa529e760c111bef4

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
384KB

MD5
abae891a0e3bf743850d177359274543

SHA1
d99945e0dcb9c23b4b59f6b5e12bc02753ff5810

SHA256
d077e69265db0cfd43cb70254a72db90e6051543389e92140935f924873f079b

SHA512
b49e8dce2cad1c5bb735574963a98be07054802f90660f8ce44c122ca115a723b23907949f21551c1936b78b54d1dcf1def4c1ca989eed6d22596daa3fc4c053

Download Submit
memory/428-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/464-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/612-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-462-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/744-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/808-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/836-426-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/952-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/988-568-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/996-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1004-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1008-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1304-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1324-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1416-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1492-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1552-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1584-451-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1628-562-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1824-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-439-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2024-452-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2072-457-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2088-602-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2104-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2240-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2328-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2352-399-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-453-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2492-556-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-488-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2732-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2968-550-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2984-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3044-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3068-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3172-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3192-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3200-513-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3280-575-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3340-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3376-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3432-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3516-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3696-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3832-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3984-500-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4020-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4028-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4044-507-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4080-434-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4144-592-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4176-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4204-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4232-456-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4288-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4348-524-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4360-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4392-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4408-470-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4412-465-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4416-428-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4468-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4492-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4512-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4516-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-463-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-459-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4668-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4680-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-450-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4776-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4788-438-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4840-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4956-402-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4980-476-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-590-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5104-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5136-604-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5176-610-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5216-616-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5256-622-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5316-632-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5352-634-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads