berbew | b69f76a3978d1e306e76fbf12f24d5d27df8d7b6fa3c3b22b17686ee2bf34b7a

Analysis

max time kernel
107s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-10_66e4c221eb25be4ff006c3d260720737_amadey_elex_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

66e4c221eb25be4ff006c3d260720737
SHA1

95ff4b9f326f2951a632cdcc5c34c723c8be50f4
SHA256

b69f76a3978d1e306e76fbf12f24d5d27df8d7b6fa3c3b22b17686ee2bf34b7a
SHA512

739ffe2013d4f3e9741e435173cfa6ffca3f2ea24fa3d4f185f02d9650ba84c8a9910985826928ec934cbde2c7e22467533a8652c2da1af2da2a8d62571c79e0
SSDEEP

12288:jT6pZ2o8wE39uW8wESByvNv54B9f01Zm:jTQ2o8wDW8wQvr4B9f01Zm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2025-04-10_66e4c221eb25be4ff006c3d260720737_amadey_elex_rhadamanthys_smoke-loader.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imakkfdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2632	Hcmgfbhd.exe
5204	Hijooifk.exe
5432	Heapdjlp.exe
5952	Himldi32.exe
2408	Hkkhqd32.exe
6128	Hoiafcic.exe
4108	Hbgmcnhf.exe
4032	Iefioj32.exe
1452	Iiaephpc.exe
4980	Ibjjhn32.exe
4604	Iehfdi32.exe
4576	Iicbehnq.exe
4760	Ikbnacmd.exe
5800	Ipnjab32.exe
828	Icifbang.exe
4668	Ifgbnlmj.exe
3312	Iejcji32.exe
4028	Imakkfdg.exe
2612	Ildkgc32.exe
5068	Ippggbck.exe
2296	Ickchq32.exe
5284	Ibnccmbo.exe
2320	Ifjodl32.exe
2364	Iihkpg32.exe
848	Imdgqfbd.exe
856	Ilghlc32.exe
4540	Icnpmp32.exe
4416	Ibqpimpl.exe
2280	Ieolehop.exe
3520	Iikhfg32.exe
3496	Imfdff32.exe
3572	Ipdqba32.exe
5724	Icplcpgo.exe
3156	Ibcmom32.exe
6124	Jeaikh32.exe
3852	Jimekgff.exe
5704	Jlkagbej.exe
3728	Jpgmha32.exe
5880	Jcbihpel.exe
4816	Jfaedkdp.exe
1088	Jedeph32.exe
5340	Jioaqfcc.exe
2952	Jlnnmb32.exe
6116	Jpijnqkp.exe
2208	Jbhfjljd.exe
2668	Jfcbjk32.exe
5916	Jianff32.exe
5840	Jmmjgejj.exe
5768	Jplfcpin.exe
3584	Jbjcolha.exe
1568	Jfeopj32.exe
4008	Jidklf32.exe
2156	Jmpgldhg.exe
2608	Jlbgha32.exe
6008	Jcioiood.exe
6048	Jblpek32.exe
3748	Jeklag32.exe
4492	Jmbdbd32.exe
316	Jlednamo.exe
2596	Jcllonma.exe
2624	Kboljk32.exe
2456	Kfjhkjle.exe
3960	Kiidgeki.exe
556	Kmdqgd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Iihkpg32.exe	Ifjodl32.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Kfmepi32.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Mjhmqf32.dll	Himldi32.exe
File opened for modification	C:\Windows\SysWOW64\Hoiafcic.exe	Hkkhqd32.exe
File created	C:\Windows\SysWOW64\Gcbifaej.dll	Jimekgff.exe
File created	C:\Windows\SysWOW64\Jfaedkdp.exe	Jcbihpel.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Lbabgh32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Heapdjlp.exe	Hijooifk.exe
File opened for modification	C:\Windows\SysWOW64\Ibjjhn32.exe	Iiaephpc.exe
File created	C:\Windows\SysWOW64\Nkbjac32.dll	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Jmehcnhg.dll	Ifgbnlmj.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Icifbang.exe	Ipnjab32.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Kpbmco32.exe
File opened for modification	C:\Windows\SysWOW64\Kepelfam.exe	Kfmepi32.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Khchklef.dll	Jcioiood.exe
File created	C:\Windows\SysWOW64\Lnhjmp32.dll	Kboljk32.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ifgbnlmj.exe	Icifbang.exe
File opened for modification	C:\Windows\SysWOW64\Kipkhdeq.exe	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmha32.exe	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Imllie32.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Jblpek32.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Klqcioba.exe
File created	C:\Windows\SysWOW64\Iejcji32.exe	Ifgbnlmj.exe
File created	C:\Windows\SysWOW64\Kiidgeki.exe	Kfjhkjle.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Jioaqfcc.exe	Jedeph32.exe
File opened for modification	C:\Windows\SysWOW64\Jmmjgejj.exe	Jianff32.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7236	8100	WerFault.exe	341

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiaephpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibjjhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iicbehnq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilghlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijooifk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieolehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Himldi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iejcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icplcpgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpgldhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehfdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adecfl32.dll"	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iejcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icnpmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jedeph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ippggbck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiqoc.dll"	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmbha32.dll"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkmacoj.dll"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpocg32.dll"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipnjab32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2632	2068	2025-04-10_66e4c221eb25be4ff006c3d260720737_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 2068 wrote to memory of 2632	2068	2025-04-10_66e4c221eb25be4ff006c3d260720737_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 2068 wrote to memory of 2632	2068	2025-04-10_66e4c221eb25be4ff006c3d260720737_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 2632 wrote to memory of 5204	2632	Hcmgfbhd.exe	87
PID 2632 wrote to memory of 5204	2632	Hcmgfbhd.exe	87
PID 2632 wrote to memory of 5204	2632	Hcmgfbhd.exe	87
PID 5204 wrote to memory of 5432	5204	Hijooifk.exe	88
PID 5204 wrote to memory of 5432	5204	Hijooifk.exe	88
PID 5204 wrote to memory of 5432	5204	Hijooifk.exe	88
PID 5432 wrote to memory of 5952	5432	Heapdjlp.exe	89
PID 5432 wrote to memory of 5952	5432	Heapdjlp.exe	89
PID 5432 wrote to memory of 5952	5432	Heapdjlp.exe	89
PID 5952 wrote to memory of 2408	5952	Himldi32.exe	90
PID 5952 wrote to memory of 2408	5952	Himldi32.exe	90
PID 5952 wrote to memory of 2408	5952	Himldi32.exe	90
PID 2408 wrote to memory of 6128	2408	Hkkhqd32.exe	91
PID 2408 wrote to memory of 6128	2408	Hkkhqd32.exe	91
PID 2408 wrote to memory of 6128	2408	Hkkhqd32.exe	91
PID 6128 wrote to memory of 4108	6128	Hoiafcic.exe	92
PID 6128 wrote to memory of 4108	6128	Hoiafcic.exe	92
PID 6128 wrote to memory of 4108	6128	Hoiafcic.exe	92
PID 4108 wrote to memory of 4032	4108	Hbgmcnhf.exe	94
PID 4108 wrote to memory of 4032	4108	Hbgmcnhf.exe	94
PID 4108 wrote to memory of 4032	4108	Hbgmcnhf.exe	94
PID 4032 wrote to memory of 1452	4032	Iefioj32.exe	95
PID 4032 wrote to memory of 1452	4032	Iefioj32.exe	95
PID 4032 wrote to memory of 1452	4032	Iefioj32.exe	95
PID 1452 wrote to memory of 4980	1452	Iiaephpc.exe	96
PID 1452 wrote to memory of 4980	1452	Iiaephpc.exe	96
PID 1452 wrote to memory of 4980	1452	Iiaephpc.exe	96
PID 4980 wrote to memory of 4604	4980	Ibjjhn32.exe	97
PID 4980 wrote to memory of 4604	4980	Ibjjhn32.exe	97
PID 4980 wrote to memory of 4604	4980	Ibjjhn32.exe	97
PID 4604 wrote to memory of 4576	4604	Iehfdi32.exe	98
PID 4604 wrote to memory of 4576	4604	Iehfdi32.exe	98
PID 4604 wrote to memory of 4576	4604	Iehfdi32.exe	98
PID 4576 wrote to memory of 4760	4576	Iicbehnq.exe	99
PID 4576 wrote to memory of 4760	4576	Iicbehnq.exe	99
PID 4576 wrote to memory of 4760	4576	Iicbehnq.exe	99
PID 4760 wrote to memory of 5800	4760	Ikbnacmd.exe	100
PID 4760 wrote to memory of 5800	4760	Ikbnacmd.exe	100
PID 4760 wrote to memory of 5800	4760	Ikbnacmd.exe	100
PID 5800 wrote to memory of 828	5800	Ipnjab32.exe	101
PID 5800 wrote to memory of 828	5800	Ipnjab32.exe	101
PID 5800 wrote to memory of 828	5800	Ipnjab32.exe	101
PID 828 wrote to memory of 4668	828	Icifbang.exe	102
PID 828 wrote to memory of 4668	828	Icifbang.exe	102
PID 828 wrote to memory of 4668	828	Icifbang.exe	102
PID 4668 wrote to memory of 3312	4668	Ifgbnlmj.exe	103
PID 4668 wrote to memory of 3312	4668	Ifgbnlmj.exe	103
PID 4668 wrote to memory of 3312	4668	Ifgbnlmj.exe	103
PID 3312 wrote to memory of 4028	3312	Iejcji32.exe	104
PID 3312 wrote to memory of 4028	3312	Iejcji32.exe	104
PID 3312 wrote to memory of 4028	3312	Iejcji32.exe	104
PID 4028 wrote to memory of 2612	4028	Imakkfdg.exe	105
PID 4028 wrote to memory of 2612	4028	Imakkfdg.exe	105
PID 4028 wrote to memory of 2612	4028	Imakkfdg.exe	105
PID 2612 wrote to memory of 5068	2612	Ildkgc32.exe	106
PID 2612 wrote to memory of 5068	2612	Ildkgc32.exe	106
PID 2612 wrote to memory of 5068	2612	Ildkgc32.exe	106
PID 5068 wrote to memory of 2296	5068	Ippggbck.exe	107
PID 5068 wrote to memory of 2296	5068	Ippggbck.exe	107
PID 5068 wrote to memory of 2296	5068	Ippggbck.exe	107
PID 2296 wrote to memory of 5284	2296	Ickchq32.exe	108

C:\Users\Admin\AppData\Local\Temp\2025-04-10_66e4c221eb25be4ff006c3d260720737_amadey_elex_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-10_66e4c221eb25be4ff006c3d260720737_amadey_elex_rhadamanthys_smoke-loader.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\Hcmgfbhd.exe
  C:\Windows\system32\Hcmgfbhd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\Hijooifk.exe
    C:\Windows\system32\Hijooifk.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5204
  - - C:\Windows\SysWOW64\Heapdjlp.exe
      C:\Windows\system32\Heapdjlp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5432
    - - C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5952
      - C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6128
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        23⤵
        Executes dropped EXE
        
        PID:5284
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        26⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        29⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        31⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        33⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        41⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        43⤵
        Executes dropped EXE
        
        PID:5340
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        46⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5840
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        52⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        55⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        57⤵
        Executes dropped EXE
        
        PID:6048
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        58⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        61⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        65⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        69⤵
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        71⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        72⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        74⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        76⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        77⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        80⤵
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        83⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        84⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        87⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        89⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4404
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3872
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        97⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2472
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        100⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        102⤵
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        103⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        104⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4196
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        106⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        107⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        108⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        110⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        111⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4064
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        114⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        115⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        116⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        117⤵
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        119⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3120
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        122⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        123⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1548
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        126⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        127⤵
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        128⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        130⤵
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:6264
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        132⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        135⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        137⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        138⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        139⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6656
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        141⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        143⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        148⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        149⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        151⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        153⤵
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        154⤵
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        156⤵
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        157⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        158⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        160⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        161⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        162⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        163⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        164⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6476
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:6528
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3660
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        169⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        170⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        171⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        172⤵
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        173⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        174⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        176⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        177⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        178⤵
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        179⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        180⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        181⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        182⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4748
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        184⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        187⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6492
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6944
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:6816
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        191⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        192⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        193⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        195⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        196⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        197⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        198⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        199⤵
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:6724
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        201⤵
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2316
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        204⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        205⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5052
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        207⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        209⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        210⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        211⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        212⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        213⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        214⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        215⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:7180
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        218⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7268
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        219⤵
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7352
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        221⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        222⤵
        Modifies registry class
        
        PID:7440
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7492
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7532
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        225⤵
        Drops file in System32 directory
        
        PID:7580
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:7624
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:7672
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7708
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7748
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        230⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7788
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        231⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7872
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        233⤵
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        234⤵
        Drops file in System32 directory
        
        PID:7988
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:8036
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8088
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        237⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        238⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        239⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        240⤵
        System Location Discovery: System Language Discovery
        
        PID:7264
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7312
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        242⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        243⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        244⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        245⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7656
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        248⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        249⤵
        Drops file in System32 directory
        
        PID:7864
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        250⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        251⤵
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        252⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8100 -s 416
        253⤵
        Program crash
        
        PID:7236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8100 -ip 8100
1⤵
PID:6252

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
400KB

MD5
98bd1efb8557a89ba178a2b526ba4d69

SHA1
23c369c29468c946483470a8ddd3485d6c938d80

SHA256
e7d2dba571f99dd21392519042dc8c4c666db4d5434d200d7bc4eef2edaa75a9

SHA512
acc34e73b719b78036d5452b5eb76cdc6bda9ce6498b772efaa0e7169c3afedc6ebfe474955e76bc30df0f3b3db3b39de18c7ea514e5aa1fdf3d8cdd931e3b1c

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
400KB

MD5
ba8fc4552d30dfe98b30bb5328b86e1b

SHA1
d552a5c1bbc96c085316137afc0f31a5461d9ed7

SHA256
890b5366eb6e36a6a583d284f8cb5f28f334b45322be90cba011052b17e1f9ce

SHA512
16e3b3b1ce22d592bf0b5543ad726df70832e6c06aa2fa07d91894db71394e536c9515ddf564c8ec783b1d5e8aeab3d09163b70bca4651243a4a61b43abc1b14

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
400KB

MD5
b8cf51c975d8a02dd48c887a7943259b

SHA1
de8b76182a8c79d682740a94a7b04db3b87d6a62

SHA256
469d84f259899bf9adb92701fde2f88b5c562078695ceee035b9335e82367311

SHA512
6f53abf5eac62d2f8f9c3701711262f0933636d5128b6e162be58146a44acf765df5c0b5a75d93187b413767b77de4c0ec4bd5cdb1c42a1d61886e779790044d

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
400KB

MD5
f8750242670e79fe5c91cd70328e9126

SHA1
eb4aaea99f3898064774395a42c47cbaf365abf4

SHA256
d904f022fd7edadc2092cb4be255c81c937fd5a437dfe57eea6cec1ad3ce5055

SHA512
edac40ac34720de3a0af362c4dfd5e86d098203d11fe754ad103217fa345737df0b2c520aeb27550b2e2fdfb9b4151df3e7d00baba6d65a1074864576344886f

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
400KB

MD5
23cc9416c5f6ac124fae25c2f4341a15

SHA1
2aecccf87dd85558dbd33d64c2793a38879cdf9b

SHA256
18fc582c6461ed72e4c0573ac11de580234c40934752e071b25085d0589e19ac

SHA512
1521858e1076f2ca672ee624f7143d95c9815389538c209a889f6fb969800fc851ab498cbadf445891ebb97b2b1913af217277bad8074dd4322d44664d5a4ec8

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
400KB

MD5
204b72b79e9d4d9c754420ae430b5c07

SHA1
9ec228521bddf57e7e4e220583165391fd040248

SHA256
43f121eaddcfbf4cf1a21297fa108de8b3ffadc863b51ebc46ba1d1867c912a4

SHA512
28809de7de6de3bd843471fd02648325b0fcd4003ad38782759ea67df1550c446d6ace9245b00b1e85352b24862f1cf62dde32f453168008eedf44b770c43d48

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
400KB

MD5
714611d2366485b487662d192760ccc8

SHA1
38565d695fe7e929eb22783d3ef92133751c7042

SHA256
603d49d09d01ebf9c450f641e1a52ac114045c4b97ed4ac1c22c281eab939ca6

SHA512
2b2cbf3d4f9db030aa77f919312bfd1df6ffc8ad88bf2ece467278c91fe434054b626e9407a6c311d81ccb19b77ed7a2b78f9ac337756eed27615c07a97da07d

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
400KB

MD5
7e782a8ec6efd57088f8f3c8c1aa92c9

SHA1
b35d3a6d893dbfeaeacce75727cf3c3682fa2a53

SHA256
e6bae4a51d6f3cc26afd5ae2016a7421aef526162684d2a37ee706d1fe7d1f32

SHA512
08b380675c10782000f9f22a95f0cd49ecbf4606ed0d567da8e7758d3263c7ee6c7484fe8d8866529c417b1564c168073fee5c717788b0fde58b44ca133abfc9

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
400KB

MD5
cb1c63c5bcd18e6cda80594e31d96d4f

SHA1
2243e714f74092e4f2b1db6e166d3096f4afcf65

SHA256
5640a4635a53edd391a8f686805faddba5d4fc47ad2b46030d68094af103c8f1

SHA512
7729ecb7be6ef2ebec6a7fa89cb5e16dca55b6cccb21463f3be47045f264ddbd31c0e78bd019a303485b2b367be094449ec2c0b6e0a528fe8bcfc70ab2473f1d

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
400KB

MD5
065d16e45ca3c36d01ac843a4a998aac

SHA1
0315a80a5e48fd9840d11e6e376dd479833f6676

SHA256
2e07f3301b492a7c7c59969022632883b9342216e7b45d0228475cb6993bdcd2

SHA512
63ddfe7c87398e4091c5d35991dfe0873dc7707cdc8c65b513f0277583efe7961bf8e4d0b775a5d79f3bcbf80669a325b657df8009c9bcca03e5291e382bdf1b

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
400KB

MD5
b3ae42a01a3f49db3e5ddbe6c4143e9a

SHA1
f859b7859041d60393cb8b2c3560366340c8b157

SHA256
6132fd25768cff970da1fed159a3bdfb682df752d4f0eac8d89a1c6d5e566ee2

SHA512
52875192fec2177c6d638b9023a751e6dc3f1aeae893dbf4a8d9998d2eced9bbbaa80c638289ab5b337b3a53fac6a2cfcf3fc46dbf172dacaad86df210f41c9c

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
400KB

MD5
e73df8a4bf296614d7152855dc1ad3f9

SHA1
7c45bd2189aa8012a51f3a87db50e15bea161a6e

SHA256
c83af9d69d65be71e1c3e61791d96a62ecd7ea805fe4f40228bd0da1a7381da4

SHA512
42f04a999cba3edbd1d8d147ecc45ed2d8cd45a58db1cc6068cc27a530624de5db4224917777dd4f45fd8ee364e0d2eed952e6b1b39d05349ebd544c7436f601

Download Submit
C:\Windows\SysWOW64\Hoiafcic.exe

Filesize
400KB

MD5
8fe95bba57e7c0bd7e4eaac582eb0003

SHA1
2adf36a0a486390eec5332b5bd65cd8810361658

SHA256
e2b880355e31906b9cfebce86e50dfcdf4f5225f5643a982e375eb47b4287924

SHA512
c88fcba47aa29f2e55549773e18629a12acd42dbad25707804ea402635806f8b8adcb24e190cfd4c57f69f4e29f68d494453f45201f76a1ef92295e38434ad05

Download Submit
C:\Windows\SysWOW64\Ibjjhn32.exe

Filesize
400KB

MD5
5a5e79481e892997b46dee16015e2589

SHA1
b220e6c3a5e48f8e836fa3a7ba13bbe6378fb8d9

SHA256
1050bc7f17b03708dbde0902d0d9748550b5de37008864421935f5afb1006836

SHA512
efdcef3f5aa304a292ed648fcef82582898619b155f8d53aa41005420ce679a8b5d368f7bb68c389441cda21ab2c94e7f0b74410e2b35b7e6fb16b9c2550d055

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
400KB

MD5
839f942df1251835c7bf5e2e57c59e67

SHA1
63e10cec07ed8b0104eb0dc4148cbe10b0f027c3

SHA256
38f2550f202f4dff3c75355998e917ced9eb1cd10c1d7cac4abc556b23cc29ce

SHA512
a4e9d08a82ae8b97a10a2bbcb546dfdd6650e34ca134b30880ddc8552c607bcb8c0a66d820a2e51ff67174a18fdb5f9b768ba4f9f7e97e42eab9bb7cedbd48a1

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
400KB

MD5
7b06273d525e754ff75b4398e23ced86

SHA1
f7cb51f7662a667319223ef3254061007e7dbffa

SHA256
66cc4d07f3b5b3a1781b23b76846edfb4a8aceaf04b894732f7bd205bd946ff7

SHA512
1d6b5843668b79ec14e08f1861dea1bfbbf8ffb0fcfd5eb051b9e83706a0dd9cbe98ecd417feb756be6694493428a896a7d5d858b5986eaa0b23f3b222d71e58

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
400KB

MD5
6f70826564580b11917f8a222da2a22c

SHA1
641976f18af962cba94c16a17f3949a36713cba1

SHA256
cad757715088facee90d475dbd6fa5368375c1dceabf2af67be2de03640d7411

SHA512
407b317cc8eb339fdb80e09b66f342fe0644739b9f9fdda16ae95e8eab902d8bb493f3c9c57a72f945c5742668282e17f6fc8a70dfa4eb0dc870193f66c1b942

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
400KB

MD5
565414ad2e1c0e0095f2e33e1f34b5f9

SHA1
dc4f59cd4c12afea915343c4eab6fca3eeb1ae79

SHA256
8611328d7e27fb0512e8b524a8b5c39a3d897b133abd6dce11c5c02e79ab5d74

SHA512
01b3b47e5c468f6463a2184c3486b120dda4d56f7a2841424eeed3ed621184397f943fc8a42b6a2a696ddb83bc49c6067cec9117c0fb40dc635590318f97a07a

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
400KB

MD5
c3427cf8542e0419e0768828716eecdc

SHA1
fdceb35fedf362c8c5d9a32b038d1d2031d9a0e3

SHA256
51f5999024c9793e23d12797aafaa598b2f3b1b4afb8ad11eb20a0929819e0e3

SHA512
361dafd0cb64e4401ff0405dc7d734dbb22c6e5b9f6f796877fcd98c7df088a7f0868bf2d4b6154322c991d48fd35b14eccc121328716a4236d6c6b472589430

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
400KB

MD5
87438592511c4558ef8f4eff49caedbd

SHA1
f7b9ad81d1e018910ee5cc77d9118a1d639d6962

SHA256
42c13d83822b360ad23b1b7ba5d9f048d259d6f3b09f5f37831704de632c8d21

SHA512
bd22fd991e7d6a8a8afa0f4c8029a43433dbde75d3f55cfd68fa0808c699f5d28a6480effdd3e566399d3b042729529d9333efdabf8f795b8829bbfdf4a9d222

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
400KB

MD5
46db97923e662789959ef5c39e1e14c9

SHA1
d9360b457535fd2c2ecd9cca09acab47fcf672d7

SHA256
307561be956d6229f2a29dabd52cfe9a6c8bca470b8e0bd3c8d44e75904c1d81

SHA512
1c02810f75a9699d8153c95662f50edf76b0ea2b93cbcd2c8a5e5ce2023a88cb55be81e808642c45ff40119e4fe5b0705a94f6efee3e05acca247ea94f28f64f

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
400KB

MD5
4ea6234f74d93d8ebb4bc225b20c6a8f

SHA1
153d334bcfea2ade8317c4859acadf0bd65395db

SHA256
68f77453c12e7aea110a35327f412ed2eac5200ae819a4c8b68fcca64a2a04a5

SHA512
665e45638e198cd26651bfb0d2779d0672c39c3241f36197e74eecd195453b663a47dc1a7b73813486f1e55436159f684d125d2dedb8069f1605791aef2a6699

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
400KB

MD5
9316106c8cde4ed84a64e2b2f90857a9

SHA1
a02991a80a712d8bb16cd347f67a8d8b6447e213

SHA256
c32e1c4002d3b32c000df7fbb76849bbc9b385d6bd690f6ac816bebea0326d37

SHA512
43975c50b19f3a7396c8c0a6ec6c4e7761819912692ae847bbd34ffa9ddbab46b5f7b18be255fcd4b44b9d22100ffd86fbf9b13c56e6397fed6e3a93d66b868d

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
400KB

MD5
8a4b8132ff81cfa13522c8a9121fcc4c

SHA1
9bb292d1c48c0a228ea3b1c831a0a71bdc37a319

SHA256
cab5cf3995232dbe369e76e4ba111487c39204247a79211f40443f0cb32dfa38

SHA512
ded110828da8741c5d0b82fbeef2f58ee0fdffb6b8aefa44cdb967772ce7a3b05a665b7ecc07729f1b94ed897051e80c36744276d5c9323373e31ec8f296653d

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
400KB

MD5
394371132385512fc0d4f3968159133c

SHA1
4605cbc66b17226b3d12bcb51fc5351d29cdb1f1

SHA256
e2e735341cde5bfc699d873453a9381b89d206ffef935db48fc6914bdc48a923

SHA512
f9dfa1841ba25e92bf7082af276838967bacdc5130234dfe36e3de1f61ba383e4560afa53713d2bb73c418ea422363102c1d7c932c2c7d05928b39a583bad48c

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
400KB

MD5
f3b81cfdba2afa3ac5b7154915b28aec

SHA1
06f3b5ac633c275428d16caec7f01949b1fcca42

SHA256
2063672d8bffda8083c3bfc81eb6e955b8bf1b73f6eab66781f8167bba5663ae

SHA512
1cc12098a5690e665ce075b5e043dd3b492c84f557b0e0051b402612ce51b9565fb113d5de24b4dd34d67bb09dfca98e0a33b8327aaa7b85a088bbd0e9c94f16

Download Submit
C:\Windows\SysWOW64\Iicbehnq.exe

Filesize
400KB

MD5
a6ab9477bbef8f0fe4a3c7b2ef29beaa

SHA1
5d620424ae78a6b6932af5485ae839ffb16c0b8b

SHA256
1d9bce9396f4cf85f386ecd0340d6fdb63e0db948ef6c1d92b5294ac7770702f

SHA512
19f84ca178b7804c57872b352f76edee1115ed5a6e478c4a3554c2020b308666bf8f9e1f8a3d74824e46eb9d89d88b5e6627f85cca9339f795bb6ac31b3c720a

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
400KB

MD5
6ff438ec91d9dadcdaf7c1076eb303d8

SHA1
a3afb61c51f11407fbdc4f8dc360ec3004c434c5

SHA256
b07c07b8fed25e451c076665fb557d536635185a2378e58988aad4e270aff343

SHA512
9b19114572bbe80cf5884e6bfc4cf16a707d649e079d3578f8dd14a336ef8722539ac5981c106f3b7d50cf153a7b237bfd94beac0a909d4c49d689030836f39c

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
400KB

MD5
c372dae96dab9618cb3cab515b4746f5

SHA1
4ff90f180c559920cf4bb8c02e5a6c6ed6c5c8ed

SHA256
5e1f3d08ccbd521d9116d6c493b7bd1407e10acad2e48614d60fc64908afbd7f

SHA512
a5e61a5a92d30cf65db5d9ca8bd0c610dd252761076252d5cc4b2190d721bc1e436acdd2e2be306f26e4ba29ca2f613c9233d5ed5e961d22ed02d4c7007fb2e1

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
400KB

MD5
34cdd0ffa03f3919c6ce0ecf922d2b2d

SHA1
66d4d95e794405b8bdbc98ccaf3efb8595ca6bf7

SHA256
0c34af1690f30f71b8d2f6bcb04fda1de95ada8d98a4db1588a368132aa77e13

SHA512
2d337225af4215b78dab252f39e6a978f8e264eafc507c5aea7aca13762060448ff81e31fe661933b58bb2938d3abb8c7a2e96b4d5f29021beb35a62d44eef8c

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
400KB

MD5
88c3b199fbd88182e8f1b50bfb0669ce

SHA1
63cec3e49b1f654d9f414615b2b538665ab0fd03

SHA256
e25022f14458e7ad92cdb37dafcdb199a2a656c831949342bbe084c6e0f89df6

SHA512
a689af68a65244d8851b44970ea60b85fc198a9d799f361a1fd0e079b63a8e626a3387c66aabca57d95ce5fd3e7535bbc9cc8415eeaf3e490b32529fbc0310ab

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
400KB

MD5
e0b0b0a4e0bf647814fd285a37ccd5b8

SHA1
6e1295ef9cf0d0dc087cf5837ca777baad6c2365

SHA256
076c433d0ef2c53166abd533238d5d105e8e9c2119c8a9cd75290b767050f2f4

SHA512
0f22a2585f101b72ce0469fa3a00f3d300ab22443eb95a944cfbd0953add4ed9bd74b15c50f980d5cf0da55100d69c1c1595090d8ee354b39cc8d3aaac369d99

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
400KB

MD5
5779ae77b353d66430772d8d0dfd2477

SHA1
c6b6c8ace69d9fb3ba4a971c7a74cdb4a8fbb53c

SHA256
c9df24179736774857b1a6872a65864492dce4431235ff9abbedc4721714034c

SHA512
9ebb44f1e41d1f1c92881afffbd148ae1431ca051d21b67f4e8ec86eac7fad4f57b8f87032c4fbcfe3c230b6ad995d919520bde1d18d6d8a22783e60784a4b2a

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
400KB

MD5
671cd6ce63c8a9b826ce1174ec0b3007

SHA1
764f905f30997b8bc287628d8952c282db81ca2a

SHA256
fedf6242cccddf6f91dd51af8780e9f6cac5ab0366cf6d2b109001e9f1719ab3

SHA512
fc2f834810e03646c366117151e8fd2172ebda5672faa6963c33333191e05f6a22b3a0dd8616489ec31d665f573bee26889ec42ad4c14cc1405742cfd91b3f33

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
400KB

MD5
b046aa0e7dbc0b90fd7c9a4e05e32fbf

SHA1
d0d8a0f7406db54d5567563f751130fed0178bfe

SHA256
a7a46f60c660ff5ae67ee65e827548c30f95ae5940f1832383e810455da87367

SHA512
8f3e83b0f9f9e2d89cd11957a87efb0438b52778980e0ac3f564876a831e9fa0bb18204e08a84e19aa2270831fcd55528dbb111186886990a765cafb91e2120a

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
400KB

MD5
0c639831a629b54a5f87edc928454904

SHA1
5b64afe6e16a0084b172b7d4cad4efa206088dc2

SHA256
f49689b35bec50e4c92ac0513961e89c72c1e0ad483e2c93e83547d8bb386f43

SHA512
3111c9be411849c448b4a9b1157576c44be20a970bf5788709a5b278a6dbf36aef94ffe28c610094f65dfd7fd272a42f5aec775e14cebce2899af4a40f3aaf75

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
400KB

MD5
a214f994b75ed922af1187137e1a9a4b

SHA1
089900eb4086a02389841ad3dab6bdbb40e7d362

SHA256
59d92ed0293bcd9612b0f889603168b2f6998e564de67b6ef969a98fa742b555

SHA512
108ca5e29bdeab9311d87cd385597f0a1aff1da25a0b9fd5c4038f9c0f231a40449a14fbb338d65b958b85029dfb8c8fcdec74f078ee2a9a2abdf72e06a10864

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
400KB

MD5
19079de581353360a0ef59751b3460e5

SHA1
ac66ff9f5bd5a6b82e5fef7b584729a9d7010b2d

SHA256
57b1c047457fe368abe4164292878f16e66df67004e59a0ec38402b80daf2f74

SHA512
9426f7b450303fe8420be93d621ac40e20f463983a65901461e2ed1dbde58eb2f14bb0b3fa08bcf0534948fbc7c8d7334b325928f82cc3d0b6a34d056a1d09b1

Download Submit
C:\Windows\SysWOW64\Mjhmqf32.dll

Filesize
7KB

MD5
27479c105c6f3d26ebc46a5394d7e33a

SHA1
f0a3f4231d837439b91d1de89418b63f9e94af2e

SHA256
c76e739abd71e670d3e4121c140480fec036bcd6bbfda23fe9cf23baae403b93

SHA512
815a3f5932c8e8b5936fd02ed94e8fce8ba77888cf2678aa86d26b1e2eed55a931180487ecfefee6ead961ef4e477acc8faf3f96fb8f02c37e6af4b3874a7d5d

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
400KB

MD5
98a6091a9863cfc29d3316e91bdaab85

SHA1
c61126b62af809c48544a6367cb85625ba376736

SHA256
114339829a2c26b4b7ff8484854b17b652189d126794bd9af230efea562068cf

SHA512
36e2fd37fa6859451c7e565a00ed64ab849d8dfe09e24ac4a6c4e4ecf9dc68772ca2c47aebd67371f150981dcc5c180696e76266a1fe6603acf85b6a560d3f6e

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
400KB

MD5
fd5d530dc7eb9adbf3aed0803f9b4255

SHA1
99dd36dc734d9823b1ea5a0567682a4a679ce2d3

SHA256
32e9f05d10d58f6eb1531d91dbc9c69b3decee03abfd2c4c336c3018d09cf3f0

SHA512
0c603f1252038e254f8f2ba87ac6ad38e778c10172ee8b5f2fe9198d5e56556f88ef39b1d174b7ccbe81d28bced501976561edb54150a2ad62fcb997dafa5d42

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
400KB

MD5
f3b082b80d4c868e02c62915b9e8ba38

SHA1
1230caa04cc5dfe703fd3a452734c5e5534aa04f

SHA256
401850db26e8da05655895b24e685ff59cbba9d1251f70783345c6a2cf61c14d

SHA512
f9563c28140a210e419e2ee3d46ffd686ef97fb4ef249dde2e15187dc73ad1c87aa4d494de79d8c81391f93a8e67fd8ab683852b35cd77c6bfd1a11bde6d49a5

Download Submit
memory/316-417-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/656-534-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/804-469-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/828-124-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/828-636-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/848-202-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/856-211-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1088-310-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1452-76-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1452-597-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1568-370-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1628-555-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2068-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2068-540-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2156-381-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2208-333-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2280-234-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2296-172-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2316-1702-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2320-186-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2336-1906-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2364-194-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2392-481-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2408-39-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2408-573-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2456-435-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2472-654-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2596-423-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2608-388-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2612-155-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2624-429-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2632-546-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2632-7-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2648-475-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2668-339-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2692-541-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2876-522-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2952-322-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2952-2020-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3040-451-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3312-140-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3312-646-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3392-528-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3464-487-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3496-251-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3520-242-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3572-258-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3584-364-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3660-1772-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3728-293-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3748-406-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3784-630-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3852-281-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3872-611-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4008-376-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4028-653-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4032-67-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4032-591-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4064-1884-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4108-56-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4108-586-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4192-493-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4352-516-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4416-227-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4540-218-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4576-101-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4576-616-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4604-609-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4604-92-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4668-133-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4760-108-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4760-623-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4816-304-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4836-463-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4840-504-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4980-604-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4980-84-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4996-457-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5068-163-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5068-2067-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5192-548-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5204-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5204-553-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5276-580-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5340-317-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5432-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5432-561-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5580-510-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5704-288-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5724-265-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5768-357-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5772-1932-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5800-117-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5800-628-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5840-351-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5916-346-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5952-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5952-566-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6008-394-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6048-400-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6124-275-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6128-48-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6128-578-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6568-1832-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6780-1768-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6932-1762-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads