9d61d1837d420d5beadf742f61a9a8f24dbc5877342d9ea669587ebb99e704c2

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65959a09e690ef05aa38eaaa7edde380N.exe
Size

93KB
MD5

65959a09e690ef05aa38eaaa7edde380
SHA1

fdd02bca4ccf68c7aee7b88de043b2e491bfa21c
SHA256

9d61d1837d420d5beadf742f61a9a8f24dbc5877342d9ea669587ebb99e704c2
SHA512

123246342a8c605cfdc5e93f507546353e6aef69684df55b1e208e7af04f57021d6f1796f7fdd077a5924c81800dc22fc11b4a60c7f06082441fe7312ac4d63f
SSDEEP

1536:MWCxw+FOvC+CkhD9hel9VBNmksFqyrPjMW8f68Q19WnIYjc1L8+1BH2G6puYksRF:ewiOvC+Ck9hH4eWnI43TZebSJdEN0s4X

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onmfimga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akdilipp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmgelf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cklhcfle.exe

Executes dropped EXE 64 IoCs

pid	Process
6008	Mcbpjg32.exe
4420	Mfqlfb32.exe
4864	Mnhdgpii.exe
4320	Mqfpckhm.exe
1672	Mcelpggq.exe
2432	Mjodla32.exe
2292	Mqimikfj.exe
2504	Mgbefe32.exe
4188	Mnmmboed.exe
5036	Mqkiok32.exe
3292	Monjjgkb.exe
3992	Mgeakekd.exe
1224	Nnojho32.exe
1568	Nmbjcljl.exe
4488	Nopfpgip.exe
2900	Nqpcjj32.exe
4408	Ncnofeof.exe
872	Nflkbanj.exe
5176	Nncccnol.exe
2356	Ncqlkemc.exe
4388	Nglhld32.exe
6028	Njjdho32.exe
4056	Npgmpf32.exe
5288	Nnhmnn32.exe
2052	Nagiji32.exe
5232	Ngqagcag.exe
5624	Ojomcopk.exe
5356	Oplfkeob.exe
5276	Onmfimga.exe
1432	Opnbae32.exe
5560	Ogekbb32.exe
1736	Ofhknodl.exe
2584	Ombcji32.exe
3348	Ojfcdnjc.exe
352	Oaplqh32.exe
3604	Ocohmc32.exe
1004	Ondljl32.exe
1208	Oabhfg32.exe
3156	Ohlqcagj.exe
1204	Pmiikh32.exe
1600	Paeelgnj.exe
576	Pccahbmn.exe
2644	Pjmjdm32.exe
4268	Pagbaglh.exe
1520	Ppjbmc32.exe
3232	Phajna32.exe
5768	Pfdjinjo.exe
5388	Paiogf32.exe
768	Phcgcqab.exe
3220	Pjbcplpe.exe
3176	Pmpolgoi.exe
1916	Pfiddm32.exe
840	Ppahmb32.exe
5136	Pdmdnadc.exe
1884	Qmeigg32.exe
5040	Qpcecb32.exe
3640	Qdoacabq.exe
2608	Qfmmplad.exe
4372	Qodeajbg.exe
5760	Qmgelf32.exe
4476	Qpeahb32.exe
5180	Qdaniq32.exe
5880	Afpjel32.exe
3828	Akkffkhk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mqkiok32.exe	Mnmmboed.exe
File opened for modification	C:\Windows\SysWOW64\Ojomcopk.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Nkgdfb32.dll	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Mgbefe32.exe	Mqimikfj.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Onmfimga.exe	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Ibmlia32.dll	Cggimh32.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdbpgl32.exe
File opened for modification	C:\Windows\SysWOW64\Pccahbmn.exe	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Lngqkhda.dll	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Fenpmnno.dll	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Mfqlfb32.exe	Mcbpjg32.exe
File created	C:\Windows\SysWOW64\Gpkpbaea.dll	Mqfpckhm.exe
File created	C:\Windows\SysWOW64\Ojomcopk.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Akdilipp.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	Amlogfel.exe
File created	C:\Windows\SysWOW64\Ahfmpnql.exe	Apodoq32.exe
File created	C:\Windows\SysWOW64\Bddcenpi.exe	Bmjkic32.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Ogekbb32.exe	Opnbae32.exe
File opened for modification	C:\Windows\SysWOW64\Ogekbb32.exe	Opnbae32.exe
File created	C:\Windows\SysWOW64\Aaenbd32.exe	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Iohmnmmb.dll	Akdilipp.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Bnlhncgi.exe
File opened for modification	C:\Windows\SysWOW64\Cponen32.exe	Cnaaib32.exe
File opened for modification	C:\Windows\SysWOW64\Mqimikfj.exe	Mjodla32.exe
File created	C:\Windows\SysWOW64\Nflkbanj.exe	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Nglhld32.exe	Ncqlkemc.exe
File opened for modification	C:\Windows\SysWOW64\Pjmjdm32.exe	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Bmijpchc.dll	Agdcpkll.exe
File opened for modification	C:\Windows\SysWOW64\Bpkdjofm.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Cnfkdb32.exe	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Pmiikh32.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Plikcm32.dll	Bpdnjple.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Bmjkic32.exe
File opened for modification	C:\Windows\SysWOW64\Aajhndkb.exe	Agdcpkll.exe
File opened for modification	C:\Windows\SysWOW64\Aggpfkjj.exe	Adhdjpjf.exe
File opened for modification	C:\Windows\SysWOW64\Mjodla32.exe	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Aknbkjfh.exe	Ahofoogd.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Nagiji32.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Boldhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cglbhhga.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Mnmmboed.exe	Mgbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Nopfpgip.exe	Nmbjcljl.exe
File opened for modification	C:\Windows\SysWOW64\Opnbae32.exe	Onmfimga.exe
File created	C:\Windows\SysWOW64\Ppahmb32.exe	Pfiddm32.exe
File opened for modification	C:\Windows\SysWOW64\Afpjel32.exe	Qdaniq32.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Aknbkjfh.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Bnlhncgi.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Pjmjdm32.exe	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Opjghl32.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Ebggoi32.dll	Bklomh32.exe
File created	C:\Windows\SysWOW64\Nglhld32.exe	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Jnfpnk32.dll	Phajna32.exe
File opened for modification	C:\Windows\SysWOW64\Ncqlkemc.exe	Nncccnol.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3584	6084	WerFault.exe	219

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnhdgpii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onmfimga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcbpjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqagcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocohmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmgelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqkiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nopfpgip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nncccnol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npgmpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phajna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqpcjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaplqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpeahb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65959a09e690ef05aa38eaaa7edde380N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monjjgkb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Monjjgkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjnfknb.dll"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnojho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgqin32.dll"	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	65959a09e690ef05aa38eaaa7edde380N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll"	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cponen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglbla32.dll"	Onmfimga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfjl32.dll"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamhbhe.dll"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	65959a09e690ef05aa38eaaa7edde380N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll"	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6080 wrote to memory of 6008	6080	65959a09e690ef05aa38eaaa7edde380N.exe	83
PID 6080 wrote to memory of 6008	6080	65959a09e690ef05aa38eaaa7edde380N.exe	83
PID 6080 wrote to memory of 6008	6080	65959a09e690ef05aa38eaaa7edde380N.exe	83
PID 6008 wrote to memory of 4420	6008	Mcbpjg32.exe	84
PID 6008 wrote to memory of 4420	6008	Mcbpjg32.exe	84
PID 6008 wrote to memory of 4420	6008	Mcbpjg32.exe	84
PID 4420 wrote to memory of 4864	4420	Mfqlfb32.exe	85
PID 4420 wrote to memory of 4864	4420	Mfqlfb32.exe	85
PID 4420 wrote to memory of 4864	4420	Mfqlfb32.exe	85
PID 4864 wrote to memory of 4320	4864	Mnhdgpii.exe	86
PID 4864 wrote to memory of 4320	4864	Mnhdgpii.exe	86
PID 4864 wrote to memory of 4320	4864	Mnhdgpii.exe	86
PID 4320 wrote to memory of 1672	4320	Mqfpckhm.exe	87
PID 4320 wrote to memory of 1672	4320	Mqfpckhm.exe	87
PID 4320 wrote to memory of 1672	4320	Mqfpckhm.exe	87
PID 1672 wrote to memory of 2432	1672	Mcelpggq.exe	89
PID 1672 wrote to memory of 2432	1672	Mcelpggq.exe	89
PID 1672 wrote to memory of 2432	1672	Mcelpggq.exe	89
PID 2432 wrote to memory of 2292	2432	Mjodla32.exe	90
PID 2432 wrote to memory of 2292	2432	Mjodla32.exe	90
PID 2432 wrote to memory of 2292	2432	Mjodla32.exe	90
PID 2292 wrote to memory of 2504	2292	Mqimikfj.exe	91
PID 2292 wrote to memory of 2504	2292	Mqimikfj.exe	91
PID 2292 wrote to memory of 2504	2292	Mqimikfj.exe	91
PID 2504 wrote to memory of 4188	2504	Mgbefe32.exe	92
PID 2504 wrote to memory of 4188	2504	Mgbefe32.exe	92
PID 2504 wrote to memory of 4188	2504	Mgbefe32.exe	92
PID 4188 wrote to memory of 5036	4188	Mnmmboed.exe	94
PID 4188 wrote to memory of 5036	4188	Mnmmboed.exe	94
PID 4188 wrote to memory of 5036	4188	Mnmmboed.exe	94
PID 5036 wrote to memory of 3292	5036	Mqkiok32.exe	95
PID 5036 wrote to memory of 3292	5036	Mqkiok32.exe	95
PID 5036 wrote to memory of 3292	5036	Mqkiok32.exe	95
PID 3292 wrote to memory of 3992	3292	Monjjgkb.exe	96
PID 3292 wrote to memory of 3992	3292	Monjjgkb.exe	96
PID 3292 wrote to memory of 3992	3292	Monjjgkb.exe	96
PID 3992 wrote to memory of 1224	3992	Mgeakekd.exe	97
PID 3992 wrote to memory of 1224	3992	Mgeakekd.exe	97
PID 3992 wrote to memory of 1224	3992	Mgeakekd.exe	97
PID 1224 wrote to memory of 1568	1224	Nnojho32.exe	98
PID 1224 wrote to memory of 1568	1224	Nnojho32.exe	98
PID 1224 wrote to memory of 1568	1224	Nnojho32.exe	98
PID 1568 wrote to memory of 4488	1568	Nmbjcljl.exe	99
PID 1568 wrote to memory of 4488	1568	Nmbjcljl.exe	99
PID 1568 wrote to memory of 4488	1568	Nmbjcljl.exe	99
PID 4488 wrote to memory of 2900	4488	Nopfpgip.exe	101
PID 4488 wrote to memory of 2900	4488	Nopfpgip.exe	101
PID 4488 wrote to memory of 2900	4488	Nopfpgip.exe	101
PID 2900 wrote to memory of 4408	2900	Nqpcjj32.exe	102
PID 2900 wrote to memory of 4408	2900	Nqpcjj32.exe	102
PID 2900 wrote to memory of 4408	2900	Nqpcjj32.exe	102
PID 4408 wrote to memory of 872	4408	Ncnofeof.exe	103
PID 4408 wrote to memory of 872	4408	Ncnofeof.exe	103
PID 4408 wrote to memory of 872	4408	Ncnofeof.exe	103
PID 872 wrote to memory of 5176	872	Nflkbanj.exe	104
PID 872 wrote to memory of 5176	872	Nflkbanj.exe	104
PID 872 wrote to memory of 5176	872	Nflkbanj.exe	104
PID 5176 wrote to memory of 2356	5176	Nncccnol.exe	105
PID 5176 wrote to memory of 2356	5176	Nncccnol.exe	105
PID 5176 wrote to memory of 2356	5176	Nncccnol.exe	105
PID 2356 wrote to memory of 4388	2356	Ncqlkemc.exe	106
PID 2356 wrote to memory of 4388	2356	Ncqlkemc.exe	106
PID 2356 wrote to memory of 4388	2356	Ncqlkemc.exe	106
PID 4388 wrote to memory of 6028	4388	Nglhld32.exe	107

C:\Users\Admin\AppData\Local\Temp\65959a09e690ef05aa38eaaa7edde380N.exe
"C:\Users\Admin\AppData\Local\Temp\65959a09e690ef05aa38eaaa7edde380N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6080
- C:\Windows\SysWOW64\Mcbpjg32.exe
  C:\Windows\system32\Mcbpjg32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6008
- - C:\Windows\SysWOW64\Mfqlfb32.exe
    C:\Windows\system32\Mfqlfb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\SysWOW64\Mnhdgpii.exe
      C:\Windows\system32\Mnhdgpii.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5176
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6028
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        25⤵
        Executes dropped EXE
        
        PID:5288
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        33⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:352
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        44⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        49⤵
        Executes dropped EXE
        
        PID:5388
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5136
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5880
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        67⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        71⤵
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        72⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        85⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        89⤵
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        92⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        102⤵
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        103⤵
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        104⤵
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        107⤵
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        110⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1072
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        119⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        120⤵
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        121⤵
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        127⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        128⤵
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        129⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 412
        131⤵
        Program crash
        
        PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6084 -ip 6084
1⤵
PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
93KB

MD5
f55904c30e98aba1d6d4b4d4089cc804

SHA1
b81f816e1ac6f18a60a4b10c4cb003b9c0433619

SHA256
220c6757765975e13d8c6cb94aae4b7ce802957c08be21e368bc35ce4548e975

SHA512
e18b4157957b9300dd65f9d674105bda48b5ebac8d54e2c024f2ad5e6d0fb21829e9e363074e4c9748b5366bf3c983f94c766c5bb1016224f2b3f8c2c54df815

Download Submit
C:\Windows\SysWOW64\Boldhf32.exe

Filesize
93KB

MD5
896401a554fb2d3c4d1ad18451d7d088

SHA1
0a3a31a776ae03a26c7a6ff24effb9bc9d0a3ad7

SHA256
2e78c576bd92d6640da7120cfad1010541eaaa7fea965afcfeefb8eec39ef2cc

SHA512
c53c75d7db72ca80b0d7c2c714be27e8f3d87be9045667786e7385d363cde83046ea9dd4627daa6d64ac7b65e86532caff47bd38bab637211e9eff1f110a6c68

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
93KB

MD5
38b0b720fbb8a5ce40913c1efb00a186

SHA1
063f12adf551c329853247af6923a5f2b60569ee

SHA256
1628a19f0072e6d6eed3ddd61c91b66204beb79e8e5792882fc9dd2a1263bf4e

SHA512
8f9e74fe83aed10606ba4243805120479c1e6bed09e1661a8839945ea8e476c4c4f467334e21b7a395c7fe0613430b48c47382524ba1def70968730a61766906

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
93KB

MD5
0087420c803ca727cb8b693d2976a839

SHA1
879c386587c82bcb3e2af1b1b0397c69f5228956

SHA256
58c2f6cbf0ac0ad395caa5d0bc861097966f55742603d7a94df61ba7a6116ac5

SHA512
6e6c506587c25c47a1d3e787f9880480b72d3d73b2e549ec379f0a4932b3f58d3126e4485f7bffbacbaf75b687c388c031a40abe683759a181adf95114d6678f

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
93KB

MD5
b6fdf090dbefb21a644a70a363e94ce4

SHA1
ae0a113bc3cb8135da69881f66aa73e02df3ac60

SHA256
a066939cf605966f4b52c732795158b60d4481b96f398e25f78a5d30d2224548

SHA512
ac7fc914c022568c35c08b9473c5cd095c65a6067c7f2193e9fb49b06e13cf9a23a4c13400bc44a44b403e559b188465c556d4261859f3dea2877a01c6d2a09f

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
93KB

MD5
e9ac613c310fa7c474deebd30fe111e3

SHA1
3c87031b870d1b6645ef007d114f1df1bf05fc03

SHA256
93ed86a69d1725d6eff2a820180a29471bf4a9a83f02e4b9d454c7df6d690891

SHA512
75d78848c0a6d34368f176125ffb51e7efe66e0e65da3911e5e429e0c7a91c12c63cff790ea3528449571238f3ba7f24a2d87137f9c27b5c2e01ed1b322ea071

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
93KB

MD5
1d6e4278aebea8ad81a594b7d53e1a33

SHA1
6369743aa206cdc8c8244bc4a0d66c82ce154f26

SHA256
0049187258e3dbbaaa8d6ff62097c902721196dfb0f0928e5e93b6c7bb3d6c0e

SHA512
b4fdcd420423d3c52820757300dda5181f417d09ce3a7df454e32dea94cfa850e24d723fff21c5a9c4445fc4b123740e3d6ba1d1dafff1de99b9c50cf0fe73d5

Download Submit
C:\Windows\SysWOW64\Gpkpbaea.dll

Filesize
7KB

MD5
11d7bede6e6689d2b4171185ca19aa1b

SHA1
2f4a0b9fc101bbba742638716b1bea633fedc3c3

SHA256
255f0feac914e1b806da4c7de27e56f53530e59474ca816956f269ea13f5ef36

SHA512
e7334de93ca5966def42a96ec9975c2e99e81b84ab3def49158e51fbc20bd2a51c018f585784761a25dc5f88a3191f7d426f508b8d7be847b939008142a2f1b4

Download Submit
C:\Windows\SysWOW64\Mcbpjg32.exe

Filesize
93KB

MD5
1220b0a79fabc913e8235cb1f068c061

SHA1
b86a69fb0c503798bb9538a3b86789dfcd40950d

SHA256
d870a5edabdab8f85e8663b4d8c9e464edd653bc4c3a9cebef456981891f26fe

SHA512
d12c1b663f18a1b9bde28041936bcd50771be27a626566d5ee28731ebc2af86855b68d22291b021a1314f6b7251534af7293c1e7aec8be8507f2456e9901484a

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
93KB

MD5
9159987f85beec6da52aee5451dc7bd9

SHA1
39fe70e515491b286e2ba2848d9883438b73d654

SHA256
47df68ce1c80c85767a66d9f8595ccdc561fc1edce6a74c5a06ba380af923290

SHA512
e9d0a35d570a6d9ea32dd6cb3716b3111b67e9753dc9247500f72cae62a9a82b9796b6aba6e03b606dfde0b1e14730e8f65c0be268748b2688a9d266f3a89305

Download Submit
C:\Windows\SysWOW64\Mfqlfb32.exe

Filesize
93KB

MD5
8830a7b02e97e006dadf3e7297967363

SHA1
aa45efff44dc20fa855f49412bec33d5798f0d1a

SHA256
95359346b97891b03b77c1ef7c59b68907731f9b4a719504c171b48c41006f41

SHA512
c37720d6156fa8a682f7d6dbb03c3dbefe075f6abbd704aada79fe1cfb13db7a5fe28fb5ebe9a6ef04e4c61edc2d72b8eec95d2649f1416a377fb71b13b4d5e4

Download Submit
C:\Windows\SysWOW64\Mgbefe32.exe

Filesize
93KB

MD5
db966d8f1bf76784ce99dd00ce2306d9

SHA1
6404efcd5580813aad958c4ec9bee34a56f8a5c8

SHA256
2f5a171601f23e231c9da1cbc0c8eacb42307e395dbcd40c4e08c592996c2075

SHA512
598d0be0aaf5b5b9838d2df37c51911d25ff8641d6f3ddafab42bdcb1138fadefed23fc634c70439f3d5199c9fc18430ac140f4a7cb410ab9a221754fa01fa24

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
93KB

MD5
195ad28d82b1d7ee9eccc1ac27049b29

SHA1
0f37cc688560631cee47affcc4bec6f8d911c315

SHA256
4096e62e45c1b62944c339703765f96afcb7fed628dbb9b34762aaa4542d2075

SHA512
ac011258baad1a506c44da27bff580f7706eccda14b7efdf6d7c1ef2f9ba0fcf1c7fe5b387f346092255d3e8d0bfd9870cd37cb48d4837cd731dd8c3e323476a

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
93KB

MD5
84fd5c1da4be5593f4dabc7f99841eb3

SHA1
7d6187534162ba82bcdd68de97196a5224785e28

SHA256
a0556d9b594a934561cfa57da8752598fccf46e4b25634a0300e93a2d28566de

SHA512
3813e7420be68330a21a7066db926d1871357aba3ffca9007b894a3722c91d13e42c16765be4e8f7a8d18aa7ecdfc7392f135e66d304e215bb34bde2bef63c7d

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
93KB

MD5
564cd5b7d4edc9b0dfc1578ffb9cf461

SHA1
50ab7f39be42d55426977e503805748d96524e2f

SHA256
c7589dc33749268ec0d0d31ca4ec37ce677231cbd248fb6c6902dade5a6c9e84

SHA512
912b90473606b67266d23878ebd9684607d29b78a5048ef21bbc50cad8c4fdd36ac77e6c3a49a24474d76da34406f3b37e11f855207537f4cb0436fe184a6ccc

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
93KB

MD5
2f4a7ca8398d61c4f2aa042c893fea8c

SHA1
166b769dab5589cd547e23ed3005397d1bfb040a

SHA256
13c9d9920bccde9aba7a53af5c4ac548e20a8bd67da106ce795290c1984f033c

SHA512
21bdcaf12ffebd4f7f041f63cab2f31269e58bf23d90b2f29eb1c3f4c6070d35f32d3dc8f7a36252410e09aed940526265f7805b08ac7ed591c90a3458149794

Download Submit
C:\Windows\SysWOW64\Monjjgkb.exe

Filesize
93KB

MD5
cc33aaf262b87b5ec0aa95992640dd62

SHA1
2637555f2b38999f7cef2fb38dfd0ee3af712410

SHA256
5a6365bd7ad90a6346bd913baf4df20a3691370b0e64a954f788f60c67dea217

SHA512
0bb81336e8ecc8611743132e0655e832e9661a5cc280d64d05bcb297e36812c633e0392447f5b21d2466e9984a6dd9eb65c731e856c5adf4f524e32e34b742e0

Download Submit
C:\Windows\SysWOW64\Mqfpckhm.exe

Filesize
93KB

MD5
39bfe39f39b4ac3792322905a2a9164b

SHA1
0291eaf67b210f4a3b1949c787e8ade98bd6bc4d

SHA256
1c44589ef9efa4eaaecd0c470ae8a562a44be660ffd77ef66d839dd09ec1299e

SHA512
011bd150b08f186ff9e360685f7a7420360f663edf6480b9cc324ec5c0da17c039ca50bf5dc8a12ba45710681f072c24348f7b58697cabb108919a4b9d07c60a

Download Submit
C:\Windows\SysWOW64\Mqimikfj.exe

Filesize
93KB

MD5
9bba1b20267cc432bca4659e887b6f25

SHA1
ad06176436a8544e36773fdbeafa3de1ae3142f1

SHA256
76225c85eef36be74e794721a27e44967a6d3e69fcf56bb197a59ebd1129fbd3

SHA512
7f774c4b2d7b51955f21799291cd3a6398e601c8f3600ce7e6d1173e9824e71769bbc6d56be43ca59af565881b7ae3ce506dc6e0a6b25f996cadd5378a8b98d1

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
93KB

MD5
acf10083fa13beda3f590a1fab58d3f4

SHA1
b513b0edd826b0bd393b06342480540c7eb1058f

SHA256
f05c729fcbf324ecf2d2e310464639f553e8431a0b758de4cdc2af88d0e4f70f

SHA512
39b8f2229c34f5a0926f0fcb05083b3718a006752825d50b7a8b042192a1bf5a9abc5ed56b86fa5b5dba2571a2c0033c84ad68c209c6fe7fd0cec523095023f7

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
93KB

MD5
906418d8360fefd3270c8fd1b8a8e5ee

SHA1
5e9fdbf44cf4e8451228c2fa305e71361a89484f

SHA256
85b736500bf4e1ddf8c243ca4a3f6c58f30c53655a96e7dbf39dc9e362417a99

SHA512
85fe6e2f5718cfac5453ece1af07cdc9b3755e6d4112c08a67e3690768ba11268ed5a890a29a4c9f3f4d8f086ab67eec3f355d1588a48b5b47d741f9f19dab7b

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
93KB

MD5
0ef3fe2d4953c1629baa27b4026248bb

SHA1
7d50f8937375e9fcac00646db31ff3b12a019378

SHA256
6bbfaacd238a906a45f1030cc4aa7357ed8910d92b8a829b16df670153545189

SHA512
19205071ad59754a55e3ff78fad82529afa1cef813083cb78c5e74535db18ea49c6ef7e9248fbf5f8ecc1ef108437aad12787b66d6ed3e12875eb75a7446af56

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
93KB

MD5
867984ba936d59f089613d191dc28831

SHA1
1b232eeff86c435113fc837a991b52b8418a7ae2

SHA256
4d65de526b9df02a2bc376db45023abce5311df1453551e3b22cc4e68f363061

SHA512
1077321d00bd82eb1cac453311877df3e677913d273a56bfd5e2c8c031a1e9a4007ac423a493daee69fa0342acd195634f52ef5a7b990691688f0b4d575c5cc5

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
93KB

MD5
97b6a7d26ab045350f62ebcde562c590

SHA1
40bca3a9c238a6dd97657f5bc21fc40027966c86

SHA256
670652f5b6aa43523cf7418a8f4bcb80ae241962f3b401968057277a394d86ba

SHA512
1accff7c87f7feaaa88399b4d14b08bc988f8c3ffc244d95de6dda04818f4cf735443cdacb2c8dc6efafbb623d21b07d77c9e530446f2f2f093bfc6ceeb866be

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
93KB

MD5
391d3a782360ca94da4dc4e270b430f9

SHA1
2d7a7d87ed2f43442de2b9cf2254b3bee8f1c5f8

SHA256
447e398b7e951f8da3190de2e64d6585eaf1066362f9141b2b97a7f0c6105572

SHA512
baa0c0f2f1167d49b0d76f5a43fe150b1feaf2ceccd09b4d3e37aabc927d07ca9dedf68713b75f0425ca52ce62a70a163db2ea4a8f6331d0d343b6c72d97e161

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
93KB

MD5
897c5175ea5f81de59deac4dd1df3693

SHA1
ba52065d72366d966df4ebb7ef7b5d09bda93dce

SHA256
086950a902eb7ca7c633eac164f173e2ddd3394e3206a073c4f29f47e4a399ce

SHA512
b5e1a7d2648dcd1317af6c4f4ea58eb731e4b3b4fb71235f6167d9deb12ac124b903b5f374ba5822f06da97159922760fad85b96a2749a49a5f0650a7693a399

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
93KB

MD5
429372cfdcb6d547c563d37f8972b05b

SHA1
8ad168b560a136513257aa630051b7b1263cc545

SHA256
63cd4841190226bbcadf3b94916e7a959a200e3f9f89de604b3bccf971c92dde

SHA512
2f1c062dbac7ce02b5d5e529ebffbc279a95b24c1c2cbd0286a13d86f8b2efc2f5af9c6cf24fdd0d27aed21a8e6c63cf6703dbc5842623ad5d4e6698a3036f3f

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
93KB

MD5
5b680e8fc98da9cd093e997510a232ce

SHA1
b153626c8af67dddcfbcb47b6b7fc3c92c997cb6

SHA256
2ff13d1f2b97d9ae68c22ab0460ca092e71ae7a2c02aa22a2ea078e3eeeac0b6

SHA512
266ed2051e73f0d5a3d9d21efd4a8a33718f3552152a98a0e8b46aa8c19bbbd8b21249e7f4c11b7dc6820ebbde1859afa5652faf13710814f6c4bd7e49995a08

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
93KB

MD5
5b90a938e616d0bd6b0a18a965d6afb8

SHA1
252247f3336a9f829cfb84e2678105c0d02d3d11

SHA256
bfb1d91c8003ebe2462b7fa99f7400b1f4c43bd76f7406a9dc79c63da962b729

SHA512
e98fc085a1e0b9c5bc1558dff963da01899d069ca4072ab22a592b162696dadf32a8978a88cd0dc0dfd967c896f079cfee15c200844a789c873cd8ed62529cdf

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
93KB

MD5
fd1030b43942793e0fedb3f6d0857975

SHA1
5affdddd35c7c94681fbf6e4af6a88e1a54f357d

SHA256
af1eb99afec43c890e4629217adca526acd8232958785ccbc2aaf7dac7881ff1

SHA512
e4e8b2bb9d7e4eafbbeb44e08c52c8a7c6ccc5b734bd30acce018ba519db2a9f654aa46d6c8748b93585d109b97b6a1c9a27fdd5b6aa94c7c14ff2a647279294

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
93KB

MD5
c74cc719b495117b03fb6469a093e0d2

SHA1
f505d54b82959102ff93e2a0822c86465b784f35

SHA256
bb5f76c3a09e2ce259acec2cc30154a82949ae2d19ce9fdd27220e1566a10c25

SHA512
7ef1d1fa59733a7194a746fc6c1cc2274ae4135608e22339e24ad87074bc0cb73b644daa99100dc1303636f3b7a2e8d20ab22156dff8dc661934110077f59043

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
93KB

MD5
a9bb3394e2c427f678c763be96345623

SHA1
35a73c258fc5bfee578d556ef9ec7d853916ef81

SHA256
8a37c646f45f79459749881e3be676136b69222664903f4f77b89edf3fd4442a

SHA512
fbfb6503f4998e1c6ac06ee3eecbbd02c0e8052f2917451bf0c4228958d0c751754a3fc96d99b8309a9e3115acc35edf37e102780d0d189019d6d865f87e0083

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
93KB

MD5
3f49244745898d81c6f86449f8a586b9

SHA1
67d5121a9f7344bc5f434b7d554cccb4b00bc8e4

SHA256
e6bfda4013726a2b0708c2a40cb481e02164c27081b47c5dfe22ac314944f68d

SHA512
07ba8ac6bb901f9fbc9d76b1f5febef19af86b4aaea8e4a89e34778792d15a87ba50b51b4e538b1ea738bff2f8b312a850654ec5a42458d782ccdafecd309068

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
93KB

MD5
733f2862a6c734fcd7f5fee97d2c2409

SHA1
fe4076c3902aafc7955b60ea2b05b0a630cae65d

SHA256
2b3f82b82f2aee50417a056e991001fd3782027ea271ca414f4afb4e45920521

SHA512
a7385682bf73c266e153e87641114912ae7bd617d5aa6ca3e1d046f4bf6c7aec4f319a5ff1a20704edc6cba739539cea264c8e42625279f710a4296a8f02c92b

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
93KB

MD5
4d7779336a665c92b8aae81d6bf59293

SHA1
043f42ba420c4ab2b612ddfeaacea839be897a05

SHA256
c5e98e04955a4c511bb9d4cba5d98fac7905a398ac9e43b7a524ab460bd12f1e

SHA512
c75bc2ef0fdd24aacff8458620c1efee727f0c44dc3c0a4d1d78ba6ec81e2dd5efe791b6afb7c5e25b8736fde4ba6b3fd8e6716f554c2199e515330f539b0fe2

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
93KB

MD5
1b66941c8e2c5aeefb65e73ecc1595ca

SHA1
5f814375ce3e477d198a4d33f0c6e51451f1d2b9

SHA256
557fef7b93b9e101b668d788868f464255b82534d668d79d605978508ae97ffb

SHA512
ad834a21615e5f383a129f1e0c05b430bf722070e75d559c6abf1fcbff81c045dbd67991e0006ae65e807225000e7048891a07dd78a4d5d72603ddb68f8d16f3

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
93KB

MD5
75f36f70930e69cd809fd7ca765ad4a7

SHA1
849e6f344f392063f886581f7bdab18630fa6d0d

SHA256
b81077fc5b7ac4ea9c53678b123c83cec8eb67f5d4527e059abad149bedf9aca

SHA512
2a910e8c764ec4550045f469792307b0f434f04b9f2f16e16bdddace50e79d70aa7787ab81ac3c8003bd8670c44a4c5015ca14525fe9e22767914aac14a942c6

Download Submit
C:\Windows\SysWOW64\Onmfimga.exe

Filesize
93KB

MD5
02f522b96ab75b6768a7ae4b4ca00afa

SHA1
9aecbd7175b18b1b79cb12fec01dce5e9a3294fe

SHA256
b0d408fdace99f5c1dcdfec695aec688c6d03a78e34589b8a6fdbacb06cf9167

SHA512
bb456ff3023aeebf530accea55ce0c643eea82a2af430f7a4613fe804a15ebfdb9d6bc22bea23ca0a802c46a104e486c11b5cf3e756b890dc6695526e7534c4c

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
93KB

MD5
4c2b4f4a7df55fdd0965e6ff854d4c3c

SHA1
7a55d07bd88020d6b536e8758ddd2797d274eabe

SHA256
afd093b52767f11e13025023a4d5490f219ce352d5ee382718ecb320c0cd9b86

SHA512
8a2526ff7b8c32638a81ceba2df89597a3b413920652efb45e3b8f4762e9917379d64364450702c7d224fa0959601eae3dcba91bd5e3d40851815c44385fe9d1

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
93KB

MD5
24d3e745591b1d46811dc5b3d67935e2

SHA1
8ea3bc49ae94bbf56a57bcc1c3d539971b1d5657

SHA256
0c7cc1b99748b3a990eeecb87e0fc65dafd813b1711dbfcaa71d6aeed43a7608

SHA512
36ab2b85de034988111dada1aa5aa593efce804004c2c00835e0c6afd87b80c986e1a0eece327c688b972e159966dd169302df2af8f4eae47deedb2a7f27157d

Download Submit
C:\Windows\SysWOW64\Pdmdnadc.exe

Filesize
93KB

MD5
a6539f421db40eb8bb9b479ace276964

SHA1
b70543386b79005a5bdba8681aafcb29e8daf09f

SHA256
f4d59c37b3dfd467ff5db89ec3e2c9ae47c1c826c2a35b79daf5defe221a5571

SHA512
4c90aa5e4d208ed66d31c6a71e03cfc8c5e955f57559e6f713821eec80dd24af26876b510e0b922f7b4bc37f70d8fac863490aa322fadbdc56bbfe7a3cf2f238

Download Submit
memory/352-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/352-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/576-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/576-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/768-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1224-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1224-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3220-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3232-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5176-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5176-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5232-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5232-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5276-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5276-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5288-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5288-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5356-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5356-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5388-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5560-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5560-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5624-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5768-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6008-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6008-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6028-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6028-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6080-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6080-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads