e5170fab50d9fc9de71a39c1e1e6a5350e27836ddb3f11e68d03957aaacbdb75

Analysis

max time kernel
139s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f73cc8308efa2f2d6c718395dda2730_NeikiAnalytics.exe
Size

96KB
MD5

5f73cc8308efa2f2d6c718395dda2730
SHA1

c736d98b502ce65f1c6bb2303e45186dbb0f02c6
SHA256

e5170fab50d9fc9de71a39c1e1e6a5350e27836ddb3f11e68d03957aaacbdb75
SHA512

67f2e22a04a620c424d470e2d8e7f420e3fff138a92913cf49720f97727e71ba5207c9d7f364bd8b014848dee4f89152d32b7a107828fec0aa78fddb3729a3a7
SSDEEP

1536:HGHa52hmLbstEUxAl/FE7RUjqXkpg2Lk1jPXuhiTMuZXGTIVefVDkryyAyqX:mHqQmLQ+UxArEGu0ajPXuhuXGQmVDeCv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe

Executes dropped EXE 64 IoCs

pid	Process
5060	Liddbc32.exe
2556	Lpnlpnih.exe
4484	Lpnlpnih.exe
2904	Lbmhlihl.exe
2728	Lfhdlh32.exe
1280	Lmbmibhb.exe
3252	Llemdo32.exe
2356	Lboeaifi.exe
4052	Lfkaag32.exe
5032	Liimncmf.exe
968	Llgjjnlj.exe
3168	Lpcfkm32.exe
4964	Lbabgh32.exe
4812	Lgmngglp.exe
3724	Likjcbkc.exe
3236	Lljfpnjg.exe
4036	Ldanqkki.exe
1232	Lgokmgjm.exe
1812	Lmiciaaj.exe
964	Lphoelqn.exe
3592	Mbfkbhpa.exe
1076	Medgncoe.exe
1892	Mmlpoqpg.exe
2352	Mpjlklok.exe
1552	Mchhggno.exe
3772	Mibpda32.exe
4320	Mlampmdo.exe
4988	Mdhdajea.exe
4844	Mgfqmfde.exe
3784	Miemjaci.exe
628	Mlcifmbl.exe
5028	Mpoefk32.exe
668	Mcmabg32.exe
3896	Migjoaaf.exe
2244	Mlefklpj.exe
556	Mdmnlj32.exe
3496	Mcpnhfhf.exe
3332	Menjdbgj.exe
2392	Mnebeogl.exe
1996	Npcoakfp.exe
804	Ndokbi32.exe
1068	Ncbknfed.exe
1800	Nepgjaeg.exe
3944	Njnpppkn.exe
1640	Nnjlpo32.exe
1644	Nphhmj32.exe
368	Ncfdie32.exe
2516	Njqmepik.exe
1456	Nloiakho.exe
1592	Ndfqbhia.exe
3416	Ngdmod32.exe
1780	Njciko32.exe
2632	Nnneknob.exe
4592	Npmagine.exe
2296	Nckndeni.exe
4748	Nfjjppmm.exe
1516	Olcbmj32.exe
4312	Odkjng32.exe
756	Ogifjcdp.exe
3000	Ojgbfocc.exe
384	Olfobjbg.exe
1476	Odmgcgbi.exe
4828	Ogkcpbam.exe
5044	Ojjolnaq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Leedqpci.dll	Lpnlpnih.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Llemdo32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	5f73cc8308efa2f2d6c718395dda2730_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6516	7108	WerFault.exe	270

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5f73cc8308efa2f2d6c718395dda2730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Liimncmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 5060	1560	5f73cc8308efa2f2d6c718395dda2730_NeikiAnalytics.exe	85
PID 1560 wrote to memory of 5060	1560	5f73cc8308efa2f2d6c718395dda2730_NeikiAnalytics.exe	85
PID 1560 wrote to memory of 5060	1560	5f73cc8308efa2f2d6c718395dda2730_NeikiAnalytics.exe	85
PID 5060 wrote to memory of 2556	5060	Liddbc32.exe	86
PID 5060 wrote to memory of 2556	5060	Liddbc32.exe	86
PID 5060 wrote to memory of 2556	5060	Liddbc32.exe	86
PID 2556 wrote to memory of 4484	2556	Lpnlpnih.exe	87
PID 2556 wrote to memory of 4484	2556	Lpnlpnih.exe	87
PID 2556 wrote to memory of 4484	2556	Lpnlpnih.exe	87
PID 4484 wrote to memory of 2904	4484	Lpnlpnih.exe	88
PID 4484 wrote to memory of 2904	4484	Lpnlpnih.exe	88
PID 4484 wrote to memory of 2904	4484	Lpnlpnih.exe	88
PID 2904 wrote to memory of 2728	2904	Lbmhlihl.exe	89
PID 2904 wrote to memory of 2728	2904	Lbmhlihl.exe	89
PID 2904 wrote to memory of 2728	2904	Lbmhlihl.exe	89
PID 2728 wrote to memory of 1280	2728	Lfhdlh32.exe	91
PID 2728 wrote to memory of 1280	2728	Lfhdlh32.exe	91
PID 2728 wrote to memory of 1280	2728	Lfhdlh32.exe	91
PID 1280 wrote to memory of 3252	1280	Lmbmibhb.exe	93
PID 1280 wrote to memory of 3252	1280	Lmbmibhb.exe	93
PID 1280 wrote to memory of 3252	1280	Lmbmibhb.exe	93
PID 3252 wrote to memory of 2356	3252	Llemdo32.exe	94
PID 3252 wrote to memory of 2356	3252	Llemdo32.exe	94
PID 3252 wrote to memory of 2356	3252	Llemdo32.exe	94
PID 2356 wrote to memory of 4052	2356	Lboeaifi.exe	95
PID 2356 wrote to memory of 4052	2356	Lboeaifi.exe	95
PID 2356 wrote to memory of 4052	2356	Lboeaifi.exe	95
PID 4052 wrote to memory of 5032	4052	Lfkaag32.exe	96
PID 4052 wrote to memory of 5032	4052	Lfkaag32.exe	96
PID 4052 wrote to memory of 5032	4052	Lfkaag32.exe	96
PID 5032 wrote to memory of 968	5032	Liimncmf.exe	97
PID 5032 wrote to memory of 968	5032	Liimncmf.exe	97
PID 5032 wrote to memory of 968	5032	Liimncmf.exe	97
PID 968 wrote to memory of 3168	968	Llgjjnlj.exe	98
PID 968 wrote to memory of 3168	968	Llgjjnlj.exe	98
PID 968 wrote to memory of 3168	968	Llgjjnlj.exe	98
PID 3168 wrote to memory of 4964	3168	Lpcfkm32.exe	99
PID 3168 wrote to memory of 4964	3168	Lpcfkm32.exe	99
PID 3168 wrote to memory of 4964	3168	Lpcfkm32.exe	99
PID 4964 wrote to memory of 4812	4964	Lbabgh32.exe	100
PID 4964 wrote to memory of 4812	4964	Lbabgh32.exe	100
PID 4964 wrote to memory of 4812	4964	Lbabgh32.exe	100
PID 4812 wrote to memory of 3724	4812	Lgmngglp.exe	101
PID 4812 wrote to memory of 3724	4812	Lgmngglp.exe	101
PID 4812 wrote to memory of 3724	4812	Lgmngglp.exe	101
PID 3724 wrote to memory of 3236	3724	Likjcbkc.exe	102
PID 3724 wrote to memory of 3236	3724	Likjcbkc.exe	102
PID 3724 wrote to memory of 3236	3724	Likjcbkc.exe	102
PID 3236 wrote to memory of 4036	3236	Lljfpnjg.exe	104
PID 3236 wrote to memory of 4036	3236	Lljfpnjg.exe	104
PID 3236 wrote to memory of 4036	3236	Lljfpnjg.exe	104
PID 4036 wrote to memory of 1232	4036	Ldanqkki.exe	105
PID 4036 wrote to memory of 1232	4036	Ldanqkki.exe	105
PID 4036 wrote to memory of 1232	4036	Ldanqkki.exe	105
PID 1232 wrote to memory of 1812	1232	Lgokmgjm.exe	106
PID 1232 wrote to memory of 1812	1232	Lgokmgjm.exe	106
PID 1232 wrote to memory of 1812	1232	Lgokmgjm.exe	106
PID 1812 wrote to memory of 964	1812	Lmiciaaj.exe	107
PID 1812 wrote to memory of 964	1812	Lmiciaaj.exe	107
PID 1812 wrote to memory of 964	1812	Lmiciaaj.exe	107
PID 964 wrote to memory of 3592	964	Lphoelqn.exe	108
PID 964 wrote to memory of 3592	964	Lphoelqn.exe	108
PID 964 wrote to memory of 3592	964	Lphoelqn.exe	108
PID 3592 wrote to memory of 1076	3592	Mbfkbhpa.exe	110

C:\Users\Admin\AppData\Local\Temp\5f73cc8308efa2f2d6c718395dda2730_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f73cc8308efa2f2d6c718395dda2730_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\Liddbc32.exe
  C:\Windows\system32\Liddbc32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\Lpnlpnih.exe
    C:\Windows\system32\Lpnlpnih.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Lpnlpnih.exe
      C:\Windows\system32\Lpnlpnih.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        23⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        30⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        31⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        33⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:668
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        38⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        47⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        51⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        52⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        53⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        54⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        58⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        62⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        63⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        67⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3572
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        69⤵
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        70⤵
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4356
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        72⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        73⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        75⤵
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4432
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2984
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        80⤵
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        81⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        85⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        91⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        92⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        93⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        98⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        101⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        104⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        105⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        106⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        107⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        108⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        110⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        112⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        113⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        114⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        116⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        118⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        119⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        121⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        122⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        123⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        128⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        129⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        130⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        133⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        137⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        139⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        140⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6384
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        142⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        144⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        145⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        146⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        148⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        149⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6996
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        151⤵
        Drops file in System32 directory
        
        PID:7036
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7084
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7120
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        155⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        156⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        159⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        161⤵
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        163⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        164⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        165⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        167⤵
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        168⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        170⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        171⤵
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        174⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6700
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1796
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        177⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        178⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        179⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 396
        180⤵
        Program crash
        
        PID:6516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7108 -ip 7108
1⤵
PID:6424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
96KB

MD5
e1a9ace493bf445f36be06069f5e302b

SHA1
bdd954f88feb4047c35bef3f9048b0d213126507

SHA256
7f66de83bd24c996a48532060f81394ecc78131a7f9e6480f2c5facea61b5e76

SHA512
3bae58dc98a1cf57802afcc7ad11cc0b0dc1bb2c2e7530ee999816309cc0f2c64188a46b5ba556ae773a84eae50086d1e189f28e7ab28ff75b26499869b935db

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
96KB

MD5
75afcb7749c1551e84700ff15231e0f0

SHA1
bc7ac38d7f02743fc5dedb02dc86be23026241e8

SHA256
0a45488a3cefcbce44b3e496c4d3127f9e06bc6e512a857230c1d5fa0117678d

SHA512
4fbbd2a4a40d37ccab2292af9418580d8857c29e6def6248ad56e52bd1a09e5aaab5310b588c992c39970ccc64677b16fd61be917bd945fd96ae341e5690f950

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
90ad75cb27e44100c4a225028de29b79

SHA1
312366dd81dd533eb27508299a89e09eb63aa096

SHA256
747fbe85f3f5b99123842ca43c7f296019fbe3abac8a6fcc81f722be0be0d0a1

SHA512
8abf07fe86fa175acbe1a3b49ce6228cfd5130796ef86794ee4b396311905762cbe18da177f7b1370255762ea2191f7dbb233ef5dd6755e20cfb8b5111a0c72e

Download Submit
C:\Windows\SysWOW64\Cbeedbdm.dll

Filesize
6KB

MD5
71f5a10694364eac8010c05018ad1eca

SHA1
1e16540887946f668a370e18991f3d9dea1e8b95

SHA256
5bd664a604f5f8b82fbfcb35bd6ccb2ff8878e791f6e4ab6d0afc7044edc5afc

SHA512
46fa0d8e316cf66305a9effdcbdd98f0989b3f3724129e7252243f6b55fc023ef756cb36c3f1e9ac6ec3589172f4ef79c497ce174dfff835266269a3b714fd66

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
9e49f1cb5c6f914d3769f0e2eb7226d8

SHA1
36d51be15a99b68244578426a78e9397efbf6880

SHA256
6d10b5cfdf722c1431be5e47566e91770ec6e307b8783a90e7efe394415108b2

SHA512
a971f7b52f36aefe89a99365d119d36da71013c058f7d3da9470c01634ae921dcd38b796117d1f939ea158ff50affc35713e2ecd1ffca039fc1caae8ebcd811f

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
a0fc9ce8e1e4c185910a2ba7e640aaa1

SHA1
0f841a1ed26897b4bd09d17a1ccb659dc9aef126

SHA256
506b31e69e78aa7d56368aa86c98b3e97c486f44b65c1fd5bb34cd77079ffc65

SHA512
5a7aba7142b8017ce1e97fe58751af1050493cdd36fb252a33032b04e7978172023cd12cee25c615ab1f9f93efaeed833beb5c5eb4def103bd677aafa7b4fa47

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
96KB

MD5
c0670475967d9d8f1a25ee07ce5dcf2b

SHA1
f6f81183015803660a662091b6e1958142c6bc14

SHA256
0561194b9d03817c773738bf2cc1e2cf53efbf05681f966ccf8a464bf58d9ad2

SHA512
c91f130f5e7662fca642d6a65039a2cd6b590677ecc8097a0c5dbad5ca76b2228f1eaed4cff1bcc395a7d6d0fcdb39219a0ba8d3d91c14000a4783c3dd7ff1a8

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
35377c58066f2b24f6a2bb4e4f13707f

SHA1
7af92926826c20fd94f8dbe7b3aae0d9b9004bfa

SHA256
cf76bfc97ca33edf762e705e6bac09db6762fb1461f7d9c2de1f5d22cb3d1c79

SHA512
d9c73b02c62b62d7256dc8539f702cb2b6f6e7b1a1bc475c7377ee8307ac4e6fd1effa9d08bc297db3a5543777caab76c175bbc3e61baf8bba38941a19179caa

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
96KB

MD5
e4c776f5b7c7ee5390e94d28bece9a24

SHA1
e8ce008588fd943d99f6c1c1537e794189085fc2

SHA256
c1a6f37585f02f2ce9e705d6540ca87221a65307ec20ef8fe2234f1a743d79c7

SHA512
9842a63af172b5e3a9be5860117a7728335f9df2ae75113d2fb31e587ada919cf2c1361e4ba8d1066117f635d47b1b12e156893eaa24ba3479eb55a5ad2dd3e1

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
96KB

MD5
bdd766a1d1bd464599ce524f768a9994

SHA1
d83a153eff921c10b881c4d247b1226e74933aaa

SHA256
369ffee3bbd3bc2c67fe7c0fd7455ae8f67962e1e237d5ebfbb26d15d7fc0d37

SHA512
5ab12dbd3209ef2a141752987446da36f6b0b26f01a7669016f98697692bcf7cf2a5cb5263f5f25db1218677d6062971b5516eb861f146427bb4d7221565c6b4

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
4b9cd5c0c234aa01cbc6449db8e69440

SHA1
cff702d02eb923e69c1e84ccb44aa2ab3e86666b

SHA256
dc8891af22d65afc0cf98dea0679938d00dc2ab11939013be6c8de596b39b90c

SHA512
08ec99bb9919629e71beee6c0d2d828ca4bc6db0722b9417e72fa404edd109d1cb3d9b578f2a337d7b0ff49b7a9d35d43f9ca3a429f85c45e4e72b5509cc693a

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
96KB

MD5
6c04e671e1111747039566aa6484f9d2

SHA1
5221ef5c41c2c1b4eef9d07be6b01e9f6a759b5b

SHA256
4d9932a664ee9f45c4e01fb6cd85f12bfb5529a5bc8ed29f848c328e63ae0bb4

SHA512
bf92280b549b756768c2f8f1bc0f107f732cb42c16cc091c146819379622f66433d6b9e308a98fac26859a56dda392d89df8f7b063c8b014feceb27b72f3a407

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
96KB

MD5
6fb31423dc2f8022172589285f06f4cd

SHA1
1c19b6ade1511670f80d2e44b0a6085f24099c69

SHA256
a9cf8daa882b26e6f0075c0911423947f3a164b55f05c5a7f2803b386a59ee51

SHA512
9889e1370d2c85c9093ee28a8c7e8b3a8acbc8f7f341702efa0683666a05e55328f2a1b686af5f9df3d878c49bc3e1f3180218a79bef54f8fd7ee1c13f01c264

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
96KB

MD5
9191e91744fb06626220479c8bbc064e

SHA1
77dcea22b340c7527ddcd6789a0af92b9d249fc6

SHA256
34979de2a7ba68bc6c683978817b71363858b13bbd32b12df21b27a259299be5

SHA512
3c809c5c21c9326e0c4a0999bc433197030dd94c43833edc791ec3fcc6a6223bb9995aadffaa3e1f2362fe8f22648f0e650f228b64ccb2ba534be48049257a9c

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
96KB

MD5
681b9dbfb336170cbb522cc3365be3f0

SHA1
714e67b7e82d1206e30c1aa571a0c2d8d3b169e9

SHA256
33718142fabb467566e9c8c498a9a4662c53fdf13fa0b5906709c9d6c60c39f5

SHA512
76676acab5b8cd87490982f1a5613cbba20ab3bb9d1ceccf61aa5b63b24b1f080672d454e2d056b40c830deb36a05374e44d29778e96e5b52f66b709b55e83c5

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
96KB

MD5
cc26a88aa1c193c1966c8f7ab2d6416e

SHA1
3bafc8d58d50c01511115842d2e465b7d4cae1ea

SHA256
55097e5bfe7eda86e2a8731236b20ffd966b32cf6e53697c4b817fd36f0d8e06

SHA512
79f4fba2b31ade801a3b916238bb811f76ce60e86bd53220dea6b3b12ef38abe32f6d96e31a219d39005f6866eabc97801f59ddd8c477c228a97c9701df33efa

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
96KB

MD5
dd6e76a412ae688ed6f9d50e2bdab943

SHA1
26f3fc72b5677adab0d7089c3db624b2b0a5827d

SHA256
41f98e2a2a8b6660a4bb01cdb017c9fe97b7aae26d064d2bc6c9224cc3821638

SHA512
c70630bf7ad9d045d24954c27f996aecc633c1a6a9c5829b6a4c2e3b7cff5f97d3d58966aca151986429b9f9ac39839233acbec157735c3b7460b185bc62d02e

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
96KB

MD5
7e2589b432c6a36719fc576e872ecc99

SHA1
722ab4bc875b4695072d2ddb1c681c34b7eeac5a

SHA256
efd9b45b9e75f4317112c3c07728bb6903d2cf887f7351ce3abdab7509a1ce44

SHA512
61af3a07df95172e45051b8779d085a0b8dd4636ee966ae0acbbe8b0fb13d302006e1bf4c51ee0cf6734a003a926f78180377dd45c09e8cd0ca1af68573480b6

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
96KB

MD5
d2332c0a85f0bc9ea5f516b0b776f0b8

SHA1
c99f6443e42015954c0528b5a7fb92305900cb9f

SHA256
cea1d3693a01b86a94771b0adcb8f1564c37cb8cb98c730a4a21ba304205819c

SHA512
ceed31a7e7e0fb9df36307145468d48e6c4597c157739e2a2a0553111590d64ea6c208063df1ee8f2016c38adb08afce529689bb9ec7b58e8347565b3b362d15

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
96KB

MD5
2ce9dbe5771bc31f73f0ae5060dac06b

SHA1
63e6779259ed0563aafe314f0cc35b5eec4aebb4

SHA256
f816cbffc9c847e79d38e3d637ea98204d9415476f0e3bf365e784bae856cb18

SHA512
acd92f4aba7ffc058863a1779e5c489a63200c19095cf6137bb9895c376fb6406b7445fd8c329e05d909e46e8d2f73830059d0e436b4567b7f083147624e0de4

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
96KB

MD5
06c9819c722addebdf23315bbe7b50f2

SHA1
a6ad9f59ca4661a439533fd64b47649809d1643a

SHA256
4e6b78a5a1fba6e6cff2d16bddfcdafaf7418a8336fede7ed9e87cf711c52d6b

SHA512
6a89d4f3a16be12ca190caab3625194a6beaadd9311414d408432f04c5c8f9bf30d2ab39bf65cab50c482d9ce6cccafe899034fc08e7e5779de4eeed71e89e8b

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
96KB

MD5
c6bdb1d1bf1f0c303f54138b884d8b4a

SHA1
4595fbffb165db484bfdaa3ea024bee0350296ff

SHA256
079f650364301d2e62e3c8744adefc5a662c49a44ae36b980abe5a0d20851095

SHA512
752d3510ad2e51da57a4bd48fed2889dcdf9ca0b3a093173550db2fa7eda86f18863a83809a7fcbab1094c6f822ae408fd9359f0cb4ff9c111e9ed243fb7199e

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
264c009411d2f640435cea6b9ea24b81

SHA1
b3ce7a4c74aa3310c2c6d70d250db51cde0b3b2c

SHA256
8bdc51697b5d73d665993528603e5d987c53eed62cce607bdee18865066e556e

SHA512
bdc99ac06c725be72275984e1da299dd3419fd881d2456997360ac3fccc4fea218a28d7acfbc00fade38c4c9636e815cb46c51ba9ec18f5ef704d662a9c68d2b

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
96KB

MD5
3cc1a66a024d26fc59efc9f84fe160ce

SHA1
eb0c4eb442714cade37afbe4c2695b8afd4e77a6

SHA256
83595a17fd5f6c7116f507faf67f97cf3a14c9836eeb9875f1e6299231cf9d7e

SHA512
f0c1b68ca5a6aab313cd4dbeeb300220ee7b4658bd25eb9c8dec2ea9d204991b7a5999ddd14c84f77778c56e54ed1744e45ddd14e16346a49c16ad7dacffad81

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
96KB

MD5
5ddada6011936adca726dd01150f4f77

SHA1
cf1d25b0c03082b8242bd92762201396695f773d

SHA256
60336270ff666fd1be3119674f54537c2c00ede64ee9cf725781b7ff56dca016

SHA512
9ce311f1cc2d346177bf4e0591bb7ee427a0f8792539d574a342acde6525aee8a6492c6fd87e27f2c0bceec24bc8b715870714e336ad5801618d80d1d9c7deea

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
96KB

MD5
12a6e562d537ec0f45b76725b42e3dfa

SHA1
b04da9bfec366684a22baaab10079def8a198b69

SHA256
26ca6068087674719f9e9ebc1019cd6ea783ebe60bce35fa31abd9018506b27a

SHA512
63120225e04bc0e578597cf75833c890b916f29ba389ef03fef28cb7a2358c22ee4d065c2c6771b21edc87aedc9f8f5aad1254f7b65da813d5bc38c99f68ba37

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
96KB

MD5
33ab20078d8d8fd04065b3ce2c3803f8

SHA1
ab2796b374d95df971b8f20b2135e81cf4ed374c

SHA256
535e68fbf53013c0fd3c52ea0b8a03a33d369ca5f2833fb834e8fcb9ff676945

SHA512
d21f24903a879c55bb393076f1c74579985e347de3b98cd5dbe69a9e48fc1fa6b815d495b9ff984b617ce469b9b44f7e9a3a7469d7b53ac46e3665b6dfe27597

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
96KB

MD5
9ee31063bb418acbe8ed99dddd77756c

SHA1
be5f149b497048300e535f53fb514f6cdc6065c5

SHA256
61d8c4d57bfbdf1137ff3e763f2ac78e2ecff681ae0714f16a1e7c108b940d76

SHA512
ea5f25fba2e59b79d2ac2638c2e49c0e5d0b5501f4d7f7b2467293e5860b5bbd80e582b57a934600022bed123cb51d2040242054f081b054a69c93fcd7705479

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
96KB

MD5
7ad120be87c1ec429ad39f9b41b6b4bd

SHA1
599072f33ad94d10cff6dd7f5a5bc5ed9b1fe0b3

SHA256
e1fc665da7f8bbc538c0890d077048d901bc2790bd0b1cb3128c195a5bb7d206

SHA512
2b2d7262dc669790814fc10e8d7cf29ed3d2d755c144cf671dc13d77f205410f3647010aaabdd9a6f6c4a8b46967836d2baee16e6b937766128dbe49b2843117

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
96KB

MD5
bb4d45b860552b4645af25bd20cf8566

SHA1
77d23c2604867172d477b661dcadfd4f42cd49ca

SHA256
3262db0cf31508ecd04c0daec17a20ce1b3855c54351adae72d6a4866fb315a9

SHA512
5eb0410f0c061aff2ab00b5edffcc5a99ece877b0fcdf225a9ec54ec0bb232c4701d2fecabd37a0efe44ead96c234f1e1aaf7f2fa11d627c0e665354520d66da

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
96KB

MD5
81894f796515904c098a1e3f89c28acf

SHA1
f75d2e0e080a25b37ead8026580be7b1024251e9

SHA256
581c4c1c48def8978953aed9740099b8de024350b8c805c77aafd859f0f7b082

SHA512
c8b900bca1da8884e682237dc60936864f52fe93876f567c560248ba5dcf78117056bab7060ae2a87c4c9f30b8bbebed45ece59c9929d3b1916da5c3cbeb8424

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
64c22ed7408bad4ccf85cbe41c435827

SHA1
7daddcdd1f7a7d66abd1183cffecd86ddc271e3e

SHA256
ceaf95a19b686ae1529eefde79bd71bfd18ae293125c9b91e3e196fb328e13da

SHA512
524c10e2fecb2c4fe4a3909d2533026678db1e5d11a56f14e5cafac63930454bc3d123126fff70cc60a41908f9076121e446c9d0980862b5b721f74d5575fe31

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
96KB

MD5
bc1ee8fc6949559f5ff98d6a582c1678

SHA1
8b7038ae59a1009f1e0b5ddd080550d8c0ac17c1

SHA256
3b34432b824b247a6a3f4b7c7c40fa5b94e5e59bcd8b7105b9a5a119e478c4d1

SHA512
dcc6d87a922e4ed2e0dfce96ed2ec0cf1412dfc7a7b1f209516d4fbdf90d494a7efee90e3e3dc4c77fe286b4785a1de5cdfdec2234c68ff90bdf61f7581b0642

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
2c1f463a550ed4cdd455d4aac9d15a29

SHA1
55bacc98b49c47d77c835fc077b8a4d1a14c97aa

SHA256
a8a7852b761e26b1d3955a4c820e1fbea457d08dbd9f611c9002ad4154010199

SHA512
9db9fc5375ac7f5ceb77f3212d2e5e18fa3d659b39e37df625993aa2b744e166cf33bfda2e39811d5c5f380a58011670ff2afa5752e2ed9765730d5b1bfe9e7e

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
d23fcabb260110327d2d17e07716d863

SHA1
ced86be138064f51f2d63b10f3d27b1eefa0abbf

SHA256
aecb50b717b4d507d5a374a2c25101ca273e2e63cda084160be7f4b4ec14b5b3

SHA512
00f570651254fa57a4f1bfcbda4042a80be54b74ecb6e201aa3bf7b98ae602591d100ef62601f456ad01a97a397c1e25308d2ce301ec6476a6c087679c56ef1a

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
96KB

MD5
64f56a52c893761ec2ee625baf70be6a

SHA1
26f7397428a59a1307562c9ccb6e1139a0d64ec2

SHA256
19004f6cbbca4b923d20c77e9cd59c0d1d7173ddad2505a83be0ab37a787ad82

SHA512
af552d386d029eaba18cd9d2da644a77783dd606c67ddc1fb4920fd264573c5642f65752d5fff01b5a3d7b59f8759f24ee71049683fb09a526b0ba33a9de00c2

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
96KB

MD5
573ea7c0f63f74df5390ad4fadf95783

SHA1
50525c04008ea9aa36b0eb08efc5afafcbe36f54

SHA256
87917693ad3dfa526da1b4da3f22b75d3d61394a3fc180333b0a191856c089cf

SHA512
7e20f3762886043d0e8dcf9260838f64c78050a75aa98298327e3a8514c35985c2df9c8f2a3e01181be9e89a0aae81998121b0637884349b1ad28e392bef73dc

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
96KB

MD5
851106e3c5562ed55ea881d381a86a99

SHA1
cbb773eabfa771674ef13b2fe7b30c4a5a942f36

SHA256
85d1a2ac7d30204c8c841373927152d407307893670ebb1ecdc47f58bc7c3307

SHA512
d2e998142b7f5a73881021444b902e754f56e55430ab6cf1907685ad3993e5e5d335f97fc5b07619ec84c1cf5a6a830e1d66449bb4714ba846798de5e30e5fe9

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
96KB

MD5
c67e855d4c7a71273ace792a3ac728ee

SHA1
878ff10796a397d0afdc651d3e2401b5d065b9cf

SHA256
a15992c435f24c2e45ed0c0c59abc42efcb47c5e4d8d8b205186351fb8d76604

SHA512
5d0b847cd1b7a6de0826bf0638e7b54c989a17b2e2e15ee7cb1dd3409a9976deee0050486920e302eb95dc0c705bd8e403cdcaea2f8621ddf55242264827bd0a

Download Submit
memory/368-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/384-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/628-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/804-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/964-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1068-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1232-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1456-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1560-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1780-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1812-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1892-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-529-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-595-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3724-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3772-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3896-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-517-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4740-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4748-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4964-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-77-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5056-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5140-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5176-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5216-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5264-576-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5312-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5348-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads