4de328e443e957360c2887c7bb051dafc6dcd0f7e5af699a8943cc197170bb1e

Analysis

max time kernel
124s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01ac58e5375a9bb8a176d89ea65de5cef9e546292e13489d5c3d1b08341a9985.exe
Size

152KB
MD5

a1fd02f57abbbf4ba2745e222d7aa824
SHA1

6531cf1625f7d0643453a4401baab78aac269814
SHA256

01ac58e5375a9bb8a176d89ea65de5cef9e546292e13489d5c3d1b08341a9985
SHA512

f9d42c5e22014637fd6f064498d5d2d753fe9a9043a2847036cb33378e4098f325a3987c2ddc992d91696dbdd23d8e1dd0a5c16e8f0872813821e2e70f439559
SSDEEP

3072:1indKPWDmSA0NCbG6q1z6SSI64mgqo8vfaXM+kKxkYuaVDAq+fCrEpb:gndXmVlbGF1uSS4vr80MJKx5rmb

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe

Executes dropped EXE 64 IoCs

pid	Process
912	Ldoaklml.exe
3084	Lgmngglp.exe
3676	Lgokmgjm.exe
1076	Lllcen32.exe
2520	Mmlpoqpg.exe
2920	Mpjlklok.exe
692	Mibpda32.exe
4732	Mgfqmfde.exe
2396	Mdjagjco.exe
2384	Migjoaaf.exe
2768	Mdmnlj32.exe
2508	Menjdbgj.exe
4844	Mlhbal32.exe
3308	Ngmgne32.exe
872	Nngokoej.exe
4244	Ndaggimg.exe
1708	Nebdoa32.exe
1720	Nlmllkja.exe
2284	Ngbpidjh.exe
1576	Njqmepik.exe
3748	Ngdmod32.exe
4356	Nnneknob.exe
4544	Nggjdc32.exe
4836	Olcbmj32.exe
1584	Oflgep32.exe
740	Opakbi32.exe
3628	Ogkcpbam.exe
3448	Oneklm32.exe
4316	Ocbddc32.exe
4188	Ojllan32.exe
2800	Olkhmi32.exe
2980	Ocdqjceo.exe
1468	Ojoign32.exe
2208	Onjegled.exe
4620	Ogbipa32.exe
3708	Pmoahijl.exe
716	Pcijeb32.exe
3344	Pjcbbmif.exe
5048	Pqmjog32.exe
720	Pggbkagp.exe
4968	Pnakhkol.exe
4528	Pqpgdfnp.exe
2400	Qmmnjfnl.exe
984	Qcgffqei.exe
3140	Ajanck32.exe
3520	Ampkof32.exe
4784	Adgbpc32.exe
1620	Afhohlbj.exe
624	Anogiicl.exe
5092	Aeiofcji.exe
8	Ajfhnjhq.exe
3320	Amddjegd.exe
4364	Aeklkchg.exe
2916	Ajhddjfn.exe
3144	Aabmqd32.exe
868	Acqimo32.exe
2912	Afoeiklb.exe
2456	Aminee32.exe
4112	Aepefb32.exe
2348	Agoabn32.exe
3736	Bnhjohkb.exe
1624	Bebblb32.exe
1788	Bganhm32.exe
1352	Bmngqdpj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Migjoaaf.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5316	5212	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	01ac58e5375a9bb8a176d89ea65de5cef9e546292e13489d5c3d1b08341a9985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	01ac58e5375a9bb8a176d89ea65de5cef9e546292e13489d5c3d1b08341a9985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Mlhbal32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 912	4172	01ac58e5375a9bb8a176d89ea65de5cef9e546292e13489d5c3d1b08341a9985.exe	83
PID 4172 wrote to memory of 912	4172	01ac58e5375a9bb8a176d89ea65de5cef9e546292e13489d5c3d1b08341a9985.exe	83
PID 4172 wrote to memory of 912	4172	01ac58e5375a9bb8a176d89ea65de5cef9e546292e13489d5c3d1b08341a9985.exe	83
PID 912 wrote to memory of 3084	912	Ldoaklml.exe	84
PID 912 wrote to memory of 3084	912	Ldoaklml.exe	84
PID 912 wrote to memory of 3084	912	Ldoaklml.exe	84
PID 3084 wrote to memory of 3676	3084	Lgmngglp.exe	87
PID 3084 wrote to memory of 3676	3084	Lgmngglp.exe	87
PID 3084 wrote to memory of 3676	3084	Lgmngglp.exe	87
PID 3676 wrote to memory of 1076	3676	Lgokmgjm.exe	88
PID 3676 wrote to memory of 1076	3676	Lgokmgjm.exe	88
PID 3676 wrote to memory of 1076	3676	Lgokmgjm.exe	88
PID 1076 wrote to memory of 2520	1076	Lllcen32.exe	89
PID 1076 wrote to memory of 2520	1076	Lllcen32.exe	89
PID 1076 wrote to memory of 2520	1076	Lllcen32.exe	89
PID 2520 wrote to memory of 2920	2520	Mmlpoqpg.exe	90
PID 2520 wrote to memory of 2920	2520	Mmlpoqpg.exe	90
PID 2520 wrote to memory of 2920	2520	Mmlpoqpg.exe	90
PID 2920 wrote to memory of 692	2920	Mpjlklok.exe	91
PID 2920 wrote to memory of 692	2920	Mpjlklok.exe	91
PID 2920 wrote to memory of 692	2920	Mpjlklok.exe	91
PID 692 wrote to memory of 4732	692	Mibpda32.exe	92
PID 692 wrote to memory of 4732	692	Mibpda32.exe	92
PID 692 wrote to memory of 4732	692	Mibpda32.exe	92
PID 4732 wrote to memory of 2396	4732	Mgfqmfde.exe	94
PID 4732 wrote to memory of 2396	4732	Mgfqmfde.exe	94
PID 4732 wrote to memory of 2396	4732	Mgfqmfde.exe	94
PID 2396 wrote to memory of 2384	2396	Mdjagjco.exe	95
PID 2396 wrote to memory of 2384	2396	Mdjagjco.exe	95
PID 2396 wrote to memory of 2384	2396	Mdjagjco.exe	95
PID 2384 wrote to memory of 2768	2384	Migjoaaf.exe	96
PID 2384 wrote to memory of 2768	2384	Migjoaaf.exe	96
PID 2384 wrote to memory of 2768	2384	Migjoaaf.exe	96
PID 2768 wrote to memory of 2508	2768	Mdmnlj32.exe	97
PID 2768 wrote to memory of 2508	2768	Mdmnlj32.exe	97
PID 2768 wrote to memory of 2508	2768	Mdmnlj32.exe	97
PID 2508 wrote to memory of 4844	2508	Menjdbgj.exe	98
PID 2508 wrote to memory of 4844	2508	Menjdbgj.exe	98
PID 2508 wrote to memory of 4844	2508	Menjdbgj.exe	98
PID 4844 wrote to memory of 3308	4844	Mlhbal32.exe	99
PID 4844 wrote to memory of 3308	4844	Mlhbal32.exe	99
PID 4844 wrote to memory of 3308	4844	Mlhbal32.exe	99
PID 3308 wrote to memory of 872	3308	Ngmgne32.exe	100
PID 3308 wrote to memory of 872	3308	Ngmgne32.exe	100
PID 3308 wrote to memory of 872	3308	Ngmgne32.exe	100
PID 872 wrote to memory of 4244	872	Nngokoej.exe	101
PID 872 wrote to memory of 4244	872	Nngokoej.exe	101
PID 872 wrote to memory of 4244	872	Nngokoej.exe	101
PID 4244 wrote to memory of 1708	4244	Ndaggimg.exe	102
PID 4244 wrote to memory of 1708	4244	Ndaggimg.exe	102
PID 4244 wrote to memory of 1708	4244	Ndaggimg.exe	102
PID 1708 wrote to memory of 1720	1708	Nebdoa32.exe	103
PID 1708 wrote to memory of 1720	1708	Nebdoa32.exe	103
PID 1708 wrote to memory of 1720	1708	Nebdoa32.exe	103
PID 1720 wrote to memory of 2284	1720	Nlmllkja.exe	104
PID 1720 wrote to memory of 2284	1720	Nlmllkja.exe	104
PID 1720 wrote to memory of 2284	1720	Nlmllkja.exe	104
PID 2284 wrote to memory of 1576	2284	Ngbpidjh.exe	105
PID 2284 wrote to memory of 1576	2284	Ngbpidjh.exe	105
PID 2284 wrote to memory of 1576	2284	Ngbpidjh.exe	105
PID 1576 wrote to memory of 3748	1576	Njqmepik.exe	106
PID 1576 wrote to memory of 3748	1576	Njqmepik.exe	106
PID 1576 wrote to memory of 3748	1576	Njqmepik.exe	106
PID 3748 wrote to memory of 4356	3748	Ngdmod32.exe	107

C:\Users\Admin\AppData\Local\Temp\01ac58e5375a9bb8a176d89ea65de5cef9e546292e13489d5c3d1b08341a9985.exe
"C:\Users\Admin\AppData\Local\Temp\01ac58e5375a9bb8a176d89ea65de5cef9e546292e13489d5c3d1b08341a9985.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\Ldoaklml.exe
  C:\Windows\system32\Ldoaklml.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\Lgmngglp.exe
    C:\Windows\system32\Lgmngglp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\Lgokmgjm.exe
      C:\Windows\system32\Lgokmgjm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        25⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        73⤵
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5044
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        78⤵
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        80⤵
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        91⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 416
        96⤵
        Program crash
        
        PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5212 -ip 5212
1⤵
PID:5288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
152KB

MD5
0753c41b6aad994cc07587721aba45ba

SHA1
0853a341d39c2270f8fc218ca1d8e5c921945bce

SHA256
26e954a9abc3227f22639a1717cd3de09b6c3a3ec8eeeb3b0934a84c9754317d

SHA512
e9136de7875b0e8e9680fa72b8eddce9fff5346b2dfb4014da3374e28c94b429e90bbf040d2a1848fb23e53f3db3c3b0acefa4615097f0228f1e269ff1cfcbbc

Download Submit
C:\Windows\SysWOW64\Bnecbhin.dll

Filesize
7KB

MD5
0ff985b15171363b16df28f493f6e7e8

SHA1
5289de42f6349dcd9a128ef3202478365cff0d73

SHA256
880fa2bf2a0906c55fc9bdee2647b348764c6a8daa5591dd068f716770925bd8

SHA512
9f2577d9465cbd39f05a03c1e50ca43597dc9be033258d0ba72e2488b884d13402dffbb0ef0e4faf0c118108ca03ec171632f3d7652a01921e03fd162e095f84

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
152KB

MD5
447ebf56e440079276a0e975b425c63c

SHA1
d40240e104ad8d0c713d659897ed63d363055327

SHA256
0a7333dacd7d14b62ae31636469a579f83a48792354e6378dd2f40aed89ecbea

SHA512
5a0f93c1bab5753c45a70e6d52c12fa7681548f8036a06e685f075f76f88ab9119acdee0068fb1dfc02ccda4736a1894a61495ca0d254c8d3744c9b2771a2b86

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
152KB

MD5
194315bba98002c80d8f10ea64126df3

SHA1
ae1a6ed1ca9832f4617633e635b1bab9bc27630b

SHA256
54a80a8be91d4c7ac0419995cdfbbe98e301027d22bb3e68aa2b784f651d926a

SHA512
268c74f171bcb40e103259694284d2eb3737b9c88e3f6a807575ac6ec351bdc2e9ab8e4b19b4219605363f11041cdfa4bd950aa437761db3a8cc827c8ff12f59

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
152KB

MD5
bc160f341ea749a0071a1bc40e8a54cc

SHA1
6e8468310af76b2b70b23a837d0a3a2f4c0b073d

SHA256
bb5c94817ab21d3d33885d0c7a949e0a2822fa9d4a04cc9c8b5d6fee45ef2f34

SHA512
f804cf85d88d1d5faaa96da99f0e11c099edf06bd8ed80dd8b072b125b379114f75ecc11d3e0a58c252a189a7096e3bfeb62827d7a877f350a2bffa67130abb7

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
152KB

MD5
f676651a2fdc008878894e3356092524

SHA1
45ee541effc309e8be7bbce34aa534b4e2c493c8

SHA256
3ad45a991cf5a17dd54cd4c8d73834e02a80428d683e6673d4c9c4dbcd30e453

SHA512
cf5a242af0782220d9791ffb53cde1c2def93d5aefd3ea62d455ff27f6441bd00a74a9984e590554827283f4f599013b7e05219beb2dd21670d5b693e1a49e21

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
152KB

MD5
e22baeae932bd0931d3916373f19ec71

SHA1
8e304b163151d4cdb5141070b2e9a87f0acbb227

SHA256
a1edcbd37cbf70c3ed767c7b56cf58baf20de8d814c0f43a380bba681cb436b9

SHA512
7cad02ecf246bddc6863ee9e6d573fa156251d7c2d225b3a4f56cd55dc7b6c84aba96d3b812090a80ed0456209ccb4f7a99512531131e6346a4528c62eab699e

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
152KB

MD5
4c0994b73c6f5df36ffba7e0b4cb25cf

SHA1
9199b0c7d27734b81a7352c58d1a7414852386db

SHA256
d0469fb0ff4d06276cb18419b503ea0c7f0cc918794eeefcc1ce85e088ae3d44

SHA512
dad66af62808402a68edf3cda99d625d4b1e94e853eb7d8c3e1bd95d057eb5e1680f9a2e57632807b74a6bbe2bb8c9eb4f24f26904a28900f7f4955525f7c12d

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
152KB

MD5
7d85312b0efaee70b6ad1b389b4adb47

SHA1
2d4da316c3b025ce561d1cd1d76be5521b9c7f62

SHA256
cda4bef3847c75eb50457866f782a22b4637bf5fe99f40572ae1b1f92c17b742

SHA512
662caea9ffc26eef0084335b200d4c2353eb191b3a30d964088a5f201cbf12f0f0ca74b5a57427eee23cd7be49bb444e99049675718a0123b297ee973baad135

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
152KB

MD5
fd5688304b7e3e301465485b716dffc6

SHA1
829a0fc2c7d5259693b726795c300aac7e7a7165

SHA256
4a34835adddee162e4619a42624cc45c526f9e585c8d5167a04bdef17dd3d0dd

SHA512
8d3372673b95ba32374b90f6858121d368ba320b75db8306c86727edd32033b8e9cee15393367caa28e11f19092bc77efbf1ac7d1202419ac589c780c59dbc65

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
152KB

MD5
266be7e845286e26795c952d29ee98ba

SHA1
d287fbce109476d0fcb75054374dbf3b58607e2d

SHA256
98fd091a3694bd3505a647dd0dfda6bf0988a6cbb3da6c552829add087f140c2

SHA512
68ffca3273bebe4b913a5a5be881778337eec68231fb7946a0c2cb9e9488684ac669159ce23a3894bdaf931519f0d955a904ac6b3c3b46b2b17cbe80a3c04fdf

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
152KB

MD5
aafa9654658303bdd0b42f6ac25b8169

SHA1
224f1ead4d669a1e63775adf9bb4328047837b81

SHA256
75877a7321f70881ccbc7f9f86b1fd95ea6cc17b3e6f72e4b4d430502d11bd7d

SHA512
1b5b913d51cf6dae35d508acdb5ed11ab6017d02b41e7cc19b1e70c02fb119a471a82a4b23bfb74a0bfaa98137480d17e8fb066af09ddc6e0e73fd9250e14163

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
152KB

MD5
7a248876e182d32cae1ceebb7c27fa57

SHA1
24f8996e5e7d938a3e151125a12991d36eae5add

SHA256
0acb520a7e08172208b1eb08333b99b06e680d6dfbb4db4573f2f4d3043d471b

SHA512
c995489c6adfaba4e3232a399bb07d8cf68aacaf0202a8cbb4fbb7be827904a43f51b114b8e07ec7b8904bff9b237453825e74fc34b43919e9b01d4c364c1098

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
152KB

MD5
5ef0cb7c1882def69aa1878e1bcfee2a

SHA1
23bc79e09d4f0e30bc2101137a63ed6d45b3fe55

SHA256
18e6f8487f80d1b5604b3a519e3bd6a0672743411adeede886f6820145d666ca

SHA512
824469732cbfdc85f9007632bcff31985440bac79a2b704eedf70da13cbdccc0b89ca80c96cf30b8dfdf8a173903d747ccdc40a99fff6eaaac8ddf4a90aeb407

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
152KB

MD5
ae0e634e0eac33af17da72089767d5e9

SHA1
01cf76ca8e8081ce25ab56d4b9fabcf2f486f924

SHA256
44af8c231640772e4063364502f0cc87d2d583e2869980eecaad2bd6c6400846

SHA512
2ee3816ee9dc6d2145170983f14b2020227e19e1568a536cd383ce5d14f1714b9581b9b692105ca198c04da31260511c79ae124f82be943a1ed65efad78b04da

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
152KB

MD5
9d3bcdf80f5d4fc3b6c5ceae6be7bbd0

SHA1
c152a540cddf19465e7e79acf0731dcbd3f517d2

SHA256
0695cc577797be1f88caa0b3cd253aa560f47c78065df956c39b2d0fe51c0b06

SHA512
221b3c76aaa5a9b322fc4dde0477f76b8572e83802d3807cbef94304ed9ec16e61c082ca67c906de346276f6ba3543d27e992ae7b62b78a2ed6da03f7629a13e

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
152KB

MD5
1636a388f1a1b7d881d5ed1eb4366d00

SHA1
21b0770603ef9fbd9369186b7ca12e95c8dd09d6

SHA256
e0ab4ae952540053e992599da4d2260e2ffadeac1a2fa33c94e53c26f50c602f

SHA512
06e38a1dbabf5c4412414ec10b8bb4a56c09d721aaca16e04d88549966ccb7b02482dcc87d4911e6cd8372b266f64ff4d0aebe1ac08f1e6969a5256e7847e4e0

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
152KB

MD5
e4b9f388847f4365c9a3e0e30fb96d8b

SHA1
13b00a72907c9c101773bb1c6e46b0e2926cdd07

SHA256
9cdd36d39967a32ffdb1c75b45f2895475a23809e0bd8f0e8a1bbba026b1d584

SHA512
f959543440925a88fbb00f4da0e5eedfc01430f0de47813cd71de15e0e159734e704915fac0aebcd1048f92927ed2a30af7e970658d2926007862bdf50193a8b

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
152KB

MD5
3a83bf5d3e08f64411f0b25e0ca16e05

SHA1
495d883f54c7963a42ce8d19d0f7eeba07905f58

SHA256
275df7d66e075f4ba9bc33da57ec2db696cef0c3c7176f99b4d2593a4645bdc7

SHA512
4f5e6796a4cf614de5adad1cb12465e8fc3a7a8f831facfa71857fca44b4710cb8d6fba53dc1b37139eb57d9bc6d02d371b6307fef2c4cdb05385fe2b6256c57

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
152KB

MD5
a75756d8f54cc29fe98f66eb84bdd7c6

SHA1
234fb6a289009ef9b35d3b403c8c867d48129ac4

SHA256
9570d8d60696b24f933ec52145c3230aef6abd6bb7e0af1dea36f81cd82c5aa2

SHA512
5f190ee9a09333a0374e8fb3be68f853b7109ed4bdf165d0060fc5801efd52373ede34c225452f487d729c27c1ba2b3a8e21b1223529bad1f9ff2f0e6b2e7236

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
152KB

MD5
0c49c8082a0040d2af4b7452a0d1723c

SHA1
6ef49defb73a24de18ff60586d1d24bce342eec3

SHA256
0a2376e07308693ccb81e32566b2e2272d6b50bb1f67dc4dcf7a4acfed4edcd7

SHA512
cb0154065fa319d1b72265c0e116357a85b22137f8d37a3dfdba0611a8a70f1d4aaef746c125640daa2cd58709c36ffbf4a51b90f101ce2fa099c4b359544311

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
152KB

MD5
8963fca381e6a6c475df0652839cd6fd

SHA1
3d7dc40603ded94488aa583b8db63cb01f9bb443

SHA256
6fe693227a244195c28b116d0b05236d11451cde5612319f24d9ad463c6a8d49

SHA512
2e7c3363a6a72eb2fdc5ae1ca9ad98c08d226c0efbe16bc1554ba8a37f1a9ceed9cbaa6ceb6a18925d708632d42c12dc51886d5b2cd4310858543557a0b251da

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
152KB

MD5
ef201005fba794dd3e0a9b8efbba85dd

SHA1
ea227532cd501d2f4b28a30abe3600ed20bdbc94

SHA256
b56cb86eb39dd1fc0ba4a7c98a92e0115aa05e814816541cf4b331122fbb5e99

SHA512
7d642c6b34040055bf4457e219579b5485eb75c58c554bd64bb56f9e1edb80e0bf79a02cde6c6825366432515b7c5da616ebd78410018c27168dfb934a0e1399

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
152KB

MD5
8da0ffd5ead151218161736115e88a96

SHA1
f14bbb4949c2cf8d9c9681bfefa50af23897c48f

SHA256
36a7971cc87bd802814276a1ddc4aa2f475a909bbc040181796e048d0551da5b

SHA512
7ca5c012e9c6e05b2a106d6135c88ea4126b10942774269fabea3cc45817c4b8bfaefefa539ba9ef7eb52ca3b933da195d83b66022cdc67021a4f51d91cab578

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
152KB

MD5
089675568d5e682f7f37effc144f4316

SHA1
88bd0288c4df67b1483ab22f2723bd8284e4eed4

SHA256
6f39b7e101acbc8725d57f45707e19e427906a3c04ace4907a373e8bd6f004c3

SHA512
1ed6c0673ccee721a10794005a40bf8f7168069b9bb4687ea3dbd438f964a56b996ce5d250a4f687ab3f94b7953348f18b93b509bea150f80b72ac8a34c93939

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
152KB

MD5
7898205371de9543516eb74527c1ac76

SHA1
fdd767404e6d8741fd638694a8c51ed01315d39c

SHA256
ab22007c606d1ad30afd2004db8d5b61993f36f98a6b3ed695c6b31f1d13a2d2

SHA512
53746a1794fd3595a8c365340ec46b03188f55494d30ddf209e7496cd04516b6c82f1949d268f6c83c30fbb1245e29bb8321a3b19fc17f45193275e01ec65270

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
152KB

MD5
70f4ab091faa91eb278f374a23ad5e1c

SHA1
ff2af820df376e08d578dbc8291a69285dd20b9f

SHA256
27bf6b7488e54c2eb81183d11a8e62b216ee0aef82e1fe6e704a5682a9067b9a

SHA512
fa24986c063cc753014a8438eddf4e37bad2fe054a5b819a7aab471321c1af2e35f73cd2f9b5d1f2c473f39589abf7b352f1ed2a36b7e017dc9a267d397219b7

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
152KB

MD5
c153d8f2ee4c7196f53cb797e3fb48fd

SHA1
ce87a65e96b2f4c9395d43c28d83a26fd2cff024

SHA256
cd0ec96e341592fff5009b31fbfe38431fcaa84425ba470e64534dbdf7ee3b4c

SHA512
e4e422409cec72ff1d819e50ffbe893cfc127f11a39312d211cffde703d3b2a6cccb87d36d349c19ed51924f0c43167dc4860c1c360dc2abc626a01f8a11d3af

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
152KB

MD5
969e9b8e863838776f0fdd4915527317

SHA1
90c2666fe215b7f8606207e2b588e512335bb366

SHA256
02670b21f48bc87becd865df9fd2b3ee12a4982d8ec232204184d4a5b22ca873

SHA512
c621c5182e84ea17049d5097568aadeb38425b2b7c4f18104a8ecbc8ba2b722297c92a0f11d6f9d911be858e09a2e271a0e8dfcbc4ca60cd6ff6b4bb84649238

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
152KB

MD5
c93fd765cad5af9633c014a60ff0fb7d

SHA1
e1ddd4885458e40061517eca73026cfbfe5f7439

SHA256
0960d474d72b0931cc57c1d332a72dcda02d39f11f3fac8e7ab8a2fcf87f63f2

SHA512
55264e95d163b62ef4d94b1fae6c6dd9093d92e988c1983a6b434230d13a9acca03444d49d01c6be1455175ca001a44b8069bac2ed2459374b8a58ce5c3ca607

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
152KB

MD5
233c5d714d33993a0efd3b03654f034c

SHA1
2d084eb7dd5fbd6551a56f339977154cb9ae78d1

SHA256
0ec7ac78e0a91b2f40fccf3dd232ab4596cfbc771304620d737cae1677461ecc

SHA512
e4c11b44fde38e139ac64fcb5e656626ed3d4eb80b07908ff024d996f34c51e14d6bb9fec3012843d61038ea54d78cc44013860b62b8d83d1956fbcbcc7e1ed9

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
152KB

MD5
864cb283cd990f59fe11b5530e483f70

SHA1
3f5cf681aecfe5a7145740f083631ec7c0220a71

SHA256
1d29a3f6f0d7989944841c58774c56ff986ee276a3749c1674c4c393b18b0e57

SHA512
98150fe7a5ff3417171ab93d07a720ba3c79068477a732fd7d6eae3b91e07f3e167b159feafb72488e0e6243828dc380c4d689b3da14d29c790ebe29b32c43ce

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
152KB

MD5
f06e545e0b117afd53c82de213df89aa

SHA1
8cca91c11feec6f84e3db26ad5156b116d98d492

SHA256
345eb4c428a51e6448178978712d6504f8385b1f327a7fcbcad916fb332dc0ae

SHA512
18bd3d3f8eadd43bc75b81b497e7eb75d73f9389124d4b7f9a8c73c461d6a5ea914d6d16c9e482774aec0bf574a0a794e384e2ca3737b1e53dff48550c07116f

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
152KB

MD5
1515379e4a24ba4b736126edb1cfea07

SHA1
709245d7e64dcdf0e878567d14f0fda42239ba70

SHA256
a57efe2f78f07f91e66b6d5f35b9cadf3f95f78c31e9b888be756139a7a65c28

SHA512
d9178a691a8e3ab9d81c98a97917ef9d9225256648bc2f14a4c07c1f5b6d1e126c09dc6e12d9251eaf143404c2ae25b3a3412263935959c47c91a36a63b23b0e

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
152KB

MD5
e065c8d8bfe3af9dca3a18c4bb2bf41a

SHA1
bb7f9e62b9a7079a7b0760d1c69d9e8458386aaf

SHA256
0fc9c96dc8cca1524759ca252ee45bdaa6307670761663eecbd9f497c4685317

SHA512
67ad4335adea9e9176a042b8754c71dec73efa9e8b8fcc0db122bcf2f93fb463557fd90f93156f78ed3c6b8ad762bfc76ae5b79b73dc0edee713fcc76f421e4d

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
152KB

MD5
2bd2940e27c7cfb871a6eb11bbc28f28

SHA1
edd454b29e3bcd16ec6d8facbc07997034216139

SHA256
c821c46e2c67dd91023729c31ebe65d399aa1246844a66ba67e23e1257801bb4

SHA512
a190b3d7eb4fd445bc72bbc25f72e00280e9e9f6e7a6e69d5983afef0cf54aed3ab0356b1444c01a285ce4d72c27260e518054d77bf58304d901e7e74e3e7267

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
152KB

MD5
68293d92ef978b4bcb1fd537e0dfaf7c

SHA1
0b084c7061d0bcf07fca64a732c607a33618810d

SHA256
f5041d44cfdf16c43bd114a8c1e56d6dfcf997ee6e802dd5295c6feaf7f515cf

SHA512
411b8b7b647876e3946f52419ee85bfb38df354c64734c453cbedda7cb3e4800e9e5fb5acca8810855b61d8b0e5e087a2cb28971f7a88d58f92af072387ddcf9

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
152KB

MD5
25a4178c17312933075c790eb67ace04

SHA1
dc382fecec377acac0e8d39ddf1f4ab05fad3e39

SHA256
af604d2d5f4132503e9f4642c25a3dc49b24158890211c2df82de98f2e17b045

SHA512
011216cd6e9805e0a4e30665bef197afb02edd8416e7b99aacef1ad20d691666b9b86122c9896e1b0b32b5e98ce2b4874b6fa164782334c1c8cfe7773ca40bf3

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
152KB

MD5
a28430c5c48d7be7331180cd4788a0fa

SHA1
f2dcf913914d349b1c9ff44fc1edcdc43c42c44c

SHA256
d54da0832a1fa1969d8b2d1d430c3c4ed53770cd773c692333f9a7b7c9ecfd69

SHA512
172bea1000753b1ee0382af3a74e07ccb2bcb6c5901db1bcf5ec9de35727140e74984cfd45a3b53722165c732a81f225d6eae38c1f7656cdd128d3f511186f5f

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
152KB

MD5
fb26057c3b2810e64ac0208f9104b99f

SHA1
9bcc87452e9d3de175b5984a9a6abe2050431f09

SHA256
019582da9b9456fd84524455497a07c4c27580e3473d415bb8821751b8498d05

SHA512
d6368e7a14b5c1228414236e54c7d9093842aad40b2bf5f9f23df7bda2a42a975e5c43059fc452057c3cea91562d9a44d88b6163c2e730ec1c390b14db11d8d6

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
152KB

MD5
19b8b9f3780386e18cf2a3e651bc845e

SHA1
e0039e0f3da03fbc0d6c3491bf0fd693fe9a124f

SHA256
af210e16c39cc1771bccd421fbd572b8edf52f9344639d5be38cfa2e657a5cb6

SHA512
e33c8b49ff6417928b8e4b0a653cc3b70b28b37e9bdd6511f94370662f2879a44ea0ba7fe3b101aadb7e095fef0b632271e5263291aafd28285b41e3015ec789

Download Submit
memory/8-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/612-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-646-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/720-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-701-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-648-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-649-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-759-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-658-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5132-647-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads