9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9

Analysis

max time kernel
83s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe
Size

93KB
MD5

04656d6dce516253c6076e8c8b83abaa
SHA1

b92397a22b48df24f9af9954437756215b5b53fd
SHA256

9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9
SHA512

426feb07741cde70b3ded9f8883413f7b5fc261df406b8e90ebc084d3339d0bd0132a1f7a521e562007774aa5e530596a36387bdda119704fa2fa51c3eb3ed5d
SSDEEP

1536:SUEatKmIkFoDerSBcnJqshfmuXfWrvAAAAAAVmAQvrP7pXMdX5+saMiwihtIbbp4:eab9FqQSB3sheuXfYvAAAAAAVmNrDpia

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlbkmdah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nobpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lggbmbfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlejl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbjfcnkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngencpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lajmkhai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcncbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlbkmdah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lehfafgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfnlcnih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maapjjml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjhnp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpiacp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcncbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nahfkigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llpaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meffjjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcanq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihdjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljeoimeg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndgbgefh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moccnoni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nahfkigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljeoimeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpddgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjlejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbibb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmhdph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmhdph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmnkglp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mejoei32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moccnoni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nickoldp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohkdfhge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajmkhai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkafhnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbile32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfnlcnih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndgbgefh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mddibb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nickoldp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljgkom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpgqlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljgkom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpiacp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lehfafgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggbmbfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maapjjml.exe

Executes dropped EXE 49 IoCs

pid	Process
3008	Kioiffcn.exe
2936	Lgbibb32.exe
2780	Lpiacp32.exe
2700	Lajmkhai.exe
2728	Llpaha32.exe
2748	Lbjjekhl.exe
2884	Lehfafgp.exe
2300	Lggbmbfc.exe
1708	Ljeoimeg.exe
2964	Lcncbc32.exe
2200	Ljgkom32.exe
2128	Lpddgd32.exe
2992	Lfnlcnih.exe
1644	Lmhdph32.exe
2532	Lpgqlc32.exe
2432	Mjlejl32.exe
2464	Mmkafhnb.exe
1804	Mddibb32.exe
2092	Mbginomj.exe
1912	Meffjjln.exe
780	Mmmnkglp.exe
1396	Mbjfcnkg.exe
1936	Mfebdm32.exe
1732	Mlbkmdah.exe
2340	Moqgiopk.exe
2784	Mblcin32.exe
2492	Mejoei32.exe
2836	Moccnoni.exe
2812	Maapjjml.exe
2752	Mlgdhcmb.exe
1596	Nmhqokcq.exe
2332	Ndbile32.exe
772	Nhnemdbf.exe
1332	Nogmin32.exe
2872	Nhpabdqd.exe
2220	Ngcanq32.exe
2772	Nahfkigd.exe
1508	Ndgbgefh.exe
2856	Ngencpel.exe
2060	Nickoldp.exe
2072	Nlbgkgcc.exe
528	Ncloha32.exe
1052	Nmacej32.exe
2452	Nobpmb32.exe
1100	Ncnlnaim.exe
1012	Ogjhnp32.exe
700	Oihdjk32.exe
2496	Ohkdfhge.exe
2512	Opblgehg.exe

Loads dropped DLL 64 IoCs

pid	Process
1496	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe
1496	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe
3008	Kioiffcn.exe
3008	Kioiffcn.exe
2936	Lgbibb32.exe
2936	Lgbibb32.exe
2780	Lpiacp32.exe
2780	Lpiacp32.exe
2700	Lajmkhai.exe
2700	Lajmkhai.exe
2728	Llpaha32.exe
2728	Llpaha32.exe
2748	Lbjjekhl.exe
2748	Lbjjekhl.exe
2884	Lehfafgp.exe
2884	Lehfafgp.exe
2300	Lggbmbfc.exe
2300	Lggbmbfc.exe
1708	Ljeoimeg.exe
1708	Ljeoimeg.exe
2964	Lcncbc32.exe
2964	Lcncbc32.exe
2200	Ljgkom32.exe
2200	Ljgkom32.exe
2128	Lpddgd32.exe
2128	Lpddgd32.exe
2992	Lfnlcnih.exe
2992	Lfnlcnih.exe
1644	Lmhdph32.exe
1644	Lmhdph32.exe
2532	Lpgqlc32.exe
2532	Lpgqlc32.exe
2432	Mjlejl32.exe
2432	Mjlejl32.exe
2464	Mmkafhnb.exe
2464	Mmkafhnb.exe
1804	Mddibb32.exe
1804	Mddibb32.exe
2092	Mbginomj.exe
2092	Mbginomj.exe
1912	Meffjjln.exe
1912	Meffjjln.exe
780	Mmmnkglp.exe
780	Mmmnkglp.exe
1396	Mbjfcnkg.exe
1396	Mbjfcnkg.exe
1936	Mfebdm32.exe
1936	Mfebdm32.exe
1732	Mlbkmdah.exe
1732	Mlbkmdah.exe
2340	Moqgiopk.exe
2340	Moqgiopk.exe
2784	Mblcin32.exe
2784	Mblcin32.exe
2492	Mejoei32.exe
2492	Mejoei32.exe
2836	Moccnoni.exe
2836	Moccnoni.exe
2812	Maapjjml.exe
2812	Maapjjml.exe
2752	Mlgdhcmb.exe
2752	Mlgdhcmb.exe
1596	Nmhqokcq.exe
1596	Nmhqokcq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lajmkhai.exe	Lpiacp32.exe
File created	C:\Windows\SysWOW64\Mejoei32.exe	Mblcin32.exe
File created	C:\Windows\SysWOW64\Nlbgkgcc.exe	Nickoldp.exe
File opened for modification	C:\Windows\SysWOW64\Nmacej32.exe	Ncloha32.exe
File created	C:\Windows\SysWOW64\Pmpiei32.dll	Ljeoimeg.exe
File opened for modification	C:\Windows\SysWOW64\Lfnlcnih.exe	Lpddgd32.exe
File created	C:\Windows\SysWOW64\Naflocji.dll	Mmmnkglp.exe
File created	C:\Windows\SysWOW64\Mfebdm32.exe	Mbjfcnkg.exe
File created	C:\Windows\SysWOW64\Nhclfogi.dll	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Ojqeofnd.dll	Nhnemdbf.exe
File opened for modification	C:\Windows\SysWOW64\Nahfkigd.exe	Ngcanq32.exe
File created	C:\Windows\SysWOW64\Gnkqpnqp.dll	Nahfkigd.exe
File created	C:\Windows\SysWOW64\Pakpllpl.dll	Ndgbgefh.exe
File created	C:\Windows\SysWOW64\Lpgqlc32.exe	Lmhdph32.exe
File created	C:\Windows\SysWOW64\Pgcacc32.dll	Mbjfcnkg.exe
File created	C:\Windows\SysWOW64\Heknhioh.dll	Ngencpel.exe
File created	C:\Windows\SysWOW64\Llpaha32.exe	Lajmkhai.exe
File opened for modification	C:\Windows\SysWOW64\Mlbkmdah.exe	Mfebdm32.exe
File created	C:\Windows\SysWOW64\Kanafj32.dll	Ndbile32.exe
File created	C:\Windows\SysWOW64\Ngencpel.exe	Ndgbgefh.exe
File created	C:\Windows\SysWOW64\Nickoldp.exe	Ngencpel.exe
File created	C:\Windows\SysWOW64\Gcjajedk.dll	Nobpmb32.exe
File created	C:\Windows\SysWOW64\Cldcdi32.dll	Lpiacp32.exe
File created	C:\Windows\SysWOW64\Bggjeedg.dll	Lbjjekhl.exe
File created	C:\Windows\SysWOW64\Mlbkmdah.exe	Mfebdm32.exe
File created	C:\Windows\SysWOW64\Ibnjlg32.dll	Moccnoni.exe
File created	C:\Windows\SysWOW64\Mlgdhcmb.exe	Maapjjml.exe
File created	C:\Windows\SysWOW64\Mnohgfgb.dll	Nlbgkgcc.exe
File created	C:\Windows\SysWOW64\Nlnjkhha.dll	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Ljeoimeg.exe	Lggbmbfc.exe
File created	C:\Windows\SysWOW64\Ljgkom32.exe	Lcncbc32.exe
File created	C:\Windows\SysWOW64\Lfnlcnih.exe	Lpddgd32.exe
File opened for modification	C:\Windows\SysWOW64\Maapjjml.exe	Moccnoni.exe
File opened for modification	C:\Windows\SysWOW64\Ndgbgefh.exe	Nahfkigd.exe
File opened for modification	C:\Windows\SysWOW64\Nobpmb32.exe	Nmacej32.exe
File opened for modification	C:\Windows\SysWOW64\Ohkdfhge.exe	Oihdjk32.exe
File opened for modification	C:\Windows\SysWOW64\Mjlejl32.exe	Lpgqlc32.exe
File opened for modification	C:\Windows\SysWOW64\Nhpabdqd.exe	Nogmin32.exe
File created	C:\Windows\SysWOW64\Lgbibb32.exe	Kioiffcn.exe
File created	C:\Windows\SysWOW64\Lbjjekhl.exe	Llpaha32.exe
File opened for modification	C:\Windows\SysWOW64\Lcncbc32.exe	Ljeoimeg.exe
File created	C:\Windows\SysWOW64\Cpgidb32.dll	Lpgqlc32.exe
File created	C:\Windows\SysWOW64\Mmmnkglp.exe	Meffjjln.exe
File opened for modification	C:\Windows\SysWOW64\Mmmnkglp.exe	Meffjjln.exe
File created	C:\Windows\SysWOW64\Bgbjkg32.dll	Mlbkmdah.exe
File opened for modification	C:\Windows\SysWOW64\Lajmkhai.exe	Lpiacp32.exe
File created	C:\Windows\SysWOW64\Cjchollj.dll	Llpaha32.exe
File created	C:\Windows\SysWOW64\Ndgbgefh.exe	Nahfkigd.exe
File opened for modification	C:\Windows\SysWOW64\Mfebdm32.exe	Mbjfcnkg.exe
File created	C:\Windows\SysWOW64\Moqgiopk.exe	Mlbkmdah.exe
File opened for modification	C:\Windows\SysWOW64\Ncloha32.exe	Nlbgkgcc.exe
File created	C:\Windows\SysWOW64\Nmacej32.exe	Ncloha32.exe
File created	C:\Windows\SysWOW64\Kjhhabcc.dll	Lehfafgp.exe
File created	C:\Windows\SysWOW64\Mbjfcnkg.exe	Mmmnkglp.exe
File opened for modification	C:\Windows\SysWOW64\Nlbgkgcc.exe	Nickoldp.exe
File created	C:\Windows\SysWOW64\Pfknaf32.dll	Ngcanq32.exe
File opened for modification	C:\Windows\SysWOW64\Llpaha32.exe	Lajmkhai.exe
File opened for modification	C:\Windows\SysWOW64\Lggbmbfc.exe	Lehfafgp.exe
File opened for modification	C:\Windows\SysWOW64\Ljgkom32.exe	Lcncbc32.exe
File opened for modification	C:\Windows\SysWOW64\Mddibb32.exe	Mmkafhnb.exe
File created	C:\Windows\SysWOW64\Nmhqokcq.exe	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Ndbile32.exe	Nmhqokcq.exe
File opened for modification	C:\Windows\SysWOW64\Lbjjekhl.exe	Llpaha32.exe
File created	C:\Windows\SysWOW64\Mblcin32.exe	Moqgiopk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
580	2512	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljgkom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mblcin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndbile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngcanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lggbmbfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maapjjml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nahfkigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgbibb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihdjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhnemdbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kioiffcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmhdph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmkafhnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meffjjln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlbkmdah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgdhcmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhqokcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohkdfhge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljeoimeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbginomj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmmnkglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpddgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajmkhai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehfafgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbjfcnkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nickoldp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmacej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcncbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhpabdqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjjekhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfnlcnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndgbgefh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlbgkgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpiacp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moccnoni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfebdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moqgiopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nogmin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnlnaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncloha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nobpmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpgqlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngencpel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjhnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddibb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mejoei32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgdecm32.dll"	Lpddgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faqkji32.dll"	Maapjjml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lehfafgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mddibb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qieiiaad.dll"	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjajedk.dll"	Nobpmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnjkhha.dll"	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljgkom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmhdph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpgqlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfpnca32.dll"	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngencpel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmacej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oihdjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefkcp32.dll"	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbbnidk.dll"	Ljgkom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naflocji.dll"	Mmmnkglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqeofnd.dll"	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blagna32.dll"	Oihdjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfknaf32.dll"	Ngcanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogjhnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbjkg32.dll"	Mlbkmdah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlgdhcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonkpi32.dll"	Mejoei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnjlg32.dll"	Moccnoni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakpllpl.dll"	Ndgbgefh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oihdjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaegla32.dll"	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kioiffcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpiei32.dll"	Ljeoimeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlbkmdah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlbkmdah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njljfe32.dll"	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbibb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lajmkhai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljgkom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpddgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mejoei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpiacp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lggbmbfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgidb32.dll"	Lpgqlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndgbgefh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpgqlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmglegi.dll"	Mblcin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maapjjml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nahfkigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moanhnka.dll"	Ogjhnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mddibb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampcok32.dll"	Moqgiopk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mblcin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhclfogi.dll"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nobpmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhhabcc.dll"	Lehfafgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbmjldj.dll"	Nickoldp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmkafhnb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3008	1496	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe	30
PID 1496 wrote to memory of 3008	1496	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe	30
PID 1496 wrote to memory of 3008	1496	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe	30
PID 1496 wrote to memory of 3008	1496	9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe	30
PID 3008 wrote to memory of 2936	3008	Kioiffcn.exe	31
PID 3008 wrote to memory of 2936	3008	Kioiffcn.exe	31
PID 3008 wrote to memory of 2936	3008	Kioiffcn.exe	31
PID 3008 wrote to memory of 2936	3008	Kioiffcn.exe	31
PID 2936 wrote to memory of 2780	2936	Lgbibb32.exe	32
PID 2936 wrote to memory of 2780	2936	Lgbibb32.exe	32
PID 2936 wrote to memory of 2780	2936	Lgbibb32.exe	32
PID 2936 wrote to memory of 2780	2936	Lgbibb32.exe	32
PID 2780 wrote to memory of 2700	2780	Lpiacp32.exe	33
PID 2780 wrote to memory of 2700	2780	Lpiacp32.exe	33
PID 2780 wrote to memory of 2700	2780	Lpiacp32.exe	33
PID 2780 wrote to memory of 2700	2780	Lpiacp32.exe	33
PID 2700 wrote to memory of 2728	2700	Lajmkhai.exe	34
PID 2700 wrote to memory of 2728	2700	Lajmkhai.exe	34
PID 2700 wrote to memory of 2728	2700	Lajmkhai.exe	34
PID 2700 wrote to memory of 2728	2700	Lajmkhai.exe	34
PID 2728 wrote to memory of 2748	2728	Llpaha32.exe	35
PID 2728 wrote to memory of 2748	2728	Llpaha32.exe	35
PID 2728 wrote to memory of 2748	2728	Llpaha32.exe	35
PID 2728 wrote to memory of 2748	2728	Llpaha32.exe	35
PID 2748 wrote to memory of 2884	2748	Lbjjekhl.exe	36
PID 2748 wrote to memory of 2884	2748	Lbjjekhl.exe	36
PID 2748 wrote to memory of 2884	2748	Lbjjekhl.exe	36
PID 2748 wrote to memory of 2884	2748	Lbjjekhl.exe	36
PID 2884 wrote to memory of 2300	2884	Lehfafgp.exe	37
PID 2884 wrote to memory of 2300	2884	Lehfafgp.exe	37
PID 2884 wrote to memory of 2300	2884	Lehfafgp.exe	37
PID 2884 wrote to memory of 2300	2884	Lehfafgp.exe	37
PID 2300 wrote to memory of 1708	2300	Lggbmbfc.exe	38
PID 2300 wrote to memory of 1708	2300	Lggbmbfc.exe	38
PID 2300 wrote to memory of 1708	2300	Lggbmbfc.exe	38
PID 2300 wrote to memory of 1708	2300	Lggbmbfc.exe	38
PID 1708 wrote to memory of 2964	1708	Ljeoimeg.exe	39
PID 1708 wrote to memory of 2964	1708	Ljeoimeg.exe	39
PID 1708 wrote to memory of 2964	1708	Ljeoimeg.exe	39
PID 1708 wrote to memory of 2964	1708	Ljeoimeg.exe	39
PID 2964 wrote to memory of 2200	2964	Lcncbc32.exe	40
PID 2964 wrote to memory of 2200	2964	Lcncbc32.exe	40
PID 2964 wrote to memory of 2200	2964	Lcncbc32.exe	40
PID 2964 wrote to memory of 2200	2964	Lcncbc32.exe	40
PID 2200 wrote to memory of 2128	2200	Ljgkom32.exe	41
PID 2200 wrote to memory of 2128	2200	Ljgkom32.exe	41
PID 2200 wrote to memory of 2128	2200	Ljgkom32.exe	41
PID 2200 wrote to memory of 2128	2200	Ljgkom32.exe	41
PID 2128 wrote to memory of 2992	2128	Lpddgd32.exe	42
PID 2128 wrote to memory of 2992	2128	Lpddgd32.exe	42
PID 2128 wrote to memory of 2992	2128	Lpddgd32.exe	42
PID 2128 wrote to memory of 2992	2128	Lpddgd32.exe	42
PID 2992 wrote to memory of 1644	2992	Lfnlcnih.exe	43
PID 2992 wrote to memory of 1644	2992	Lfnlcnih.exe	43
PID 2992 wrote to memory of 1644	2992	Lfnlcnih.exe	43
PID 2992 wrote to memory of 1644	2992	Lfnlcnih.exe	43
PID 1644 wrote to memory of 2532	1644	Lmhdph32.exe	44
PID 1644 wrote to memory of 2532	1644	Lmhdph32.exe	44
PID 1644 wrote to memory of 2532	1644	Lmhdph32.exe	44
PID 1644 wrote to memory of 2532	1644	Lmhdph32.exe	44
PID 2532 wrote to memory of 2432	2532	Lpgqlc32.exe	45
PID 2532 wrote to memory of 2432	2532	Lpgqlc32.exe	45
PID 2532 wrote to memory of 2432	2532	Lpgqlc32.exe	45
PID 2532 wrote to memory of 2432	2532	Lpgqlc32.exe	45

C:\Users\Admin\AppData\Local\Temp\9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe
"C:\Users\Admin\AppData\Local\Temp\9e28443583ccac08ac505bb1e252e8b640537a771c64d312d5868b63deb18be9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\Kioiffcn.exe
  C:\Windows\system32\Kioiffcn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\Lgbibb32.exe
    C:\Windows\system32\Lgbibb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\Lpiacp32.exe
      C:\Windows\system32\Lpiacp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\Lajmkhai.exe
        
        C:\Windows\system32\Lajmkhai.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Llpaha32.exe
        
        C:\Windows\system32\Llpaha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Lbjjekhl.exe
        
        C:\Windows\system32\Lbjjekhl.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Lehfafgp.exe
        
        C:\Windows\system32\Lehfafgp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Lggbmbfc.exe
        
        C:\Windows\system32\Lggbmbfc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Ljeoimeg.exe
        
        C:\Windows\system32\Ljeoimeg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Lcncbc32.exe
        
        C:\Windows\system32\Lcncbc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ljgkom32.exe
        
        C:\Windows\system32\Ljgkom32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Lpddgd32.exe
        
        C:\Windows\system32\Lpddgd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Lfnlcnih.exe
        
        C:\Windows\system32\Lfnlcnih.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Lmhdph32.exe
        
        C:\Windows\system32\Lmhdph32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Lpgqlc32.exe
        
        C:\Windows\system32\Lpgqlc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Mjlejl32.exe
        
        C:\Windows\system32\Mjlejl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Mmkafhnb.exe
        
        C:\Windows\system32\Mmkafhnb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Mddibb32.exe
        
        C:\Windows\system32\Mddibb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Mbginomj.exe
        
        C:\Windows\system32\Mbginomj.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Meffjjln.exe
        
        C:\Windows\system32\Meffjjln.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\Mmmnkglp.exe
        
        C:\Windows\system32\Mmmnkglp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Mbjfcnkg.exe
        
        C:\Windows\system32\Mbjfcnkg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Mfebdm32.exe
        
        C:\Windows\system32\Mfebdm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Mlbkmdah.exe
        
        C:\Windows\system32\Mlbkmdah.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Moqgiopk.exe
        
        C:\Windows\system32\Moqgiopk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Mblcin32.exe
        
        C:\Windows\system32\Mblcin32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Mejoei32.exe
        
        C:\Windows\system32\Mejoei32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Moccnoni.exe
        
        C:\Windows\system32\Moccnoni.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Maapjjml.exe
        
        C:\Windows\system32\Maapjjml.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Mlgdhcmb.exe
        
        C:\Windows\system32\Mlgdhcmb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Nmhqokcq.exe
        
        C:\Windows\system32\Nmhqokcq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Ndbile32.exe
        
        C:\Windows\system32\Ndbile32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Nhnemdbf.exe
        
        C:\Windows\system32\Nhnemdbf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Nogmin32.exe
        
        C:\Windows\system32\Nogmin32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Nhpabdqd.exe
        
        C:\Windows\system32\Nhpabdqd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Ngcanq32.exe
        
        C:\Windows\system32\Ngcanq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Nahfkigd.exe
        
        C:\Windows\system32\Nahfkigd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Ndgbgefh.exe
        
        C:\Windows\system32\Ndgbgefh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ngencpel.exe
        
        C:\Windows\system32\Ngencpel.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Nickoldp.exe
        
        C:\Windows\system32\Nickoldp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Nlbgkgcc.exe
        
        C:\Windows\system32\Nlbgkgcc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Ncloha32.exe
        
        C:\Windows\system32\Ncloha32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Nmacej32.exe
        
        C:\Windows\system32\Nmacej32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Nobpmb32.exe
        
        C:\Windows\system32\Nobpmb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Ncnlnaim.exe
        
        C:\Windows\system32\Ncnlnaim.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Ogjhnp32.exe
        
        C:\Windows\system32\Ogjhnp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Oihdjk32.exe
        
        C:\Windows\system32\Oihdjk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Ohkdfhge.exe
        
        C:\Windows\system32\Ohkdfhge.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 140
        51⤵
        Program crash
        
        PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dlmfob32.dll

Filesize
7KB

MD5
1073bf088346710c799e16422e6e536a

SHA1
f815e18827522756a1d868fbb1c57ea9b1e52184

SHA256
501ab846b86333cb99d8266b52868a6c24d56b89117df04396623f7f9fd1c5f0

SHA512
3ad3147ebf4d9f13c741cd1d6719bca86eaafbdfeecb08af442924fe6911cf424435a4f1c70734ecfa44b586796dbe7727254c9b1a43e3a481bd55b067878a90

Download Submit
C:\Windows\SysWOW64\Lajmkhai.exe

Filesize
93KB

MD5
92693d8d297466106730dc44a766f594

SHA1
b4429b069e5eb1e0b39ac3d03af0ea511fc98c52

SHA256
5d246eb7eb26ceecde874ee8afc236374a72c362790555ab582a0fd57a8fab2d

SHA512
6b5c69d0bbda409e552b590cb6fab0368f7c94a7db2cd89370e774909e28499a894a7562f30d0a98cacb8dd4bd0f9ff56939855edd967e5bb4e4fed78c1e240a

Download Submit
C:\Windows\SysWOW64\Lehfafgp.exe

Filesize
93KB

MD5
2c56a83fb11496f39082492cf7828336

SHA1
43939f0128db79d5692f3c64aed8242c4fac1c20

SHA256
489831e307983d5a7f0be0e2b002b9a55376d7a659eb2820260ca8e7439efd6e

SHA512
0ec9cdac8499becc39c8d20ee88faa9acb561fdb216713009603c4250947bddd0ad938d27582dad685fa57c5c51b6e3a45105f530f9f84f98e040dac4008d28d

Download Submit
C:\Windows\SysWOW64\Lgbibb32.exe

Filesize
93KB

MD5
01927808a8103460cb171307bd8ea9fc

SHA1
8cc497b6032eaa8eb88a6721cd77a0aa6a88f30f

SHA256
b9bb9a1492d2ed76792ae682cb5289a3a09d061e6351be5fef9460676904e176

SHA512
981f87c658894659ea1fcc1cce8b137fdad9e562aa42d96052914563dc0ad156a069eccf32c5c9ffeaff1bd1ee0a35f0330a5656747b0c35feaf034502ad994e

Download Submit
C:\Windows\SysWOW64\Lpiacp32.exe

Filesize
93KB

MD5
06efd833e4f7921fd4a1a84c36aa38be

SHA1
6d7a552d977334518f7b03e578959ea1a1f208b5

SHA256
4f5cfbf05fd05c637a1509c404814843e8705c6ed523c0a8a0bf441d57b15941

SHA512
19fbc637a31e1a80a4dd89128b0e3a4eaadd40ba290fa60b8e2d42998b09959c248acb95844e2343d07b07fe944768c78c75b6a4220061345d58be73ccf5f983

Download Submit
C:\Windows\SysWOW64\Maapjjml.exe

Filesize
93KB

MD5
6e9d31336c331cf901670f54012ed8aa

SHA1
a4111eac11b02662fb8afaacfc170b79c12753dd

SHA256
185141c97ba5c7ac2678a9a1169ab4fe2a818f54f03ca38c872ded9a1296703c

SHA512
39291b303ff409def923e39a39e07dcdc7def68d280010501283156693f8d974ff41771a3f3f10ba2a14481bf18cc37e6b17d3e3f635f57883aa147b4329ffe4

Download Submit
C:\Windows\SysWOW64\Mbginomj.exe

Filesize
93KB

MD5
ac490de5e9fd3490acda473aadf61ad6

SHA1
cce433ae63ea4c7b0bc8226295bf3f114b14990b

SHA256
87812aa67d4b197e2aaea52f7eafd818eaef64225562ed57c10a3ae2fcefb8ec

SHA512
d02c72d56a628631e599c20dcfc081b70e60c35f5e724e24d8c57011b2ed69845b9fd4d450112e177381cb75ba90f38d2ff94a9f007ff67076d9b1da549d7f60

Download Submit
C:\Windows\SysWOW64\Mbjfcnkg.exe

Filesize
93KB

MD5
2fc3b6d8c0dac2211e8e769283290f0d

SHA1
293f9aef1aefe52cf9798b71ee27a198f8f7571d

SHA256
2789eab30616f927f1531b08cd18a5325d38aad86641c2622900dc8d1967f68c

SHA512
82af3d6db409386ba450e097a2f626a8c405e39b9ebd0bbcdb430d42c2eefeba9ac65d5020c8347e8e7f2d676e5526c30c2f0b9a03e578e448ebc771f124f2ba

Download Submit
C:\Windows\SysWOW64\Mblcin32.exe

Filesize
93KB

MD5
00b53128be79b5ed77aad003db803908

SHA1
d28710041237b643672a74cd559e16c82046a271

SHA256
0dce318c5197bbdd11c4399e42f81662c302f97bd9e9dda2d0368dc000b8d780

SHA512
c2ddb2cb296bd06e9c7a341ebc95cd6b869eb4e08c90225e41b6b8e6a742f019d5a6233aba178b95e39973e18e4eb1e207fb47e6d2a642bfee54cf7f7b12703d

Download Submit
C:\Windows\SysWOW64\Mddibb32.exe

Filesize
93KB

MD5
44aeb7c90daa79f741cc27562c63a2b9

SHA1
98329dd28f0f21bbc8a96b52f177973a02da3cb0

SHA256
65f360a5161b52a40b42ce9047ea46acadf2d0c18406eb21b0c38c13f7d256e5

SHA512
13683c567a1d6ba78fb4fa886c369357ccbaa8a622c71b933bd661b21c29cda9e441158779944fd80c2e8a2eca8f5f850bfb97fff7113a4702b54ae1224be910

Download Submit
C:\Windows\SysWOW64\Meffjjln.exe

Filesize
93KB

MD5
1c58edea1de7281419ac03a25b8dd3b8

SHA1
984c6e5f1a70e08c5dcc7480885f478028b4adc9

SHA256
143cf9bfc3cedc9c5b054b32a3afb4c63fc7392da5ed6e00cb4751bc17d22f3f

SHA512
0d4b147e9e0b9363909cc9493a5d247378c7939b1430f571e82145bb309d4e7eda7a16427d93ded1ff5d0e2e4d9089e90dd0a4b1828db471c6d49da0a461e07c

Download Submit
C:\Windows\SysWOW64\Mejoei32.exe

Filesize
93KB

MD5
1886820ea83ecc85d780b42a7ae12c86

SHA1
05f50d17a1858503ca6c495316ec38cb2da3535f

SHA256
519e493575a557d7298708133020b42a0e61c1ee7fa2dfbca1ea01e2413acb18

SHA512
71032e65e4119b2131aed53768372edbebc35344f3d9622c3cfd3a6cea48b947d0d3e83eb4516db8fc33087dba25858b986bc7399b3543e479ca4f5dac4f93ae

Download Submit
C:\Windows\SysWOW64\Mfebdm32.exe

Filesize
93KB

MD5
b2bed84b012054756557b13fab2a38c3

SHA1
f4420a7bcef4c47821ddb8b914a28ffb84d12e01

SHA256
429acd16761cfeba2d525d9150b052b858be526357b7fb2929a3d1962550c19b

SHA512
67d2da2abbbd71e5748cd5d92104f50986355d632b4d8ae73671a62f868f00aab7db05846d759bb81326f1a77f2bcf355f698b571ecf4bccdccdbcc55ffe67b6

Download Submit
C:\Windows\SysWOW64\Mlbkmdah.exe

Filesize
93KB

MD5
66625ec2a7766a169bb208bbceb8c025

SHA1
cfc4efbacd53eb7250250221461c19659b0a8812

SHA256
1c6fb64dff399bd5f4f60b7ee1ab5c19d23d22873742c87b7bcda5c10c575f4f

SHA512
b3d4131a76c22481a036699d2b0fc278fcd7b1a82a73be5d0755b66ce8ee9c2c7e1a9ad6d83d810599b55888f5bece55d90d340cdfc23211e2ef617c341611d2

Download Submit
C:\Windows\SysWOW64\Mlgdhcmb.exe

Filesize
93KB

MD5
0d12dec33ffedfbdaf4e0c84c9231bdf

SHA1
ea5013a051bbbe504008bfdfeec8fe06e4ad687f

SHA256
c46430b38d0776aed0ec6409a4a701e84a5bf7949210badeb536d802b6b844bc

SHA512
868a693aeb5238dc5126d5184446b378ab696afb066f53af123a3691a9cfd7ecff366a4022e4d9cfd72eff49653dd328b8c66810a562da0ba552f728ae9d3b32

Download Submit
C:\Windows\SysWOW64\Mmkafhnb.exe

Filesize
93KB

MD5
2452460179ac1ea26eea61a6cdde38f3

SHA1
0ffe821fb7c0594b430a2b9efa0854c48e230598

SHA256
67472fefdd590b2f27e7b6395d5427941f3c080980fd4f5a659afd9028fa1e39

SHA512
75c4c3d4e325ec3ae0341a9ab585a2102ba96609fd4ccde0027899ce55bb2481bfca664f9ed8afd887eb7ace710e87e3bbc85aebabc945b753554d2ad64ecb82

Download Submit
C:\Windows\SysWOW64\Mmmnkglp.exe

Filesize
93KB

MD5
b85313b94dca1b811faa35660ef57452

SHA1
5f3e453f26cc62f3971555c6e8e65909400ce76c

SHA256
1db454a66e92c2de2c31635e2d6ad23020465bc244aa9a804089db4e7b0b7167

SHA512
fa2f09af546a9a30b6cd229bf1daf44eac72d155edb00afb97a558615724a3addbb6c9155ff1f154238bdc218dd50aab4f19abc7293c80f139eb633ebba6ae51

Download Submit
C:\Windows\SysWOW64\Moccnoni.exe

Filesize
93KB

MD5
3aa5455f90d9a51f936782e256364fd6

SHA1
37a125856da5fa3ddda3daa8b544f745d7e6a240

SHA256
1c9607ee8599801067d7ae6cec2cf1426c40a5fe80ed8b11890a3b9266d3ca61

SHA512
9b0d508b60911c5b6cefbf9d371b112c4b7a360c9ad3ecd47d4a7043e93e39ad8f50427c29d959e83fa34bed2cc95d86cc2bdb72f7ae634cbe0863f750cc28e2

Download Submit
C:\Windows\SysWOW64\Moqgiopk.exe

Filesize
93KB

MD5
8efdb6840e64b4671b799b49e92ce5bb

SHA1
2364adb924fe9daa5f02b857420307598db6d33a

SHA256
3a77c9a7cd3ca9a33aaeed626f6ba83b2830f37874a9913f9d18cfa14bf5941b

SHA512
fbdeef601f4d75438643d98a1c510c4c96b8bd3c9b04f627e22d1b136f900d485cee4186361c0167bf1406ed82a1d34ce0b45ade299d43ab3ecb05c628d725d4

Download Submit
C:\Windows\SysWOW64\Nahfkigd.exe

Filesize
93KB

MD5
b14d581a1326606c6539135f2266b4fd

SHA1
604786c3aa6a462894e2ba6819f38597ae0b096e

SHA256
d91307c06601c03965c9bbb1f3659283f96555d1276c979de8c42fc474b60ebe

SHA512
92e950327228af97ffffc45859e7977f5b7d7657ee5fda69b18645017acaa054d88f2302477cb1202d710b3df1f691114665e7441ce3442408eb94655815e0de

Download Submit
C:\Windows\SysWOW64\Ncloha32.exe

Filesize
93KB

MD5
e9e1c2feb76b2032a091e62fbea0e2e6

SHA1
5e95479952a6a7dbb6afa2a3b68ab1bc347f5387

SHA256
e6527018ca0b4470728ab2555801562feba4fcf5daee9a088a3a1384d589669e

SHA512
0bdd4a41d8cd1649c6a35d775d8d566b8891d610a47728936fd6ce1fc39c23eab115fc2ecd200b3d0bafd6ed1bebeb98bceef7fac19f115b8e95ea9660b93e07

Download Submit
C:\Windows\SysWOW64\Ncnlnaim.exe

Filesize
93KB

MD5
ce49fa0dff89c556a50f96c4db8c3908

SHA1
ffdeb8b1454da608a5dfd4bba04a1a837f2d2f45

SHA256
baef967f49558c3e7426b91978a9d552b60a96fd36af15ebd4ceb5cedf9c3d72

SHA512
07a93bb51ececb9c00768dbf7d03abc243f37968e22410c26831882ff0c4aee328594abf45dd218788a3fe1741039162e8486a3aaca56c00b7fb8a35bf65f1c7

Download Submit
C:\Windows\SysWOW64\Ndbile32.exe

Filesize
93KB

MD5
1c93a991ac94418d7dfee421f0662b8d

SHA1
53555fd03920c5cf35f9165666509024082db938

SHA256
56a992df28cf09b892a4c5ab1a92573687b8541e92b47340929afed75de6726a

SHA512
e4932fc2efadaa7672e211de07e1e94f1c7517316f2b20e595f3d4f6d751b19bb3070db5240d8d6c9487549f1ded35b0e59bd402aaeeac501fbb3056b5040217

Download Submit
C:\Windows\SysWOW64\Ndgbgefh.exe

Filesize
93KB

MD5
72eed1bd51ac6e398f89baeb2b035a45

SHA1
8027c1c77d422841c8229935d36692dd538e4fac

SHA256
19d30ef69d1b3285e65d722316827d1f4daad7e57184cdf7020d61aaf54d5607

SHA512
c1109db46c266a4b9e9039cba81f39093239d7936645262a7517d0cee71e73eb16348055ce21ce2efeb16b488c258b4461005e44d355535c18a6a3d0ef62234f

Download Submit
C:\Windows\SysWOW64\Ngcanq32.exe

Filesize
93KB

MD5
32aaf68ac5bebfec9919a1c590d4a832

SHA1
f76f164bab9ec956ca39a519938cbd4f47b527d7

SHA256
af289d166b0e7ecf3dbe4085dfc0687f1fae010fd2951bc238a9cf7a473e3552

SHA512
5050110fe73d540283c5e5e27cda53723015bfefcaf7e1e7eaa2e7f7f90aa288f2f191acead202894abcec95902c61c12672fbb71d2c19eb922579f009798b1b

Download Submit
C:\Windows\SysWOW64\Ngencpel.exe

Filesize
93KB

MD5
3d1bd710d92cf62c14134966c2bd37c8

SHA1
15477cfa375c23677eec4cda2aa1301a070a9552

SHA256
e4952453ff6e2996caaacef6f83e863dee7f5f3abec8d139c579db778a4091a2

SHA512
21c8aac525f8c158fb439bbf6da069ac27f9fa29aaa628a66eb48dfd148280842524134f64cbf8c4e8c90e5eabc269064946b228f4e51ba3657de7ca27706a26

Download Submit
C:\Windows\SysWOW64\Nhnemdbf.exe

Filesize
93KB

MD5
c8b714f9d2432a3be17b8f980a247e77

SHA1
d23216c8464ed26dd08c72463d144cd7070852e2

SHA256
1e95519fb3b720bec73fde64fdf6c07d406693d247770774b0c69d45c9a4d579

SHA512
1a6f36529ad159c69bdad6a39f1915ac5df6c3b735fefd803f7286924681d1c78d5bd9d6373731f5f59f55708fa7ffae5d6e4cfbc05ed1f7f58f282652a9824a

Download Submit
C:\Windows\SysWOW64\Nhpabdqd.exe

Filesize
93KB

MD5
e78d8b67392e892f1f16a6b65aa80c29

SHA1
8de65a2c3f864f1ffa3bebf573da06d065dbbbfd

SHA256
43aa319d29f1bfe323988433fe60877b2f3218ea527045721c8adfc6ac7872da

SHA512
48b889bdd76bc068e17b13a47f3db090cefcd57e7597beaecabc67bebfdb1c929f5b2866084d577021abf5c60eee3af1e4e9606dfbe5686db8e6c79f6f9076ca

Download Submit
C:\Windows\SysWOW64\Nickoldp.exe

Filesize
93KB

MD5
0dfbe33d053f05b58960ea7ccde6276d

SHA1
0ae09b1df4e72fa4b00b7a3792022c2378741f8f

SHA256
c0641299be88de20b558cf39db9413f5bac5dbd095d1621a3f7b51add74a7116

SHA512
5cb4ebad51fcbc4c816f9934e6c49b058aad7ff1bd34d961d56a91df79aa43e685674ab173a29c87a7ec9717eb228488542d60f9fa88f94c2008b252d74c9c26

Download Submit
C:\Windows\SysWOW64\Nlbgkgcc.exe

Filesize
93KB

MD5
537fc5e814d696544007960d5fc4b383

SHA1
0aab61461381f4c02882c2fd9caea392f5edef4b

SHA256
d9e73167dc7e75b95e094440f4e6144b3380e9bcf28197e0066b9bde4e6ac0a1

SHA512
6f5ca0a204411d05cbcd44fe48dd3978ee30ba2083166ef22135c85c73a934043044cb2346a6bab7d3395f1c1a3d48dab1c9d336ed85e0ee11b375c4a8516b38

Download Submit
C:\Windows\SysWOW64\Nmacej32.exe

Filesize
93KB

MD5
6ec02f8abf24f8d852571cb743667ee5

SHA1
086e7f340de7ae5e10c1de734aadcd48194fd5cb

SHA256
19f6c438086b7bff1bc1836aa36f228b4ae35228edf79e20141683aa848f87b7

SHA512
795ecf90eaf8d9d9fa74e91bdca8176e007eb3ddb719ee498e00eb0cd647f8607e4806352419f57dd5cd2b6961e29c7f6f40eaf8bf717548aeab26236645ffaa

Download Submit
C:\Windows\SysWOW64\Nmhqokcq.exe

Filesize
93KB

MD5
d641cfb07cb2d38ae471a36c4ae9e0c6

SHA1
fd15eac1ad6bf3e62d931a0916ccc08d3eed3225

SHA256
554b6a29207f2dd5c0af8fff77da7d896a7d42b0dbffad3200f3b2c3b8e1e810

SHA512
9e903a90d3bf58325cd7409561b43a80aaf963697d492f84c030de433439595bd60aa52439d9683d58b509b6eb349b0bdcd38182e133e7007dad0d81370bcd9a

Download Submit
C:\Windows\SysWOW64\Nobpmb32.exe

Filesize
93KB

MD5
6f71d19efd022ea7f7c19f669ba273ef

SHA1
19debbc80eefc0b1d64c45a95e3b98b8a5d8dc7d

SHA256
5ed8172eec570638f2c4f884eca41572ded409e9c7463e47094b2037f6265249

SHA512
05543bb1fec8ffebd3101dc493bcba7a0ff2bc9f41a10d7d168ec8475523f4e1816e83f8f3b8aa228749dca089430363087d2a6bfcf7568331574a315da3ec8c

Download Submit
C:\Windows\SysWOW64\Nogmin32.exe

Filesize
93KB

MD5
245f13215925ac80e30c9c35e0214030

SHA1
e57b5502f2b38d7794b3c64c73b99d0892616106

SHA256
b12952c09fa1744de60d744c810724f81ab3c5b2ae41635e6df48b131a12a279

SHA512
248db4b5443ae83294b0f6c7dc82307b5e6405c8ffe8709456184e81dc3ec57a1472996ad8e06aec385ca24a0dad765e5eaa4b927e4c97f11513341ba9996b5c

Download Submit
C:\Windows\SysWOW64\Ogjhnp32.exe

Filesize
93KB

MD5
38363b9f8a16760a14707b1df78369a0

SHA1
aa2f7291c9c42d8d19cb44e5ea81194a5377e25d

SHA256
885fdc64bfab639ef1ab1d41487d7bc7599e4415c4f1d7fd3c269e914cbc8644

SHA512
5bf5fa0882d5e33553784b4f25d9d4920846b8a2aed623e156f760a4e1996588c53ac024e4f35019fcce31f1a62cfcd87e28f1b12948672097e62a5780c0a625

Download Submit
C:\Windows\SysWOW64\Ohkdfhge.exe

Filesize
93KB

MD5
913d5ffa8a36d6d851c92b2e0fc0adea

SHA1
2e6ef98d277334717d4e0993ebb29e7ee7b387f4

SHA256
9b2c6b9e6cdddb138df9ab44470fe4bdd287cebc3cf23bf268a4906ab0034057

SHA512
6779b42f406e0472005e06240110a8cf9bbe5b5632c034944769443275f23b37d7ce78b86460d71b431b343c51cdf971ac8d483519d1170f7aca66124b69dba3

Download Submit
C:\Windows\SysWOW64\Oihdjk32.exe

Filesize
93KB

MD5
68730105b622af8ca4e2d7e707cf5d9a

SHA1
2271cb0ebda589cc5c9cf8d9e72220541bab7d34

SHA256
852c3ce427b97dfc09fddb000da73e307d4cb4080a5d47a09e57b89ff60752e5

SHA512
ffcd90ec811b8567e3166ab75646a502227e4f89d20442ae53019ed4ae71ca423647558dd835bc5291a21ed9ea4596846deab512cbb195efe45445f91526565d

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
93KB

MD5
c11a60aa8ce9592661eb408ec6658c11

SHA1
5a789fdeabdbe8f715a0e4a44869ea19149d0e72

SHA256
3365b42a9da8c69c44ac9d727caa4c26d011823a25e3fb0bceaeb0266fa82e67

SHA512
2c525928f207b8a8423f5b5c16cb5486ee605eaaa430b87a1d46070f40338785f27ee55df8fc276a5721a453fd76a948cb29f29a1422f3a3e6a5cf953fe8f19d

Download Submit
\Windows\SysWOW64\Kioiffcn.exe

Filesize
93KB

MD5
46fe9afcbf88a40e1833e993f99d70af

SHA1
641bc4da037203bf8b90da01fcdbcd64d59d9298

SHA256
61a68c6ae89bdf728d94f0cb2a5c14fbd40cda0e5ba92c62c2931e0d14e73852

SHA512
80c03bc35ad58e837b6d0594af62e6b97a4e0c885b4dcb12cee0ee35ca519686b7380fa41998efe96f777e3b56e2d5aa13a36845b09d9f5ff4df3eaf9b6bcfd0

Download Submit
\Windows\SysWOW64\Lbjjekhl.exe

Filesize
93KB

MD5
9a86a493807644ed4e2511d847d946c6

SHA1
32d12786c171bb170ed1a54da9d8ae7ef108e347

SHA256
fb5673e95159a8142aac65e065809f240661c323ec55a0aa6e26093af3e8534b

SHA512
80625fe592f68c1ee1ea088e117f5d3627cf14029f8b50004e9f1eec0b41c95b7443e80bb891fd677132ef9bb9a784353b728e0631f9fd43603461ec1184e833

Download Submit
\Windows\SysWOW64\Lcncbc32.exe

Filesize
93KB

MD5
4ff9d36f7eb9d5679a36522b3e5ed4c1

SHA1
7cfe2e1b32c66a31ffc2f05a6bc42db6226b9a7d

SHA256
68d78c6afa39d20dc1c705957a5b03974bb830433d1e33202d8fbc9fa5b7a262

SHA512
4f5b928268d72a13434254d245a2442a5a79b6d34eb456d97870b96779cb56e9785ca8a1fc5e9c3a4345adec8f6be10461a28c799a7831ae8a52275613d78162

Download Submit
\Windows\SysWOW64\Lfnlcnih.exe

Filesize
93KB

MD5
f5fc71ed320fca977cef4cd7012eb81a

SHA1
1ef698f4b3d68d4e0a7331068c31f5c09eaaae2c

SHA256
68acb2b8747ff4faa60ed473af6a4b783436f7eb3d485ef7f7442a1be912ecb3

SHA512
ebd06919e834bee8c4d54940791410b975f65a03ddd8243dbf35694774db2ed333a82e75ff2345fff9a2e252802c3a1b0b17230a9c1ede2412c732c4d9cdb67c

Download Submit
\Windows\SysWOW64\Lggbmbfc.exe

Filesize
93KB

MD5
6a983e8fbf92a25822a9fcbab76db97e

SHA1
7c736cceeecc169cd87f936ef3c21c7d690d271f

SHA256
bbb5e19dacc9a99deac3557041a2201195bae1f6f2b1d7cdbd9c093eb385ba89

SHA512
89dd5174b755fc29642441d95d690ee4cc372343f0119d2ddd9d65c938ad5d154063dfe39e133a6afc99538c3be55a9eef844b46e957914db714b2aff99f1ba7

Download Submit
\Windows\SysWOW64\Ljeoimeg.exe

Filesize
93KB

MD5
a56ddd9a79cdec6778c363a7837cf450

SHA1
332cefb60e2b431e28b9c4ea4d97d7e5dd254dba

SHA256
dc7e254e4e0377c2736dee51555db61b46fa57c5e80970ddbc32ee52d081f83f

SHA512
95bb27a6db7e5fb8027a5d7af7dbac12214f22e6f8641ec4371799a3e9ae4d6d48a94fc107d8d391f40642cf001a755ff4cb6da6fa43db77072d9b313ec7c795

Download Submit
\Windows\SysWOW64\Ljgkom32.exe

Filesize
93KB

MD5
146cb29d1b6f2c3a4b74a7b9630be628

SHA1
0d8a9d1885f00f51e440f7e4fd81d43eb720b960

SHA256
bb38282e738e9977fd1c9f40ffb741aa857f1df3acdd9b1f6e4afaba24da925b

SHA512
b0cfb6f84e961a8c2fb1286c2c9265a701a9abcb18430298ca6d6baa01b0c0f5840bf8f4e51f0f2c86919e6af9bf246a6f8948fa84d8211f67f52087eb4e1652

Download Submit
\Windows\SysWOW64\Llpaha32.exe

Filesize
93KB

MD5
0ee10cee53d2fa964c29d2181b62bac5

SHA1
6fb8b80be07c509315b6ee40482c3ba05d148dc6

SHA256
2fe6319d167c97ae0209b5636f934281c0b4d0af0e61f5c6ece792a0952cd429

SHA512
438a2977775ede10fde9813849c72c8baa846c851958926e7d4de8f3ef3577c3c0f99a41683f196c670ace066d5cdc31228c57252a4dad84a0507d343543c19d

Download Submit
\Windows\SysWOW64\Lmhdph32.exe

Filesize
93KB

MD5
d987da020a3c57070cf73870d7c7da90

SHA1
143f3ec0a850e43af36a37c3368d651d38814192

SHA256
356627b9dba8ae9015147ac541f4ad47addc5db8c3e901805926c346877a625c

SHA512
3b7ebf85c0eeb438ebe13bb7e647c84d2d908ffead9b25b48cfd5ee7570e5ad8f31f392857e0d3fef36f466502dd6c76755ad32e4be1e88660139f3a253b09f9

Download Submit
\Windows\SysWOW64\Lpddgd32.exe

Filesize
93KB

MD5
2c5048df347019a1c3ea75fc4db15a27

SHA1
900767731417e6a83a1cf38fb712e9a40e15e7b6

SHA256
cea38e6becedc5f8bb5a7f34b18c9f5e253b401a8afa91373e184c88d70fe49e

SHA512
edb74052fb1ad4e7fd460dd94dfa4eeb255ef16db4d99a52fe3f7529ff39b247ae1a6a7c5a8b0847d6941e824293f601f56416e103fac4ff355241d72c2a7d25

Download Submit
\Windows\SysWOW64\Lpgqlc32.exe

Filesize
93KB

MD5
361bd2ffe54653e92da9e1e3620018aa

SHA1
b09a9df8e2cc4a09d9d61b832ed1763efdee8741

SHA256
ddd1e51b4ced05151670dfbbc72c4846aa13f2e20e07136df3a07a960018d8db

SHA512
ea40267a01edebf12475bc6a5db54ed3fb06bb198c073ab3942ec14a2762f8f9e49542e730a8481e16403b2a2cfdbe34746e8c7a1dd7486cb9c791f4d9d40242

Download Submit
\Windows\SysWOW64\Mjlejl32.exe

Filesize
93KB

MD5
b8f3bd4816b59df9bdafd5df161a88fe

SHA1
a60eadd0d4ecd8fcaf824f8af5d524f4649555ab

SHA256
5525fa963818aa9818e0f86cc89ce801e24dd52e2407f8f14c84123843713ee1

SHA512
23050e15569cbe08d0b446ebb0480f8c078712ef8c0acd43527805ae5458e2836911010807453bb9f017708bd0dc210c3b00997bf8c60a72f8f9eb39ad05eff4

Download Submit
memory/528-503-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/528-498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-409-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/772-402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/780-275-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/780-265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/780-274-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1332-416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-286-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1396-282-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1396-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-364-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1496-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-11-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1496-12-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1508-460-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1508-456-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-394-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/1708-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-129-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1732-306-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1732-307-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1804-234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-264-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1912-263-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1912-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-293-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1936-297-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1936-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-487-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-492-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/2092-252-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2092-243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-253-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2200-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2200-156-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2220-435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-471-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-317-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2340-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-318-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2432-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-230-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2492-340-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2492-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-339-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2532-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-208-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2700-405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-63-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2728-420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-76-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2748-89-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2748-440-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-374-0x0000000000340000-0x000000000037E000-memory.dmp

Filesize
248KB

Download
memory/2752-380-0x0000000000340000-0x000000000037E000-memory.dmp

Filesize
248KB

Download
memory/2752-373-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-55-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2780-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-410-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2780-54-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2780-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2784-329-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2784-319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2784-324-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2812-361-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2812-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-362-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2836-347-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2836-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2836-351-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2856-462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2856-472-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2856-470-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2872-427-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2872-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-102-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2884-451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-404-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2936-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-46-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2964-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-181-0x0000000001FB0000-0x0000000001FEE000-memory.dmp

Filesize
248KB

Download
memory/2992-174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-396-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/3008-390-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads