Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
29/03/2025, 10:01
Behavioral task
behavioral1
Sample
2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe
-
Size
400KB
-
MD5
b669c5fc42e0fc071f7873fe34c0fc8b
-
SHA1
ed408c518e20c4dca461fb6628bacfc92c8a861b
-
SHA256
977149c71ee0451de4e7358a5074510d1113262ec85b3bcaa727a5005c39d3fc
-
SHA512
6eba48feb4c8330e6873417c929f780d47cb2186e7e2cb97f779506f2407729829d3ad5fc37c06342c938edc37f92133ccf0e1be5d7faafde5e33f35d2e1d044
-
SSDEEP
6144:vuqsLtf5d6/CSQYJ8wEbbL5lULW8wEbq9ByvZ6Mxv5Rar3O6B9fZSLhZmz:vyp82o8wE39uW8wESByvNv54B9f01Zm
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgnkfjho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phmiimlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjpfmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enmplm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkbbqjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qklfqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oegdcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caccnllf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahmik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljjjmeie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phmiimlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egbffj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dooqceid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkkckdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibjikk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qeglqpaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmomelml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddfjak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oncpmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkbcjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjlgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Andkbien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nglmifca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdqfajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhobldaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iipgeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igjckcbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiaij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikibkhla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkddjkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahjahk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikafpbon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bepjjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoaaqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbpolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehiiop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdbji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iionacad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdcdjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kejdqffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmnkpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgacaaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oheieo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnicddki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keekeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifelfni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nekbjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbeqjpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfeep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaffja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afjplj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Polobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qdhqpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gicpnhbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dajlhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phelnhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnpedghl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgkknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikibkhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lijepc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfijmdbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdlclo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaqeogll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kobmkj32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2260 Jbakpi32.exe 2920 Jngkdj32.exe 2016 Kjcedj32.exe 2828 Kmfklepl.exe 2884 Kbeqjl32.exe 812 Lamjph32.exe 1828 Lpddgd32.exe 2540 Moqgiopk.exe 2504 Moccnoni.exe 2428 Nahfkigd.exe 1924 Nejkdm32.exe 2508 Oecnkk32.exe 1076 Onapdmma.exe 2320 Pbhoip32.exe 2168 Polobd32.exe 900 Ajjinaco.exe 1056 Ammoel32.exe 2404 Abldccka.exe 1564 Bepjjn32.exe 1736 Bimbql32.exe 1304 Ckchcc32.exe 576 Cdqfgh32.exe 692 Cllkkk32.exe 1508 Coldmfkf.exe 2192 Dooqceid.exe 3020 Dkjkcfjc.exe 1996 Egchmfnd.exe 3016 Elpqemll.exe 2784 Ebofcd32.exe 2788 Emggflfc.exe 804 Fnkpcd32.exe 2040 Fcjeakfd.exe 2984 Fmdfppkb.exe 892 Fmgcepio.exe 2580 Gindjqnc.exe 2044 Geddoa32.exe 580 Glaiak32.exe 472 Hjkpng32.exe 2112 Hdcdfmqe.exe 2108 Hagepa32.exe 772 Hffjng32.exe 108 Ibmkbh32.exe 2668 Iockhigl.exe 2008 Ibadnhmb.exe 2100 Ikmibjkm.exe 2264 Iebmpcjc.exe 2744 Ihcfan32.exe 2248 Jkabmi32.exe 2624 Jcmgal32.exe 1684 Jdlclo32.exe 3032 Jjilde32.exe 3068 Jcfjhj32.exe 2364 Kgjlgm32.exe 2516 Kfbemi32.exe 2752 Lmnkpc32.exe 1472 Lbkchj32.exe 2348 Lckpbm32.exe 1740 Lkfdfo32.exe 1264 Lijepc32.exe 2496 Laeidfdn.exe 2080 Mecbjd32.exe 676 Majcoepi.exe 968 Malpee32.exe 2332 Migdig32.exe -
Loads dropped DLL 64 IoCs
pid Process 2268 2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe 2268 2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe 2260 Jbakpi32.exe 2260 Jbakpi32.exe 2920 Jngkdj32.exe 2920 Jngkdj32.exe 2016 Kjcedj32.exe 2016 Kjcedj32.exe 2828 Kmfklepl.exe 2828 Kmfklepl.exe 2884 Kbeqjl32.exe 2884 Kbeqjl32.exe 812 Lamjph32.exe 812 Lamjph32.exe 1828 Lpddgd32.exe 1828 Lpddgd32.exe 2540 Moqgiopk.exe 2540 Moqgiopk.exe 2504 Moccnoni.exe 2504 Moccnoni.exe 2428 Nahfkigd.exe 2428 Nahfkigd.exe 1924 Nejkdm32.exe 1924 Nejkdm32.exe 2508 Oecnkk32.exe 2508 Oecnkk32.exe 1076 Onapdmma.exe 1076 Onapdmma.exe 2320 Pbhoip32.exe 2320 Pbhoip32.exe 2168 Polobd32.exe 2168 Polobd32.exe 900 Ajjinaco.exe 900 Ajjinaco.exe 1056 Ammoel32.exe 1056 Ammoel32.exe 2404 Abldccka.exe 2404 Abldccka.exe 1564 Bepjjn32.exe 1564 Bepjjn32.exe 1736 Bimbql32.exe 1736 Bimbql32.exe 1304 Ckchcc32.exe 1304 Ckchcc32.exe 576 Cdqfgh32.exe 576 Cdqfgh32.exe 692 Cllkkk32.exe 692 Cllkkk32.exe 1508 Coldmfkf.exe 1508 Coldmfkf.exe 2192 Dooqceid.exe 2192 Dooqceid.exe 3020 Dkjkcfjc.exe 3020 Dkjkcfjc.exe 1996 Egchmfnd.exe 1996 Egchmfnd.exe 3016 Elpqemll.exe 3016 Elpqemll.exe 2784 Ebofcd32.exe 2784 Ebofcd32.exe 2788 Emggflfc.exe 2788 Emggflfc.exe 804 Fnkpcd32.exe 804 Fnkpcd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nlcckc32.dll Oiglfm32.exe File created C:\Windows\SysWOW64\Bhqdgm32.exe Bgagnjbi.exe File opened for modification C:\Windows\SysWOW64\Dlcfnk32.exe Dnpedghl.exe File created C:\Windows\SysWOW64\Kqleff32.dll Oeobfgak.exe File opened for modification C:\Windows\SysWOW64\Jgnflmia.exe Jnfbcg32.exe File opened for modification C:\Windows\SysWOW64\Clehoiam.exe Cpogjh32.exe File opened for modification C:\Windows\SysWOW64\Fnifbaja.exe Fgmaphdg.exe File created C:\Windows\SysWOW64\Agdnkj32.dll Dcjleq32.exe File created C:\Windows\SysWOW64\Bhbodpkg.dll Mbehgabe.exe File created C:\Windows\SysWOW64\Mbginggd.dll Afcbgd32.exe File created C:\Windows\SysWOW64\Aogpmcmb.exe Aeokdn32.exe File opened for modification C:\Windows\SysWOW64\Gjhfkqdm.exe Gigjch32.exe File opened for modification C:\Windows\SysWOW64\Nhfdqb32.exe Nomphm32.exe File created C:\Windows\SysWOW64\Jepoao32.exe Janihlcf.exe File created C:\Windows\SysWOW64\Aledbn32.dll Obdjjb32.exe File created C:\Windows\SysWOW64\Lplfkgmm.dll Hakani32.exe File created C:\Windows\SysWOW64\Gekbbi32.dll Hffjng32.exe File created C:\Windows\SysWOW64\Kjagag32.dll Dlokegib.exe File opened for modification C:\Windows\SysWOW64\Hbcdfq32.exe Hoflpbmo.exe File opened for modification C:\Windows\SysWOW64\Nadoiccn.exe Maabcc32.exe File created C:\Windows\SysWOW64\Mkdfdn32.dll Emilqb32.exe File created C:\Windows\SysWOW64\Ddlloi32.exe Dfgpnm32.exe File created C:\Windows\SysWOW64\Alhaho32.exe Ancdgcab.exe File created C:\Windows\SysWOW64\Kiopjgdl.dll Feklja32.exe File created C:\Windows\SysWOW64\Jkqpfmje.exe Jcekbk32.exe File opened for modification C:\Windows\SysWOW64\Caomgjnk.exe Clbdobpc.exe File created C:\Windows\SysWOW64\Ogmmfl32.dll Abldccka.exe File opened for modification C:\Windows\SysWOW64\Doapanne.exe Dplbpaim.exe File created C:\Windows\SysWOW64\Lngjjj32.dll Conpdm32.exe File opened for modification C:\Windows\SysWOW64\Mmigdend.exe Mdqclpgd.exe File created C:\Windows\SysWOW64\Dfgpnm32.exe Dlokegib.exe File created C:\Windows\SysWOW64\Cefpmiji.exe Cioohh32.exe File created C:\Windows\SysWOW64\Ghdehmnj.dll Iapfmg32.exe File created C:\Windows\SysWOW64\Nkadhg32.dll Homfboco.exe File created C:\Windows\SysWOW64\Kelqff32.exe Kldlmqml.exe File opened for modification C:\Windows\SysWOW64\Bkjbgk32.exe Bmfamg32.exe File created C:\Windows\SysWOW64\Hmcnaamn.dll Koejqi32.exe File created C:\Windows\SysWOW64\Klmfgnjo.dll Ohncdp32.exe File opened for modification C:\Windows\SysWOW64\Polakmbi.exe Pjpicfdb.exe File opened for modification C:\Windows\SysWOW64\Gnphfppi.exe Gicpnhbb.exe File created C:\Windows\SysWOW64\Lccepqdo.exe Koelibnh.exe File created C:\Windows\SysWOW64\Mfkohm32.dll Mhobldaf.exe File created C:\Windows\SysWOW64\Jcpglhpo.exe Jcmjfiab.exe File opened for modification C:\Windows\SysWOW64\Cllkkk32.exe Cdqfgh32.exe File created C:\Windows\SysWOW64\Igocej32.dll Gcgnphgf.exe File opened for modification C:\Windows\SysWOW64\Kdgoelnk.exe Jhpopk32.exe File created C:\Windows\SysWOW64\Nfcdfiob.exe Nmkpnd32.exe File opened for modification C:\Windows\SysWOW64\Ehlmnfeo.exe Eabeal32.exe File created C:\Windows\SysWOW64\Idjfdadn.dll Lnmfpnqn.exe File opened for modification C:\Windows\SysWOW64\Pbcahgjd.exe Peoanckj.exe File created C:\Windows\SysWOW64\Ikafpbon.exe Hkoikcaq.exe File created C:\Windows\SysWOW64\Helmiiec.exe Gnphfppi.exe File opened for modification C:\Windows\SysWOW64\Pebbeq32.exe Pikaqppk.exe File created C:\Windows\SysWOW64\Ppqolemj.dll Aqanke32.exe File created C:\Windows\SysWOW64\Aapkdi32.exe Ajfcgoec.exe File created C:\Windows\SysWOW64\Qckajclq.dll Kkbbqjgb.exe File created C:\Windows\SysWOW64\Ebkibk32.exe Edghighp.exe File opened for modification C:\Windows\SysWOW64\Pjpicfdb.exe Pojdem32.exe File created C:\Windows\SysWOW64\Emilqb32.exe Dfpcdh32.exe File created C:\Windows\SysWOW64\Ncpdlhhj.dll Pfpdcm32.exe File created C:\Windows\SysWOW64\Lkfdfo32.exe Lckpbm32.exe File created C:\Windows\SysWOW64\Celbik32.exe Ciebdj32.exe File created C:\Windows\SysWOW64\Pppnia32.exe Oheieo32.exe File created C:\Windows\SysWOW64\Lijepc32.exe Lkfdfo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 676 2228 WerFault.exe 756 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbflj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjkcedgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiodnob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffabman.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gindjqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdjioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapfmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdjjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebbeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgffck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncaejie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pobgjhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlqpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkfdmpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfdnnlbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjohbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peoanckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joagkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfbemi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Polobd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imndmnob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbodpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmldj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlkkabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cealdjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkqhbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkpnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dplbpaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdjgbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjglppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igomfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnkfjho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmdfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpooiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hagepa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfhmai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqnhcgma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biakbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciknhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnfbcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbajci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oamohenq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjakg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahgejhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpdifda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojdem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajlhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkoemji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icjmpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeblgodb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deahcneh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaajfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hngbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caomgjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elqcnfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkabmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkckdhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeicenni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebkpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqpfchka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migdig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paemac32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfddnb32.dll" Jcfjhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlfgehqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plildb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qkcbpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Beplcfmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kiamql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oiglfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgibijkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Coldmfkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Biahijec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnjnnie.dll" Ajpgkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkkfdmpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfkjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lakqoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfjibdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnoadiak.dll" Oheieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifahpnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdgab32.dll" Lddagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pikkfilp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdkgcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Joqdfghn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hiphmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gaffja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koenkl32.dll" Jdfqomom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fibqhibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibadnhmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkpppmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcebdo32.dll" Hkkaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgbmipo.dll" Gadidabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ickaaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gcgnphgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bimbql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiicell.dll" Mpeebhhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mndgpjek.dll" Pegaje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdamkj.dll" Pcgnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfkjdikj.dll" Kfbemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cealdjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigngdee.dll" Jmhile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhobldaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clehoiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkkckdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjlicgq.dll" Ibjikk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjlqpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iomhkgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcpglhpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qcigjolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhkddaih.dll" Ijhkembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnjaegb.dll" Ecabfpff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhenggfi.dll" Majcoepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnphfppi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbflqccl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kacakgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpkaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iebmpcjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oakaheoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmkkpm32.dll" Koelibnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omdkhjjg.dll" Cjifpdib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhgeao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clbdobpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gjephakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlkmo32.dll" Gaajfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjfdadn.dll" Lnmfpnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eampgb32.dll" Omjgkjof.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2260 2268 2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe 30 PID 2268 wrote to memory of 2260 2268 2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe 30 PID 2268 wrote to memory of 2260 2268 2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe 30 PID 2268 wrote to memory of 2260 2268 2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe 30 PID 2260 wrote to memory of 2920 2260 Jbakpi32.exe 31 PID 2260 wrote to memory of 2920 2260 Jbakpi32.exe 31 PID 2260 wrote to memory of 2920 2260 Jbakpi32.exe 31 PID 2260 wrote to memory of 2920 2260 Jbakpi32.exe 31 PID 2920 wrote to memory of 2016 2920 Jngkdj32.exe 32 PID 2920 wrote to memory of 2016 2920 Jngkdj32.exe 32 PID 2920 wrote to memory of 2016 2920 Jngkdj32.exe 32 PID 2920 wrote to memory of 2016 2920 Jngkdj32.exe 32 PID 2016 wrote to memory of 2828 2016 Kjcedj32.exe 33 PID 2016 wrote to memory of 2828 2016 Kjcedj32.exe 33 PID 2016 wrote to memory of 2828 2016 Kjcedj32.exe 33 PID 2016 wrote to memory of 2828 2016 Kjcedj32.exe 33 PID 2828 wrote to memory of 2884 2828 Kmfklepl.exe 34 PID 2828 wrote to memory of 2884 2828 Kmfklepl.exe 34 PID 2828 wrote to memory of 2884 2828 Kmfklepl.exe 34 PID 2828 wrote to memory of 2884 2828 Kmfklepl.exe 34 PID 2884 wrote to memory of 812 2884 Kbeqjl32.exe 35 PID 2884 wrote to memory of 812 2884 Kbeqjl32.exe 35 PID 2884 wrote to memory of 812 2884 Kbeqjl32.exe 35 PID 2884 wrote to memory of 812 2884 Kbeqjl32.exe 35 PID 812 wrote to memory of 1828 812 Lamjph32.exe 36 PID 812 wrote to memory of 1828 812 Lamjph32.exe 36 PID 812 wrote to memory of 1828 812 Lamjph32.exe 36 PID 812 wrote to memory of 1828 812 Lamjph32.exe 36 PID 1828 wrote to memory of 2540 1828 Lpddgd32.exe 37 PID 1828 wrote to memory of 2540 1828 Lpddgd32.exe 37 PID 1828 wrote to memory of 2540 1828 Lpddgd32.exe 37 PID 1828 wrote to memory of 2540 1828 Lpddgd32.exe 37 PID 2540 wrote to memory of 2504 2540 Moqgiopk.exe 38 PID 2540 wrote to memory of 2504 2540 Moqgiopk.exe 38 PID 2540 wrote to memory of 2504 2540 Moqgiopk.exe 38 PID 2540 wrote to memory of 2504 2540 Moqgiopk.exe 38 PID 2504 wrote to memory of 2428 2504 Moccnoni.exe 39 PID 2504 wrote to memory of 2428 2504 Moccnoni.exe 39 PID 2504 wrote to memory of 2428 2504 Moccnoni.exe 39 PID 2504 wrote to memory of 2428 2504 Moccnoni.exe 39 PID 2428 wrote to memory of 1924 2428 Nahfkigd.exe 40 PID 2428 wrote to memory of 1924 2428 Nahfkigd.exe 40 PID 2428 wrote to memory of 1924 2428 Nahfkigd.exe 40 PID 2428 wrote to memory of 1924 2428 Nahfkigd.exe 40 PID 1924 wrote to memory of 2508 1924 Nejkdm32.exe 41 PID 1924 wrote to memory of 2508 1924 Nejkdm32.exe 41 PID 1924 wrote to memory of 2508 1924 Nejkdm32.exe 41 PID 1924 wrote to memory of 2508 1924 Nejkdm32.exe 41 PID 2508 wrote to memory of 1076 2508 Oecnkk32.exe 42 PID 2508 wrote to memory of 1076 2508 Oecnkk32.exe 42 PID 2508 wrote to memory of 1076 2508 Oecnkk32.exe 42 PID 2508 wrote to memory of 1076 2508 Oecnkk32.exe 42 PID 1076 wrote to memory of 2320 1076 Onapdmma.exe 43 PID 1076 wrote to memory of 2320 1076 Onapdmma.exe 43 PID 1076 wrote to memory of 2320 1076 Onapdmma.exe 43 PID 1076 wrote to memory of 2320 1076 Onapdmma.exe 43 PID 2320 wrote to memory of 2168 2320 Pbhoip32.exe 44 PID 2320 wrote to memory of 2168 2320 Pbhoip32.exe 44 PID 2320 wrote to memory of 2168 2320 Pbhoip32.exe 44 PID 2320 wrote to memory of 2168 2320 Pbhoip32.exe 44 PID 2168 wrote to memory of 900 2168 Polobd32.exe 45 PID 2168 wrote to memory of 900 2168 Polobd32.exe 45 PID 2168 wrote to memory of 900 2168 Polobd32.exe 45 PID 2168 wrote to memory of 900 2168 Polobd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-29_b669c5fc42e0fc071f7873fe34c0fc8b_amadey_rhadamanthys_smoke-loader.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Jbakpi32.exeC:\Windows\system32\Jbakpi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Jngkdj32.exeC:\Windows\system32\Jngkdj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Kjcedj32.exeC:\Windows\system32\Kjcedj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Kmfklepl.exeC:\Windows\system32\Kmfklepl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Kbeqjl32.exeC:\Windows\system32\Kbeqjl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Lamjph32.exeC:\Windows\system32\Lamjph32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Lpddgd32.exeC:\Windows\system32\Lpddgd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Moqgiopk.exeC:\Windows\system32\Moqgiopk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Moccnoni.exeC:\Windows\system32\Moccnoni.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Nahfkigd.exeC:\Windows\system32\Nahfkigd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Nejkdm32.exeC:\Windows\system32\Nejkdm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Oecnkk32.exeC:\Windows\system32\Oecnkk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Onapdmma.exeC:\Windows\system32\Onapdmma.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Pbhoip32.exeC:\Windows\system32\Pbhoip32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Polobd32.exeC:\Windows\system32\Polobd32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Ajjinaco.exeC:\Windows\system32\Ajjinaco.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Ammoel32.exeC:\Windows\system32\Ammoel32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Abldccka.exeC:\Windows\system32\Abldccka.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Bepjjn32.exeC:\Windows\system32\Bepjjn32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Bimbql32.exeC:\Windows\system32\Bimbql32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Ckchcc32.exeC:\Windows\system32\Ckchcc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Cdqfgh32.exeC:\Windows\system32\Cdqfgh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Cllkkk32.exeC:\Windows\system32\Cllkkk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Coldmfkf.exeC:\Windows\system32\Coldmfkf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Dooqceid.exeC:\Windows\system32\Dooqceid.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Dkjkcfjc.exeC:\Windows\system32\Dkjkcfjc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Egchmfnd.exeC:\Windows\system32\Egchmfnd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Ebofcd32.exeC:\Windows\system32\Ebofcd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Emggflfc.exeC:\Windows\system32\Emggflfc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:804 -
C:\Windows\SysWOW64\Fcjeakfd.exeC:\Windows\system32\Fcjeakfd.exe33⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe34⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe35⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Geddoa32.exeC:\Windows\system32\Geddoa32.exe37⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Glaiak32.exeC:\Windows\system32\Glaiak32.exe38⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe39⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Hdcdfmqe.exeC:\Windows\system32\Hdcdfmqe.exe40⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Hagepa32.exeC:\Windows\system32\Hagepa32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\Ibmkbh32.exeC:\Windows\system32\Ibmkbh32.exe43⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe44⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Ikmibjkm.exeC:\Windows\system32\Ikmibjkm.exe46⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Iebmpcjc.exeC:\Windows\system32\Iebmpcjc.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe48⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Jkabmi32.exeC:\Windows\system32\Jkabmi32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe50⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe52⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Jcfjhj32.exeC:\Windows\system32\Jcfjhj32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Kgjlgm32.exeC:\Windows\system32\Kgjlgm32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Lmnkpc32.exeC:\Windows\system32\Lmnkpc32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Lbkchj32.exeC:\Windows\system32\Lbkchj32.exe57⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Lckpbm32.exeC:\Windows\system32\Lckpbm32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Lkfdfo32.exeC:\Windows\system32\Lkfdfo32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Lijepc32.exeC:\Windows\system32\Lijepc32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe61⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Mecbjd32.exeC:\Windows\system32\Mecbjd32.exe62⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Majcoepi.exeC:\Windows\system32\Majcoepi.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Malpee32.exeC:\Windows\system32\Malpee32.exe64⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe66⤵PID:1476
-
C:\Windows\SysWOW64\Nmgjee32.exeC:\Windows\system32\Nmgjee32.exe67⤵PID:868
-
C:\Windows\SysWOW64\Nphbfplf.exeC:\Windows\system32\Nphbfplf.exe68⤵PID:2288
-
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe69⤵PID:2868
-
C:\Windows\SysWOW64\Nomphm32.exeC:\Windows\system32\Nomphm32.exe70⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Nhfdqb32.exeC:\Windows\system32\Nhfdqb32.exe71⤵PID:2928
-
C:\Windows\SysWOW64\Ndmeecmb.exeC:\Windows\system32\Ndmeecmb.exe72⤵PID:2120
-
C:\Windows\SysWOW64\Oaqeogll.exeC:\Windows\system32\Oaqeogll.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Oacbdg32.exeC:\Windows\system32\Oacbdg32.exe74⤵PID:2244
-
C:\Windows\SysWOW64\Ocdnloph.exeC:\Windows\system32\Ocdnloph.exe75⤵PID:2276
-
C:\Windows\SysWOW64\Ocfkaone.exeC:\Windows\system32\Ocfkaone.exe76⤵PID:884
-
C:\Windows\SysWOW64\Onlooh32.exeC:\Windows\system32\Onlooh32.exe77⤵PID:944
-
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Peiaij32.exeC:\Windows\system32\Peiaij32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:764 -
C:\Windows\SysWOW64\Pkfiaqgk.exeC:\Windows\system32\Pkfiaqgk.exe80⤵PID:3000
-
C:\Windows\SysWOW64\Plffkc32.exeC:\Windows\system32\Plffkc32.exe81⤵PID:2440
-
C:\Windows\SysWOW64\Phmfpddb.exeC:\Windows\system32\Phmfpddb.exe82⤵PID:1268
-
C:\Windows\SysWOW64\Pgacaaij.exeC:\Windows\system32\Pgacaaij.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Pqjhjf32.exeC:\Windows\system32\Pqjhjf32.exe84⤵PID:768
-
C:\Windows\SysWOW64\Qdhqpe32.exeC:\Windows\system32\Qdhqpe32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:532 -
C:\Windows\SysWOW64\Qoaaqb32.exeC:\Windows\system32\Qoaaqb32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Aqanke32.exeC:\Windows\system32\Aqanke32.exe87⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Ailboh32.exeC:\Windows\system32\Ailboh32.exe88⤵PID:1716
-
C:\Windows\SysWOW64\Agdlfd32.exeC:\Windows\system32\Agdlfd32.exe89⤵PID:3036
-
C:\Windows\SysWOW64\Bfncbp32.exeC:\Windows\system32\Bfncbp32.exe90⤵PID:2228
-
C:\Windows\SysWOW64\Biolckgf.exeC:\Windows\system32\Biolckgf.exe91⤵PID:628
-
C:\Windows\SysWOW64\Biahijec.exeC:\Windows\system32\Biahijec.exe92⤵
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Cnpnga32.exeC:\Windows\system32\Cnpnga32.exe93⤵PID:2232
-
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe94⤵
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Celbik32.exeC:\Windows\system32\Celbik32.exe95⤵PID:324
-
C:\Windows\SysWOW64\Caccnllf.exeC:\Windows\system32\Caccnllf.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1168 -
C:\Windows\SysWOW64\Cealdjcm.exeC:\Windows\system32\Cealdjcm.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Cahmik32.exeC:\Windows\system32\Cahmik32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:524 -
C:\Windows\SysWOW64\Dmomnlne.exeC:\Windows\system32\Dmomnlne.exe99⤵PID:2084
-
C:\Windows\SysWOW64\Dbkffc32.exeC:\Windows\system32\Dbkffc32.exe100⤵PID:2308
-
C:\Windows\SysWOW64\Ddkbqfcp.exeC:\Windows\system32\Ddkbqfcp.exe101⤵PID:1964
-
C:\Windows\SysWOW64\Dlfgehqk.exeC:\Windows\system32\Dlfgehqk.exe102⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Dglkba32.exeC:\Windows\system32\Dglkba32.exe103⤵PID:2060
-
C:\Windows\SysWOW64\Deahcneh.exeC:\Windows\system32\Deahcneh.exe104⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Dpflqfeo.exeC:\Windows\system32\Dpflqfeo.exe105⤵PID:1820
-
C:\Windows\SysWOW64\Ekpmad32.exeC:\Windows\system32\Ekpmad32.exe106⤵PID:1628
-
C:\Windows\SysWOW64\Egikle32.exeC:\Windows\system32\Egikle32.exe107⤵PID:1228
-
C:\Windows\SysWOW64\Egkgad32.exeC:\Windows\system32\Egkgad32.exe108⤵PID:2780
-
C:\Windows\SysWOW64\Fjlqcppm.exeC:\Windows\system32\Fjlqcppm.exe109⤵PID:3052
-
C:\Windows\SysWOW64\Ffcahq32.exeC:\Windows\system32\Ffcahq32.exe110⤵PID:2376
-
C:\Windows\SysWOW64\Fcgaae32.exeC:\Windows\system32\Fcgaae32.exe111⤵PID:1548
-
C:\Windows\SysWOW64\Fmofjj32.exeC:\Windows\system32\Fmofjj32.exe112⤵PID:2524
-
C:\Windows\SysWOW64\Fmacpj32.exeC:\Windows\system32\Fmacpj32.exe113⤵PID:952
-
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe114⤵PID:2380
-
C:\Windows\SysWOW64\Gikpjk32.exeC:\Windows\system32\Gikpjk32.exe115⤵PID:2188
-
C:\Windows\SysWOW64\Gqfeom32.exeC:\Windows\system32\Gqfeom32.exe116⤵PID:1764
-
C:\Windows\SysWOW64\Gcgnphgf.exeC:\Windows\system32\Gcgnphgf.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Gcikfhed.exeC:\Windows\system32\Gcikfhed.exe118⤵PID:1080
-
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe119⤵PID:2124
-
C:\Windows\SysWOW64\Gjephakn.exeC:\Windows\system32\Gjephakn.exe120⤵
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Hcndag32.exeC:\Windows\system32\Hcndag32.exe121⤵PID:2480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-