berbew | 0d6c7f01f78274a166cd84194a277dde1a58905632e71bed4e0706d7d9bf8e85

Analysis

max time kernel
103s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-10_ea5dda8a8fa38b1371e5c98bc05742f8_amadey_elex_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

ea5dda8a8fa38b1371e5c98bc05742f8
SHA1

9cb68c7bc3959c22b83d7bfa79a73fc826d3fdb4
SHA256

0d6c7f01f78274a166cd84194a277dde1a58905632e71bed4e0706d7d9bf8e85
SHA512

c89f7f8b36397d2aae09ec50e4cd83ee5fdcb974b113d6b6cfd224fbc2657eeb636a01e7fd2b36720c15ab44eacecb4253f47933bd04c11e282beddf1b4b5930
SSDEEP

12288:ZRMI0c2o8wE39uW8wESByvNv54B9f01Zm:ZRMI0c2o8wDW8wQvr4B9f01Zm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jehokgge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipnjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imakkfdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmnpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbgmcnhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbgdlq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4184	Fkciihgg.exe
5048	Fkffog32.exe
4588	Fcmnpe32.exe
472	Fbpnkama.exe
4048	Gbdgfa32.exe
1516	Gohhpe32.exe
212	Gbgdlq32.exe
4560	Gkaejf32.exe
3064	Gblngpbd.exe
1712	Hfifmnij.exe
2328	Hihbijhn.exe
1988	Hodgkc32.exe
3840	Himldi32.exe
3244	Hofdacke.exe
2308	Hcbpab32.exe
3944	Hfqlnm32.exe
1808	Hecmijim.exe
2220	Hoiafcic.exe
4808	Hbgmcnhf.exe
1464	Hfcicmqp.exe
416	Iefioj32.exe
540	Immapg32.exe
4148	Ikpaldog.exe
3204	Ipknlb32.exe
2188	Ibjjhn32.exe
2932	Iehfdi32.exe
2012	Iicbehnq.exe
3600	Imoneg32.exe
1508	Ipnjab32.exe
4904	Iblfnn32.exe
1788	Ifgbnlmj.exe
524	Iifokh32.exe
3264	Imakkfdg.exe
4648	Ildkgc32.exe
1620	Ickchq32.exe
1936	Ibnccmbo.exe
2460	Ifjodl32.exe
2128	Iihkpg32.exe
2708	Imdgqfbd.exe
3492	Ipbdmaah.exe
3376	Icnpmp32.exe
1940	Ifllil32.exe
3896	Ieolehop.exe
3272	Iikhfg32.exe
4732	Ilidbbgl.exe
3152	Ipdqba32.exe
3148	Ibcmom32.exe
1572	Jfoiokfb.exe
1904	Jeaikh32.exe
4080	Jmhale32.exe
3276	Jlkagbej.exe
4704	Jcbihpel.exe
5000	Jbeidl32.exe
3008	Jfaedkdp.exe
1108	Jioaqfcc.exe
4848	Jlnnmb32.exe
4956	Jpijnqkp.exe
3436	Jcefno32.exe
4720	Jbhfjljd.exe
936	Jefbfgig.exe
2768	Jianff32.exe
3736	Jmmjgejj.exe
2532	Jplfcpin.exe
2584	Jcgbco32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jbhfjljd.exe	Jcefno32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Nffbangm.dll	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Hfqlnm32.exe	Hcbpab32.exe
File created	C:\Windows\SysWOW64\Ippohl32.dll	Jmmjgejj.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Imakkfdg.exe	Iifokh32.exe
File created	C:\Windows\SysWOW64\Ipbdmaah.exe	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Fbpnkama.exe	Fcmnpe32.exe
File opened for modification	C:\Windows\SysWOW64\Ieolehop.exe	Ifllil32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Gohhpe32.exe	Gbdgfa32.exe
File created	C:\Windows\SysWOW64\Jmnoof32.dll	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Hofdacke.exe	Himldi32.exe
File created	C:\Windows\SysWOW64\Hoiafcic.exe	Hecmijim.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Immapg32.exe	Iefioj32.exe
File created	C:\Windows\SysWOW64\Eeanii32.dll	Jcbihpel.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Adopjh32.dll	Ifjodl32.exe
File created	C:\Windows\SysWOW64\Pacghh32.dll	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Jifhaenk.exe	Jblpek32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Fkffog32.exe	Fkciihgg.exe
File created	C:\Windows\SysWOW64\Ildkgc32.exe	Imakkfdg.exe
File opened for modification	C:\Windows\SysWOW64\Iikhfg32.exe	Ieolehop.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Jlkagbej.exe	Jmhale32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaedkdp.exe	Jbeidl32.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gbdgfa32.exe	Fbpnkama.exe
File opened for modification	C:\Windows\SysWOW64\Hbgmcnhf.exe	Hoiafcic.exe
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Benlnbhb.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Ldleel32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8060	7976	WerFault.exe	314

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iifokh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifllil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfoiokfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hihbijhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikpaldog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkagbej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imakkfdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ickchq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Himldi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipknlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieolehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcbpab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ildkgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_ea5dda8a8fa38b1371e5c98bc05742f8_amadey_elex_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbgmcnhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imoneg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icnpmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefioj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaedkdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jioaqfcc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieolehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkffog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfcicmqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbbae32.dll"	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iccbgbmg.dll"	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjakkfbf.dll"	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqgbjkm.dll"	Jblpek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcmnpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jianff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifllil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 4184	60	2025-04-10_ea5dda8a8fa38b1371e5c98bc05742f8_amadey_elex_rhadamanthys_smoke-loader.exe	88
PID 60 wrote to memory of 4184	60	2025-04-10_ea5dda8a8fa38b1371e5c98bc05742f8_amadey_elex_rhadamanthys_smoke-loader.exe	88
PID 60 wrote to memory of 4184	60	2025-04-10_ea5dda8a8fa38b1371e5c98bc05742f8_amadey_elex_rhadamanthys_smoke-loader.exe	88
PID 4184 wrote to memory of 5048	4184	Fkciihgg.exe	89
PID 4184 wrote to memory of 5048	4184	Fkciihgg.exe	89
PID 4184 wrote to memory of 5048	4184	Fkciihgg.exe	89
PID 5048 wrote to memory of 4588	5048	Fkffog32.exe	90
PID 5048 wrote to memory of 4588	5048	Fkffog32.exe	90
PID 5048 wrote to memory of 4588	5048	Fkffog32.exe	90
PID 4588 wrote to memory of 472	4588	Fcmnpe32.exe	91
PID 4588 wrote to memory of 472	4588	Fcmnpe32.exe	91
PID 4588 wrote to memory of 472	4588	Fcmnpe32.exe	91
PID 472 wrote to memory of 4048	472	Fbpnkama.exe	92
PID 472 wrote to memory of 4048	472	Fbpnkama.exe	92
PID 472 wrote to memory of 4048	472	Fbpnkama.exe	92
PID 4048 wrote to memory of 1516	4048	Gbdgfa32.exe	93
PID 4048 wrote to memory of 1516	4048	Gbdgfa32.exe	93
PID 4048 wrote to memory of 1516	4048	Gbdgfa32.exe	93
PID 1516 wrote to memory of 212	1516	Gohhpe32.exe	94
PID 1516 wrote to memory of 212	1516	Gohhpe32.exe	94
PID 1516 wrote to memory of 212	1516	Gohhpe32.exe	94
PID 212 wrote to memory of 4560	212	Gbgdlq32.exe	96
PID 212 wrote to memory of 4560	212	Gbgdlq32.exe	96
PID 212 wrote to memory of 4560	212	Gbgdlq32.exe	96
PID 4560 wrote to memory of 3064	4560	Gkaejf32.exe	98
PID 4560 wrote to memory of 3064	4560	Gkaejf32.exe	98
PID 4560 wrote to memory of 3064	4560	Gkaejf32.exe	98
PID 3064 wrote to memory of 1712	3064	Gblngpbd.exe	99
PID 3064 wrote to memory of 1712	3064	Gblngpbd.exe	99
PID 3064 wrote to memory of 1712	3064	Gblngpbd.exe	99
PID 1712 wrote to memory of 2328	1712	Hfifmnij.exe	101
PID 1712 wrote to memory of 2328	1712	Hfifmnij.exe	101
PID 1712 wrote to memory of 2328	1712	Hfifmnij.exe	101
PID 2328 wrote to memory of 1988	2328	Hihbijhn.exe	102
PID 2328 wrote to memory of 1988	2328	Hihbijhn.exe	102
PID 2328 wrote to memory of 1988	2328	Hihbijhn.exe	102
PID 1988 wrote to memory of 3840	1988	Hodgkc32.exe	103
PID 1988 wrote to memory of 3840	1988	Hodgkc32.exe	103
PID 1988 wrote to memory of 3840	1988	Hodgkc32.exe	103
PID 3840 wrote to memory of 3244	3840	Himldi32.exe	104
PID 3840 wrote to memory of 3244	3840	Himldi32.exe	104
PID 3840 wrote to memory of 3244	3840	Himldi32.exe	104
PID 3244 wrote to memory of 2308	3244	Hofdacke.exe	105
PID 3244 wrote to memory of 2308	3244	Hofdacke.exe	105
PID 3244 wrote to memory of 2308	3244	Hofdacke.exe	105
PID 2308 wrote to memory of 3944	2308	Hcbpab32.exe	106
PID 2308 wrote to memory of 3944	2308	Hcbpab32.exe	106
PID 2308 wrote to memory of 3944	2308	Hcbpab32.exe	106
PID 3944 wrote to memory of 1808	3944	Hfqlnm32.exe	107
PID 3944 wrote to memory of 1808	3944	Hfqlnm32.exe	107
PID 3944 wrote to memory of 1808	3944	Hfqlnm32.exe	107
PID 1808 wrote to memory of 2220	1808	Hecmijim.exe	108
PID 1808 wrote to memory of 2220	1808	Hecmijim.exe	108
PID 1808 wrote to memory of 2220	1808	Hecmijim.exe	108
PID 2220 wrote to memory of 4808	2220	Hoiafcic.exe	109
PID 2220 wrote to memory of 4808	2220	Hoiafcic.exe	109
PID 2220 wrote to memory of 4808	2220	Hoiafcic.exe	109
PID 4808 wrote to memory of 1464	4808	Hbgmcnhf.exe	110
PID 4808 wrote to memory of 1464	4808	Hbgmcnhf.exe	110
PID 4808 wrote to memory of 1464	4808	Hbgmcnhf.exe	110
PID 1464 wrote to memory of 416	1464	Hfcicmqp.exe	111
PID 1464 wrote to memory of 416	1464	Hfcicmqp.exe	111
PID 1464 wrote to memory of 416	1464	Hfcicmqp.exe	111
PID 416 wrote to memory of 540	416	Iefioj32.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-04-10_ea5dda8a8fa38b1371e5c98bc05742f8_amadey_elex_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-10_ea5dda8a8fa38b1371e5c98bc05742f8_amadey_elex_rhadamanthys_smoke-loader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\SysWOW64\Fkciihgg.exe
  C:\Windows\system32\Fkciihgg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\Fkffog32.exe
    C:\Windows\system32\Fkffog32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\Fcmnpe32.exe
      C:\Windows\system32\Fcmnpe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:472
      - C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        23⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        26⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        27⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        28⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        31⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        37⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        39⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        41⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        45⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        48⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        57⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        58⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        60⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        64⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        65⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        68⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1408
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        71⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        72⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4132
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        78⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        79⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        80⤵
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4384
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        82⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2056
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4516
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        86⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2868
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        89⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        91⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        95⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        96⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        99⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        100⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        101⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        106⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        110⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        111⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        113⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        115⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        116⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        117⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        120⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        122⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        124⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        125⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        126⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        128⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        129⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        130⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        131⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        132⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        133⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        134⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        136⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        137⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        138⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        140⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        141⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        146⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6236
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6396
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        151⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        152⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        153⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        154⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6680
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        156⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        157⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        158⤵
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        159⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        160⤵
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        162⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        163⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7084
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        165⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6380
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        170⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6568
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        173⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        175⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        177⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7036
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        179⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        180⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        181⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6268
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        182⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        183⤵
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:6672
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        185⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7008
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:6532
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        191⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        192⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:7096
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        194⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        196⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        197⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        198⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        199⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        201⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        202⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        203⤵
        Modifies registry class
        
        PID:7220
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        204⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        205⤵
        Drops file in System32 directory
        
        PID:7308
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        206⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7392
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:7436
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7476
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7520
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        211⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7608
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        213⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:7696
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        215⤵
        Modifies registry class
        
        PID:7740
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        216⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7780
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        217⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7820
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        218⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7860
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7896
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7936
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:7976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 212
        222⤵
        Program crash
        
        PID:8060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7976 -ip 7976
1⤵
PID:8036

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:6868

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagflcje.exe

Filesize
400KB

MD5
ddfec24ec5cff64634eb7ad6517958f3

SHA1
90dc0a03995d31fc4cb67dc5975ce9de5f8b1b26

SHA256
c3bd2e69b89e81d9e3f4a258c2892b1f377873fe64dee9afa8da34dc8ea61ae7

SHA512
b8726473b8c6acccd40d0feacb3804e3a47f86615daa0792f5cd5f908972c08aa9bdecdaba66f01208c8a0968303a4b795c09d81dab9ee2197d9a37533917ae1

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
400KB

MD5
3869e3c60534183141ab09c3e9512514

SHA1
e3893625a63ffd37c8269156b8360e8d94134b97

SHA256
ada7616e25a7ce1a9d2cd0e5d6440add19ec521a05fdea3a9efe24b335d6919b

SHA512
61a6afbb64e7f25c647d43dcbd1aef36db70cf0e84e05382180ce76acbf97db09e846fadea8d55394c92ef5fe3b9a4e96c4f9269e66fb492da061e7110b4c402

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
400KB

MD5
619f684e55d3f5932ef652d395adb76f

SHA1
1db99db08722e660578330ab2066dbb91b6d2d17

SHA256
9cc0e8d66d38de46de16644999cb1fcb7046736dd101c024039ccf8a2da5ba5b

SHA512
f0bb98d253fdce537a39c9fcea9654b7002882ec9ea34ac4c86f5f0881374f349a2e142fdbe840eedc557ecd5b37ccd4a05a6e6d5f8b02f0102fcead642bcd4c

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
400KB

MD5
1ef21beed2c24f0b8d4c9fd6855ef97d

SHA1
728dd91ca89d8123216f615548e66c0d1464a66b

SHA256
754c5e4b1bad5b1dac05cc78a108762f2da1913d51a14e8c779d528847776594

SHA512
f6b899cb9219605770d27f5121cf00d748a273745573b7c1cc779f7a9d9f014026f04733a12a12ce8d0e3978d252528477bfdd935a158a01c42065b750ace878

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
400KB

MD5
6b03afdcf99a3190043756bf8dfa9dcd

SHA1
a79aad26ce568196d82de5e41e9a44587e234b79

SHA256
1b27230165c80a5b21477c5ffcd3a21014e2d275c3f05e35a4bdec5098c28e82

SHA512
1117820d4429402819793eeabe775b3dbd5ce736a146fc62f3fe46257ad8a4c9cc446c74c3f176913e44b02fa0fbe1bc14fe236498944f3fe625c6d8869cdb27

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
400KB

MD5
50f30dd0ad6a708081b943c8640e9117

SHA1
cea6c058b3f747ce16b5c44ba67b768eb09f42f6

SHA256
ff954913a35bacb1f72041e91dc1cd57e11379742259e645f99d97816715a2f7

SHA512
0e33ea7aabf4029010106f2789a2038f327018d0765e1ffdd95e914e284b3d2ae5bd06f0271495644554a4a14df87bed2f4991feb481a2d162c2c091d8619a8d

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
400KB

MD5
3c10a6ffeaded5d6c32dadb58c74df46

SHA1
af8e4de538c95c5894807b6632ca62fee99c9885

SHA256
7e168bceb0d86294d8a3fc2921ef9a674f7704400dcb35016f0cd19fdb165a0e

SHA512
c8504d4506ed664bd0dc928a2be3b0a892941749df5499b85ad8fbe20d76fc905ee389be373db3a957109c9dec1777dee141e2d2c7bf4fd1124a09d87c232b96

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
400KB

MD5
d419907be747529836fb73298902ee04

SHA1
e6ed613aca76df03424b6523a985a5c80ca50ebc

SHA256
ffffb5931eb1fdecb0ae69f61d11e11eb972e6e1eba8d475f57723dadfb4ea56

SHA512
2c754a6f79fbdf884154113bdbb5c879bc7ede49480e0af90de8dcec4a0b405b996940877e6fcb4af367c7fdf0744a65417e5bd8b25889c829f772787a1776ee

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
400KB

MD5
1572866beba60c12121678f06693c7c5

SHA1
8c9c4cb82f12e828915b1cd5c3259390db023a12

SHA256
487d766c282f4e3104dbbda5fd5a4361a874d2fabcb734c8feae645e70e714f9

SHA512
5440f4b8eaff0e483c8f700db41de477c4ff005b78c026bcd26f1b7254d68cc3ce2e19e2332492d1dbeaac50950dfa27179abcb86ba54e813513e1bbd8fe92c4

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
400KB

MD5
f330f49049e4c5bc6bd913d36ffaee71

SHA1
bc6b9d3e382920d26a5650c3ee9c08132ebd1cda

SHA256
e394329aaa39ef61a2c515358f34731992863b9587960df868196769d005ec7f

SHA512
853ad891d285ed6bd7ef8cfde8780258cd643f5ab5838c2bc193ccf8432758cc156c37d1482b045a248247e79074da5ed136a8f6a88dc83960352c88a1f80147

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
400KB

MD5
547a4214118c89affc74f5e084693ca2

SHA1
f15a9925a1486496f53b0dc9727722f0d0ff1aa7

SHA256
e1eed4513e6135ca3e1daaf4f8612aea7e142e45c6fb6dfcda6db17a4d69b56a

SHA512
ed4ad3e3ab48445ae49b8a3e10eaf362389d2d264a2c750c7e41ff93595ff7248b2ccbc244fa235fcfd97c6092c0299fa15034a38187373d83bdae14fb64b18f

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
400KB

MD5
9b50244e5309cfed6d5517521c97e922

SHA1
4721786fb3fc65ac988bb652f44b05cb71471f14

SHA256
3b2f81bc4f4cf8d2ab2e5336ed7dfec7b78f042cc577c28ad32ce9bb18998949

SHA512
8ec75c1b2a63187af1539ab47f131c4dac4991b136fcff0525818f0a52912f3e486ef8dbee5926aefb36b5ab190ef5619e1010754ce1ec1a53b3700715c4e6a0

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
400KB

MD5
a9761d66164de8f8f221275b7b371cbf

SHA1
e306bc2c3075b88aed4d28b3ad81712d24eb2f0b

SHA256
3633497d02ba3201602eac4150b362255606b902b0b5da682ad154698ff28891

SHA512
2db952e1bd368c0cd86f377c2b04dd279d18f2c76cacddf0428de82d131056bbb83afe924c84d17fea28a8fb7dac101eb52c87f896ed68d608d0a8b105c4582e

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
400KB

MD5
f0f4b9bf513d79287ad084e79efdd130

SHA1
f579bc113bd8bb424c4da2cafabde162a5fb459e

SHA256
4f4f9d3645a29d71af115e81f2937a4501d6f366e926d99b95f7ed71cb7e2ae4

SHA512
8346a844761d939cdfffe327b0d5c797395c0ddbd7823ee03659a703953c82d48a9e84a6b893b602bbe646e58e130c0282adbacd40c9f6233ebfca5d2274105b

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
400KB

MD5
ae716c83d358a1d89cd00493f6ad3785

SHA1
1b9b4e831e6711e41d177186d86212dc469bb224

SHA256
b103bd5a4beac39ecd88240ab554fc758aaf59ab791f6dc8d577c0329c5063b6

SHA512
2edecab3ffef5a3c1cdbd3860ff69bd668021abe2a6bdca99879ce938adc9d791fd50603ac2dc6272c6167eab5fd647cc620867a006ac78603cc3bad601f5a5f

Download Submit
C:\Windows\SysWOW64\Gohhpe32.exe

Filesize
400KB

MD5
34554e15bc7623056bd606058097181f

SHA1
4e74def29d83fff605fc1de4b473618c96ed4180

SHA256
04cdaf5cfd8cb6b35ee058d0bd6f5027f863a14e6a8b1f7d3276f2d809fef4de

SHA512
fffd9778df284fe28c66c173073ea793b570c57ec6d889015cabc2823f9ffc45d85e50f9aca529d53ef9969664a2278eea19c7d857370d7cce22e0656062d508

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
400KB

MD5
fe9fac154da8f23b2a190f439fe9d7e8

SHA1
60cbbf18ccfa19e85977a159a92923c4074f2321

SHA256
d281a70d63afb86f79648f19e70cd2f6ce55a95c707e96fb9685b757dde402ed

SHA512
6d645eae59b758652430dfe5f830a6da62392d606b6692f3abac8ad4ca8e2587ccba795d84bf9c42b179f1d63d70ab46b444564e205ed3512fdc56c2d30abaf0

Download Submit
C:\Windows\SysWOW64\Hcbpab32.exe

Filesize
400KB

MD5
02cc9b3ab2ad09ee82ca36f76b2be95e

SHA1
b97f19bdb78d03e99b4147add1d2ffb3414f81dd

SHA256
1a38bc9d606e0883d4aac9db7cf9e9e7ad5ee9173339da109bab306233267079

SHA512
564989171347defda1b6c1be16acac5ccbc907924f6542aa139527686f09bc4c635bddbb06e3a067d13fdbbbab62d82e0a949d51b82dd35ebeedd8dc0b83d35c

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
400KB

MD5
5a15a4340241b31c477812ad7730d427

SHA1
6c980d4ec1feded6134877f1e4233371fc5e3ffb

SHA256
696f729107e0e8e494c4703aba0bca0ce35b67c803643689c920120ed5fe41f0

SHA512
18a13bc6a538ba5290556d63588f125c428c2965847747d6b4e10ac0f19363df69fa582b708c7029ce04f5d859d7cfb8b22f5c0cddb6b7ac11efe747e2106ee5

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
400KB

MD5
332962eb805aa96458a8f60d5f479f6c

SHA1
6771368e68cb7e24f739b82434bd898733544c56

SHA256
6011bdbf9f9bd86dc2610b904fb0e4547f468f6fdf04dc2172d2115574fb4e93

SHA512
ad29c33a8c06e9cc84a62395a66b0945e52c75648192386aeda13390d1d9a0413875ac09fbf6d62ce2fd285001567773a9b95390e282d0461d1416946d7f8839

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
400KB

MD5
420f2a3e223d71f7c011728e8f8271c9

SHA1
9f6a50b2c5f537b2c22fb02f115f78de74fb387f

SHA256
e38ad1eca561b344dd18b5d21231be581480e86e2e07d68471bb8f39bfa3cfde

SHA512
71c2e503e092520dc78f6b165b0469c9f3067e8dd746a0d6134d1aa509a0c23d44195aad22db8f0676285c79d431225831a2178d1f6042b15d9cda917a52c405

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
400KB

MD5
70f5abe8aa33e69727079b6af245451a

SHA1
7930eac3c7deab5c8b8ecf90c3deda77d967d266

SHA256
8a4c6e57165d4789ec0d3c949743a62eb65caa4e6c8b5877d215a4622a9807ec

SHA512
f7eaa71868422ecdab7a9635a3e332e2441cd93be19a9eba3b9318c710645f1c576dd667ac74f6cea82f5009781949ef3981eb65ea3cf885f6e33d9a0963cecd

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
400KB

MD5
236d92a1793dd3d5b86cbc7508353ce6

SHA1
61101d8adc5c3e59c9532e0651930c30ef94d28d

SHA256
f43b19f7870bbda3f21ffde0e292eb84d80d880a3e4e96a1f1dfbb19182cde71

SHA512
d7b8e3f701d00aae7b27bfd70ae880f1b242bd4f38e74f29aa84c88baf38dc1656885db8a471c8958a8acf6fbb1a94123bd7f28ebc62c000ea5f154ded64651a

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
400KB

MD5
fe50e0080fbb42892a14ba01ff58899f

SHA1
40829c3e035d25995f4deffefb46cc15ebc47519

SHA256
8c376f9472ae0a172b02f285fcaabee767af11b61dd9c3cc19e5b60d87e55a6e

SHA512
0657a0317e5c1ef3d4967dd070b83d779b0124488c33bac264b206e667068da9ac201cf0ed4b2f01f2053d6454aa0546943b52130d7897cc7158e60368515e84

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
400KB

MD5
a272d4b94591438af350a98eecbdbdc7

SHA1
e2f8d5f055bd5f4f7d013050ba2c134611072ba1

SHA256
2c6f6273f535e51e8a8e8cb0bba4faeabdc3e0741a5fb2b357ef12b393d9374e

SHA512
cee700b3993552aac7030363dc0e02a8a750ff097a3fbf182f89d4737be5974f4b21e5bf851a4d5bb94c7fec54745c1602fd18a610129536f6de06ed0d0467cc

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
400KB

MD5
ff7bbe28e4ee51c7991b35b68a85c4a0

SHA1
4b6281e91e87d2eaa868f57bd09fcd10cd510895

SHA256
fea6bc3686ad6cdb586fd5c1ff93ea55d86d1f984ec037f62f1540c977cf3b0d

SHA512
f78290271ba4c8608fd6f08ade7ff2cbf09dd7624aa0413f86a00c668a7644a091191416b14518cf292c643ae7adfc67601a7d0588f57e86283f9739af449ef2

Download Submit
C:\Windows\SysWOW64\Hoiafcic.exe

Filesize
400KB

MD5
1dda75172c1b2b7c0efcb0102a8fa048

SHA1
37bbd92648b6051deac90918ed045bf22d5639ca

SHA256
27ea033bc2507975cdaa79e62f9cbb8b122e007f4872b2ca4e2920a9f41586e6

SHA512
befcaccb739bc38fae166397cf4e00bdddaba00384a4ee85f88202161041ecab24266389a83711229b6b112331d4a4e5377f9e73b2e7554f691b35da04deabab

Download Submit
C:\Windows\SysWOW64\Ibjjhn32.exe

Filesize
400KB

MD5
f172f8f2fa3af20b6c7f66407e001856

SHA1
f5ead341642b6faa03bb496574f38b83b72cce01

SHA256
1fdf8ab37a1c497be9adb99c390e34847a43af9f8cb3c3b2f1976c7a8af56b3d

SHA512
428b72ef5065b6e3660e56d233a11a0a3ccba215427ecc6b24972b0714829971011b9fcf4ec3845b655c214b078f48d64e132951d185f5d016df61c18f53c648

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
400KB

MD5
3af3d22d3c7e3eb35b511ce7b7b75b28

SHA1
44bfe91ba444002db38fd70ae955cc5d840166a8

SHA256
fd55d2b78d912515c5ed61f9e69f36b63c9d5f4302b890a017881ca9f800a490

SHA512
90cd6ffe226634a711a75c9fe7bf05d5d7bdb43756ee9ef30de6bbeb85c65a10f3fdf4cf469eab5321fc02510904d4c4098a980903d79439d220c672aead96a3

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
400KB

MD5
326c7afa8c68547784ff0ffa51ffaf0e

SHA1
ca9a76031578cf314e43bf02ce05c09dff18b142

SHA256
9125c5a56c934aa941b6e14495da622927d6584715e3edc318414dcc67d98dff

SHA512
2ef9a49ddd3a84922c257f8f8dee0b819c8bf034b9c3844162dd508e1de9c95825064c0f77e11001f2c488e250a546c9d20b2b92c6c3937f6a53016792da5e29

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
400KB

MD5
0132ffb17d48a83c2a73dac741a7b597

SHA1
fd22cd6459e8dd16df7c37665a57b5fd964ba1fa

SHA256
ce2e84969dc0dcfbd2fcbce861bfc32d4fb5db5e34a520d926f69b4f0cc7a973

SHA512
d6fdfd0bab90590e652ed61c2524a7c72126c3483750b5d20987b2718c038ed6ddf0f13a0c989471768dcf62f9742079f3220389d8088045d17c0bc5c04cb5ba

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
400KB

MD5
4f325af61fd691589ba7e514ecab6e9d

SHA1
7767da8e00a581efe164cb8984d8e2cc038efb63

SHA256
21d7b38283c9d74d02a0de6e4173feb8a297eae5eb9ad5cbd57ddf984cfdb8cb

SHA512
476acf04c1ea3e694815a842713521a114dd799d5cca293b466a0409e0e3556d81d0b9db409d1ef74df2e77b3aa985f0f0c86f5922338f48e59eb5e058a6485c

Download Submit
C:\Windows\SysWOW64\Iicbehnq.exe

Filesize
400KB

MD5
8143afd0f76488b6a162ee51edd415e2

SHA1
b2a2afb291c3e139978ea878a8c31cda62d0108a

SHA256
51754bcd934bea22f0afb4035784fcc1ea7312db7937b697a7a84fcf5edf07e6

SHA512
42f95376d5de66568a3045fb14cb0c9cce4cc1954f529c04afdb16c2e4b3cfac7ac8b1114e4fe75754a1ae45c71d6bc1e34e29d1b76d55fd63e4bbb32691359a

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
400KB

MD5
8d23974c5334ce00e425fba0ad155ac6

SHA1
0d19e641b692cd63c308c775a8119674da8bd084

SHA256
a28772c276b2fdabb3cf50c3aba880ee07f9a9ba62e90f6f59911ac7a8bf6404

SHA512
8205d5620e56e2c66f832c8b68b4c7279c1239877df73386ce7160250094b14d4edd19e7e028f97f377b0656dcedde1966daa702670934a3f93ade5188a4a4c7

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
400KB

MD5
0e42058507f21781042b8b3c1e6f7b4f

SHA1
a9443840200971019ec542075375500f5ae03a8e

SHA256
4b64ec9a37579b1b28e3672ddb0f6f43eeba2ade5bc36e6e0427e5f623ef2820

SHA512
4b2d888a12d811bde93a2adcd8984260caa64e8373e54ae6146ccfc1d5d7ee399f3f68a20a55ed156762161532a9005cbfbd237fffdfc7478d79881ad14db7ca

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
400KB

MD5
3240bfb1c6622185d5c47ca745d6936e

SHA1
b6c07431820899f6be002de726707b35abfe4a80

SHA256
dbc9c10a9655267dac02e0638b08946472d69ef7cbe9e321e613c199a0216c85

SHA512
e9572a8bb41eca34b6fd2cc6ec5fba691f0412e1eeaebb6d1d2a7f4fac5f4448163b1db83c368ef0a8fc623700fbe4dfaedf901f954736073d4a874ddd1a1e3c

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
400KB

MD5
340b18756953240e016bd6c7a135dd01

SHA1
1e8a1a80f6fe6c6aaf9782ef860c5e96f522d271

SHA256
e157667b5435f8787f6d0f68ee13dd1dbc59d58e0502aff705f19a615f543ebe

SHA512
3242f972ebe4fdc08c4158640cc50f36422e75e9d266161c1a48165a4d54cd900eb553a6d005e128aeeb1a2e4947f55b2bef507835f72295d439d819006ee68f

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
400KB

MD5
d594c2751748290d4913c8a06235f49d

SHA1
a1d59cd2f44b23614f1dbcf742e12ed2a63162d8

SHA256
1276033639240d1ab6d48fec5a1e4f963ff1ba6a575773f24f74575963150728

SHA512
94c8844417f3c49184e0e277200d083408c15ca9bba04a55bdaa963f2228e2dd9d8c1d9f2d1631ee6fdbb0f0de705078a0cc2e06084571e75dc1cf68095adeea

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
400KB

MD5
34535d5d8c11f3dd3753157e509497ef

SHA1
94f765e2ebc7a1f6f89c5b62ca659aed5f247b63

SHA256
d1b8ab2c4c5408440ff1e47242d1002ae952393e5666e577b551f0cbc87ecf3b

SHA512
ed487c804c59fa24fcdb837768486801ad05816e498c944ea4e7a5923bcba9a1e6617c093796927cd33cf14ee220abb3e893fa0dd3ae5eccc91a8821b3a4a28a

Download Submit
C:\Windows\SysWOW64\Lcgdbi32.dll

Filesize
7KB

MD5
5ed2baaf65e499ad5b4c68224e015c79

SHA1
9085d609f2e539dd4aff828e11d86651ac75e2e2

SHA256
1fc8de1d73651fd6905d3ea75e4a9541b0514cfcfd1a02c9afdcb0b0edd6cc0e

SHA512
eb7d1dca1d2e825cc2e88f92dfa20ac10598dc11b24d22366446ca25a101247f2d9f2b05e1f27ba0b1e83245b80ce58a05cb377709f93d9fbc0f4b6d7acbe237

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
400KB

MD5
7cc2988225df598e80d5b030aba0f6e4

SHA1
39b81b03e79d19456cb82ac38b3b167c72ad1dbb

SHA256
652ecb2467f94a8985e714f54f609eb9c5693e52ca9a3da546ff2f4da803f046

SHA512
0443c36f04094b91ced3d91a1c4c8d3738f8d4e87509483225dc29c774ddc74c7d685a5188295853c9677903d560961d0ec47a5e780e16e9a91fef606a22d810

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
400KB

MD5
12d8a3e72584129119c8ae067ff98343

SHA1
6a1e2b60730480f3bb0b093e7b19e79982610053

SHA256
0542428f260ec009f940bbce23705ee8017e47254423a721bfd796060b9d674a

SHA512
0cd1446fe2d39ddb73f7c330604b1a57ad160f07fe2e1b7e39593f0533c5277a232093211867b87ad695d7a2a8b6ad54a46f25e7fb326b7c494ab385d4bb007e

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
400KB

MD5
eedfa62f50846369f905c473f6cd18d1

SHA1
2a31029d7ed61a6b680d4903b28dcdf45daa6307

SHA256
6041676509af59c2f8d48673f74c116d6039d4e03e84f732bd0cb77b117ff061

SHA512
6d6758c97837edb95892074bbe984ae2e6198a9dc54579f889b52b4abca78d1e62f132cf9547dd77ea66ff0c8107b3b777f326c98c20fabd65584a14be2afff4

Download Submit
memory/60-817-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/60-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/212-56-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/396-503-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/416-424-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/472-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/540-425-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/744-568-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1356-544-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1464-423-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1508-437-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1516-48-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1572-447-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1712-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1808-420-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1828-556-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1904-449-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1940-439-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1988-95-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2012-435-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2188-432-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2220-421-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2240-488-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2240-1708-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2308-419-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2328-88-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2368-463-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2460-1786-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2768-451-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2840-457-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2868-550-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2932-433-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2948-515-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-72-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3120-521-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3148-443-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3204-427-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3244-1832-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3244-112-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3272-441-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3600-436-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3840-111-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3896-440-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3924-475-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4048-40-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4132-469-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4148-426-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4184-7-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4368-538-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4384-509-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4508-492-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4516-536-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4560-63-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4588-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4732-442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4808-422-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4824-722-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4904-438-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5048-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5068-562-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5144-574-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5180-716-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5184-580-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5224-586-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5236-799-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5264-592-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5320-598-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5344-728-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5360-604-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5396-805-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5400-610-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5408-734-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5440-616-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5464-811-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5468-740-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5468-1609-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5480-623-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5520-630-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5560-634-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5568-746-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5600-752-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5636-818-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5652-645-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5700-651-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5708-758-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5708-1603-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5728-824-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5740-657-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5780-764-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5792-663-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5832-669-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5844-776-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5872-679-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5880-775-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5912-686-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5984-692-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6028-699-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6044-787-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6072-704-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6112-710-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6120-797-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6396-1550-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6724-1503-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6844-1454-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7096-1464-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7124-1521-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads