berbew | d53e8cf2e36e11fd5b7a192d166fc05f98d7e1b189322ed0c6bc6fc285d7a80b

Analysis

max time kernel
104s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-10_f6634f01e3cc0aed0222bf4b850e0ffe_amadey_elex_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

f6634f01e3cc0aed0222bf4b850e0ffe
SHA1

f0014cacd27a968709ef53df5135577b59db90ed
SHA256

d53e8cf2e36e11fd5b7a192d166fc05f98d7e1b189322ed0c6bc6fc285d7a80b
SHA512

81b04769af54bf54bfcfc95e8156cf849b8f3b629e5a30d42fae76097deec4ac44d11797bacccfa4b8055dd501c538919e15e48134ad14259252d8cdec1ff09e
SSDEEP

12288:ixmE5+2o8wE39uW8wESByvNv54B9f01Zm:ixmE5+2o8wDW8wQvr4B9f01Zm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpgmha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icplcpgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iehfdi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
896	Hobkfd32.exe
4488	Hijooifk.exe
5184	Hkikkeeo.exe
1308	Hkmefd32.exe
1360	Hfcicmqp.exe
2012	Iehfdi32.exe
4388	Ipbdmaah.exe
1572	Ibqpimpl.exe
4460	Ieolehop.exe
4440	Iikhfg32.exe
4604	Ilidbbgl.exe
4792	Icplcpgo.exe
4684	Jfoiokfb.exe
5728	Jimekgff.exe
5488	Jpgmha32.exe
4740	Jbeidl32.exe
4832	Jfaedkdp.exe
1628	Jioaqfcc.exe
4744	Jmknaell.exe
3892	Jpijnqkp.exe
2660	Jcefno32.exe
2452	Jfcbjk32.exe
4040	Jianff32.exe
4672	Jlpkba32.exe
3100	Jplfcpin.exe
5752	Jbjcolha.exe
5564	Jehokgge.exe
1228	Jidklf32.exe
2084	Jmpgldhg.exe
1928	Jpnchp32.exe
5428	Jcioiood.exe
2840	Jfhlejnh.exe
5048	Jifhaenk.exe
376	Jmbdbd32.exe
5492	Jlednamo.exe
6100	Jcllonma.exe
6036	Kboljk32.exe
5816	Kemhff32.exe
5296	Kiidgeki.exe
4232	Klgqcqkl.exe
5788	Kpbmco32.exe
5740	Kbaipkbi.exe
1692	Kepelfam.exe
624	Kikame32.exe
2044	Klimip32.exe
3424	Kpeiioac.exe
3840	Kdqejn32.exe
3616	Kfoafi32.exe
1196	Kimnbd32.exe
2284	Klljnp32.exe
3828	Kdcbom32.exe
2756	Kedoge32.exe
5216	Kipkhdeq.exe
5764	Klngdpdd.exe
2760	Kpjcdn32.exe
2820	Kbhoqj32.exe
5552	Kfckahdj.exe
3456	Kibgmdcn.exe
5504	Kmncnb32.exe
4236	Kplpjn32.exe
1156	Kdgljmcd.exe
608	Lbjlfi32.exe
5648	Leihbeib.exe
808	Liddbc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hkmefd32.exe	Hkikkeeo.exe
File opened for modification	C:\Windows\SysWOW64\Leihbeib.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cdbinofi.dll	Jmpgldhg.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ieolehop.exe	Ibqpimpl.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ejckel32.dll	Jmknaell.exe
File opened for modification	C:\Windows\SysWOW64\Liddbc32.exe	Leihbeib.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jmbdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Jfaedkdp.exe	Jbeidl32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Jfoiokfb.exe	Icplcpgo.exe
File created	C:\Windows\SysWOW64\Mkoqfnpl.dll	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Elogmm32.dll	Jbeidl32.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ooajidfn.dll	Jfoiokfb.exe
File created	C:\Windows\SysWOW64\Jfcbjk32.exe	Jcefno32.exe
File opened for modification	C:\Windows\SysWOW64\Kiidgeki.exe	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Jfcbjk32.exe	Jcefno32.exe
File created	C:\Windows\SysWOW64\Ndqgbjkm.dll	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Kepelfam.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kdqejn32.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kimnbd32.exe	Kfoafi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6668	6436	WerFault.exe	279

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaedkdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmknaell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icplcpgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieolehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcllonma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingapb32.dll"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohbh32.dll"	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbedgde.dll"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlplhfon.dll"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jimekgff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hobkfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dammlf32.dll"	Hijooifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndfqbhia.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5976 wrote to memory of 896	5976	2025-04-10_f6634f01e3cc0aed0222bf4b850e0ffe_amadey_elex_rhadamanthys_smoke-loader.exe	85
PID 5976 wrote to memory of 896	5976	2025-04-10_f6634f01e3cc0aed0222bf4b850e0ffe_amadey_elex_rhadamanthys_smoke-loader.exe	85
PID 5976 wrote to memory of 896	5976	2025-04-10_f6634f01e3cc0aed0222bf4b850e0ffe_amadey_elex_rhadamanthys_smoke-loader.exe	85
PID 896 wrote to memory of 4488	896	Hobkfd32.exe	86
PID 896 wrote to memory of 4488	896	Hobkfd32.exe	86
PID 896 wrote to memory of 4488	896	Hobkfd32.exe	86
PID 4488 wrote to memory of 5184	4488	Hijooifk.exe	87
PID 4488 wrote to memory of 5184	4488	Hijooifk.exe	87
PID 4488 wrote to memory of 5184	4488	Hijooifk.exe	87
PID 5184 wrote to memory of 1308	5184	Hkikkeeo.exe	88
PID 5184 wrote to memory of 1308	5184	Hkikkeeo.exe	88
PID 5184 wrote to memory of 1308	5184	Hkikkeeo.exe	88
PID 1308 wrote to memory of 1360	1308	Hkmefd32.exe	89
PID 1308 wrote to memory of 1360	1308	Hkmefd32.exe	89
PID 1308 wrote to memory of 1360	1308	Hkmefd32.exe	89
PID 1360 wrote to memory of 2012	1360	Hfcicmqp.exe	90
PID 1360 wrote to memory of 2012	1360	Hfcicmqp.exe	90
PID 1360 wrote to memory of 2012	1360	Hfcicmqp.exe	90
PID 2012 wrote to memory of 4388	2012	Iehfdi32.exe	91
PID 2012 wrote to memory of 4388	2012	Iehfdi32.exe	91
PID 2012 wrote to memory of 4388	2012	Iehfdi32.exe	91
PID 4388 wrote to memory of 1572	4388	Ipbdmaah.exe	92
PID 4388 wrote to memory of 1572	4388	Ipbdmaah.exe	92
PID 4388 wrote to memory of 1572	4388	Ipbdmaah.exe	92
PID 1572 wrote to memory of 4460	1572	Ibqpimpl.exe	93
PID 1572 wrote to memory of 4460	1572	Ibqpimpl.exe	93
PID 1572 wrote to memory of 4460	1572	Ibqpimpl.exe	93
PID 4460 wrote to memory of 4440	4460	Ieolehop.exe	94
PID 4460 wrote to memory of 4440	4460	Ieolehop.exe	94
PID 4460 wrote to memory of 4440	4460	Ieolehop.exe	94
PID 4440 wrote to memory of 4604	4440	Iikhfg32.exe	95
PID 4440 wrote to memory of 4604	4440	Iikhfg32.exe	95
PID 4440 wrote to memory of 4604	4440	Iikhfg32.exe	95
PID 4604 wrote to memory of 4792	4604	Ilidbbgl.exe	96
PID 4604 wrote to memory of 4792	4604	Ilidbbgl.exe	96
PID 4604 wrote to memory of 4792	4604	Ilidbbgl.exe	96
PID 4792 wrote to memory of 4684	4792	Icplcpgo.exe	97
PID 4792 wrote to memory of 4684	4792	Icplcpgo.exe	97
PID 4792 wrote to memory of 4684	4792	Icplcpgo.exe	97
PID 4684 wrote to memory of 5728	4684	Jfoiokfb.exe	98
PID 4684 wrote to memory of 5728	4684	Jfoiokfb.exe	98
PID 4684 wrote to memory of 5728	4684	Jfoiokfb.exe	98
PID 5728 wrote to memory of 5488	5728	Jimekgff.exe	99
PID 5728 wrote to memory of 5488	5728	Jimekgff.exe	99
PID 5728 wrote to memory of 5488	5728	Jimekgff.exe	99
PID 5488 wrote to memory of 4740	5488	Jpgmha32.exe	100
PID 5488 wrote to memory of 4740	5488	Jpgmha32.exe	100
PID 5488 wrote to memory of 4740	5488	Jpgmha32.exe	100
PID 4740 wrote to memory of 4832	4740	Jbeidl32.exe	101
PID 4740 wrote to memory of 4832	4740	Jbeidl32.exe	101
PID 4740 wrote to memory of 4832	4740	Jbeidl32.exe	101
PID 4832 wrote to memory of 1628	4832	Jfaedkdp.exe	102
PID 4832 wrote to memory of 1628	4832	Jfaedkdp.exe	102
PID 4832 wrote to memory of 1628	4832	Jfaedkdp.exe	102
PID 1628 wrote to memory of 4744	1628	Jioaqfcc.exe	103
PID 1628 wrote to memory of 4744	1628	Jioaqfcc.exe	103
PID 1628 wrote to memory of 4744	1628	Jioaqfcc.exe	103
PID 4744 wrote to memory of 3892	4744	Jmknaell.exe	104
PID 4744 wrote to memory of 3892	4744	Jmknaell.exe	104
PID 4744 wrote to memory of 3892	4744	Jmknaell.exe	104
PID 3892 wrote to memory of 2660	3892	Jpijnqkp.exe	105
PID 3892 wrote to memory of 2660	3892	Jpijnqkp.exe	105
PID 3892 wrote to memory of 2660	3892	Jpijnqkp.exe	105
PID 2660 wrote to memory of 2452	2660	Jcefno32.exe	106

C:\Users\Admin\AppData\Local\Temp\2025-04-10_f6634f01e3cc0aed0222bf4b850e0ffe_amadey_elex_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-10_f6634f01e3cc0aed0222bf4b850e0ffe_amadey_elex_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5976
- C:\Windows\SysWOW64\Hobkfd32.exe
  C:\Windows\system32\Hobkfd32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\Hijooifk.exe
    C:\Windows\system32\Hijooifk.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\Hkikkeeo.exe
      C:\Windows\system32\Hkikkeeo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5184
    - - C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5728
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5488
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        25⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        28⤵
        Executes dropped EXE
        
        PID:5564
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        32⤵
        Executes dropped EXE
        
        PID:5428
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        36⤵
        Executes dropped EXE
        
        PID:5492
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        48⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        50⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        51⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5216
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        55⤵
        Executes dropped EXE
        
        PID:5764
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        57⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        59⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        67⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        68⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        69⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        70⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        74⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        75⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        77⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        78⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        81⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        87⤵
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        90⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        91⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        93⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        94⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        95⤵
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        97⤵
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        102⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        104⤵
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        108⤵
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        110⤵
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        112⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        113⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        115⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        117⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        120⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        121⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        122⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        123⤵
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        124⤵
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        126⤵
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        127⤵
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4424
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        130⤵
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        132⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        136⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        140⤵
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        141⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        145⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        149⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        153⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        154⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        155⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6344
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6552
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6588
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6628
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:6760
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6848
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        170⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6948
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        172⤵
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        174⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        175⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        176⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        179⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6672
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        182⤵
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        183⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        184⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        185⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7000
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        187⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        190⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        191⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6436 -s 416
        192⤵
        Program crash
        
        PID:6668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6436 -ip 6436
1⤵
PID:6576

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5028

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1096

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
400KB

MD5
d32c5f28dbe704393ef0ccd09559d07a

SHA1
f8c9645aa7fafb720928bcb892b873a33dce3685

SHA256
860c35d3e4d21fbbc1c46fa6ec0241674afd9dadff26eea5c462fd9bfcb93fec

SHA512
3fb5a2a4dc2b6beafae0a26dd16439bf1cbe68451227de9bc387b300aebb400bcb4df67a61f0058047cae3f48a7ece8c92ab1802a145f8e9d3bb6d0839b95b89

Download Submit
C:\Windows\SysWOW64\Cibifp32.dll

Filesize
7KB

MD5
9fb67cdbc029194ab23de489f86540cf

SHA1
c91f7d5a2c54f7955a7b368bb090b95eef1ebe1b

SHA256
e9801617adbe3f5e3d0792cff4579040aa02ddbbd86dd12fd9c05e4af3dc6b1d

SHA512
159d5c9868591718f15ffde6a3501e97953529e5bd7ae4112d0e0a89fbbbcd031d8c8e4e69b90024ab920f2ff99bfd6ab25902462c8418908c4786d2c1dfaea1

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
400KB

MD5
093a537da3d864683d9914e09d340076

SHA1
cfc9bb063169dcc0610d2113f8c7900b32ed8263

SHA256
b5b97aaea0767632302860754ba300ce0a5f451eada8f7f2bc3f78ee984a2038

SHA512
5962a4af3166611afc7885b09e995bf8ae8859ca3b0ee8d594579b72e821ad1ebdd6cc5ab428f80e2ae47d6aeb9f5536bb27e648aefc4a9c3f8b477b3984fd91

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
400KB

MD5
a21175dd446ae6e04f98fd9074417d16

SHA1
ad3ebb7d25373eaef6424ac72218165417702230

SHA256
1b18a18de4c7b5a7a020c70ce076d33cfa13bc91b82492d9adff3261b686cc01

SHA512
666e80e88958f7441e8896b50d5a7e10c05ed8c851459a25e75760a0cc59823c2b0411645f396a292f6f3cc8ee3026e881c679b6b458c8eaaf4589f2c3173db5

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
400KB

MD5
af5326dc5699400bb83434fe642efb7b

SHA1
755b62b068805c6293313416757ef5b99594a650

SHA256
589c4e3e12b5c3b8be99f58c2568100b504c9644f7dfb968728abf8e4e9ef8c2

SHA512
21ea60a771273a425c6ca80ae04f804bbfd5243d69d23c49dd3e5a9b02d677bbfbdbd262bacf56bb8268c2676a318c8ab40b7fdeac99aa19acf7206e744741cc

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
400KB

MD5
065d16e45ca3c36d01ac843a4a998aac

SHA1
0315a80a5e48fd9840d11e6e376dd479833f6676

SHA256
2e07f3301b492a7c7c59969022632883b9342216e7b45d0228475cb6993bdcd2

SHA512
63ddfe7c87398e4091c5d35991dfe0873dc7707cdc8c65b513f0277583efe7961bf8e4d0b775a5d79f3bcbf80669a325b657df8009c9bcca03e5291e382bdf1b

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
400KB

MD5
a0141fc407a72ef74cf481778950a101

SHA1
56bea46e5559e227ec168d6974770b6ee9dbb2fa

SHA256
189079d64eed3f7db8f3908796456712271777d4ab8c1f8697b2f13457d0826e

SHA512
1e66403ff2308d7c28d91b60a5e5ee2e43bc50c2fadbbfbcafe0cda8fa1764719c4f6f03fa7993cc3bea119a90f762c41abf04fa622872f91c0c8d5903aec0b3

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
400KB

MD5
cf899ce0e514e1d7aa89a963a4c23a66

SHA1
e42c083148fa642d2c00795343e5e0b430b3961a

SHA256
09ca4ab751df3c8740aaaa91072a3afafbca520d79bb505d02a8c9702a8685b6

SHA512
4229e14f715249dd9ec606cbf64c73a1aa8adb606eed7cd35e55be27d1e6e8c9ab4defce796189bcfa035f5cc2ac5c8f1195d7a7994829b8a8fbb1ab240fcd4e

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
400KB

MD5
f6ab9574c23c71c7282380307585eeda

SHA1
e8376fa257b2cdd5c814580ccdfef12b4057418a

SHA256
a4c2a11f9931e3ca3e3314cde6a7f6ae319f3390efea86410d335a646c9bf083

SHA512
7edfe42123b889638de81331c7e0b9ff17ff811cc2b7e5a82dd4d21cf582f2f4374544dfafe940565ae2856b5760f9e69ab323fa27171cfe3476b544ae602ea8

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
400KB

MD5
7b06273d525e754ff75b4398e23ced86

SHA1
f7cb51f7662a667319223ef3254061007e7dbffa

SHA256
66cc4d07f3b5b3a1781b23b76846edfb4a8aceaf04b894732f7bd205bd946ff7

SHA512
1d6b5843668b79ec14e08f1861dea1bfbbf8ffb0fcfd5eb051b9e83706a0dd9cbe98ecd417feb756be6694493428a896a7d5d858b5986eaa0b23f3b222d71e58

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
400KB

MD5
49a27d2852365164750c7fa7a2197900

SHA1
544fd8de87a10e5ec44f64e1ff4cc0f7f2127f20

SHA256
8a118512f2c34f79ad9f26d5a3d8fe027039e345fb14d5f46910a1f85cca0969

SHA512
0474fe11115a76ec2eeafbe82748b5bf2fbd86edb2fd869dd3898588ff9350242625383eb862e91ac5a717d37accc30cae995d958a8b138661c6c1080449c1f4

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
400KB

MD5
2c86071fc9d03fb9f5d45acd924b8413

SHA1
e111e43e3cb18e781546565535a0ed1c66c7c836

SHA256
8a054492edbf87c9ecfc484097b74310a962b0b5f790374018c85379aa852a43

SHA512
c60dda5c2009dd2f081e1954e8f03efda9fb269ca39ab551bde6ac65400c996182d2c168af4d5e7a9c5bd2f55d9f79be8839c780bd351480a26f4fbe74067df1

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
400KB

MD5
9316106c8cde4ed84a64e2b2f90857a9

SHA1
a02991a80a712d8bb16cd347f67a8d8b6447e213

SHA256
c32e1c4002d3b32c000df7fbb76849bbc9b385d6bd690f6ac816bebea0326d37

SHA512
43975c50b19f3a7396c8c0a6ec6c4e7761819912692ae847bbd34ffa9ddbab46b5f7b18be255fcd4b44b9d22100ffd86fbf9b13c56e6397fed6e3a93d66b868d

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
400KB

MD5
c372dae96dab9618cb3cab515b4746f5

SHA1
4ff90f180c559920cf4bb8c02e5a6c6ed6c5c8ed

SHA256
5e1f3d08ccbd521d9116d6c493b7bd1407e10acad2e48614d60fc64908afbd7f

SHA512
a5e61a5a92d30cf65db5d9ca8bd0c610dd252761076252d5cc4b2190d721bc1e436acdd2e2be306f26e4ba29ca2f613c9233d5ed5e961d22ed02d4c7007fb2e1

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
400KB

MD5
4d594341a656023f8c64a6900f99ee96

SHA1
809cf228e8b315d9fa6fd644a7d7a6c212cdd3d6

SHA256
1044e41dd8a55bb61ab2e59e58dd275af83e06a0e7ce756e65610c136b63da7b

SHA512
4eacfeccf92e1a78c6fadaeab1a5cbecf420c0a6fae21eeabbc964b444d39874c1be82121544ffe673742f80d4fc2bfc45bebd526e974847d54584e37f739bb9

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
400KB

MD5
25312fa5157f2be27982baba47b1edf2

SHA1
500107eda7415055800cd5eb3bad9a7608c8cddc

SHA256
53701444bbe1f9109fcc0a4098500aa61bd520e5e7f39d190c71456b5608b496

SHA512
1dc8f184e59ba8f81c14f36f15745f93ac881a97653df6fd2200095e951a6438f063ac9ed1dea33a7ecdc6ce7db78cbfc690ca737d2e29de65957ae43ae3bc84

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
400KB

MD5
41e9bd65239330dcb524e4c8f8dc8d56

SHA1
3ec96873df954a40b04c361c45621934f168046d

SHA256
410500b339388a2c45fd56a6d6e41ae1e1fb645e79cb1585864f30f22f6ad6b7

SHA512
57a4818683a33123650c0406023f1b82b8f9cd32fd15095412090d54e3e00c4e5d4874eafcf22be9cb34d4d23481cf54fe89e12160a134744aeecf1ec030b733

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
400KB

MD5
7e451b69f2ba5bd1c666133e81dade25

SHA1
70259e8873458c394de98e1a6bf5ff9be69f1d5c

SHA256
70f02bef16af8cbcef5fb77b5cc626f0710e441c80b6b2310b04e6476d9c7084

SHA512
de3d31edd49056a75f0fe59eaa6de53a54b9bf86f132635a4eb60487467811da5283613efd41da78130348d0d7385f2037b2db9d89cb7d30fcc1e1366b61df3a

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
400KB

MD5
caf0d2d235c0d947f714d2713cd0a93d

SHA1
2cc7b5fd30f6bf9def72ede2807e8af967757beb

SHA256
6ce9ec30b474a9b63f0ef49d9d90f128ce5d4accec52af57db74f518b9c580bb

SHA512
0d78c7e344308dec57e6e63a65fe7bd63d49815127370a328e228b22949e1e44f7578f28aa8b68b96a4fa8ab019b55e6b1755a94c2487630af929808645e98c7

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
400KB

MD5
789568f98f55fb66c7e0f352ba555085

SHA1
12705b97eb7bef22e44486b85e2eb924882237fb

SHA256
96cf5ea2810847d2cb444da873d2b9e8bd3211c5a2585abbe5e665bd922bb479

SHA512
c0ce77fcc296092c8e141583e26d051ed512d7a2a9abd4c7a411bb173f68ce946d4c1fc13ddd3ae99dff0a44e049f01d8f5daec086d6f6090367cf236f99f5c9

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
400KB

MD5
a6c527423b37f6e2e0743d4d6d17562a

SHA1
fbe73047e11a2459377d7c774a38966f914365fe

SHA256
ebf2c7737dde6fce543774cf23340e59b1db04f7958ea869854de86e942c2e97

SHA512
a8ed9fc47be68d874bf47a7c2a040ba6f6bb8ae7b645d02876b456b5094ff74cd242490de8cff5bbe0327a0330827954f83639b2181acca93c472710ab1518db

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
400KB

MD5
4d63544123ce4e34519bb1f12dc6a7e3

SHA1
a41eeafb890fc8a5e206cb645022121c3b8b37de

SHA256
c9de94390f11ac238524ef042f0ee5874581a6c1f7dd0955973de55c43e822ec

SHA512
084a3c45f71da86f72015f1505d5906c60fb8d1532acd54b6dc04c7c9742f0db61ca8044e5c5cbfc0e633b34ce8504c095b258257542fa71ab5e95ccf2b9feed

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
400KB

MD5
2645436c7ef4fe9cf69b1bdb51c6beec

SHA1
1ff4552102810f86af59e8d5eddd86a5a46b3b78

SHA256
55d8486cb784a7025304929d2d4857dee9b8d5677cf3f7f94cdc0c9c44307baf

SHA512
70e103a40192aabbdf18c7ce0ddd18bc4edbb88cfcee61a93923f33ea75501db40cd76563f913449e94fca036f9f677ef0bb0d5d85d4b023f8134a8120283d30

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
400KB

MD5
a10b3d87da22e67f90dc334c9e30c0de

SHA1
426d0726a35f0f373a3343a6353d328783424cc9

SHA256
7d324841c91a1a8b3118e295ecbec1d111acad602ed47db4ea581d6368d13b8e

SHA512
5b0c9c2bc4581c28469800508f7d3117b39b7ca79f888141adad8f22e38f5bbfd26ce31b0bb7104e851c3882ca6d9edf127752130f9bf08bdf63518702cf1e02

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
400KB

MD5
999c1128d664488b63eb1550d7e831da

SHA1
34e9e6af5a0b5c3198cc3be005df3861ef152540

SHA256
af151c4467b8d0fca7cd3be1bf1855b8944bd4e6b44025d0cd313788e9e1cb01

SHA512
84cee0bca6753e9f8262e708165822550fbcb6244a8c80aefe3319b7162fc49edb13d83500d40cee742b0aa633d51714557c1d5198fe67ce8d76157f4b6f1044

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
400KB

MD5
74eba96cc1ca3365cd31f3b120b08eb5

SHA1
bd93b94aca7035f029d448da05b19e98b777caf4

SHA256
a52abac499607cccae7a2746f94ddff44ec0dc6ddf2975f27fafa43c4ed0a0e6

SHA512
7745f3647a16a7efe35a9a5ce6460839ca7ec305681e3c7a092483e8e0fb19c76b5849cc4b2e3a2e4307a1ba66e3ccaa2d14e7d0aa72f0f32c06dc2fcb5302e6

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
400KB

MD5
004fd53fd9814ef12b55f81a31b8488d

SHA1
86890fa920420f853707abfb467599c4d6017d96

SHA256
7155c48a33164e4d07f84daaa42533a602bcdf0760994c0f367b3d80279b82df

SHA512
8e838ebd24dab958c787e814b1e0b8f4e70d26f3c7820d4ee879db47287023448c2969d97dd5741db5d64a9227a450f0ebd6df430a915567377098d740d020d9

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
400KB

MD5
9bf11bcfa5beafdbde1f2d580f28af52

SHA1
e5acf510fc93aeb3fe8de65fb4544cb4a6699c12

SHA256
52c72dbe107b55c8bfe7cc74313e02afa743e6ed41da20df0940ef6f78ba5afd

SHA512
97abe641358333ad547564c5fab43a78b18f8648452ff0b40f2ce8fbf905bcf8908c732e5e626ed00f4ffc308a57fe0a40acc1c3f87f0389b2bc35f30ef36993

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
400KB

MD5
ce5455ee448c868b54043a94c13dd3ea

SHA1
b125a5fce9ce6b01a42a518ec35d927c94de7d11

SHA256
fa95442c6f6e787f29cc554cba8a85dbe0da4a300c8d47ceb855e5264fae9c73

SHA512
a2f64cf44bf7d6cbcdaa02c27478217882db4c4f17f64948f48a2b3316d4bf81bca43804b7516ff82a3b63b2513ebdc1fa4ace89ac9363d320b82709c68c4304

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
400KB

MD5
a298d8e9d342d3739deea40ee62122e2

SHA1
7af8eb88361c7016e0f1d1922128e59fbddd40c5

SHA256
5d162b380adce43bb2c5bba7d663942bb6f85e1d3c65e915f8a20bde3e2a0507

SHA512
35faf712be35bf51752c04200b79f26552170bcd65688f0da2158d80fac628d69b040e5bb3b26898e9e36b47f170f741cf92d0f898f8d089339396bc89212c73

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
400KB

MD5
556f3e7886c15d8c7ffd87b37cbc2ad9

SHA1
c26ae943a7e9ab5f114e5dc553444c87ee0393d8

SHA256
8acffcd0329f457b2ed6377d8a2b757e8ad962c9174bfb97e3b34e8503a8c044

SHA512
adba97892478c17b11a2e0d0e2fbffda29cd23310ad82aab4461cd656399931461f509b695bd2820d623d8ca37ed3fea1d7735bab3e45a7efb0870db4cae0101

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
400KB

MD5
a9a2c05d0cf241578a7157117154670a

SHA1
5601ee1f6ecbc9b0e1b92cc42c209001e042a38c

SHA256
5af5dc718bc64c2e028321669f6034e7f6db29045b6127c8ae173a8ae206dd51

SHA512
1598858949e2389c30a3ba9ea89e7924c1167787ac37bacf8956ea5857d442d522345e2959e84e982dc5e4f0dca65eec8be0052eb684564787fc997f7bc60923

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
400KB

MD5
e3f8ca7027efdc2411437825108f723f

SHA1
29438042d37e7886085caaf3f2708caaefc1b9a5

SHA256
3639299ed64ccf3fb0f2c96306110b1171c100cdf1487473a55f805f2d03976b

SHA512
08f4d809ec6f9982c8584870ad754854e5b559a02e0afb1df895929c0665a2275ad3adc8b937aaa1c6f36d79e23f706b5de7a59b6c955de1dac92817eeadfab1

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
400KB

MD5
0fd4301fdcd76596b947f86dc9188f54

SHA1
fc2e93b110ba80f88721cf64376f352a5322f2ef

SHA256
76d38ccf20809b853faf9f302c9604d577d986358f9328aaf1027397a0cad9a6

SHA512
9d83aaf9a486198716e74327805454c2e69901335bfab6760b7b2d8f1d23255a0a5121220f4b17539f40156d33bcbdd9da4dcd9b415da72df1a13a3892db0aaf

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
400KB

MD5
c9d13bc18114a928b07438a0313d6239

SHA1
81844fcab8aab071fc38c9791808510f9b1e89ad

SHA256
b5a34e146080b27b2dc88b16a6d2f2eb96f2b19e0b5a250991fa4d7156b55add

SHA512
67aa89c5b1b98724399b3f8884b3ea6a115b92d176baa145372f7e928f4111e811634b8e511152de533ae7b1bb9d0fce7f1ff1fae3ac7a10f22f2e8e67d92151

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
400KB

MD5
c9a7ba92efc3b6cad910193cacb51b02

SHA1
e27ba6b458e15dbf1841e7db9e866107fd09e946

SHA256
c9840259b8dfcda6d4a5e940f4f97289ab60e0222356b03ff1fa286bb77781b6

SHA512
f67a2dc280f406fde85584e187a952922442aabdeb0a4d8b350c31d27ad113f2488593a3b57d288a2b76e7abb52874686abf733a5ae6921feec527c727124359

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
400KB

MD5
a3917cce3ba54a429a58647a893d4231

SHA1
08b3a399a9d48db100847da1ae14804c76a13c6f

SHA256
14b9ef5e71fab95d82dcb1944bc88013c413d746302bcfb9a36e5f802f794da8

SHA512
89e44e493a5cdeb7ac0ece56e0ac47c3bebdd8ec15fe485c197638ebbccfc02710f2ba1007416d2746164c77b2f46cb7cbcef305e355b238ff6ff3f242c54297

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
400KB

MD5
83ca3207f9e14c6e062c7454629ecc54

SHA1
1290f46bf2f4d05f1d8c6a2d7e51056675a947d6

SHA256
385a723b2eaff973d528aa27aa4769d7f0ed3b030e88ee4054c991ee53ccf469

SHA512
df700cfdccae9a5d2570421c496fb1d1381da39b7d97e39a889ce1c7c78510df51aaa952649d9874e5a695a39c38dfe6ee8245dcf3e7ce8eb4daf40a5b40161a

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
400KB

MD5
a97d1b0fb7653ecf08697f9e3ae5a11b

SHA1
a1404a269918f0c59113c8b5a4f9d1815df59d09

SHA256
f88e22d14e3e2b9fdd13a35aa733e57b70caba942eb958a6a17f03ba16ad68b0

SHA512
a753fc078c06a5274387cbf3f80ec175e51238c6e17e9187fb6dbcf24a11cca90173b8da805d62afc1b45fd11eaf6974d5e8ef25c71428586f28a5323ef25419

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
400KB

MD5
2c8d16153685fc65a8d3444100342ff7

SHA1
6a0c459a5b761f07442da7be783f5aa94eaba6c1

SHA256
80d3b3f9e42b50bfea2c6a27c71fda375b2f5cb3876c868b5ac0c8acddffbfd4

SHA512
0f7db03f54252e076c4e0d90944bc664ba3449b317be2797dbf2ea1c02c05d5ca82b6effbbc24d43a18e1ba8fef5c7a6b2723f8dc52de33344110ce6816be75a

Download Submit
memory/376-463-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/408-775-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/536-574-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/608-558-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/896-7-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1020-681-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1096-769-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1108-799-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1120-883-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1156-557-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1308-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1360-40-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1424-693-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1572-69-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1604-568-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1628-441-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1820-758-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1916-1422-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1928-455-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1944-1340-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1944-723-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2008-623-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2012-48-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2036-656-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2084-454-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2180-746-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2376-717-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2452-450-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2564-586-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2660-449-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2692-845-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2756-545-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2760-1468-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2760-552-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2764-567-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2820-553-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2840-460-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3076-764-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3100-453-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3136-1442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3184-872-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3316-711-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3604-820-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3608-635-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3652-594-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3888-600-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3892-447-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3940-855-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4040-451-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4048-559-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4072-664-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4136-902-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4328-576-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4376-744-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4388-56-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4424-781-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4440-85-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4460-77-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4488-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4532-687-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4584-908-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4604-93-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4636-675-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4672-452-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4696-705-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4740-439-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4744-446-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4780-833-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4792-436-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4804-588-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4832-440-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4904-658-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4956-791-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5028-793-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5048-462-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5164-617-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5184-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5192-1404-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5192-560-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5216-546-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5236-839-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5344-805-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5352-885-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5368-699-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5428-456-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5440-861-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5460-565-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5488-438-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5504-556-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5552-554-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5624-827-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5728-437-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5764-549-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5844-896-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5884-646-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5932-730-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5972-611-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5976-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6076-633-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6088-575-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6148-919-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6388-1264-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6680-1249-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads