berbew | 86f2d7930f47a8a607a93da799b173aa3dfd34f8d61a40916e937e45d3c9bcc4

Analysis

max time kernel
105s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-10_da18a26759ba8756886abf05193e7e00_amadey_elex_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

da18a26759ba8756886abf05193e7e00
SHA1

ef0b29f650fd828398f07b904e6069db15515b68
SHA256

86f2d7930f47a8a607a93da799b173aa3dfd34f8d61a40916e937e45d3c9bcc4
SHA512

030aa1285309dbe9dffb44a302a70daa57606c49d04a6b3d5db7e08e92cf60e755d2a1bb471ba17dd3ae3d9599532c40c56a18322c08f0670a2e86286251f7a4
SSDEEP

12288:Jf7W942o8wE39uW8wESByvNv54B9f01Zm:R7j2o8wDW8wQvr4B9f01Zm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3672	Leihbeib.exe
1604	Llcpoo32.exe
5748	Lpqiemge.exe
5272	Lenamdem.exe
3944	Lgmngglp.exe
3320	Lepncd32.exe
2172	Lmgfda32.exe
316	Lpebpm32.exe
4704	Medgncoe.exe
4516	Mdehlk32.exe
4672	Mibpda32.exe
4364	Mgfqmfde.exe
5380	Miemjaci.exe
4916	Mmpijp32.exe
4924	Mpoefk32.exe
4896	Miifeq32.exe
3620	Ndokbi32.exe
4888	Nilcjp32.exe
2628	Nljofl32.exe
4256	Npfkgjdn.exe
4308	Ncfdie32.exe
744	Nnlhfn32.exe
2044	Ngdmod32.exe
5496	Nggjdc32.exe
3500	Odkjng32.exe
6004	Ocnjidkf.exe
6056	Olfobjbg.exe
1716	Ogkcpbam.exe
3992	Ojjolnaq.exe
1636	Ocbddc32.exe
2968	Ognpebpj.exe
3964	Ojoign32.exe
1640	Ogbipa32.exe
2240	Ojaelm32.exe
384	Pmoahijl.exe
5248	Pgefeajb.exe
1192	Pjcbbmif.exe
1500	Pqmjog32.exe
6000	Pggbkagp.exe
5924	Pnakhkol.exe
1928	Pdkcde32.exe
2196	Pgioqq32.exe
5084	Pncgmkmj.exe
5416	Pdmpje32.exe
4980	Pfolbmje.exe
5396	Pjjhbl32.exe
1548	Pmidog32.exe
1524	Pcbmka32.exe
4356	Pfaigm32.exe
592	Qqfmde32.exe
2468	Qgqeappe.exe
2116	Qjoankoi.exe
640	Qmmnjfnl.exe
904	Qddfkd32.exe
5252	Ajanck32.exe
3064	Ampkof32.exe
5552	Adgbpc32.exe
4588	Ageolo32.exe
5532	Ajckij32.exe
4832	Ambgef32.exe
4960	Agglboim.exe
4856	Afjlnk32.exe
4860	Acnlgp32.exe
5692	Aeniabfd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mibpda32.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mmpijp32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	2025-04-10_da18a26759ba8756886abf05193e7e00_amadey_elex_rhadamanthys_smoke-loader.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Miemjaci.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	5920	WerFault.exe	202

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	2025-04-10_da18a26759ba8756886abf05193e7e00_amadey_elex_rhadamanthys_smoke-loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 3672	2660	2025-04-10_da18a26759ba8756886abf05193e7e00_amadey_elex_rhadamanthys_smoke-loader.exe	87
PID 2660 wrote to memory of 3672	2660	2025-04-10_da18a26759ba8756886abf05193e7e00_amadey_elex_rhadamanthys_smoke-loader.exe	87
PID 2660 wrote to memory of 3672	2660	2025-04-10_da18a26759ba8756886abf05193e7e00_amadey_elex_rhadamanthys_smoke-loader.exe	87
PID 3672 wrote to memory of 1604	3672	Leihbeib.exe	88
PID 3672 wrote to memory of 1604	3672	Leihbeib.exe	88
PID 3672 wrote to memory of 1604	3672	Leihbeib.exe	88
PID 1604 wrote to memory of 5748	1604	Llcpoo32.exe	89
PID 1604 wrote to memory of 5748	1604	Llcpoo32.exe	89
PID 1604 wrote to memory of 5748	1604	Llcpoo32.exe	89
PID 5748 wrote to memory of 5272	5748	Lpqiemge.exe	90
PID 5748 wrote to memory of 5272	5748	Lpqiemge.exe	90
PID 5748 wrote to memory of 5272	5748	Lpqiemge.exe	90
PID 5272 wrote to memory of 3944	5272	Lenamdem.exe	92
PID 5272 wrote to memory of 3944	5272	Lenamdem.exe	92
PID 5272 wrote to memory of 3944	5272	Lenamdem.exe	92
PID 3944 wrote to memory of 3320	3944	Lgmngglp.exe	93
PID 3944 wrote to memory of 3320	3944	Lgmngglp.exe	93
PID 3944 wrote to memory of 3320	3944	Lgmngglp.exe	93
PID 3320 wrote to memory of 2172	3320	Lepncd32.exe	94
PID 3320 wrote to memory of 2172	3320	Lepncd32.exe	94
PID 3320 wrote to memory of 2172	3320	Lepncd32.exe	94
PID 2172 wrote to memory of 316	2172	Lmgfda32.exe	96
PID 2172 wrote to memory of 316	2172	Lmgfda32.exe	96
PID 2172 wrote to memory of 316	2172	Lmgfda32.exe	96
PID 316 wrote to memory of 4704	316	Lpebpm32.exe	97
PID 316 wrote to memory of 4704	316	Lpebpm32.exe	97
PID 316 wrote to memory of 4704	316	Lpebpm32.exe	97
PID 4704 wrote to memory of 4516	4704	Medgncoe.exe	98
PID 4704 wrote to memory of 4516	4704	Medgncoe.exe	98
PID 4704 wrote to memory of 4516	4704	Medgncoe.exe	98
PID 4516 wrote to memory of 4672	4516	Mdehlk32.exe	100
PID 4516 wrote to memory of 4672	4516	Mdehlk32.exe	100
PID 4516 wrote to memory of 4672	4516	Mdehlk32.exe	100
PID 4672 wrote to memory of 4364	4672	Mibpda32.exe	101
PID 4672 wrote to memory of 4364	4672	Mibpda32.exe	101
PID 4672 wrote to memory of 4364	4672	Mibpda32.exe	101
PID 4364 wrote to memory of 5380	4364	Mgfqmfde.exe	102
PID 4364 wrote to memory of 5380	4364	Mgfqmfde.exe	102
PID 4364 wrote to memory of 5380	4364	Mgfqmfde.exe	102
PID 5380 wrote to memory of 4916	5380	Miemjaci.exe	103
PID 5380 wrote to memory of 4916	5380	Miemjaci.exe	103
PID 5380 wrote to memory of 4916	5380	Miemjaci.exe	103
PID 4916 wrote to memory of 4924	4916	Mmpijp32.exe	104
PID 4916 wrote to memory of 4924	4916	Mmpijp32.exe	104
PID 4916 wrote to memory of 4924	4916	Mmpijp32.exe	104
PID 4924 wrote to memory of 4896	4924	Mpoefk32.exe	105
PID 4924 wrote to memory of 4896	4924	Mpoefk32.exe	105
PID 4924 wrote to memory of 4896	4924	Mpoefk32.exe	105
PID 4896 wrote to memory of 3620	4896	Miifeq32.exe	106
PID 4896 wrote to memory of 3620	4896	Miifeq32.exe	106
PID 4896 wrote to memory of 3620	4896	Miifeq32.exe	106
PID 3620 wrote to memory of 4888	3620	Ndokbi32.exe	107
PID 3620 wrote to memory of 4888	3620	Ndokbi32.exe	107
PID 3620 wrote to memory of 4888	3620	Ndokbi32.exe	107
PID 4888 wrote to memory of 2628	4888	Nilcjp32.exe	108
PID 4888 wrote to memory of 2628	4888	Nilcjp32.exe	108
PID 4888 wrote to memory of 2628	4888	Nilcjp32.exe	108
PID 2628 wrote to memory of 4256	2628	Nljofl32.exe	109
PID 2628 wrote to memory of 4256	2628	Nljofl32.exe	109
PID 2628 wrote to memory of 4256	2628	Nljofl32.exe	109
PID 4256 wrote to memory of 4308	4256	Npfkgjdn.exe	110
PID 4256 wrote to memory of 4308	4256	Npfkgjdn.exe	110
PID 4256 wrote to memory of 4308	4256	Npfkgjdn.exe	110
PID 4308 wrote to memory of 744	4308	Ncfdie32.exe	111

C:\Users\Admin\AppData\Local\Temp\2025-04-10_da18a26759ba8756886abf05193e7e00_amadey_elex_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-10_da18a26759ba8756886abf05193e7e00_amadey_elex_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\Leihbeib.exe
  C:\Windows\system32\Leihbeib.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SysWOW64\Llcpoo32.exe
    C:\Windows\system32\Llcpoo32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\Lpqiemge.exe
      C:\Windows\system32\Lpqiemge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5748
    - - C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5272
      - C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5380
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5496
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        70⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2200
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        74⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2364
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        106⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        109⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 408
        110⤵
        Program crash
        
        PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5920 -ip 5920
1⤵
PID:5520

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
400KB

MD5
b40de81b8ef72ca0482b602e14b29ef5

SHA1
2d70b01d1ec983c2233ea85c0910f32e9e752171

SHA256
64708351bb6712cf2ab33c3e2cda117cda6c52662ba2bf8cee222f51e4fa4f24

SHA512
d93d3f10792d69cea2d2f1a936a38984ff3a6bbd72cafd2396a3f57e4804a65a160d13eb241e1e6a70caec92872edebe35fb4b5e30424127ad88131476dd4147

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
400KB

MD5
01a50ee7e2178a96dc4eada663b54d3c

SHA1
aa7f0a82dcc1decf3aebbe4a0eec56d8dc05feb2

SHA256
c3ae7af2b0812691e571d6f9668387127d7b541aa21607a1d2673cdb2249b14c

SHA512
28c2139c1a2136998d3d3dbfc5ab325dbe154860a7ec48f18cefd9308490fac969d158bb17560901fab8f0dd19b17b6bdc4eaca4f2cf5aada8c95aab0c466e56

Download Submit
C:\Windows\SysWOW64\Fplmmdoj.dll

Filesize
7KB

MD5
e764745795e1792e217f23968ecb1734

SHA1
994a1cb07c62f1cca5ff5fbadcf1c5a91854b5a5

SHA256
9629fe70b11739190b754b5da6ede5a0bbe28fb0fce7c4b89ff2f987d7981765

SHA512
94eb1ccf2dbdbdd31f42a767e83908912e43ca3e566466a3913eac7da617336dd2f99b8b61a71b74bfb2b0e236e85b4c38565bc1ca88bdf59f6202abfb355ee0

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
400KB

MD5
49328e7292782e1daa76027a7f0b56fe

SHA1
1d0f41500f46ad80696f08f4bcf8c6eb6d6c8ad6

SHA256
be503009ba9ee2e754a45209264106b51485e44866af0d11a10a56ef878522eb

SHA512
365daab4bf1de37d143f88aeb7dd379fd27497fd384a9a411719cbb9e851d8b56de2887385e65e7933afb8dc94c7c39d3fe0dcd0b64690e5a1a2136f6c327ac5

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
400KB

MD5
19baa45a7549ef088f7984e7870f466c

SHA1
92c20db1fbac7061ba15dfe83409d809de4984b5

SHA256
1b66fdada9f59760387634b59c16b69a61afa6704b0de887feb5fe791277b9b7

SHA512
5b50e953dff8ea896380c2e8e140f9c49dc9e9bbee841144e15dfb6a8e54d9568ca0313079b0c87385cd572379858465be814bd64fa5816a2f5b738a92d4a64a

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
400KB

MD5
24228c948e921a4e7ab01a1bfa4d403f

SHA1
4bde99ed79ed14dba3ec452f8200b9e3727d59df

SHA256
f25d9e15626c0de1376fbbc899e4739b078d653bc085bb936c44a131ad54b265

SHA512
3ceadec8b4559f63058ee880ebfef5d94ef96b7a8c4629d7fbf2bf7b630f5a83287ae151c9ac11f5473fb1701ffdd1ce2193620868516c6464ace6476c7dbdfa

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
400KB

MD5
77440fe2104cc9b84e6cddb821be05ef

SHA1
ffc81b0e3dbff33e7ac60cb389939c786e57145a

SHA256
2b4a6c354127a4eae601975ad34d5d8fe68345bbcb0ccd8595599f57cf5893c5

SHA512
b617d91708797c82703b5462345bfef43709e641c3f55fa255ac1e01719d399acdf23afc97eef167b44a54d9d90d542cb9fdcecd32486315d307fd0b35c8734f

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
400KB

MD5
e50d7ab26e2e4b9f107007e1f54e5db4

SHA1
6f4fe7a755428121d363e4e8ac0d521671ea0624

SHA256
7874873a6233cf745e23504f86deac5b78f68aafd253174ea16278f2e3ea1791

SHA512
b04284e24b10b6aa167f9f89a17cadd26452f7f3cdff911bdbb6d1da3aad73ed2c6ce56e5f92056a97472be12473d7c87d0013062324e0c3f2ca721f83f05c04

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
400KB

MD5
c94944848d740b8929d6387f154e4a46

SHA1
9427343659639c82b306b3956ea21fd4d0ce403e

SHA256
25217178de8054c577d26eba40c0f09d47aa9cb28bf797123a68de3523aecda8

SHA512
dec1ce23b78162668af15e4ba3e12aad1585e16255f2a9281266896c1db5c6e077be15e3428d9100549603b89824ae08f49ffd3ca92bc28a95784195dd63ce7b

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
400KB

MD5
6d8f94139dc47f0717c4410a93a02eae

SHA1
d6c524d6f176e452868dba73364fc428ec6ef04f

SHA256
961f595e22ec1f68c263e46da077738cda45e0a6342329746a4b7c57bfb17709

SHA512
205a685c0004a60afeb22d604274f72583839d9d75c20f7c034316b66efea1dbfd3c5906a6362457e171fe2ff20cd4263e7e3c83610f83ceace9c6a04b5ce71f

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
400KB

MD5
ba925605a9f2e08afd8ca188ed9e4ef6

SHA1
175a51b4937f623e24e3a25889f342e8cba0d058

SHA256
5d5c5ee1de5fa662693657e2f96eca99ad88b3b50f735bafae93755ffd3e710a

SHA512
3647db04496703a9f1f283344ef1ba153b02a4dcf831fbded58ecb6543ef3070b5f2aa313d9ea6b111922c20c39f06ecc38f9b13ba85e845d777fe25bc741b9d

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
400KB

MD5
41769514f78785623e95d59809a56610

SHA1
fdba0728e2260cbd0aa1790c39bae57bc90e4bcb

SHA256
a6870ebbe7ee02c1a6c08ea0501f64241ace99eb884134a720f5c462a1db817a

SHA512
59cbe64cc1515955749291c8222a9d3d6d3862c44f952a16a822301ccf8c1ca4824769efcde75da538c5d4f792011bc1e0550d6fd2741cd2c565d9622a2feb65

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
400KB

MD5
ef574c652086b7e84f17f188a61184c9

SHA1
15b3851677305664ad6ca55fbb6d90b4a6e4adc4

SHA256
a0b9f8ad26cf9d15af5193becf0c143514fce78a8bf00feeb8476833f2030b31

SHA512
8d00d45f06ac9a4f9d0cd5c293f3de4be393eb22135f2fc19cd330c3eeaa7606cd51419f5ba83992cd5351c38010ddb840d95857b14f0736dfc66c766852fc7c

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
400KB

MD5
33a2cf8da4208f0e89c6461f685ff97b

SHA1
59924d1bbba9ee0c773ae012b4df6f0d4b4ff898

SHA256
a723144bbe2f9680193839d255e63b907baa62d2dd5b54d83dadf72a15306f93

SHA512
e7483d0631ea019988af38dd846a3b82bc15a4e93ac677f8d03c16c61c21ff771f187fb25cf64e4120d0fab127a40693593c9af923175d4d2da6c8cc20669d22

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
400KB

MD5
9973ad1185192ab548586866038adaca

SHA1
f398bc101973ec58491d7379df187661f4446e8b

SHA256
c426c3ae5582240c500f1c1b6c358a1b30ad050fc2e5acc16deeb3c8ede99225

SHA512
011866322f6b3b6f9fd3602dfd246b7f36899c639aaf26d9a43114298dc6f5ea30ff4ab5b9d86c869fc6cc9ef36671258c0799a6adb5752b28ebad1553b481d5

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
400KB

MD5
318cf809fd5807038fa1ef70f20d48a7

SHA1
cc307ce904ccf414aa8c3982dbe7b88fc9efa5c7

SHA256
a8968cc23d882e27fde6c33eed4f9637480d6ee6618ab75caf3372c6cf8e6b3a

SHA512
19382053b0abe564bb0cb8dc1c0a3df8b2173289ae3b6affb7ef4dbd051fe3fb83ff3101a61e11bb2d93f66851f38e74cad57b48b4059283e086dd2798479956

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
400KB

MD5
f1e45ebd0e99cb7d32f760b0b4abdc66

SHA1
931df02c2831180e70e45d59eb8cbf2792f248ed

SHA256
a92eb7f76be401660841d512990aef494e8f50887b331efeed7e2fd740f1ca63

SHA512
51e7404e48b02f5f89b4c022dbc296d86c8c6a7c4ca9762138cbcf121afbfe011a4d988fd5d403caa6266bc38385b3cebb86b8f938e2d19fea17608e6c060b34

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
400KB

MD5
f41c1b9661ae7207052f9704de594d5a

SHA1
cf9d9052c44e4e5f298d94aec10b0093a9fb0cbe

SHA256
7261571ffed07d096795574fae330ec4ae560290df3dc3d80174ddc4448c14c4

SHA512
55ddffa203e8d8a0203731573f451f0002946e966bef514ea35e1762122b62431d5cd41a12d91ffc03afcc45df6c6a4e22b83f1e24eda7724bb33818b0dcfd18

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
400KB

MD5
533a653c89e73f5da15d05b3cce5d624

SHA1
c546a2fbf6132c8555509ba3bf8f14c867cbe5d8

SHA256
a13419115fb22e884ef5404cc8d7fa27d4c36e439dbf45d455fc114da4b416b3

SHA512
7ebdc8c43891d513c268371fe8127ff40173b305e3f6f2810ed1cd7ecfa5362be205e2786ef7605c42affc93d1036659d95eaa79bb03b0510b391632efdd0289

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
400KB

MD5
b0f13e22190bae9eddfeca76435d0c67

SHA1
0ae60c7de785a7b5eb336b0930e122b7109c508f

SHA256
792c8ac9c76c183d09028c2e710157a086fce9c396a7757adb74f727998e5f15

SHA512
2a4c8a3bef898da1c1be1211ac1e6d33174b6c6854806f458935e17b5a816f9ee3acccd213dae6992fbdf8330b19d83fe4234d896ecc43a1e333134e68161cee

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
400KB

MD5
3d2d6518fd84c2002e7912c68fe1b456

SHA1
c3f3acfc07aca18a548c419230e213716ad922c0

SHA256
2003a6715c758e59785979f7516a3e10538430d47c362bd6d2a5c7a480d7368d

SHA512
1eda9d14add4d80c008afeb256e50c1e37d48573dde43dba9d4746a1de869bd3ff5c62fffec678f2c6a72af619332aa19f47bfde7f732ebfbccfc6d1d64d7543

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
400KB

MD5
c7f0c57f67251de0373b663704bc9c7e

SHA1
2b9000a93579671c67651c10fffb10cac15698d1

SHA256
fd86f5bf3880860c0bf3fe3ebd8d6766322f8ebd1111977729d73f904552d6be

SHA512
e5481941b66752bdb0cb69a60be3d12d19aa983068ae6e012a3dd1219b69b5510dc70ed036fe06b3873b35c60e5a540dcfbcad8ec194421eb76480b40a03d798

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
400KB

MD5
eefd4d5f305179efc5911f1bfe653c11

SHA1
b46375f28291ccbbc2d992ac2bbe9f36ef0ffcb2

SHA256
17e7e7d508d06938ad5e54bddb11d97100dc41ceb558030e7138de4f86cb1cec

SHA512
37915778653adad7259b3e0d82a87a8ed85f2d5d2c8cf46ed3a7f92f6e788296088099561ac32ad6389e4b9d2c10ba66a95c41678242177bd75c89b72debb53c

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
400KB

MD5
53c27ce30463859e9a5eb938ed153126

SHA1
19aaa2032158b1aa7fae6edd4c25f883bd50b5b5

SHA256
a7db3082945a1ada36ce23e35aab0097c95fad84b040b9c5f3ee233b253b1469

SHA512
b1f99c76537bb2238641057f7a7d82c63a12a2dcde910a77850df3ce43d615e652fc40628c6548e408897cd62b732b9390f6fc95af5fa02a791340c4f16702f9

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
400KB

MD5
235a47ed5320ac186373dd03d1d0d1a8

SHA1
5c9ec2978ca3c2feb83d53f472535b5c3c0d2883

SHA256
f85af42b6cc16cacd86ce08d80da6fb8060242bfc4d8bcc37d331c26ba912b1e

SHA512
1e6e9645d82650bc2f5fe2188da6aa79aa38e32b798a48e5402d4ceced485630f8686b411fba78ec6634265b3f7dd829139770eac3e9119abba8e44b6e5a5784

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
400KB

MD5
e89a6e5680e51f1a61699761d6dfda4d

SHA1
1451cae461ea9e99b5cafb7a3b19fdebbc8e5ff5

SHA256
34d1eeddc58c918987a99daf58659a3d049bfb22bf009f0ca3fb049f85e5f188

SHA512
613526cbed36f1bd152434514b11e91b760efe4e47f155d63e9ec6526c0bf472413cfc7030e4bfd62892caf5b3c7ba82f5f9777c02d8c5ef637013026beb4d0d

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
400KB

MD5
79a9009d6e641b636db1b698f0492c82

SHA1
c58257b1c3163df8f2eccb04c64285887b4f6941

SHA256
c98d145ffff9af570fec3ed96c0a732b0cfa78d785e9ebc83d757a06127a64d3

SHA512
ff20497878a1535c6f2ce67b31a8598b85cf98391f14655ab7072471ea63a65f6a5ec30eac472c8bdae7bbe6f4d00b39366f65c418c3244941fec01f74a6f82f

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
400KB

MD5
7bcc0b21caa50aab66d9aaae359d06c4

SHA1
c30822247f3ac4d3dbc4717ab31d24c8cff197d2

SHA256
65eb2aa4ba45e6fe35397308650b1d122b6ed293698c64d5da1f9c5e94a35be5

SHA512
380bf23f24cafc793913fe16f0e243d7fae0f4c1af9a232f93a38398e44c25eab0455d00413c316231f4c5922d61f575bdde363dc127d580fdf1c99750fb947f

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
400KB

MD5
784bfab33bf042c427278d78a004fc5a

SHA1
8ee3695bd6c821a186a1f4adbe367618d4a4b004

SHA256
834f27f6d668e35f1bef3f0be39df5f9acffe9551f29a19a70a5af67d3d0ce95

SHA512
af2dc14c442a321d9155b3e48aa3634bee735307a900afeda3432998cb7bcafd598b022be1f554ce3548dcaef848191ed575f96d095fda3e1de3269a2ae9eb51

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
400KB

MD5
36d0a4164234be1fca91d41b23bff23e

SHA1
82844babcf2faff4c7224a4099de46e5231ed059

SHA256
75f9e0173bc4185f6a40704df3e6da9280f927a2076303c4f76ab43df62d1fb0

SHA512
dd71b34411ea95eb3f611c6564040b6cbd3b223a392b0b80d941d4b1f38240f9c89ad95cd38e3fb96f2d95e4bba64bee4bce7b8f9b9075e88a56646e09e18fcf

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
400KB

MD5
9250d40d54b5134d86ea0c16bdffd943

SHA1
d1b8a242317984a9ac390da29d96c2429ae2c092

SHA256
5e944cc87ea64750db893d786ff3f0544c1e0666a2816980b4b92cc8e3f18426

SHA512
73b4486fc13cef6b000e9f5996e933c00b894896f6a5187a3ba5876cb616edfceebf0fb5d5f1deeb978b3a3fcfffec144f52ef2c4b6c92a60025d1f6a7b57ee9

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
400KB

MD5
3cd84ccb51bb8797270c322113889aa5

SHA1
f3535e4571beb34bbcb1985f6be6d4fcfeb57279

SHA256
435653f1b5f16db0919b63922a414707eb88dd478370e195b221363437fa93da

SHA512
cc0344005188b1758cfae0d3e75704d463926346cb744343a0b985df787e76dcd8415572854ef5fa6b0ef9452da8a8aa29065d009cca38dc511166742fbe882e

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
400KB

MD5
5a6e52ca73701595f7c32967ee1f2686

SHA1
db6634aaafd11519d7a73c6b804978a169afecae

SHA256
9b5193b819b2d42c2b04ad4efe7a2101b07f9d18f3a343b12010a70e75d302f0

SHA512
23367ef1336b1c946cede67389b6331c1a390302508a6cb5717a164104c37639e80e947cf877583e90ce38bcfbe604faee89e705f1f3e34cbc2a87bf80dc4494

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
400KB

MD5
1350be9b498e09c2c59235de1687f2b6

SHA1
92927fec07c34dcbb26763f8104d6083e80a11ee

SHA256
3173786048af71f66604dae6d2e1c2247dbecba2a5b7ff301dbd477b0c134de7

SHA512
01509751a1df05b4768177021c2e65c8663b2cbf1965ebdf5af51d4ae4acf86e59f5f7a18dcaa620430bb18f6f4cdb01746ba1ab34a44d66db4f06fa4758ac68

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
400KB

MD5
15add7441b95bab9b3dc2e87cc8bc70e

SHA1
628bbae3366d14e9f407a438d2e1d52fbafd6caf

SHA256
8e4805279b16b5dd1699f157dd33c810634e8d2c2a0a461a66a573855f110357

SHA512
955866febcaebd842bb64a64431ec8e12b3c471bf5c5213d906c8fc0d61dc49b5f47d2b106b67fe595cab79cab6ea84d5ca36f55d6ec8406d4ab14b61903b818

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
400KB

MD5
e0139e236b0f7a872674704959fc7e18

SHA1
2ca3f324bf9b032bb748294ebddd138dbcd04ab3

SHA256
17972a02b4132076faa5c37a974384f12646e8e54e90a8b1759464b9d717275e

SHA512
9e9f3c91b0d4dc158aab68cd98f8639492f2be829484c62bff2d2af87489a740d928fd12b823078626f7f703d39e2845f46e4e5fc8234be46f825ff562d54263

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
400KB

MD5
05db23997e51343149842d973318391f

SHA1
1fdb029dbcc93cb1eb776dd21459ffa45f3d6e29

SHA256
7adfc711d7737cb15a8b4da16d6716e75c04e2985088b65116b22d048f228176

SHA512
44e4c8b9334cdcf6894bfd7a0ae0a2bbe2329220c7c9b5214e719694e3b9e484bb33d6e110fb2939993c2a81a9900d657b639bf9b971e386dbe0e1c9e3e13c4b

Download Submit
memory/232-579-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/316-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/316-599-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/384-274-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/592-364-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/640-382-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/744-180-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/904-846-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/904-388-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1016-478-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1148-502-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1192-286-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1500-878-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1500-292-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1524-356-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1528-496-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1548-346-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1604-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1604-557-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1636-245-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1640-262-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1716-223-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1724-572-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1928-310-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2044-183-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2116-376-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2172-592-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2172-59-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2196-316-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2200-484-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2240-268-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2276-460-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2364-519-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2468-370-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2628-156-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2660-543-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2660-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2668-466-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2912-544-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2968-248-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3048-472-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-400-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3320-585-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3320-52-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3396-454-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3500-200-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3620-135-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3620-920-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3672-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3672-550-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3844-490-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3944-44-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3944-578-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3964-256-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3992-231-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4116-586-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4256-160-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4308-167-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4356-358-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4364-96-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4388-551-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4448-558-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4516-79-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4588-416-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4672-87-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4704-71-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4832-424-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4840-535-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4856-436-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4860-442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4888-144-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4896-128-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4916-117-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4924-119-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4960-430-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4980-334-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5084-322-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5132-508-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5248-280-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5252-394-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5272-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5272-571-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5380-108-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5396-340-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5416-328-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5496-191-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5504-541-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5532-418-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5552-406-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5676-593-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5692-825-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5692-448-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5736-788-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5736-565-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5748-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5748-564-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5924-304-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6000-298-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6004-208-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6056-216-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6060-525-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads