389bfee1a5048fb84b056f8796ec7071469cdad0835a832691bfb9e5b41d7190

Analysis

max time kernel
106s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c514b8e6e0de04fa27c48565cc4639c0N.exe
Size

160KB
MD5

c514b8e6e0de04fa27c48565cc4639c0
SHA1

0331614ae888dae4296089d815e6126c0d972c50
SHA256

389bfee1a5048fb84b056f8796ec7071469cdad0835a832691bfb9e5b41d7190
SHA512

3f724b0164aee034c5d52a2facbb232b6fa6d4724933c4b0e0ab87cb4561f3bf8864ccaea6541bc3b5b172931e1d878ef6ca8f7c175af66b3be9bb3e4f54b6c1
SSDEEP

3072:q8FbE8vKsUiWC/2se5SJdEN0s4WE+3S9pui6yYPaI7DehizrVtNe:jkHTIENm+3Mpui6yYPaIGck

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe

Executes dropped EXE 64 IoCs

pid	Process
3320	Nnlhfn32.exe
1524	Ncianepl.exe
4048	Njciko32.exe
3116	Nnneknob.exe
2716	Npmagine.exe
2676	Nfjjppmm.exe
1460	Oponmilc.exe
5024	Ogifjcdp.exe
1144	Oncofm32.exe
3336	Opakbi32.exe
4564	Ocpgod32.exe
3108	Ojjolnaq.exe
4084	Olhlhjpd.exe
3260	Odocigqg.exe
1124	Ognpebpj.exe
4728	Ojllan32.exe
1008	Olkhmi32.exe
4500	Odapnf32.exe
60	Ocdqjceo.exe
2852	Ofcmfodb.exe
2108	Onjegled.exe
3884	Olmeci32.exe
4508	Oqhacgdh.exe
2000	Oddmdf32.exe
1012	Ocgmpccl.exe
2332	Ogbipa32.exe
4216	Ofeilobp.exe
4556	Ojaelm32.exe
4336	Pnlaml32.exe
4196	Pmoahijl.exe
4148	Pqknig32.exe
3804	Pdfjifjo.exe
740	Pcijeb32.exe
456	Pfhfan32.exe
4768	Pjcbbmif.exe
3412	Pnonbk32.exe
4468	Pmannhhj.exe
2612	Pqmjog32.exe
3736	Pdifoehl.exe
1196	Pclgkb32.exe
5088	Pfjcgn32.exe
4516	Pjeoglgc.exe
3540	Pnakhkol.exe
536	Pqpgdfnp.exe
3128	Pdkcde32.exe
3488	Pcncpbmd.exe
8	Pgioqq32.exe
264	Pjhlml32.exe
4492	Pncgmkmj.exe
3104	Pmfhig32.exe
3708	Pqbdjfln.exe
1512	Pcppfaka.exe
216	Pgllfp32.exe
1748	Pfolbmje.exe
4032	Pnfdcjkg.exe
4368	Pmidog32.exe
3496	Pqdqof32.exe
2620	Pdpmpdbd.exe
1184	Pcbmka32.exe
1080	Pfaigm32.exe
4876	Pjmehkqk.exe
3696	Qnhahj32.exe
1820	Qqfmde32.exe
2908	Qdbiedpa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	c514b8e6e0de04fa27c48565cc4639c0N.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pjcbbmif.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6576	6460	WerFault.exe	241

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	c514b8e6e0de04fa27c48565cc4639c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3320	1560	c514b8e6e0de04fa27c48565cc4639c0N.exe	84
PID 1560 wrote to memory of 3320	1560	c514b8e6e0de04fa27c48565cc4639c0N.exe	84
PID 1560 wrote to memory of 3320	1560	c514b8e6e0de04fa27c48565cc4639c0N.exe	84
PID 3320 wrote to memory of 1524	3320	Nnlhfn32.exe	85
PID 3320 wrote to memory of 1524	3320	Nnlhfn32.exe	85
PID 3320 wrote to memory of 1524	3320	Nnlhfn32.exe	85
PID 1524 wrote to memory of 4048	1524	Ncianepl.exe	86
PID 1524 wrote to memory of 4048	1524	Ncianepl.exe	86
PID 1524 wrote to memory of 4048	1524	Ncianepl.exe	86
PID 4048 wrote to memory of 3116	4048	Njciko32.exe	87
PID 4048 wrote to memory of 3116	4048	Njciko32.exe	87
PID 4048 wrote to memory of 3116	4048	Njciko32.exe	87
PID 3116 wrote to memory of 2716	3116	Nnneknob.exe	88
PID 3116 wrote to memory of 2716	3116	Nnneknob.exe	88
PID 3116 wrote to memory of 2716	3116	Nnneknob.exe	88
PID 2716 wrote to memory of 2676	2716	Npmagine.exe	89
PID 2716 wrote to memory of 2676	2716	Npmagine.exe	89
PID 2716 wrote to memory of 2676	2716	Npmagine.exe	89
PID 2676 wrote to memory of 1460	2676	Nfjjppmm.exe	90
PID 2676 wrote to memory of 1460	2676	Nfjjppmm.exe	90
PID 2676 wrote to memory of 1460	2676	Nfjjppmm.exe	90
PID 1460 wrote to memory of 5024	1460	Oponmilc.exe	91
PID 1460 wrote to memory of 5024	1460	Oponmilc.exe	91
PID 1460 wrote to memory of 5024	1460	Oponmilc.exe	91
PID 5024 wrote to memory of 1144	5024	Ogifjcdp.exe	92
PID 5024 wrote to memory of 1144	5024	Ogifjcdp.exe	92
PID 5024 wrote to memory of 1144	5024	Ogifjcdp.exe	92
PID 1144 wrote to memory of 3336	1144	Oncofm32.exe	93
PID 1144 wrote to memory of 3336	1144	Oncofm32.exe	93
PID 1144 wrote to memory of 3336	1144	Oncofm32.exe	93
PID 3336 wrote to memory of 4564	3336	Opakbi32.exe	94
PID 3336 wrote to memory of 4564	3336	Opakbi32.exe	94
PID 3336 wrote to memory of 4564	3336	Opakbi32.exe	94
PID 4564 wrote to memory of 3108	4564	Ocpgod32.exe	95
PID 4564 wrote to memory of 3108	4564	Ocpgod32.exe	95
PID 4564 wrote to memory of 3108	4564	Ocpgod32.exe	95
PID 3108 wrote to memory of 4084	3108	Ojjolnaq.exe	96
PID 3108 wrote to memory of 4084	3108	Ojjolnaq.exe	96
PID 3108 wrote to memory of 4084	3108	Ojjolnaq.exe	96
PID 4084 wrote to memory of 3260	4084	Olhlhjpd.exe	97
PID 4084 wrote to memory of 3260	4084	Olhlhjpd.exe	97
PID 4084 wrote to memory of 3260	4084	Olhlhjpd.exe	97
PID 3260 wrote to memory of 1124	3260	Odocigqg.exe	98
PID 3260 wrote to memory of 1124	3260	Odocigqg.exe	98
PID 3260 wrote to memory of 1124	3260	Odocigqg.exe	98
PID 1124 wrote to memory of 4728	1124	Ognpebpj.exe	99
PID 1124 wrote to memory of 4728	1124	Ognpebpj.exe	99
PID 1124 wrote to memory of 4728	1124	Ognpebpj.exe	99
PID 4728 wrote to memory of 1008	4728	Ojllan32.exe	101
PID 4728 wrote to memory of 1008	4728	Ojllan32.exe	101
PID 4728 wrote to memory of 1008	4728	Ojllan32.exe	101
PID 1008 wrote to memory of 4500	1008	Olkhmi32.exe	102
PID 1008 wrote to memory of 4500	1008	Olkhmi32.exe	102
PID 1008 wrote to memory of 4500	1008	Olkhmi32.exe	102
PID 4500 wrote to memory of 60	4500	Odapnf32.exe	103
PID 4500 wrote to memory of 60	4500	Odapnf32.exe	103
PID 4500 wrote to memory of 60	4500	Odapnf32.exe	103
PID 60 wrote to memory of 2852	60	Ocdqjceo.exe	104
PID 60 wrote to memory of 2852	60	Ocdqjceo.exe	104
PID 60 wrote to memory of 2852	60	Ocdqjceo.exe	104
PID 2852 wrote to memory of 2108	2852	Ofcmfodb.exe	105
PID 2852 wrote to memory of 2108	2852	Ofcmfodb.exe	105
PID 2852 wrote to memory of 2108	2852	Ofcmfodb.exe	105
PID 2108 wrote to memory of 3884	2108	Onjegled.exe	106

C:\Users\Admin\AppData\Local\Temp\c514b8e6e0de04fa27c48565cc4639c0N.exe
"C:\Users\Admin\AppData\Local\Temp\c514b8e6e0de04fa27c48565cc4639c0N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\Nnlhfn32.exe
  C:\Windows\system32\Nnlhfn32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\SysWOW64\Ncianepl.exe
    C:\Windows\system32\Ncianepl.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\Njciko32.exe
      C:\Windows\system32\Njciko32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
      - C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        24⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        29⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        40⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        47⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        53⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        59⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        70⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        72⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        74⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        79⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        84⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        86⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        90⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        93⤵
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:436
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        106⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        111⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        114⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1960
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        120⤵
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        124⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        128⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        134⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        138⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        140⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        141⤵
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        143⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1532
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        147⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6232
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6276
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        151⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6364
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6460 -s 408
        155⤵
        Program crash
        
        PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6460 -ip 6460
1⤵
PID:6536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
160KB

MD5
be61ed067130c6e4e372fd2f555c68ce

SHA1
bacfb91cd83aa9af76f63b16bb5d30be110c5717

SHA256
ec4476aa934658bc53d21d093b664c57a1b2f0d084ce5c2382e72e18ffdcace5

SHA512
8a2340131f460a58508b9f0d7404c86797fa92bedf547b27fbaa1d7c80e4abd123f6772676b347ef2251bcf1ae76bf36ccde65ef5fb03ad88897204806a4e36d

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
160KB

MD5
c3377f24d6185546465d268e9b576153

SHA1
acc7dbbd53b294c8495a5361c4e180f643d4ad36

SHA256
4f92f0470bbe2c0cc098aea6bbc1d437089178960b4bf5219a4a886b78644f2d

SHA512
52f19230527e16bbc23315f79cd471a13caa6322da808cbb718e94fcc05c665ea8966ac5ead3230d291894511d0a3b370a27bdf524323997f70b0b5d15c72423

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
160KB

MD5
49b93048aea66d43c36d89596ac2f499

SHA1
09328d935dd380ed4a4921daae68b0e4bfe2c639

SHA256
4823cc13cb74365603d5d823b851a5f80aaf20c263c7f7af684e8b04973d09c5

SHA512
6505d84f250c47fbe2bcb7e8b95804c634727faa42d01b78d7366eafd796df35dfc9d85c48452a880342149603674ff9c3896dcaa2446fe41ca8be412f4c8656

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
160KB

MD5
c9e248577c6abcd3aa2cb2a5c162fe79

SHA1
e89d2748e59d83be9e1313e835296674d4017067

SHA256
547d0e75be409652ed984db663beeac24bf4602e596712f57b0f953f200828ec

SHA512
f79abbb75917f9d3220d0ae2061c9364f84a60fcd3d776303497f3873e36f3fedb7cbc557c89c47fd889d33e22d663f982f6eabb1344668cd94cbc9f37f861b7

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
160KB

MD5
e6272118759973f0777a643ddc159a1a

SHA1
b11dcc4a4cf60b23d0c013f9ee461ca09ff9009c

SHA256
253062af8c64bcad456f6ac252034b6c5bf521f02ed9248a1906789d9189558f

SHA512
410d9d9ee557b12bbb799f757363389f60027b4ba3ca756ee6f3675918c7619ba28d12fbf7212f8f8c5b52b8c06d75754592b5887dabe4d4027ebdf9690403b8

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
160KB

MD5
a32950a047c1f91a63982147ff835e27

SHA1
e08115a9909bd7c726b6556a61c257bc2b36cc00

SHA256
692d5c824ce09468e9754cf21d458de63e303e380fece925855d75cc2fa6a0bb

SHA512
29b2844082b86eeee96f9a3c0362c5e8611943b2c6ce5b1777e89dbb305dd6560337a7e5aea2cc51d60b2cdb47887bbd77123a78acbb3c16d2088b41906e4317

Download Submit
C:\Windows\SysWOW64\Gcgnkd32.dll

Filesize
7KB

MD5
9210403af51db2f31e80a7508812a871

SHA1
e6d4c7806872357860299efbd55e5719c06c2f34

SHA256
2cb24aeed5bcf7a635fb2eb0eb30d590f3e8f67bdaa08e2cd21f5da14157f750

SHA512
3fc7589f8066f61be0332a71c94e033f6cb1c8076c50cb9d221bf734ce465ae2eed2b8eb2a94dd0f452c94a2cf615e3c37cc4fae8b6a8872e3e2bfa329fd5852

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
160KB

MD5
60a2da035226cca936027b2abcd978e5

SHA1
32621a55f7ac742c54963ec1b85b3b517aca4744

SHA256
e26bd66375118b9881b336f0f21eb60e1c741146940aeb57b643d6d6f6420560

SHA512
3d9491580e6d5cf7e479f539f0c7ffc5619c20649de966eb9bc57f6637db68877b9ab33b29ccefe64a46d51137111c19bf863904d7d0cf56ac92acc00920ebdb

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
160KB

MD5
1df450233eb3518299f1ba8a23b141a2

SHA1
4b555e092c5b3981d7398edce0f6face758b24e7

SHA256
468050b9668f9b0faecc7542b28e5c61b50358dc29a1d748fc7d5b4b3c7b471a

SHA512
92ff3635655bea42f7d92e91f7689d003b039978e1307736c6cf63c462a0e2ed203cf81d37a262948d31d557ad67a172af83c8e548a42ce0e88d65f3795b9ab6

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
160KB

MD5
84d0a73730852a4d0ca3ef30f707d0dc

SHA1
8f433d57eca4a6e1b780a84d4eecd28cb55919e9

SHA256
aa23dc9c45d9e43c9baf94b52441f0532ac96c4cbb18f26cd28cabf67c9ec8b1

SHA512
ecfb8ec7ab8af853edbac566029dd614e22f8b9e017c20cb48979d0a118f805448d94b6966bbc8bcdc45a0b04483182c8bc60743194c5edc6fc0465c9a772ea1

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
160KB

MD5
0cee3738ae88d32e58ec251fde793be2

SHA1
442c5190e4ae5e7e18388b63d7618462715c4154

SHA256
1b460b2be0a54dd38944d90ad3f15791826184326c45e5a4ae8a4d43877f4213

SHA512
5e1af715eb5d39f5226ce96f5fe1b42e23fb23228b491024d4f700e7bce07ef52fc1128480b06135d382376e46e0bc8b9665c3dcc99c18e3b93fc33891807666

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
160KB

MD5
48456ca523205383963668d2e0fc6847

SHA1
e4898611a6cbccbef062c2d6bc7a5ded8675783e

SHA256
ce8f5857ad80034f2ee4451404f2118de968fd78fd869071f3e099ca69722a75

SHA512
73a5928bc71ea93b53b9a3b461de17906673f7a9368e6c490243a85d83cbd0344449aa7fdb6de40cda53e5016331740dbf6a1de9a440a80cc49bd3f06d467b5f

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
160KB

MD5
780a47ca91719cd0fa9f4622dca94388

SHA1
ec373c9fcd1d4c5ca28902b89d1a811e90e29a61

SHA256
bcc064fd2d9fe5ef0940dee207002f907a8722964c6aff31a48e04b5079852ea

SHA512
149c67c0433146562fe610b66d9c4f72cc856431e7fdfb133ebfa7629bdc5e20178334ee518f8c3885f68f63efe05e01d641fd68c12d064eba8fba8b4f5f2d53

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
160KB

MD5
7fd90e8334c5db0dffed9d583ef58591

SHA1
fe5047e3dd4e04d2c3097eeefeaa3a8a857d0b68

SHA256
db2978b6b33cdeff452c4b30adcfb53fca2d56a182c94304ce2a3428f05b1cd3

SHA512
7e5e7827685840afd913d7285758d99beb5504edeef098ef9d38bd959591aff197a51b70bf7736ff53ffc6b742374c471411c002466a080b37b35978ec86d0f9

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
160KB

MD5
cd8b8e5f00b524ba631b76af3ab3de30

SHA1
90a93b174254aa549a14bcad8f8c7efefdd5d4dc

SHA256
078f133bdd7532de59d95d33806dec81369d14fa4e3dbd5537c62fc86a1b32f6

SHA512
ab8f1db99d11274952363324b405fa009c271eb13bfe9c23328b6d70c0f7eec9519390535da07b0011340fd9c463181ec81cdee7e798f1a6fb542abd98d91ec8

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
160KB

MD5
e531d4afe279bc47064f3a629299b6ef

SHA1
bce238f5c4c6a37e1bc17e14dc5ed808d2f25948

SHA256
4960cca7f048c9180b726c2991daee15599bd69b190398c976de0ce558f84ab2

SHA512
bd9b00e946c8e0cac3977abdb145cb12ffa215ec741a401db64e1c2736c03a1e10f0e337ef86befba84159ac8f10411d32aa5e0fb6dde50d55c1246b19dc1ec0

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
160KB

MD5
a8fc4f904101bacbdb2c298b3483293c

SHA1
b92725fc8056c495ddd052c9495ef054fc51955a

SHA256
d6e70c82ab5f2bc31e241a4d679c7c7b73c0d7bb06e48a6d476b12348fc811a0

SHA512
529cfe70343f6e95713b156fce638cbc824b861f256cd86e7f0b25066b8cbf1f5645951b1438994e3979befa9f1f043064d2f6edbfb8fc5b3f98afb34a1cbbdf

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
160KB

MD5
21d9551607d83e276956362433f480ce

SHA1
38e2603a2a1c9babfad9978ab2c1f8138e1f6fa2

SHA256
bbf786a083a774d8c3dc08345f3d4987107f4c7c0b19ed04ed75495849bd7019

SHA512
b839abdc7963c025272c8a07914ced99b2256bf894dbed3e5a29394d4d5570cbb0b7c2fdd2aed07b06f7350d32bf56f9f4f5bbbd02316643f7a523cea4be9db3

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
160KB

MD5
184a8f1c8cc21eb93bb9b1534ad2b9b2

SHA1
55f9485232a11362ece23a93431e7c0bf1bc9bbf

SHA256
942c5749888f6a9e79e4d369284b6ac4c1a4221b45b27daa373a424b61f1f16d

SHA512
2d6c40baea1fdc76792cb97056d3118a0446cd6d3f146d190435d35adf6718f283b925edf07626bd2a8dd2f8abd516a5279d40047a0aa3ad13e49f08840687a5

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
160KB

MD5
857e11e84e50dbd9adb438b3cebbe05f

SHA1
d450c7c951f1ac892334cc0923a52a74e1233f6e

SHA256
2f41cd3c2d2a89a57080fe17f87886194b96086b956178200a7e6e1a4195cc4f

SHA512
1ce00d57e605ca50f44fc6e7c91006bda7cbc2da0fa08cf4fe43f72f0181f50c775889e14ea47c1c61696815d5ad8d3ac1dd16016a59e77f02d1a0ae0f0b92fa

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
160KB

MD5
b4383c4e060f0541db63e2bd3f65dc19

SHA1
827fcc6baa872f1a850c394820611d97756dc88e

SHA256
8c1cdcc29a8449856ac57c402f007f5ff5547ab27e78cad4cee5a12f3e5e4ff2

SHA512
6302c0dfdd9d4a16b5cebab39b473cb8b26a4ccc25a3ab4b7c605cb4b78acf7b1f88f87f6a9e32a45cd5427d34462ff4ec238e99d119e94e1b51c20a385a6909

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
160KB

MD5
9b9f60c1c1b1e3d4a86ea03688adf28a

SHA1
7c49e40bd9636a00973929520d1b040b59d4ad98

SHA256
8c53172460c1bc081d3a1906f9a8ede2ad2fd4a249996995b4e75eb0d78bc234

SHA512
5a3bfa0409efda76915a2025e71cbaa16acf6c5df362a36490b6f3a7a95e16853c80311c377a0e1a8b6438766df1c0bbeb112fc54a7f78ddf02ec4b44270361b

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
160KB

MD5
6514563ca84e942679ba33cc37867af3

SHA1
3519f994e5a884f1ed396e750e22b5ea3d0a95dc

SHA256
6799042638981b5133b6a2c1c14a97343c20c25b13463016e5e007a2edbd6634

SHA512
714ee25debea991de977ead1b11543c588cf8557405fe33897f6164887062732bf0de3f727ec3ba87e20c45db02411564c4579292fe77a8593a1dacfd46bb572

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
160KB

MD5
102d202ff5816931f846ce682bd1152a

SHA1
28f3dc1362b148ac997a669ad959909699aee309

SHA256
fabcb8530919092b78d98039bba0cd582f3af96fa478ad09573e4bf843f25734

SHA512
eb679279d43f0f0f364234297f11eaf7930189413ebbfda018f47db2692fc636ecf6363237eef401a01932e00683e1e81262efcb7e9b6fff044cbf84f1ca8396

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
160KB

MD5
f6cc0edbb7e040a0ccc29c958635edec

SHA1
1e4a63d61c2daf9f61f8b93f4db0c61b26af8d9c

SHA256
e4c60401bcbaa0e307c5c7b1ff575abde9287963a28687b78a7ecd156697df53

SHA512
258c1712a47bb6526e093700de1dec548749f7967b356460f1be4e539421b5787a52ada4d3cebb933e9b4758fbc2f6808ef0f803d534d552d07a6c992b3863dc

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
160KB

MD5
6d5becbf28bedb4fef67c6cd4c82d011

SHA1
822c83ee04fdc47c5e5e290aa180363dea385d69

SHA256
7117ec221a336010ca4891e9eb575ec77350fbb980abbae84d17727def544794

SHA512
5b18388c1ae368cb559e0e3d11c75d76ca11a16b309d279e641993ee532aa501d2e354ee5b89525ec2f69f040aefeed57b294f7d4b562f2a56da379e21d3e949

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
160KB

MD5
f828dccc470a42eee6d4c62a128201a3

SHA1
39a22a1815b9500d1bd800c15e46cfdb0b776654

SHA256
a98ab513c7ef48a5babf6879ce1ac4c17809fb34545c771eefa7d5e22c8b8f41

SHA512
7c42334a736431ab2e81ae2d8b00ac7d46cc77d73208cd20f16ef7b089d69c138aecade663efc3ab24ed393dad36d8a834e65f2bf7e7ff9a3c9430d04aa3f6ef

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
160KB

MD5
2a162c1c7b6321006c5099a5076122f8

SHA1
1e57f5c880812d72d66ee90796c3b55e1a283fa8

SHA256
26aa09fd22e5a8e7de80085bcf666413ea7a39cc8ddc4addaa3a75d4731c6441

SHA512
069ed1d213da4ec41e49dd641802f08ee0503e848a410fba8bd0b9091b323eebe7ed97a0085969fd6e7a982cd9bacb41da6313b23151a26a320bf88ef24451d2

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
160KB

MD5
3dd0b8481b99160a9d146b7109a23ae1

SHA1
de9e18241b913d50b0cdd3b65160cbab6e707f76

SHA256
51e70be3826dd06fbc0e575f54980cfa249b61567405e1a0f80cbb1e5624d0e0

SHA512
209eab55d60f712a364106d57875778540d9572c9693bc692862dc1e110ef40f2e3ec7afb7f42aabdaebd89ad815a2988ec3be87427fcd97eb3426b495d66450

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
160KB

MD5
f8b11630af60ab3e4aa3b26a9c8b0d4e

SHA1
a7ea553f993a3cc6fa847ec9a5f5bae1b316dea1

SHA256
7c0d648725f6a258b4eb5688d528aae408803d5907e03ad52e676e186ce8c5a5

SHA512
5451b5700f9c4eace0ef9f12d5986c2735237ee0c3184f8d5b88b3b77d16c797374225673c9fee89a39a658c52252c21eff81427364fb45a46f33a8f58885c08

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
160KB

MD5
536113a17fe9399483b4774cb01d5a43

SHA1
ff8f530769c00b9785bce1d6653a9fda5448d033

SHA256
be5c6fc4b3c31f3351eff2292dfb26d715ac2de7ece48667e764df7b29f37b7b

SHA512
e22175a94a66be7403ca24a84f09d7dd5ada7df7aa39c5eb927bd2bf2a17caf1974ceda096bf48f70c9d44388dc2df4dcb3bf0fa722fe86003a0f6c99f26b8da

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
160KB

MD5
e107d9cea08de617a3d60a8d7d12c5ac

SHA1
bebc2fd1c6845b34351c47c0b03bfce680f8dcee

SHA256
6a3e9f670217fb825be23088be2c29802a0c47e1c86ab0f07e3abf25fd163ada

SHA512
095ec38d2edeca7491263ea0e4d2fb9b54ea94a9b02f5421fdc34433fb2d0a9827e1b6135d73c373e9cc9d59602de4c06dc3f3324cfab558442a7156c2577962

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
160KB

MD5
21d7b60c6e133d00e89c13060160bac5

SHA1
ca966b6b2b4df6e2a7c12fe016fd287c6f1ce00b

SHA256
ff776e22d450d23afe7253bf2b9f39d55eb7a570b9a6d320bc70aef4b0eaa1c7

SHA512
aa47673bc749e647b7fff04a752d73d0a7b09b7cf830c3559a3bdd81b8ba8e7ddf5ad86961601197ac53206ab8b8d4d804176c289de7cc5a40b3630777378635

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
160KB

MD5
035e4094bbfd5b773139a44defae578a

SHA1
a7fa8e292bef0308cd4e436d7485fba0a45b2115

SHA256
be365b2c706e1d491d9f31a12a3869a4a3f1670560341fd01ade7daeca228418

SHA512
98b6362051b9ab18ad82a7e8e95713dcaad462eada9ecbbdee6db7afe843d783d17e113fd428d63194903d0071c4728bf5770647edbd01d85f366821806584e4

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
160KB

MD5
86bb8e104503ab2e7a4f67b41eeb5f73

SHA1
f7aef7fcc4b5811f53a15c7d166e02f65e8f4c57

SHA256
00f20aa32e74e8ed7cf4907215651672f572e363bbd12b6df8d132a4d89eb977

SHA512
6e33fadf51665f2813a3c20b4072b27ac57514c9c8141d5386cb46c5e20b1da48452f98f6d622fbd5d56d8b35b84542eaf719f19794669fe16fccf9e5785675b

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
160KB

MD5
d0f6165a9be788ba695c70ef078a390d

SHA1
02f1bb3f8ff446c014134975daa2642f252a5ec9

SHA256
ea7195e5967631633ee279da8f3e89ccae898b84eb3cdbcf0dcbc9f93af39558

SHA512
d451c5f7a845a29c86c2197e49d008e8a2437c2a565cd650ea26cf11085a5f46ff7bc441a40562d6cc653d7a8edace7d4192486b20c1470bca1405297715816f

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
160KB

MD5
5a90e83574c8f3fd83f954b75531d809

SHA1
d9510fdcecbe36da92f6655ccb95b6627996767a

SHA256
c68e5870f2e4e4084901fb3d3c2bf7f9b16beb89d7d1a46416bfd92176dcbbbc

SHA512
1527a3eb764c98a6e13b40389e4fb080124b27415ba2056ab6fde2e6f508a146d232d52a94be5d4494c69c8c0b88dea4760624a533436c6f717e0843f1f68cfe

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
160KB

MD5
22a03699e807e5c9c771c20522ef8cd8

SHA1
f30e920beac18c96b78785370922f601e1b77eaa

SHA256
6891ec1271c6018f9fb343c2f23cb268ef0421c6826d5f64373d218cf91b915d

SHA512
cee903295999533c266496cc9875fb243721b9cc85f7b3e74e40f4f56e7f67fd5cc56910a457a2a8db3f868c13b0a6bddc371a4dc28b7fc7b8166b4cc57db6cc

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
160KB

MD5
744cfd55e24df329ba3dd35e71eac3da

SHA1
aeff4b826ec5470d2c7771ae7bf0b9655a57b8c3

SHA256
b8547fc68670a387508e7cf04698dbc39f45de84e829beccbb8f99dba7adb1c2

SHA512
533c2fc24244a136caa8ac4a976fb1cdfcebf7201cb3c56ead1d4e48286f5a64092d1578e7e9a01822191f9b25d184adec99dfcd1116f5ef4a69c04bfa9cfea3

Download Submit
memory/8-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/60-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/264-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1008-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1184-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1196-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-147-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2332-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4216-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5156-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5196-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5236-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5276-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5316-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5356-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5404-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5436-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5476-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5520-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5556-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5596-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5644-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5676-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5716-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads