a50b0beb9d5dbbf5a79d6c338bd5b32bb16c40d76f577bf01852b1a80fe055b9

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e002769ac4834212d5336d422d3aa50_NEIKI.exe
Size

87KB
MD5

3e002769ac4834212d5336d422d3aa50
SHA1

6ae2e50b6922e8a295bebdd8c4e30c85d846d281
SHA256

a50b0beb9d5dbbf5a79d6c338bd5b32bb16c40d76f577bf01852b1a80fe055b9
SHA512

5f34b9063dcf963b941a316a6af6db32664dfdcafc5f109927ae8cb59809631d1dddb0ef2f81324a4570f35f5ebc904ae673c3aad3a4e6692c6988a4826c0a30
SSDEEP

1536:mVZApu/3dGvVTn0MCQ3NWGKzTaREC6Ur+n33hNlPAsRQ4bRSRBDNrR0RVe7R6R8q:mVpQvVL0lLzW2C6A+nnrjeCAnDlmbGch

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piocecgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieojgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcljmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpclce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajaelc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gglfbkin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgapmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egnajocq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblmgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kifojnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gglfbkin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3e002769ac4834212d5336d422d3aa50_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lefkkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oihmedma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okfbgiij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe

Executes dropped EXE 64 IoCs

pid	Process
2548	Dakikoom.exe
4752	Egened32.exe
4344	Gbkkik32.exe
3844	Hpfbcn32.exe
4740	Hhdcmp32.exe
1264	Hifmmb32.exe
2388	Ieojgc32.exe
4992	Iimcma32.exe
4948	Iialhaad.exe
3740	Jblmgf32.exe
3692	Jocnlg32.exe
1968	Jadgnb32.exe
3228	Kedlip32.exe
1368	Kidben32.exe
1656	Kifojnol.exe
3948	Kpccmhdg.exe
2684	Lllagh32.exe
2236	Lomjicei.exe
416	Lckboblp.exe
1384	Mpclce32.exe
4904	Mbgeqmjp.exe
4420	Nmaciefp.exe
3920	Nbphglbe.exe
4148	Nimmifgo.exe
3792	Ocdnln32.exe
4084	Ocihgnam.exe
3060	Oihmedma.exe
3672	Ppdbgncl.exe
728	Piocecgj.exe
1672	Pmphaaln.exe
5000	Qpbnhl32.exe
4912	Aimogakj.exe
3872	Afcmfe32.exe
2196	Ajaelc32.exe
4624	Biiobo32.exe
4604	Cpljehpo.exe
4596	Cdjblf32.exe
1960	Ciihjmcj.exe
4980	Cdaile32.exe
4892	Dphiaffa.exe
4332	Ddfbgelh.exe
4620	Dckoia32.exe
1632	Ddklbd32.exe
3620	Dpalgenf.exe
2428	Egnajocq.exe
4392	Edaaccbj.exe
4588	Edfknb32.exe
4748	Famhmfkl.exe
4160	Fncibg32.exe
4076	Fdpnda32.exe
4252	Fqikob32.exe
4440	Gggmgk32.exe
4092	Gglfbkin.exe
632	Hgocgjgk.exe
2752	Hgapmj32.exe
1004	Hkohchko.exe
4628	Hgeihiac.exe
5040	Hcljmj32.exe
1692	Ielfgmnj.exe
3044	Iencmm32.exe
2256	Ibbcfa32.exe
2272	Iagqgn32.exe
3600	Ijpepcfj.exe
1216	Ihceigec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ieojgc32.exe	Hifmmb32.exe
File created	C:\Windows\SysWOW64\Kidben32.exe	Kedlip32.exe
File created	C:\Windows\SysWOW64\Bhnbgoib.dll	Fqikob32.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Jfbnnelf.dll	Ndidna32.exe
File created	C:\Windows\SysWOW64\Jpbhgp32.dll	Dakikoom.exe
File created	C:\Windows\SysWOW64\Kdlmhj32.dll	Lbebilli.exe
File created	C:\Windows\SysWOW64\Ijpepcfj.exe	Iagqgn32.exe
File opened for modification	C:\Windows\SysWOW64\Nlgbon32.exe	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Oomelheh.exe	Okolfj32.exe
File created	C:\Windows\SysWOW64\Pecpknke.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Akpbem32.dll	Hcljmj32.exe
File created	C:\Windows\SysWOW64\Eknphfld.dll	Ajaelc32.exe
File opened for modification	C:\Windows\SysWOW64\Egnajocq.exe	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Famhmfkl.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Fdpnda32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Ndnnianm.exe	Nkeipk32.exe
File created	C:\Windows\SysWOW64\Nmaciefp.exe	Mbgeqmjp.exe
File opened for modification	C:\Windows\SysWOW64\Fqikob32.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Kjekja32.dll	Gglfbkin.exe
File created	C:\Windows\SysWOW64\Jjkdkibk.dll	Hgapmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ielfgmnj.exe	Hcljmj32.exe
File created	C:\Windows\SysWOW64\Acicqigg.dll	Nlnpio32.exe
File opened for modification	C:\Windows\SysWOW64\Poidhg32.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Lomjicei.exe	Lllagh32.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Efehkimj.dll	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Hhdcmp32.exe	Hpfbcn32.exe
File opened for modification	C:\Windows\SysWOW64\Dckoia32.exe	Ddfbgelh.exe
File opened for modification	C:\Windows\SysWOW64\Fncibg32.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Pbimjb32.exe	Pkoemhao.exe
File created	C:\Windows\SysWOW64\Cdkdne32.dll	Qckfid32.exe
File opened for modification	C:\Windows\SysWOW64\Gbkkik32.exe	Egened32.exe
File created	C:\Windows\SysWOW64\Glbqbe32.dll	Gggmgk32.exe
File created	C:\Windows\SysWOW64\Mlbpma32.exe	Lefkkg32.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mccokj32.exe
File created	C:\Windows\SysWOW64\Gdgfnm32.dll	Jocnlg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Fdpnda32.exe	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Koimbpbc.exe	Jeolckne.exe
File opened for modification	C:\Windows\SysWOW64\Nkeipk32.exe	Nooikj32.exe
File created	C:\Windows\SysWOW64\Lpiaimfg.dll	Hifmmb32.exe
File created	C:\Windows\SysWOW64\Dbmoak32.dll	Ielfgmnj.exe
File created	C:\Windows\SysWOW64\Dodipp32.dll	Jhkljfok.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Khdoqefq.exe
File opened for modification	C:\Windows\SysWOW64\Mkjjdmaj.exe	Mociol32.exe
File created	C:\Windows\SysWOW64\Hgocgjgk.exe	Gglfbkin.exe
File created	C:\Windows\SysWOW64\Pjhfcm32.dll	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Agecdgmk.dll	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Iagqgn32.exe	Ibbcfa32.exe
File created	C:\Windows\SysWOW64\Jeolckne.exe	Jhkljfok.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Iialhaad.exe	Iimcma32.exe
File created	C:\Windows\SysWOW64\Kedlip32.exe	Jadgnb32.exe
File created	C:\Windows\SysWOW64\Ocdnln32.exe	Nimmifgo.exe
File opened for modification	C:\Windows\SysWOW64\Ocdnln32.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Afcmfe32.exe	Aimogakj.exe
File opened for modification	C:\Windows\SysWOW64\Hgapmj32.exe	Hgocgjgk.exe
File created	C:\Windows\SysWOW64\Jhkljfok.exe	Jbncbpqd.exe
File opened for modification	C:\Windows\SysWOW64\Pecpknke.exe	Pofhbgmn.exe
File opened for modification	C:\Windows\SysWOW64\Dakikoom.exe	3e002769ac4834212d5336d422d3aa50_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Piocecgj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnhl32.dll"	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3e002769ac4834212d5336d422d3aa50_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khnhommq.dll"	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gggmgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoeiajc.dll"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcncodki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mccokj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egened32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhalpn32.dll"	Mlbpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiocnbpm.dll"	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgglf32.dll"	Ibbcfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll"	Ajaelc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmgbngb.dll"	Hkohchko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnggfhnm.dll"	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldqdebb.dll"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpfbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caekaaoh.dll"	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpiaimfg.dll"	Hifmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijpepcfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damlpgkc.dll"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoglp32.dll"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conkjj32.dll"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnggcqk.dll"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojpkdah.dll"	Hhdcmp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2548	1964	3e002769ac4834212d5336d422d3aa50_NEIKI.exe	91
PID 1964 wrote to memory of 2548	1964	3e002769ac4834212d5336d422d3aa50_NEIKI.exe	91
PID 1964 wrote to memory of 2548	1964	3e002769ac4834212d5336d422d3aa50_NEIKI.exe	91
PID 2548 wrote to memory of 4752	2548	Dakikoom.exe	92
PID 2548 wrote to memory of 4752	2548	Dakikoom.exe	92
PID 2548 wrote to memory of 4752	2548	Dakikoom.exe	92
PID 4752 wrote to memory of 4344	4752	Egened32.exe	93
PID 4752 wrote to memory of 4344	4752	Egened32.exe	93
PID 4752 wrote to memory of 4344	4752	Egened32.exe	93
PID 4344 wrote to memory of 3844	4344	Gbkkik32.exe	94
PID 4344 wrote to memory of 3844	4344	Gbkkik32.exe	94
PID 4344 wrote to memory of 3844	4344	Gbkkik32.exe	94
PID 3844 wrote to memory of 4740	3844	Hpfbcn32.exe	95
PID 3844 wrote to memory of 4740	3844	Hpfbcn32.exe	95
PID 3844 wrote to memory of 4740	3844	Hpfbcn32.exe	95
PID 4740 wrote to memory of 1264	4740	Hhdcmp32.exe	96
PID 4740 wrote to memory of 1264	4740	Hhdcmp32.exe	96
PID 4740 wrote to memory of 1264	4740	Hhdcmp32.exe	96
PID 1264 wrote to memory of 2388	1264	Hifmmb32.exe	97
PID 1264 wrote to memory of 2388	1264	Hifmmb32.exe	97
PID 1264 wrote to memory of 2388	1264	Hifmmb32.exe	97
PID 2388 wrote to memory of 4992	2388	Ieojgc32.exe	98
PID 2388 wrote to memory of 4992	2388	Ieojgc32.exe	98
PID 2388 wrote to memory of 4992	2388	Ieojgc32.exe	98
PID 4992 wrote to memory of 4948	4992	Iimcma32.exe	99
PID 4992 wrote to memory of 4948	4992	Iimcma32.exe	99
PID 4992 wrote to memory of 4948	4992	Iimcma32.exe	99
PID 4948 wrote to memory of 3740	4948	Iialhaad.exe	100
PID 4948 wrote to memory of 3740	4948	Iialhaad.exe	100
PID 4948 wrote to memory of 3740	4948	Iialhaad.exe	100
PID 3740 wrote to memory of 3692	3740	Jblmgf32.exe	101
PID 3740 wrote to memory of 3692	3740	Jblmgf32.exe	101
PID 3740 wrote to memory of 3692	3740	Jblmgf32.exe	101
PID 3692 wrote to memory of 1968	3692	Jocnlg32.exe	102
PID 3692 wrote to memory of 1968	3692	Jocnlg32.exe	102
PID 3692 wrote to memory of 1968	3692	Jocnlg32.exe	102
PID 1968 wrote to memory of 3228	1968	Jadgnb32.exe	103
PID 1968 wrote to memory of 3228	1968	Jadgnb32.exe	103
PID 1968 wrote to memory of 3228	1968	Jadgnb32.exe	103
PID 3228 wrote to memory of 1368	3228	Kedlip32.exe	104
PID 3228 wrote to memory of 1368	3228	Kedlip32.exe	104
PID 3228 wrote to memory of 1368	3228	Kedlip32.exe	104
PID 1368 wrote to memory of 1656	1368	Kidben32.exe	105
PID 1368 wrote to memory of 1656	1368	Kidben32.exe	105
PID 1368 wrote to memory of 1656	1368	Kidben32.exe	105
PID 1656 wrote to memory of 3948	1656	Kifojnol.exe	106
PID 1656 wrote to memory of 3948	1656	Kifojnol.exe	106
PID 1656 wrote to memory of 3948	1656	Kifojnol.exe	106
PID 3948 wrote to memory of 2684	3948	Kpccmhdg.exe	107
PID 3948 wrote to memory of 2684	3948	Kpccmhdg.exe	107
PID 3948 wrote to memory of 2684	3948	Kpccmhdg.exe	107
PID 2684 wrote to memory of 2236	2684	Lllagh32.exe	108
PID 2684 wrote to memory of 2236	2684	Lllagh32.exe	108
PID 2684 wrote to memory of 2236	2684	Lllagh32.exe	108
PID 2236 wrote to memory of 416	2236	Lomjicei.exe	109
PID 2236 wrote to memory of 416	2236	Lomjicei.exe	109
PID 2236 wrote to memory of 416	2236	Lomjicei.exe	109
PID 416 wrote to memory of 1384	416	Lckboblp.exe	110
PID 416 wrote to memory of 1384	416	Lckboblp.exe	110
PID 416 wrote to memory of 1384	416	Lckboblp.exe	110
PID 1384 wrote to memory of 4904	1384	Mpclce32.exe	111
PID 1384 wrote to memory of 4904	1384	Mpclce32.exe	111
PID 1384 wrote to memory of 4904	1384	Mpclce32.exe	111
PID 4904 wrote to memory of 4420	4904	Mbgeqmjp.exe	112

C:\Users\Admin\AppData\Local\Temp\3e002769ac4834212d5336d422d3aa50_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\3e002769ac4834212d5336d422d3aa50_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\Dakikoom.exe
  C:\Windows\system32\Dakikoom.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\Egened32.exe
    C:\Windows\system32\Egened32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\Gbkkik32.exe
      C:\Windows\system32\Gbkkik32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
      - C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        27⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:728
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        34⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        36⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        47⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Hkohchko.exe
        
        C:\Windows\system32\Hkohchko.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        58⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        66⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        67⤵
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        68⤵
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        73⤵
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        74⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        75⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        76⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        77⤵
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1840
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        80⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        82⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        84⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        93⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        94⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        96⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        98⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        102⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        105⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        107⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        108⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        113⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        114⤵
        
        PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:6320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aimogakj.exe

Filesize
87KB

MD5
39e1f5ae711252ea667cb2a86db3ce82

SHA1
c172e380dfccf876a528f3406792277a7b8293f3

SHA256
5e96a8dd4b53eb4a7b060e9d27b8327a596a5db6b91ee78c4b1a0a676f57ceac

SHA512
831c11caa59f2c5e17fce626c61614be30853e8fd47c2c247787da549aa23214e2c0ee8a668eb50530cc4accaf170805ade479b4c04f57a6849d1f4f82dd34be

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
87KB

MD5
86d7103ab4c11722f23576a7c5326352

SHA1
8983103c9a6c796c1e725f1127edc2fd2e2f43ba

SHA256
ba60d7250d0c82354e68440fcacda96b1364abc8439b346e9a5ae542570055fa

SHA512
6fda687010c4ff1f39c298b266fbfb29650f667b7e4cf33ce90da79af958322cfc55a3011f504edb003b45118f57b702d15d2687a72b0cdc4c7e974deec8bbdd

Download Submit
C:\Windows\SysWOW64\Dakikoom.exe

Filesize
87KB

MD5
1e05cd66802586f8066be38697181f1e

SHA1
deb16b08df029cbf59e8a4bdf605b9b0c44829ff

SHA256
41588d05d239405fceb20eabdc70b334422ae6bf22f21459ef85515f146fc8a4

SHA512
afa469e4f7345aec90d8865d2113ddc5059d6845556b8cd8db7a940c77435d8d18bdede9f204c18402cf70dde7d7818d238b78bad664668b7ee85f3ae176abee

Download Submit
C:\Windows\SysWOW64\Egened32.exe

Filesize
87KB

MD5
ff41f93863ad78575c1705f2598e1fbf

SHA1
c4ca305c146246e175bb78dbe3b295a7026eb88c

SHA256
b7f063404d63ba130d2d41967d139d1fef4d41679c550c0b0fa8008bf6f06723

SHA512
481d9caf8d71171526c284b9253a620f445c413efb0b9fc556b76b5a179e356d50482c70d5939a33588c43d58538a12f70e01ac12961267ce8cc6f8568a8b258

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
87KB

MD5
52f9486e9b0f69524ac5e993aa3dac3c

SHA1
6b10dc7b14e65c3e714500728ef91009e5a92874

SHA256
b54dcc6921cb26eb3759afef0255ab3938ac421a16b2b4bc8a0f0a88379830d5

SHA512
83291cb66b01fcfeccf392629751ec95c3622b4b0ffc31172ab5eda96d6c3abde90535c7321fc4b9337bcb9d153f9a9d79b88daf8731b525e1467e5e347ff62b

Download Submit
C:\Windows\SysWOW64\Gbkkik32.exe

Filesize
87KB

MD5
8614aa6cece76ec2b5dbb3b8b504bdb8

SHA1
6c8d3c45a65834742f418226ee3e243ad79e2f82

SHA256
86ca5f02669884414b5b7eb806e3007edb6b6166ba3a6159fc836350759087d5

SHA512
701ff32068b2d0053f0e6a7de8f67a7f22ee6aa368d08d5bc2a76c671211e4b288671a266b951c9038da22bda4c84fe2c1234f190104b0544866cc9f5ac078c4

Download Submit
C:\Windows\SysWOW64\Gbkkik32.exe

Filesize
87KB

MD5
8db829fd3e12e3257cac3e847e1e5cae

SHA1
89240fb9c2aa7d1e08fb9458b03ffbe088dbc56c

SHA256
d4faebbbba09e473916e9313e72d474b221d3c766168e4499bea63bc33f8134e

SHA512
4fa0bd87d864c62a1d9bdcbbf4ca26020f2a77d7ce59a118a2921387c8382071983effe98dc585516608687058db074e84f0c34f60435dfba207b4b088e4f7aa

Download Submit
C:\Windows\SysWOW64\Gglfbkin.exe

Filesize
87KB

MD5
b482244403284f8719fdae76a4e38049

SHA1
4bf418c2d62d27b64b41a572f063846137d1dac7

SHA256
7df17ed68b432883e2a94531eb70b8760cf3774dba5935c9d8a06786ed08bd38

SHA512
038d8d5280bc0f92ca97b48ebc86b95bf2112685158c59e9322ccd82d5de759f869ddd072ca9306079dbc0b19beffcbda24db4bf4a5523a7aeb76e534aa2f25f

Download Submit
C:\Windows\SysWOW64\Hgapmj32.exe

Filesize
87KB

MD5
3d60a08c1ef490ca91fe31850dc146e9

SHA1
7ac6591abdf7c011f8377e78014d4561544cec8b

SHA256
d3609ac31848760b48420c292a687501e0dac9f20579b426d8d7183307eda148

SHA512
6f8e739280f31054011af4a6f98a4f09befd550952209759ad5b1facb8661c77f695eb1501d99532424f53e5979efbbee6f430dd55c08ed425e986687c104e92

Download Submit
C:\Windows\SysWOW64\Hhdcmp32.exe

Filesize
87KB

MD5
512185bb28a3416ae37248ddc161c01c

SHA1
3e4778d3a3723b849076f75ee1514b9f4dac28bf

SHA256
5a33c788161c3155fe6f6eafd6e76e78a308cc3634cb7c77898b5a266820f699

SHA512
2a09fa1fd832f9469469e64d081eff16e9c271088c90e2597cc51341fa160c3ef52d8b4626316497a116e0beb8e988bd8621c5507df62e4292cf62f49ef2db9a

Download Submit
C:\Windows\SysWOW64\Hifmmb32.exe

Filesize
87KB

MD5
d8f8b1af1f4a5443bce3abbe1a0d897a

SHA1
b2e9a5b072ac85e57c0cfc8819a82a3dd9332570

SHA256
dec70327e981d03a09c6cc1eba5ca50f3feb457dc00146113bb9150e1a774205

SHA512
19860513357fda30d4dfd8008adae9227835e305705c6f9fdc94551d75bf5ec89fbbb72f7a430131a1ee43d996b7399b4c13e8d5e8df9a19304d5370f95071c0

Download Submit
C:\Windows\SysWOW64\Hpfbcn32.exe

Filesize
87KB

MD5
5d9584ced832d17ba3454063eb15aec5

SHA1
4793fc17c390273c88089ecce1029e89b43d3de3

SHA256
af927311d03cae42cc89de0242fdb108574ac5947157e2541151c70e8e178039

SHA512
dfd9811d30310c252d2bea08082c114173e649f486a351897b92f92c2c1034306dbb2be4cec268e1796586d6290a6eb87e76551b1f080bc784c0297b2e854141

Download Submit
C:\Windows\SysWOW64\Ielfgmnj.exe

Filesize
87KB

MD5
d667628976440b61b2ed303572d598e8

SHA1
2a35a0c45b73d432846fa137fceb061b8c4ddfc4

SHA256
e82020f47f57b3536b3a7d216bd75ef834a9d2c7d2d72b6c874b1a00c442d7ec

SHA512
49b32dcd78f695f27f3dcdb928c95e99dd15b330a1035f8c16be58252a4d6aade51b09a5df8900866bd49385550f5078a3cf883b99e326c603482816994b2e7c

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
87KB

MD5
f339d76d893f405c717486d892842ad3

SHA1
e9aa488913415e8f1d0e02bec2cb1cd3c30ec217

SHA256
7178e5a7ec8475a05853051ae6bf022af81cbef1d99711c57c284fbce1cedbfa

SHA512
872e8a40905bd5946600361aab2566627d4206b473cbeb091b080bea231e7d30fca866576c10e70d0faefd1dde8b48d33cea5ff35b10bc3f8ae5dd249e570e0a

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
87KB

MD5
91234e7ba50505311c3b2ba74b8edf89

SHA1
c0158e7fa43ed69ba2caca62622795c0807b888d

SHA256
72e1a915175c73b6b3a73aa72f4df36e93b44924f97808fb6f9f10af36095a20

SHA512
584952d29d520a6dfc5dc45176a1a6e9c4656da40c0126816b68224df70da6d6fa58546c66ac1cb05f3fdef2fd7ef62530bb0afaa28f34de9dbc5084b7f90934

Download Submit
C:\Windows\SysWOW64\Iimcma32.exe

Filesize
87KB

MD5
1ee8d3c44bb2282dccdb6ac3ba5e0baa

SHA1
76c3ee9ac2d555d3bacce5e9cf76f84b3aee75fd

SHA256
bbec862ae8d6fa8f0011b011e8b80a13b1c818576c15d04aa8c57cd9763d8e7b

SHA512
e149095e24b08c053192e448ae1a9c8019437178b044dcef9f3e63a79c051da3d8231fce8817211ae5a2b2e9f45953168d24255f074986a93c96ce3178aeee40

Download Submit
C:\Windows\SysWOW64\Inclga32.dll

Filesize
7KB

MD5
542fa64d8a47ebc04b4dd919460fd036

SHA1
0ce0c0de5298bffeeb626e2a4f34134c21823b58

SHA256
1c6997e291bc5afcdd65df2f2e732e10b9fb9351375cadbf1ff86fc6d27bf01f

SHA512
d991f8801869c0e9d0295e2e2b396a228d8f53240ac6536f435ec082309b77c83084ce95031b6ea07de8d415f3db3e7a7c9eab41f753c05d8fde1c2590971aba

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
87KB

MD5
8b6c92268d4f17b47e6d70b61b9b3149

SHA1
0158d07db1e917e38ed7cce82ff510500cacd625

SHA256
9afe8e74727649e96fc815e81723cfdad3e0d2cfc4b4e956efe76e2c84f1314b

SHA512
4a0cfda8f90f1359d03dba738db0145286410acdecc5f9c6befd5af37f5f9ef373668a4739416a333f3f1ea84674bc38a45af5375114bc3b2d34bf27b65b7346

Download Submit
C:\Windows\SysWOW64\Jblmgf32.exe

Filesize
87KB

MD5
4e212ed017a1a67b351e4e71f3401a2e

SHA1
52f4af9ee96afa0c729f7bc60e0e0d39836d20cb

SHA256
a90617383fbfd8dadff4f70972818d3a64599dda7bea4a72e25d7cdc501a1061

SHA512
6e52b87a21adbbbd22410b24a9e665ed75c4e0bf680806b0576e770bf6890aee1e6b496418f0de189c1ac80c29ba860c58ddf93e256f0a1fef3e2d59440fbdc6

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
87KB

MD5
aad6a7d682f7e70c365a2178d8f13b23

SHA1
2c589642c7e6fe393e275f0f26880ec398a2b100

SHA256
1eba1e137d4cd8ed9df41abb112e4fabae1aff98ecbd22988e0be926be708c06

SHA512
d05cf36f6380686c53a82a5733b57ffabb5692e906024e6ecdad53d73996f33781f76206ef6466c29aa38eba27903644247492347e13a031a4936ecdd8c34bac

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
87KB

MD5
b218b7ec2c48cae11238bcac7573d6b1

SHA1
8b502ba951bd76133611c588d0df27df53ed69b8

SHA256
ec8fa30dfe78ae662086ebec43592de3d6821bb28af68070e45f975730431ec2

SHA512
31e28b810d712b564218e993bd00ca1231a44b8927e194bb291bdccfb036e95dfa8c52e23e059dc7f6601127691b42f5287ed57ee296b5cb7862a40142cb1dbc

Download Submit
C:\Windows\SysWOW64\Kdpiqehp.exe

Filesize
87KB

MD5
1b7cc82973cd62225e34fc28545debec

SHA1
d67736e7c08e49767d6069584992887a0be4eda9

SHA256
295f1669faee82f712e6aeb396ed67bf96fc7a7d426438c0c29274e2e128a578

SHA512
feb9ec468681ba0d7298c2100c1b468265942547f1783505c4f667d28f929204a340855988ea9d7ac445aa3a249f914761c87a5b6d0dd524277f0d5a6d7bf1ea

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
87KB

MD5
2778ea1330b3042aeed69aa4cfd54261

SHA1
8c9db0585932e1f166b8e37e61b0887376999718

SHA256
9829c32ad813ef75749510015973ea1231296c25d114c4bcf102739a34007587

SHA512
6cf588dca03bdf0ede5b7c2256d6bd158afa0864c9f014444441c920815ebb3d986baf51be19d05afebfa0edece683a21653888e39216034bb741a70f2a9f20e

Download Submit
C:\Windows\SysWOW64\Khdoqefq.exe

Filesize
87KB

MD5
4861efa224e317aa819834ffc102da2d

SHA1
7f55b32dfb42b370222156d1a40ae1876490ea92

SHA256
d38348fd1c7dacfa766a3f89687c8a31064a6c6026d7cbfebb48cd2e3dc9a443

SHA512
7140fda93cb542427786b23e087f9fea88ac7497e6b85f6f1c6e55e74d3ae3332b6ff56269deed212f03430133af11f1ca5e39da34714a95a1c5f7cda787fa00

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
87KB

MD5
670ee29992ee0a389e9e8c4ff06f0c34

SHA1
34729fa0cd0a4ee3e0c588789cd30623f3f00c49

SHA256
3103aa1d1b0d61697d8e711e5efbfed291bc7b58c2ee012580979c5ead1eeb90

SHA512
6d1392934cf469902573f0fdf89c4c9caefc3419720b27815be77a6c0cd995e448aec4aab830a02215756b7818f414b541e978114a30ee6e150826e0ee43cb5f

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
87KB

MD5
56f998f0bde4467c0f50c6002fab0dbc

SHA1
3489f9ec23f4297956859c559a5f8107a7f03810

SHA256
04bc5e3fa467fe2f81405ee363a615474c2bfcc2189328cce9ac5c57c8e93062

SHA512
7e06b339b56d60380317529326de6403462e1b6690901ee64c5ab4a63ab4492102db39ea5f1a8f954e7656efa8f55959d5877df743a8ad87351f67c79550cc73

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
87KB

MD5
72c699728c35b68fc24086dfe5415b23

SHA1
8da05312ad7bcd51d0adc7f8198dcd61baa98575

SHA256
f2d9dc05f0be48d4b83ac91d36a064ee054b7386a2307e7dab285e91b9f6e4bd

SHA512
5102432ecc3917e9ef053ccdf621670561aaf420390c4b55ed59f016d28c799a58ce0749cb9321d8afe4792b18fdf98265ac09cf37ddf98232c027d54436bd80

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
87KB

MD5
ea9e9f0f8f8ac3b0202385fb7b872dd5

SHA1
7bbf4724225d657ec2f18b18432cc0c746d10b0c

SHA256
7e5872130f0ab321759b80b765b67f9a4005751d2cb292bda94b2f7f93f82369

SHA512
3aaccc04cd84d7d1d2071a852a88f3488c344dc7a72bc7cd432f108704a7fafcf0ef84ad04ebf84aac201fdd2421e395a9c139a4d37dc61c32d001879e1d880c

Download Submit
C:\Windows\SysWOW64\Kpccmhdg.exe

Filesize
87KB

MD5
fac2bd50bf439ae0229aec5ab9aa87f7

SHA1
992e20c322f8ec73845cb4cb55769f33951522a6

SHA256
1562e1aab3162cd5257de7b45e88e9965039394a4807ebe201cca1cf1dc736d4

SHA512
7237c43cffb58fa78c61a22b8fc87038355db7e5ddb0ee3a89784a9677f8a2005da44be9cb8fcbaab81305b40629d4f6b0523ba30ecaa6d9d25b0c82c6451546

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
87KB

MD5
49cb2a3ac8463fd078853ea0e2193df7

SHA1
172390643be03a8d21c51a11d5c1e7bde7e8977f

SHA256
510f66a53da9624e133f654627bb86ddb5cdcc2d7fa85eecd5e07f716445a216

SHA512
deaf7347b772ad6193abf139257e0e358fe653e88908baef4c157e5e6b2414156341ac9c654ab2d39dccb1ea7466c6084926ef5a59258b1bcaa75c55cfd6d07c

Download Submit
C:\Windows\SysWOW64\Lefkkg32.exe

Filesize
87KB

MD5
651cd8e16b7e3579bdf7acb4e4ee9b13

SHA1
c504ef1b8d9950c7cd1ed15681d7fa7feeb28a7c

SHA256
fa5ce9b167ec0d80c5d668ee51c653c5836519d9e68238821aafcae9ebec1778

SHA512
f9a41bd2f13499e92d461fe9e344161942c9e631366c931cbbf08c4489bd61e20bf7e340c4e441f107db0c8348e5ff5f21694f9292a8bc4f4c6b2cc983246a87

Download Submit
C:\Windows\SysWOW64\Lllagh32.exe

Filesize
87KB

MD5
f2ed9a9ab6913cfcfcd64110d47af0a5

SHA1
b527b1bf04e6d205dde06d1a1d18879376b98f62

SHA256
8eeebf27ab1208ccf07148c518e48bd6b896ed1a27a1a3795a142a5c60850f32

SHA512
6ff629de6c5fae57a0984173b2d2adf2bd187cd029d5e302b3846c6934060ac2b969ea108abdd4a30bc7bf4b7e0d6b46c293bbb63aa3db13697a9fd8a5dbeb1c

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
87KB

MD5
5a7879dc02174ffa63fba4805ba43b76

SHA1
5b3b96566c1bccacb25b9bee6ca33ccc09470e15

SHA256
16ff20a95136d80e4d032bb29484b9781ef1ad6a06b70be7541a7f19fbf92163

SHA512
6e15b31692989f899dc5a8686d2b6b59086be75562fd2284b10b29c5bc886cbaca4a594836c61e1f4c918531844f084361eff3186470750a6692c10602d9711b

Download Submit
C:\Windows\SysWOW64\Mbgeqmjp.exe

Filesize
87KB

MD5
8ba4d9391f6e5cc9dbc403f54473b676

SHA1
a62c20e3ea739de878a7c62b208e150de351e146

SHA256
805658f2c3b4d1e8d1ea06c57c0e22352ec59c32f8e9eb317de2473e6f8d8f60

SHA512
80fd3c2c5a212a0a48ebd31c94f33963e37436d1797e5931ae90b4583b8a6d888163a169dc2b94c05d8551d9e5c129844a91c4b1522c9af21d23ebc07195109b

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
87KB

MD5
b4cd8eb42174fc02ad67cb1ae327c379

SHA1
aff76f6ead7f82f089a79e0f3dd352135824d99b

SHA256
17a34736111ba7db1e56b87e295196b1fd2b9a38124a70579cc15f72198666e9

SHA512
ae2077e8a5df484f51f05b1cc1c98ed91f17f3e97a9a88b776938be77b2503303b13464d963f35b9a5b20a2f0c183152fd58b3353eb2d372d62c7c310fa5fc55

Download Submit
C:\Windows\SysWOW64\Mpclce32.exe

Filesize
87KB

MD5
45cb0a74c4adb44dbd46707ea8284eaa

SHA1
d809382ace345a81e2a0bc41831ca8b0e7e14cf7

SHA256
d10b111f93640f35d7401525625d506a2dda4e4ad39b15bfa4e8b4df60d9261b

SHA512
5bc73fd734750c1a2e6cbcedacc5be09306acf9357ac0f1ab2b237be04008195d89e4fab7877e48749a5b24f92f6681abb568673cec7cfff3edcc64ddd0ecfd0

Download Submit
C:\Windows\SysWOW64\Nbphglbe.exe

Filesize
87KB

MD5
cfb5e23a5209783f3b511787318ea1b3

SHA1
da945f238e247721383240bc2ecb5a0d72d4c46e

SHA256
cb3519023e07481f125d4c091998d28bc42b4d079b42d77fa110994d2837db61

SHA512
aa6770e08bcd4dfe0902fc9c76da6c04002ff11c6b755302b935c6073fd84384f7baefa7b047744674f35d118a0c5080686468e35c12318460b8a61b81165aa3

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
87KB

MD5
e651e99d3b80bbb3d7b7d37bf5796232

SHA1
894af6cd85a0992f8ebf78fedaa4723dc69c766b

SHA256
6f1aafe4c3d5f3099235bac8cfd101ea7b7a7c694beb276dfe7fc06ce58b9b91

SHA512
58e40ec08d3ab54f0681901157336b91865869a72b83b6e0de5ad0ecefdffb4e3c6051419797f3c00b01f816301eaaf0c05cf2ec752e9f4806046f200b333d8f

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
87KB

MD5
69b78fc6abf6a616448bae1af64fddbe

SHA1
c3c1dfe8e842ca012ed683d213419ace1af62cf1

SHA256
29b7e0a6502e36cf5fe3486c29c0fc6dd8c809a2e77136043693247ec2a46255

SHA512
1501106a04f0d83eecf3eb69904b134b1c5c5629e87e11a646e23d8264736e1122f1e54374c43a14f9398f3de53724119590061f00d6be97cd366f916d2b960d

Download Submit
C:\Windows\SysWOW64\Nmaciefp.exe

Filesize
87KB

MD5
35c9cb3782dc5710d32f639ae0100731

SHA1
6d80454d3f697f408598a0d08eab849fd4a35b4d

SHA256
543f3ab91e73f7f912e9cd76678889896cc764ae29ac59d00b1c1c0dcf511714

SHA512
ba24563bda334c708fb05519434c1296fd8f36d12a4e515f5e73051a011aafae982c5d9f54f259d2944a6a98338707c576a242a873f7b364d788c556dd78f918

Download Submit
C:\Windows\SysWOW64\Nooikj32.exe

Filesize
87KB

MD5
3f9099861a3296b8fbccfd1ca23a35d4

SHA1
c4c7f81d58cf33d0b39350a4a574dfb2538468a9

SHA256
239e19f2a511fbd6843a70a263f86f517e1231391cd379c2f09a65f9e8e3d773

SHA512
bc126c810b46be8a3b92b66829222ad408665b3762a0d9a9ada535f34eb3f1a56d66d27a1af9df93397d0f512a4ebecb0f188cc89b19a54c1194f08da62e8f46

Download Submit
C:\Windows\SysWOW64\Ocdnln32.exe

Filesize
87KB

MD5
507793be6ee2f0682ce19f4426f2b2d3

SHA1
cc29c371806842643d7ca2fe331bacb46e4fef24

SHA256
73ef30bfda54473945fbc76bc96627d4d28c67ff978770145f9fa01dba83e9e3

SHA512
76789e4692df3c9ea5ca6f6d26cdeafa552357651ad7498b1f9c9dcf878fe48dcb6884bc4d30cb79204c09f50bd3b00fcf1e6a4ec51a16ea8ca7271d78d0f8b4

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
87KB

MD5
7fa032364e009091d54b04892d5b7d70

SHA1
ed0e45f40d70c6bf437c738b34637a7158a78b98

SHA256
e4d4f05f70aa97766aed79f560c3930db6bf3b52caf1be844e54063cd5bc702d

SHA512
ba49119fd8e77e041499f62372307859e6668d450acdd83d74b93fab3f0cc078337a311fbf89d560879e41422f4ae5a42e8ad46fb69c8dcd4e4a88682b5c3cb3

Download Submit
C:\Windows\SysWOW64\Oihmedma.exe

Filesize
87KB

MD5
13cfe56b2e1558e1c5b9a7e2e24f77be

SHA1
737ea30a70e988c963e414b23c1f960a95ca2dea

SHA256
1f55e70fbfd7180abb154ed2f15dd68b15893874500c454ca9e801fc6c574d5d

SHA512
df5d0febfe7b97fffd94c87f9ce1b2d16fd2de8cbbc25e2401e6a4fa867b615e9150a741a61eff61db2cd8d492ad0772ff73271b5990cd30390795bc4baec95d

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
87KB

MD5
8f24033a86f455f85f1f97b435fb1c4d

SHA1
0ef42f5ef08972c4fc6e88ae6aa40dbdb3eb9e14

SHA256
dec8c62e4e171eb523f8cd8beb01566666a0b388bf162b3cef0c228f58bfe363

SHA512
39775543ec1f5bc6b9b79378a8339db9549bfbb8fbd6d877e1eefaca8e442a8a91d48d1d12526c5e84ac0169eb1ac25b9c75f06342f2478e056745947cfb97e9

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
87KB

MD5
d504a7bad25cf5b3d9c28c56f9f2a5e7

SHA1
23f2ba1b481d3c3ccce664f8dda8e897d8603e45

SHA256
24f4fe091279aa070683dd7339e0d2bfb8ebf66189c55b2180accf08102409aa

SHA512
05c163e73ba7b69822f39966e1823c46cdccbfeca434a9dd10d696d98ff50bd141b9aeb25a06765ea95eabae75cf7102a4b371299859cef3a5847a51cd0597a3

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
87KB

MD5
09ee8db47f24646c417cc794712afb0a

SHA1
66866cb512cc199af1a160b048c0971d610f0e8f

SHA256
8536012185d61187914130b98579d4c7f7aa1b181ba0c9867d036216f9c52b7d

SHA512
75cd5ca467cf1513a9b9becc9acc4d1cd2db8d0904272f4c10b9243c1b628fda6b190e9039b903583c13899cd67ea6c1c2a1ab4911eb2692aea34e9f82b5ef7e

Download Submit
C:\Windows\SysWOW64\Qpbnhl32.exe

Filesize
87KB

MD5
b8a721ae6c4a06f2b499fb76d578c22b

SHA1
dd337ded45e1e19b73d870bfd915e6eaa1fcce1b

SHA256
1f26eef9413f398ca520b5065dd583685c395e5636cadb385d754a629b931de0

SHA512
b55e6efb5aad3616cecaf4bacdfb8794c4bf1853d6f7b6e5105ba1b505f0485a4dbd92fba0184f3b01e30e1a1026906a83af3501566e5364a61cca1598a135e6

Download Submit
memory/416-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/416-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1368-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1368-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1964-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1964-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3740-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3740-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3844-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3844-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4076-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4620-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4620-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4624-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4624-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4740-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4740-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4748-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4992-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4992-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads