d991fad0de12e835eb5770c692be5a5c3f084cf510b93218e723cb9cfdc70025

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c721a81292bdeee40dc2a7e7ce085e00_NEIKI.exe
Size

172KB
MD5

c721a81292bdeee40dc2a7e7ce085e00
SHA1

d17a43c98e15dac40f823d785aa97609192f5f4f
SHA256

d991fad0de12e835eb5770c692be5a5c3f084cf510b93218e723cb9cfdc70025
SHA512

fceaff8c33aa5ecccb079fe3ba9e3936c495ba7c6905ebbf0242aeea63f642fd791a5504454a2006567ecf2660da70ed25d0644fa52ad5db1459f209f35ac103
SSDEEP

3072:sJj33rg9xgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ:en898rtMsQB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c721a81292bdeee40dc2a7e7ce085e00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe

Executes dropped EXE 50 IoCs

pid	Process
4716	Lcmofolg.exe
1196	Lkdggmlj.exe
940	Liggbi32.exe
1692	Laopdgcg.exe
1032	Lpappc32.exe
3296	Ldmlpbbj.exe
640	Lcpllo32.exe
1680	Lgkhlnbn.exe
1400	Lijdhiaa.exe
3464	Lnepih32.exe
2892	Laalifad.exe
4520	Ldohebqh.exe
3532	Lcbiao32.exe
1768	Lgneampk.exe
2484	Lkiqbl32.exe
4924	Lilanioo.exe
3520	Lnhmng32.exe
4980	Laciofpa.exe
3656	Lpfijcfl.exe
3196	Ldaeka32.exe
1064	Lgpagm32.exe
2100	Lklnhlfb.exe
2464	Ljnnch32.exe
4584	Lnjjdgee.exe
1672	Lphfpbdi.exe
384	Lddbqa32.exe
4212	Lcgblncm.exe
3572	Lknjmkdo.exe
4852	Mjqjih32.exe
1608	Mnlfigcc.exe
3380	Mahbje32.exe
2652	Mpkbebbf.exe
4120	Mdfofakp.exe
1580	Mgekbljc.exe
1612	Mkpgck32.exe
3432	Mjcgohig.exe
728	Mnocof32.exe
680	Majopeii.exe
3776	Mpmokb32.exe
3904	Mdiklqhm.exe
4672	Mcklgm32.exe
4380	Mgghhlhq.exe
4432	Mnapdf32.exe
1920	Nnmopdep.exe
4608	Nqklmpdd.exe
3120	Ncihikcg.exe
4908	Nkqpjidj.exe
3948	Nnolfdcn.exe
1104	Nqmhbpba.exe
4692	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	4692	WerFault.exe	131

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c721a81292bdeee40dc2a7e7ce085e00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c721a81292bdeee40dc2a7e7ce085e00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	c721a81292bdeee40dc2a7e7ce085e00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 4716	672	c721a81292bdeee40dc2a7e7ce085e00_NEIKI.exe	79
PID 672 wrote to memory of 4716	672	c721a81292bdeee40dc2a7e7ce085e00_NEIKI.exe	79
PID 672 wrote to memory of 4716	672	c721a81292bdeee40dc2a7e7ce085e00_NEIKI.exe	79
PID 4716 wrote to memory of 1196	4716	Lcmofolg.exe	80
PID 4716 wrote to memory of 1196	4716	Lcmofolg.exe	80
PID 4716 wrote to memory of 1196	4716	Lcmofolg.exe	80
PID 1196 wrote to memory of 940	1196	Lkdggmlj.exe	81
PID 1196 wrote to memory of 940	1196	Lkdggmlj.exe	81
PID 1196 wrote to memory of 940	1196	Lkdggmlj.exe	81
PID 940 wrote to memory of 1692	940	Liggbi32.exe	82
PID 940 wrote to memory of 1692	940	Liggbi32.exe	82
PID 940 wrote to memory of 1692	940	Liggbi32.exe	82
PID 1692 wrote to memory of 1032	1692	Laopdgcg.exe	83
PID 1692 wrote to memory of 1032	1692	Laopdgcg.exe	83
PID 1692 wrote to memory of 1032	1692	Laopdgcg.exe	83
PID 1032 wrote to memory of 3296	1032	Lpappc32.exe	84
PID 1032 wrote to memory of 3296	1032	Lpappc32.exe	84
PID 1032 wrote to memory of 3296	1032	Lpappc32.exe	84
PID 3296 wrote to memory of 640	3296	Ldmlpbbj.exe	85
PID 3296 wrote to memory of 640	3296	Ldmlpbbj.exe	85
PID 3296 wrote to memory of 640	3296	Ldmlpbbj.exe	85
PID 640 wrote to memory of 1680	640	Lcpllo32.exe	86
PID 640 wrote to memory of 1680	640	Lcpllo32.exe	86
PID 640 wrote to memory of 1680	640	Lcpllo32.exe	86
PID 1680 wrote to memory of 1400	1680	Lgkhlnbn.exe	87
PID 1680 wrote to memory of 1400	1680	Lgkhlnbn.exe	87
PID 1680 wrote to memory of 1400	1680	Lgkhlnbn.exe	87
PID 1400 wrote to memory of 3464	1400	Lijdhiaa.exe	88
PID 1400 wrote to memory of 3464	1400	Lijdhiaa.exe	88
PID 1400 wrote to memory of 3464	1400	Lijdhiaa.exe	88
PID 3464 wrote to memory of 2892	3464	Lnepih32.exe	89
PID 3464 wrote to memory of 2892	3464	Lnepih32.exe	89
PID 3464 wrote to memory of 2892	3464	Lnepih32.exe	89
PID 2892 wrote to memory of 4520	2892	Laalifad.exe	90
PID 2892 wrote to memory of 4520	2892	Laalifad.exe	90
PID 2892 wrote to memory of 4520	2892	Laalifad.exe	90
PID 4520 wrote to memory of 3532	4520	Ldohebqh.exe	91
PID 4520 wrote to memory of 3532	4520	Ldohebqh.exe	91
PID 4520 wrote to memory of 3532	4520	Ldohebqh.exe	91
PID 3532 wrote to memory of 1768	3532	Lcbiao32.exe	92
PID 3532 wrote to memory of 1768	3532	Lcbiao32.exe	92
PID 3532 wrote to memory of 1768	3532	Lcbiao32.exe	92
PID 1768 wrote to memory of 2484	1768	Lgneampk.exe	93
PID 1768 wrote to memory of 2484	1768	Lgneampk.exe	93
PID 1768 wrote to memory of 2484	1768	Lgneampk.exe	93
PID 2484 wrote to memory of 4924	2484	Lkiqbl32.exe	94
PID 2484 wrote to memory of 4924	2484	Lkiqbl32.exe	94
PID 2484 wrote to memory of 4924	2484	Lkiqbl32.exe	94
PID 4924 wrote to memory of 3520	4924	Lilanioo.exe	95
PID 4924 wrote to memory of 3520	4924	Lilanioo.exe	95
PID 4924 wrote to memory of 3520	4924	Lilanioo.exe	95
PID 3520 wrote to memory of 4980	3520	Lnhmng32.exe	96
PID 3520 wrote to memory of 4980	3520	Lnhmng32.exe	96
PID 3520 wrote to memory of 4980	3520	Lnhmng32.exe	96
PID 4980 wrote to memory of 3656	4980	Laciofpa.exe	97
PID 4980 wrote to memory of 3656	4980	Laciofpa.exe	97
PID 4980 wrote to memory of 3656	4980	Laciofpa.exe	97
PID 3656 wrote to memory of 3196	3656	Lpfijcfl.exe	98
PID 3656 wrote to memory of 3196	3656	Lpfijcfl.exe	98
PID 3656 wrote to memory of 3196	3656	Lpfijcfl.exe	98
PID 3196 wrote to memory of 1064	3196	Ldaeka32.exe	99
PID 3196 wrote to memory of 1064	3196	Ldaeka32.exe	99
PID 3196 wrote to memory of 1064	3196	Ldaeka32.exe	99
PID 1064 wrote to memory of 2100	1064	Lgpagm32.exe	100

C:\Users\Admin\AppData\Local\Temp\c721a81292bdeee40dc2a7e7ce085e00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c721a81292bdeee40dc2a7e7ce085e00_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\SysWOW64\Lcmofolg.exe
  C:\Windows\system32\Lcmofolg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\Lkdggmlj.exe
    C:\Windows\system32\Lkdggmlj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\SysWOW64\Liggbi32.exe
      C:\Windows\system32\Liggbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        51⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 400
        52⤵
        Program crash
        
        PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4692 -ip 4692
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
172KB

MD5
b6cb0797126d9c4bff0626beb5058e19

SHA1
e76816bd04b9266c2ea6c84fbc83bf26eb2f9772

SHA256
eed840b0153d2b8a68f78cfea6159f670ebbf5376dd8f08e6ed320f8c197600f

SHA512
8bd58eb2806a34045ca02b87378a2dfc27f362db55762d218dade9b25bddae3e767b63e030a9cd91a5acb9cb4fa7cf49d926359a62c31f82d699fb02d80a7ada

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
172KB

MD5
a4595d0ebef4bfdfe82d92b53ebb7d5f

SHA1
0569cf7e7d2d46825c4c54223324954d85d9795d

SHA256
195a766ab625b456876e406c2a0afea8b319e0509d61cddcc4920b7fec6b81fc

SHA512
0e45da0ac9cfb56a996cabebdc54b3984248ee585b9ab483d2de9cd63df63b22646228da249d5c3da3ec6bbbee3d997dd3c454f04809dd68e76e30e4090ca146

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
172KB

MD5
6c44d9c097bb8a88e93b6e0077aa5239

SHA1
3a958d3e0138e092e2467e6d2c4bc38ccefd8296

SHA256
c331d3693af050b7de4a9e2099bafa094935a54dff8092e25aa7881e9271d903

SHA512
f019d0d7b8f21f0c7927c72025fe501d04843ac26d3b26a66aee00f3a365f4571458b7327645b58208b6e4824b1278e1be6d786fb05d686fde443854f3d091cb

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
172KB

MD5
716f08351927afd4df3badb18fb958c5

SHA1
f3eb2ba73178ff74d96818fed5f0bc3d7a2c4d96

SHA256
3b5b8f988d6d341cdab73f0c3051c3f53b26dca2fc115b6ee3a5ced569ea251f

SHA512
df2ebff8f768dcce2c1d4f53f74ca2c022ba5fc7512bd247cffa5344eecd3da67a31a3b1bd249db065e044a38778f0eb18e06e9656c32fde753868c8bd68153c

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
172KB

MD5
f6e8a2c85d17ef3b85b4bbfa75520acb

SHA1
c02fe32128b842ce566250a68ead3bb006733b4d

SHA256
6af703ba3626f4ee5260b100050d42bc819c70df74631f8f1f98e1235e02ddbc

SHA512
bda139569f42cfe5be5eca917167f165c50d9ed75e8662fe8d721c8f60ae8df0c02d9c5a51e5c400ea2609d14a4f4e747992cba874464376d78861941f0599b5

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
172KB

MD5
937a031384efffccaabfd0fc72487290

SHA1
c90ee1b61d73ff7a84978dfc377be27bc5de7958

SHA256
087b27c7fab489799fb32f64f176e190839d2a7ee5ef6daab9627ad540df0649

SHA512
1a2a5c64c54a5dccdaba85421d339d6a95bac2a3e1541c5b0767f76a4d9b6c15585c22ef965af45c2914c669461ddd35d6fb83f610cf64a1a82365c19306bd81

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
172KB

MD5
42353ba0fe0ffb1f2858bf9fb1cdd670

SHA1
da38bf635586e6a7639c6fb45f1fed6fcb47f56b

SHA256
03e8f05067122362b5cde34fce92d3730758b8521a374b6cf5fcccfa6f88292b

SHA512
86e7777ac7817ce5a7d68f5616fee94e3e6e3325bf79d3b5db71a01829916f21f65832849fffeebe33a3dba0fbc4b558a53100cda17dfecfc5665e3c0a1aec66

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
172KB

MD5
0d2bab49339e6db03788d484e3940c74

SHA1
806998347e4edb0323026d6cde5c395960dd3084

SHA256
f1e72ce701541ba291ab364798bb640316b85e80717f3363f9381f5ac8b08132

SHA512
e6095541b36ce780319a51fc4c2574e9939a455cf7e858b7dbc92058804470cd47d8d257e4d0b1584a915aba13e83c3a9d5f69bb67127226c354a277b9d263a1

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
172KB

MD5
b96fbdb04ccab2d6d2fff70d2b90e772

SHA1
76f48fab1ad140bf946db4bcadfad77bc26c700c

SHA256
0f1858b5f8afe456113c326f126ed1b792c036682d7bc05c17daf7ac1e3b9788

SHA512
f2a4cb97a74f7b19fa988e23586e75d81337eace41d5670d0801e13491736f2ef92868b68ba662147bbf0ae6ca521f3b055ae4e26188481c30a987dfdd02ca11

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
172KB

MD5
8532d392dde446d6593fc323bee3afde

SHA1
b0a85fe479fb43d846537217fef2f7776cf12e54

SHA256
8451d492b9bcfc0993fac77d53f11e683eeab23f39cbd3539e8c2cd66e6df275

SHA512
db7e82e530be6d12f3f3ce8c6edab1e96fcf6fdf8d97ef5695a8950e09335f080344c9ade49fcd4a5071d1e4abdbd2c52b04d0c98f368c9d166e82cc3a249034

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
172KB

MD5
5ca746e35b7ebbf7ea527bc15825e89a

SHA1
1c4573fa65dd7029151254e8f8b99707b084310c

SHA256
01a1edcbb21da8962a33e7167c35e9e5ba2690aba1876daaa2af8c79c7f86b14

SHA512
a6d09560feae72649879fdaa2feb06f8741f9efb1730e3a4f80f225c080a663b61b69df8fe5db786073c648341a627fda862ce013bf1fb22c8770d5a709a701d

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
172KB

MD5
ad50be53660cb1dd18ae2dcf0dd7e2b7

SHA1
ad0a6408673c8719e26492b740df2ff9eaaa960e

SHA256
3bedf2bd9f2cc7df29fc77ea424b96db26d4f93639b38b3357d712bb87517061

SHA512
ad364fb05130d17bd9dec259c02bea285ed1e4e81d76bc2546953829509a523c41354f1624deceaa1024ba0c44e3d1851e4cda5eb139494e26627a637daabbda

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
172KB

MD5
c8facc8ddb1ccfc23a60042b578b44c8

SHA1
8e6307abb1a4029a6a513a4a7bb306c497192bf8

SHA256
c6e3ed7fd6ceed634b71c7f0a4b1cff788d9b2eeecf824852845e605057ffcc3

SHA512
1a9b84fa38de0cffbccd9967dd9699a869aa0e36ebe2238a4f71f81da8bfad2bb44a23498fa9cffc46601dc61361863b09f20dbfa01b90fa40053731a8e5dae2

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
172KB

MD5
d3f99527a850d31821f5839237bb5dd2

SHA1
bf4226554557be8a8a58320b113a4e185691f776

SHA256
50f94cb3e91b7e2f647ba7c9e0a100d5b3557d0123451de3f917077925e16ddc

SHA512
3f9a4584d9b140860064c44a24bf2e7fb6ae07f8acf5579faef4476bc89652cd8670814a567ddc60a479a1f34c6f932d2884cc6c9bcc6fa7801cdadd86b13629

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
172KB

MD5
b030cbea65f2ba20d8132778ebdcc988

SHA1
7ebec48cd6663c6f620b277d7e8dd2b65ac63aa2

SHA256
dd44c68e6369cf25cfc8ae3afff0d4de6336fd9d09b137bcfe0df4a1b406ea3e

SHA512
da8ed2ad4add1745acd53e327cce72b2aad5b0d4e81cc0ac6b6be63b3ce57112d107605b990e8d146e089daf5d34df17289e00e5e2f00ce41d9063fbc801e089

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
172KB

MD5
5a3f93700c96a9d516962721b2296a90

SHA1
35e066698ec314f370bc05c73e6390218113a4bb

SHA256
f2842c84001012da7b3e3efc43bd6543806b197a585c13174776c8406fb17876

SHA512
c2641173673634383b02479dec89eb0fbd283a88a4026f8ee1b5761750de440d9ac0ed79cebe2f528617d984d20fd04eaed9056d4926406135463930d232cdf8

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
172KB

MD5
d949b83cbb4ebc3cd812de4f8541e989

SHA1
43f786330d43d283e92d3c1584edfea37513fb3c

SHA256
d9325f23c8c252fb5bd3d03cea753cc90c3f101c1826f9d3be4b88a7e41050fc

SHA512
d72afd305ed3cf05620b24ecaeb20913550fc6c6df9b1d812337175a3d78d79f027bc375cfa2e90f9f889ee503da3030314884b6a282f3e0796c7a27d1e6c18d

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
172KB

MD5
f95fd7a0372a38cfe5bc15427e0e61b6

SHA1
2b0feaff977b78c470ef1cac4c814fb4905f7ab7

SHA256
009fa8d70f8d173f651a7212118236c1070f842c6735d3318f6583c127ee1d52

SHA512
b2f0fc77b959aca4c714ff28122a5fda84cfe3d732aa5482239bc1def23077f4fc4f6ed23e34c63a2db430d85c76965523989692addd65c223be92f2fd2792ba

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
172KB

MD5
358ede6abaf53596294c6a1fcd8e4515

SHA1
e6c6842215de8fcaf37c5a5864e90988143cbdb4

SHA256
96a517b52c9d7525a4c812b99e3b127b911afa857e2de76af81d4ac8ec55db89

SHA512
0209328d0a478a662573e0fd6e35cfc7cac57114a301747fae879602a3760dd5d207544cfd97e24e1394c92605c8f99e7f657cc9ae9bdcbf0b528c033bb40e39

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
172KB

MD5
047da49857bab062889e81d2827bc6e2

SHA1
25c9cd6b67c9e3b65a1ff8741516d6d95831f4c3

SHA256
43a3870a9a4db57ab1441175fe97a1e5f4add1e04f222862a7eead38421707ac

SHA512
bbbd5d72e8732a53dc13006da73034bc873e54695c67041a67e4fbb35aa2b5d189ffd7a5e43539187ef5b7fcc8a8f5cf5aab0743989a402bfe9462cf79f2b179

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
172KB

MD5
02c124987dbc641ddc7668913919cc46

SHA1
9cd62dd06263f77b9cd227fc42fd635b7e7f5079

SHA256
8f7c322a3c2baaeb64b31b2c40c25652738250067aed9943151589f40318eaf0

SHA512
fe8e058df56bb7c28e7193e7fd5b3deefa7c53226d989de8134f6d1b8345494ed35b94efa49d25826895899be11697386106ef7e103a92b9e2b19bf055e62cba

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
172KB

MD5
4774642e749c30b3fc502642c0ee820b

SHA1
1ad1ee6227b3c647ad0cb8eb390a9979c2752618

SHA256
29a5fb771f33efe0a37acf7e7849f56443dac768df853008d7065d09209edb43

SHA512
816e161aa3d9ec35159b81c747d99d78c0843a67568b9ca302e52f03692d16be4d2f36ee2136aed163c6a92a10cea58b80fe9208bb6f94c09e2f78ae600e704a

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
172KB

MD5
0bc7de62584a4d04073ba0815abe7421

SHA1
d16f9fb0d7503819ec30b3de394264fba8517d4f

SHA256
c8fc4ccaf153d54070beef0dd0c69191ea2c404b3752d6c39e48c16f168d132e

SHA512
1eab8cd47810c3dfc906825abb20799dbc79a591b48ff922412c0d0c53352528061003a112b23c921bc6a67480ae30f365843674d8866e8ff0af564d0fec4f0a

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
172KB

MD5
b8c978380286b26a50634c0a507e3e44

SHA1
dca41ef862a5e00f97e5fb319dfbefe6b8a62abc

SHA256
e8f3319b7d0818216f3c1118f38a28483086eda1b750d10df513129c1d072014

SHA512
e5cedb40336b86d6459c4c2ffe04accb37396ea49168c73219f836f09e7963b2997db8b400c30d05c2382af2a81742dc0e75f8a99a61989cde74631002f09e50

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
172KB

MD5
f54960c09a464f157325fcc303425623

SHA1
223a05c5e1b723d32f40a6347591153c657e81f0

SHA256
8edf700b80189fa43ce8eba1ce6549d931059af02e30a4634d26d0e512c10aa2

SHA512
fd49472fb6152019f4880f35cb31bc2e2ae07a95d10a6105dbd3f1bef915b2f044d692e3992811f276d60bc53653bcd221cdc28599893a172c41de69120d6c11

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
172KB

MD5
124fdce07b53ccb89bad5e0c04479982

SHA1
7649cbcb7a83794474f58bca9391337103eda33a

SHA256
8891d730cdd4d7230cc396c13661a30e548d89fe8adcd1896c9fc64aeccab116

SHA512
048a5e90f73c2dbfb266ab541a692a949def80c8bd566f38a0fcca9ee48dbfa6c09c37f81132da2b92633b8e799d2206d3c2a196a2533a7efb6f1a5b65c1e145

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
172KB

MD5
7152d70b94f26c75d931d9664ff0e4cc

SHA1
6bbe5a1beebb7276a6645f74f2e8a30704e1a392

SHA256
311122ea0ffd130973fa594b35756def2ac06a0a958c137a4001f4a88c464f41

SHA512
cd9b17a3b19f9420dcf0452356620608ea64ce4cc62552bb8c736bcec8c0bbc91ab0674cf484a4dac55d8038a8dd5865e62b9e2cd231d792754acede6a4afba2

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
172KB

MD5
389dcb1c90747e01493c15c669bbaaa5

SHA1
c67c3d0d1f734bc70382b5ed47ce61a7bb45e8d0

SHA256
16a08ab41a950208b2600cc097bbb144c4820b5ae75f148debe6401fcc2725c4

SHA512
38cf7aea0b55982feed2e4202ba9b80fef5d83f3d97f7f8641a4eade7d6d1220cfbe0510da5b20e0be5d9d656025019e29fedccb7a2651c1ac413fd20ed594bb

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
172KB

MD5
508a15399b3710cfb53cbf0a24ffbbba

SHA1
ad86c51e4d6c4b07d6aa8746b98632eaa9bae9cd

SHA256
d088b7745e6a8ac643b5876f01312d9e7e48edf6c8fc6bc9a4d59c18435c5b33

SHA512
0beb9797d7e5d954405d976d07622890abc7e9e7f454bf46a2cc049fcc839be747111c2db2b822eeb3cd62590190af0a9eb138e5cfac107cd42344e1971d3db4

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
172KB

MD5
b65ec672cedfa8af2b432ecefcd23059

SHA1
c5e155bdde7c9b62fa3ab49de68ebbd96c9b3851

SHA256
04993cb242592615472dddddab36729fe20b53013c2fc30666ce9819efcf7ab2

SHA512
b582dd96c8191d2f40eb6705033cd5c4461086390143937ddbeab0a8d064676ea073552900ff93163fcf6c869cc298e0498bb56443e1a8685df43ee22107c01e

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
172KB

MD5
a428fd127ded732491d3fb919cf0333c

SHA1
184ac4e4b35dc43b68e521b8b29e4b5435affdcc

SHA256
29d604ac99a99deb3c69f154a97fab7e65f0257055c10ec82f0248d40d190e70

SHA512
fb16aef0978a87c076eefa824bed140ebe4eb357bcca3f6ca7f016c9aa45fa5bc64e0553d247fd8736e09bb8d38ff6910948dbf7305b8ac513f7a6bbe4dcecae

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
172KB

MD5
8a098aa36ac898418296b3912ccb5d2c

SHA1
4d68e3f1e8b3574869a085111740072f8abed042

SHA256
422ba45f503cebbd484d09828625ccf8a355a66b5274ee8916da94c77d07aaad

SHA512
caf236548c083d07139f582c34d7cf1b567cf84822d52cc03edc3ecff2676ab7773231a5f0333d369a484f7504418354a46180f262e1922c90f82fc465bf9f02

Download Submit
memory/384-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/672-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads