Analysis

max time kernel: 158s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2023 18:51

Behavioral task behavioral1: sample 6071df3a321420022524cb07893ee1cf.exe, resource win7-20231215-en
Behavioral task behavioral2: sample 6071df3a321420022524cb07893ee1cf.exe, resource win10v2004-20231215-en

General

Target: 6071df3a321420022524cb07893ee1cf.exe
Size: 1.2MB
MD5: 6071df3a321420022524cb07893ee1cf
SHA1: ce052da87a7c593f96ce29eea821ed29138645f6
SHA256: 80d2cbf160d6b739052872bd8d549dc709500333728111f99d9b69e876f68b0e
SHA512: f0badf794aa465afcce9a6fea9fad1370dc8c0be4f35616f9429530b6a8c7051952158ceb53527784fc112b4f18b143a6807ee039a7f727fca2398172e9d60ba
SSDEEP: 24576:a5m0BmmvFimm0MTP7hm0BmmvFimm0SGT8P402fo06YE1+91vK3xDWGk4A:kiLiZGT8P4Zfo06h1+91vOaGBA
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process

Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 31 processes:
Albpff32.exe, Dlcaca32.exe, Elnehifk.exe, Kcikfcab.exe, Nepgcgje.exe, Ekkkip32.exe, Bmqhlk32.exe, Okailj32.exe, Gfgnnedj.exe, Nppfnige.exe, Qnhabp32.exe, Gbgibgpf.exe, Gablgk32.exe, Peodcmeg.exe, Efdbhpbn.exe, Gpkliaol.exe, Ccldebeo.exe, Mcdlil32.exe, Hcidoo32.exe, Enigjh32.exe, Kadnfkji.exe, Eblpqono.exe, Fbhplnca.exe, Gndick32.exe, Dkcehaof.exe, Pdcaahbk.exe, Gnohnffc.exe, Ccbaoc32.exe, Nnfkgp32.exe, Oocdme32.exe, Qoboofnb.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 33 processes:
Pqknbmhc.exe, Cfigib32.exe, Dpiplm32.exe, Pcfhlh32.exe, Qckfid32.exe, Ndfanlpi.exe, Plcmiofg.exe, Knfepldb.exe, Knmkak32.exe, Nnabladg.exe, Glbjpmdd.exe, Ljleil32.exe, Ejkndijd.exe, Bgimjmfl.exe, Pnbifmla.exe, Mjlalkmd.exe, Ppeikjle.exe, Fmcjiagf.exe, Pddokabk.exe, Pkpmnh32.exe, Epgdch32.exe, Jhhgmlli.exe, Onmahojj.exe, Kklbop32.exe, Qefkcl32.exe, Peodcmeg.exe, Bohbackj.exe, Chlffghn.exe, Adoamfhn.exe, Ohqpjo32.exe, Gdkffi32.exe, Jgakkb32.exe, Jghhjq32.exe
Malware Dropper & Backdoor - Berbew 60 IoCs
Berbew is a backdoor trojan that can download and install additional malicious software on the infected host, including other trojans, ransomware and cryptominers.
resource | yara_rule

All 60 matches are for the rule family_berbew, on the following dropped files:
behavioral2/files/0x000200000001e7dd-6.dat
behavioral2/files/0x000200000001e7e1-14.dat
behavioral2/files/0x000200000001e7e4-22.dat
behavioral2/files/0x000700000001e0ce-30.dat
behavioral2/files/0x000200000001e7e7-38.dat
behavioral2/files/0x000300000001e7c9-46.dat
behavioral2/files/0x000200000001e7ea-49.dat
behavioral2/files/0x000200000001e7ea-54.dat
behavioral2/files/0x000200000001e7ec-58.dat
behavioral2/files/0x000200000001e7f0-70.dat
behavioral2/files/0x000200000001e7f2-78.dat
behavioral2/files/0x000200000001e7f4-86.dat
behavioral2/files/0x000200000001e7f8-94.dat
behavioral2/files/0x000200000001e7fa-102.dat
behavioral2/files/0x000200000001e7fc-105.dat
behavioral2/files/0x000200000001e7fc-110.dat
behavioral2/files/0x000200000001e7fe-118.dat
behavioral2/files/0x000200000001e800-121.dat
behavioral2/files/0x000200000001e802-134.dat
behavioral2/files/0x000200000001e807-142.dat
behavioral2/files/0x000200000001e80b-150.dat
behavioral2/files/0x000600000002312b-158.dat
behavioral2/files/0x000600000002312e-166.dat
behavioral2/files/0x0006000000023130-174.dat
behavioral2/files/0x0006000000023132-182.dat
behavioral2/files/0x0006000000023134-185.dat
behavioral2/files/0x0006000000023134-190.dat
behavioral2/files/0x0006000000023136-198.dat
behavioral2/files/0x0006000000023138-206.dat
behavioral2/files/0x000600000002313a-209.dat
behavioral2/files/0x000600000002313a-214.dat
behavioral2/files/0x000600000002313c-222.dat
behavioral2/files/0x0006000000023142-230.dat
behavioral2/files/0x000400000001e805-238.dat
behavioral2/files/0x000400000001e80a-246.dat
behavioral2/files/0x000900000002313f-249.dat
behavioral2/files/0x0006000000023158-311.dat
behavioral2/files/0x0006000000023168-360.dat
behavioral2/files/0x0006000000023175-395.dat
behavioral2/files/0x000600000002318c-461.dat
behavioral2/files/0x0006000000023190-473.dat
behavioral2/files/0x000600000002319c-509.dat
behavioral2/files/0x00060000000231ae-567.dat
behavioral2/files/0x00060000000231b9-602.dat
behavioral2/files/0x0006000000023284-1269.dat
behavioral2/files/0x0006000000023296-1334.dat
behavioral2/files/0x00060000000232bc-1458.dat
behavioral2/files/0x00060000000232d0-1523.dat
behavioral2/files/0x00060000000232d8-1549.dat
behavioral2/files/0x000600000002333c-1867.dat
behavioral2/files/0x000600000002335c-1975.dat
behavioral2/files/0x000600000002344c-2730.dat
behavioral2/files/0x000600000002345c-2774.dat
behavioral2/files/0x0006000000023477-2864.dat
behavioral2/files/0x00060000000234ba-3091.dat
behavioral2/files/0x00060000000234c8-3138.dat
behavioral2/files/0x0006000000023558-3605.dat
behavioral2/files/0x000600000002355c-3618.dat
behavioral2/files/0x000600000002359a-3822.dat
behavioral2/files/0x00060000000235a0-3844.dat
Executes dropped EXE 64 IoCs
pid | Process
3704 | Emoadlfo.exe
2000 | Gifkpknp.exe
3768 | Gmimai32.exe
5032 | Hoaojp32.exe
3024 | Ipjoja32.exe
1036 | Kncaec32.exe
3272 | Modgdicm.exe
2244 | Mfchlbfd.exe
940 | Mcifkf32.exe
2832 | Njmqnobn.exe
4344 | Oabhfg32.exe
648 | Pdjgha32.exe
4176 | Apmhiq32.exe
3656 | Bhpofl32.exe
4708 | Dpiplm32.exe
3256 | Ehndnh32.exe
1972 | Edionhpn.exe
3644 | Gnpphljo.exe
1248 | Gndick32.exe
4316 | Hemmac32.exe
4400 | Iahgad32.exe
4020 | Jlikkkhn.exe
2652 | Kabcopmg.exe
3552 | Mjlalkmd.exe
4404 | Nfqnbjfi.exe
1840 | Ocnabm32.exe
2696 | Pmkofa32.exe
1376 | Aiplmq32.exe
1732 | Aalmimfd.exe
3116 | Cajjjk32.exe
4848 | Cdjblf32.exe
1580 | Ccdihbgg.exe
3108 | Eaceghcg.exe
4008 | Edfknb32.exe
2956 | Fcbnpnme.exe
640 | Gnohnffc.exe
1140 | Gclafmej.exe
3372 | Gjkbnfha.exe
2864 | Hnhkdd32.exe
1408 | Hkaeih32.exe
3668 | Hkcbnh32.exe
1268 | Indkpcdk.exe
4412 | Ijmhkchl.exe
4964 | Iloajfml.exe
2692 | Jlanpfkj.exe
4216 | Jejbhk32.exe
3332 | Jelonkph.exe
4668 | Kahinkaf.exe
4940 | Kocphojh.exe
4436 | Loemnnhe.exe
1372 | Lolcnman.exe
3440 | Lhgdmb32.exe
2328 | Mdghhb32.exe
2188 | Ncjdki32.exe
4748 | Ncmaai32.exe
3640 | Nkjckkcg.exe
3012 | Ohqpjo32.exe
564 | Okailj32.exe
1244 | Omcbkl32.exe
832 | Pdqcenmg.exe
3804 | Piaiqlak.exe
3096 | Pbljoafi.exe
3488 | Qckfid32.exe
1616 | Qcncodki.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Abgmacde.dll | Mgfqgkib.exe
File created | C:\Windows\SysWOW64\Hldnegjg.dll | Klfjbpmn.exe
File created | C:\Windows\SysWOW64\Qhfcbfdl.exe | Pnmojp32.exe
File created | C:\Windows\SysWOW64\Blamdb32.dll | Adanbffk.exe
File created | C:\Windows\SysWOW64\Mfchlbfd.exe | Modgdicm.exe
File created | C:\Windows\SysWOW64\Cckaddao.dll | Lifqbi32.exe
File created | C:\Windows\SysWOW64\Ghlbcolh.dll | Ppamjcpj.exe
File created | C:\Windows\SysWOW64\Npkocp32.dll | Adoamfhn.exe
File created | C:\Windows\SysWOW64\Mhoaqa32.dll | Cgcmeh32.exe
File opened for modification | C:\Windows\SysWOW64\Qejkfp32.exe | Phfjmlhh.exe
File created | C:\Windows\SysWOW64\Abebpcbd.dll | Dbnmek32.exe
File created | C:\Windows\SysWOW64\Eeaqfo32.exe | Elilmi32.exe
File opened for modification | C:\Windows\SysWOW64\Iecmcpoj.exe | Hoonjjgk.exe
File created | C:\Windows\SysWOW64\Dcmdnb32.dll | Kbebdpca.exe
File opened for modification | C:\Windows\SysWOW64\Bgpceogl.exe | Bngnmjql.exe
File created | C:\Windows\SysWOW64\Fnbjpf32.exe | Fdmfcn32.exe
File opened for modification | C:\Windows\SysWOW64\Aichng32.exe | Acfoep32.exe
File created | C:\Windows\SysWOW64\Bnfiapfj.exe | Bldljh32.exe
File created | C:\Windows\SysWOW64\Ikodjj32.dll | Fmfgoa32.exe
File created | C:\Windows\SysWOW64\Ngdmhimb.exe | Nnlhod32.exe
File created | C:\Windows\SysWOW64\Moiheebb.exe | Meadlo32.exe
File created | C:\Windows\SysWOW64\Mcggga32.exe | Liabjh32.exe
File created | C:\Windows\SysWOW64\Keilgoad.dll | Pqpgnl32.exe
File created | C:\Windows\SysWOW64\Bkcbaf32.dll | Qqamieno.exe
File opened for modification | C:\Windows\SysWOW64\Hnhkdd32.exe | Gjkbnfha.exe
File created | C:\Windows\SysWOW64\Olgbff32.dll | Eojcao32.exe
File created | C:\Windows\SysWOW64\Bddjijia.exe | Bohbackj.exe
File created | C:\Windows\SysWOW64\Lchood32.dll | Ccipelcf.exe
File created | C:\Windows\SysWOW64\Gbjlgj32.exe | Ghdhja32.exe
File opened for modification | C:\Windows\SysWOW64\Nmhglopl.exe | Mpdgbkab.exe
File created | C:\Windows\SysWOW64\Giplpe32.dll | Fhnichde.exe
File opened for modification | C:\Windows\SysWOW64\Omcbkl32.exe | Okailj32.exe
File created | C:\Windows\SysWOW64\Bipdih32.dll | Eibmlc32.exe
File opened for modification | C:\Windows\SysWOW64\Obcled32.exe | Oijgmokc.exe
File opened for modification | C:\Windows\SysWOW64\Ffpadn32.exe | Ejiqom32.exe
File created | C:\Windows\SysWOW64\Ljnjmcie.dll | Gpkliaol.exe
File created | C:\Windows\SysWOW64\Iohjle32.dll | Emenhcdf.exe
File opened for modification | C:\Windows\SysWOW64\Dpiplm32.exe | Bhpofl32.exe
File opened for modification | C:\Windows\SysWOW64\Hllkqdli.exe | Hfbbdj32.exe
File created | C:\Windows\SysWOW64\Aohbbqme.exe | Acaanp32.exe
File created | C:\Windows\SysWOW64\Fbhplnca.exe | Fipkch32.exe
File created | C:\Windows\SysWOW64\Ldpbaelj.dll | Jeneidji.exe
File created | C:\Windows\SysWOW64\Gegchl32.exe | Gpjjpe32.exe
File opened for modification | C:\Windows\SysWOW64\Hebkid32.exe | Hikkdc32.exe
File opened for modification | C:\Windows\SysWOW64\Genobp32.exe | Fjikeg32.exe
File opened for modification | C:\Windows\SysWOW64\Khimhefk.exe | Jndhkmfe.exe
File created | C:\Windows\SysWOW64\Ebdoljdi.dll | Kabcopmg.exe
File created | C:\Windows\SysWOW64\Pcdjic32.exe | Ohnelj32.exe
File created | C:\Windows\SysWOW64\Glgolo32.dll | Jggjpgmc.exe
File opened for modification | C:\Windows\SysWOW64\Onhhmpoo.exe | Nhkpdi32.exe
File opened for modification | C:\Windows\SysWOW64\Loemnnhe.exe | Kocphojh.exe
File opened for modification | C:\Windows\SysWOW64\Fcbgfhii.exe | Fpandm32.exe
File created | C:\Windows\SysWOW64\Gnckooob.exe | Gdkffi32.exe
File created | C:\Windows\SysWOW64\Elngne32.dll | Nhdicjfp.exe
File created | C:\Windows\SysWOW64\Ggilgn32.exe | Gpodkdll.exe
File created | C:\Windows\SysWOW64\Pjfffd32.dll | Lpdefc32.exe
File created | C:\Windows\SysWOW64\Hemgeg32.dll | Kdqecc32.exe
File created | C:\Windows\SysWOW64\Pknjieep.dll | Aalmimfd.exe
File created | C:\Windows\SysWOW64\Geamaapg.dll | Fjikeg32.exe
File created | C:\Windows\SysWOW64\Cgbppknb.exe | Cllkcbnl.exe
File created | C:\Windows\SysWOW64\Ohbfmj32.dll | Liddligi.exe
File created | C:\Windows\SysWOW64\Dnkkcmdb.exe | Dhnbkfek.exe
File created | C:\Windows\SysWOW64\Bhpofl32.exe | Apmhiq32.exe
File created | C:\Windows\SysWOW64\Gngckfdj.exe | Genobp32.exe
Modifies registry class 64 IoCs
description | ioc | Process

Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 23 processes:
Bjhpqn32.exe, Fipkch32.exe, Aojepe32.exe, Didqkeeq.exe, Nppfnige.exe, Olaeqp32.exe, Cigcjj32.exe, Jgakkb32.exe, Hemmac32.exe, Libggiik.exe, Jhhgmlli.exe, Jjoeoedo.exe, Emhdeoel.exe, Ecpomiok.exe, Chfepa32.exe, Engaon32.exe, Kccbjq32.exe, Akmjdpac.exe, Dlgmjdlg.exe, Hoaojp32.exe, Conagl32.exe, Qefkcl32.exe, Andqol32.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 22 processes:
Ahffqk32.exe, Jbpkfa32.exe, Pmnbpm32.exe, Japmcfcc.exe, Dlgmjdlg.exe, Boeelcmm.exe, Phcgmffo.exe, Bfnnhj32.exe, Ckeigc32.exe, Enbhdojn.exe, Pkaijl32.exe, Clffalkf.exe, Ekcemmgo.exe, Mphoob32.exe, Nhnlelfm.exe, Bmqhlk32.exe, Jnmglk32.exe, Ecoiapdj.exe, Anjifbpg.exe, Dpiplm32.exe, Blbodh32.exe, Jnfjbj32.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default) = DLL path below | 19 processes, each pointing the in-process server at a different dropped DLL:
"C:\\Windows\\SysWow64\\Jdbdgngl.dll" | Engaon32.exe
"C:\\Windows\\SysWow64\\Gkkimb32.dll" | Fnbjpf32.exe
"C:\\Windows\\SysWow64\\Akamab32.dll" | Nlmdml32.exe
"C:\\Windows\\SysWow64\\Acnokeqm.dll" | Cggikk32.exe
"C:\\Windows\\SysWow64\\Dnpjpj32.dll" | Oncopcqj.exe
"C:\\Windows\\SysWow64\\Hmijkj32.dll" | Bdnkhn32.exe
"C:\\Windows\\SysWow64\\Hjpfob32.dll" | Ehappnjj.exe
"C:\\Windows\\SysWow64\\Hagapc32.dll" | Gclafmej.exe
"C:\\Windows\\SysWow64\\Oqgegp32.dll" | Ejiqom32.exe
"C:\\Windows\\SysWow64\\Cncjpfei.dll" | Mpdgbkab.exe
"C:\\Windows\\SysWow64\\Pqkchi32.dll" | Hpqlof32.exe
"C:\\Windows\\SysWow64\\Hoffjidl.dll" | Gggfme32.exe
"C:\\Windows\\SysWow64\\Hjfeidbm.dll" | Fbbpgh32.exe
"C:\\Windows\\SysWow64\\Hemgeg32.dll" | Kdqecc32.exe
"C:\\Windows\\SysWow64\\Npbhdogo.dll" | Ekcemmgo.exe
"C:\\Windows\\SysWow64\\Pbfkdhnj.dll" | Chfepa32.exe
"C:\\Windows\\SysWow64\\Knojng32.dll" | Pdqcenmg.exe
"C:\\Windows\\SysWow64\\Jdjdkc32.dll" | Ooaghe32.exe
"C:\\Windows\\SysWow64\\Phlenm32.dll" | Fipkch32.exe
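The autorun block and the registry-class block above record the two halves of one persistence mechanism: each generation of the dropped executable registers CLSID {79FAA099-1BAE-816E-D711-115290CEE717} under Classes\WOW6432Node\CLSID\...\InProcServer32 with a freshly dropped SysWow64 DLL as the default value (Kdqecc32.exe, for instance, both creates Hemgeg32.dll and points InProcServer32 at it), then lists that CLSID under ShellServiceObjectDelayLoad as "Web Event Logger" so that Explorer loads the DLL at logon. The script below is an added example, not code from the sandbox or the sample: it audits ShellServiceObjectDelayLoad entries by resolving each CLSID to its in-process server DLL and reporting anything outside a caller-supplied baseline or with a dangling registration. The audit runs over a plain dict so it can be tested offline; the snapshot is constructed from this report's values plus two hypothetical entries, the baseline set is an assumption the caller must supply from a clean image, and the winreg adapter is only exercised on a Windows host.

```python
"""SSODL persistence audit over a registry snapshot (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Keys explorer.exe reads at logon: native 64-bit view and the WOW6432Node
# view this sample writes to. "" is the default value of a key.
SSODL_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
)
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")


@dataclass
class Finding:
    ssodl_key: str
    value_name: str
    clsid: str
    server_dll: Optional[str] = None
    reasons: list = field(default_factory=list)


def inproc_key(clsid: str, wow64: bool) -> str:
    """InProcServer32 key in the same registry view the SSODL entry came from."""
    base = r"HKLM\SOFTWARE\Classes" + (r"\WOW6432Node" if wow64 else "")
    return base + r"\CLSID\%s\InProcServer32" % clsid


def audit_ssodl(snapshot: dict, baseline=frozenset()) -> list:
    """One Finding per SSODL entry whose CLSID is not in `baseline`.

    snapshot: {key_path: {value_name: data}}.  baseline: CLSIDs verified on a
    clean build of the same image (assumed to be supplied by the caller; with
    the empty default every entry is reported).
    """
    findings = []
    for key in SSODL_KEYS:
        wow64 = "WOW6432Node" in key
        for name, data in snapshot.get(key, {}).items():
            clsid = str(data).strip().upper()
            f = Finding(key, name, clsid)
            if not CLSID_RE.match(clsid):
                f.reasons.append("value data is not a CLSID")
                findings.append(f)
                continue
            if clsid in baseline:
                continue
            f.reasons.append("CLSID not in baseline")
            f.server_dll = snapshot.get(inproc_key(clsid, wow64), {}).get("")
            if f.server_dll is None:
                f.reasons.append("no InProcServer32 default value (dangling entry)")
            elif not f.server_dll.lower().startswith("c:\\windows\\"):
                f.reasons.append("server DLL outside the Windows directory")
            findings.append(f)
    return findings


# Constructed snapshot: the CLSID, value name, ThreadingModel and the last DLL
# path this report records for the sample, plus two hypothetical entries.
BERBEW_CLSID = "{79FAA099-1BAE-816E-D711-115290CEE717}"
BENIGN_CLSID = "{11111111-2222-3333-4444-555555555555}"    # hypothetical, baselined
DANGLING_CLSID = "{66666666-7777-8888-9999-AAAAAAAAAAAA}"  # hypothetical, no server
SAMPLE_SNAPSHOT = {
    SSODL_KEYS[1]: {
        "Web Event Logger": BERBEW_CLSID,
        "ExampleBenign": BENIGN_CLSID,
        "Orphan": DANGLING_CLSID,
    },
    inproc_key(BERBEW_CLSID, True): {
        "": r"C:\Windows\SysWow64\Phlenm32.dll",
        "ThreadingModel": "Apartment",
    },
    inproc_key(BENIGN_CLSID, True): {"": r"C:\Windows\System32\example.dll"},
}


def snapshot_from_winreg() -> dict:
    """Fill the same dict from a live host; returns {} where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return {}

    def read_values(path):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path.split("\\", 1)[1]) as k:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:        # no more values
                        return values
                    values[name] = data
                    i += 1
        except OSError:                    # key does not exist
            return None

    snap = {}
    for key in SSODL_KEYS:
        values = read_values(key)
        if values is None:
            continue
        snap[key] = values
        for data in values.values():
            ik = inproc_key(str(data).strip().upper(), "WOW6432Node" in key)
            server = read_values(ik)
            if server is not None:
                snap[ik] = server
    return snap


if __name__ == "__main__":
    snap = snapshot_from_winreg() or SAMPLE_SNAPSHOT
    for f in audit_ssodl(snap, baseline={BENIGN_CLSID}):
        print(f"{f.value_name!r} -> {f.clsid} -> {f.server_dll}: {'; '.join(f.reasons)}")
```

On a live host the finding is only the start: the resolved DLL path is what you hash, check for a valid signature and pull for analysis, and both the SSODL value and the CLSID key have to be removed together, because the sample's chain rewrites the InProcServer32 default each generation and a surviving SSODL entry would simply be re-pointed at the next dropped DLL.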
Suspicious use of WriteProcessMemory 64 IoCs
description (parent PID, parent process) | child PID | procid_target | events

Each parent writes into its child three times (three WriteProcessMemory events per hop); the table lists every parent/child pair once with the event count.

3180 6071df3a321420022524cb07893ee1cf.exe | 3704 | 92 | 3
3704 Emoadlfo.exe | 2000 | 93 | 3
2000 Gifkpknp.exe | 3768 | 94 | 3
3768 Gmimai32.exe | 5032 | 95 | 3
5032 Hoaojp32.exe | 3024 | 96 | 3
3024 Ipjoja32.exe | 1036 | 98 | 3
1036 Kncaec32.exe | 3272 | 99 | 3
3272 Modgdicm.exe | 2244 | 100 | 3
2244 Mfchlbfd.exe | 940 | 101 | 3
940 Mcifkf32.exe | 2832 | 102 | 3
2832 Njmqnobn.exe | 4344 | 103 | 3
4344 Oabhfg32.exe | 648 | 104 | 3
648 Pdjgha32.exe | 4176 | 105 | 3
4176 Apmhiq32.exe | 3656 | 106 | 3
3656 Bhpofl32.exe | 4708 | 107 | 3
4708 Dpiplm32.exe | 3256 | 108 | 3
3256 Ehndnh32.exe | 1972 | 109 | 3
1972 Edionhpn.exe | 3644 | 110 | 3
3644 Gnpphljo.exe | 1248 | 111 | 3
1248 Gndick32.exe | 4316 | 112 | 3
4316 Hemmac32.exe | 4400 | 113 | 3
4400 Iahgad32.exe | 4020 | 115 | 1 (list truncated at 64 IoCs)
Processes
level 1: C:\Users\Admin\AppData\Local\Temp\6071df3a321420022524cb07893ee1cf.exe, command line "C:\Users\Admin\AppData\Local\Temp\6071df3a321420022524cb07893ee1cf.exe", PID 3180
- Suspicious use of WriteProcessMemory
level 2: C:\Windows\SysWOW64\Emoadlfo.exe, command line C:\Windows\system32\Emoadlfo.exe, PID 3704
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 3: C:\Windows\SysWOW64\Gifkpknp.exe, command line C:\Windows\system32\Gifkpknp.exe, PID 2000
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 4: C:\Windows\SysWOW64\Gmimai32.exe, command line C:\Windows\system32\Gmimai32.exe, PID 3768
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 5: C:\Windows\SysWOW64\Hoaojp32.exe, command line C:\Windows\system32\Hoaojp32.exe, PID 5032
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 6: C:\Windows\SysWOW64\Ipjoja32.exe, command line C:\Windows\system32\Ipjoja32.exe, PID 3024
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 7: C:\Windows\SysWOW64\Kncaec32.exe, command line C:\Windows\system32\Kncaec32.exe, PID 1036
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 8: C:\Windows\SysWOW64\Modgdicm.exe, command line C:\Windows\system32\Modgdicm.exe, PID 3272
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
level 9: C:\Windows\SysWOW64\Mfchlbfd.exe, command line C:\Windows\system32\Mfchlbfd.exe, PID 2244
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 10: C:\Windows\SysWOW64\Mcifkf32.exe, command line C:\Windows\system32\Mcifkf32.exe, PID 940
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 11: C:\Windows\SysWOW64\Njmqnobn.exe, command line C:\Windows\system32\Njmqnobn.exe, PID 2832
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 12: C:\Windows\SysWOW64\Oabhfg32.exe, command line C:\Windows\system32\Oabhfg32.exe, PID 4344
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 13: C:\Windows\SysWOW64\Pdjgha32.exe, command line C:\Windows\system32\Pdjgha32.exe, PID 648
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 14: C:\Windows\SysWOW64\Apmhiq32.exe, command line C:\Windows\system32\Apmhiq32.exe, PID 4176
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
level 15: C:\Windows\SysWOW64\Bhpofl32.exe, command line C:\Windows\system32\Bhpofl32.exe, PID 3656
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
level 16: C:\Windows\SysWOW64\Dpiplm32.exe, command line C:\Windows\system32\Dpiplm32.exe, PID 4708
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 17: C:\Windows\SysWOW64\Ehndnh32.exe, command line C:\Windows\system32\Ehndnh32.exe, PID 3256
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 18: C:\Windows\SysWOW64\Edionhpn.exe, command line C:\Windows\system32\Edionhpn.exe, PID 1972
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 19: C:\Windows\SysWOW64\Gnpphljo.exe, command line C:\Windows\system32\Gnpphljo.exe, PID 3644
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 20: C:\Windows\SysWOW64\Gndick32.exe, command line C:\Windows\system32\Gndick32.exe, PID 1248
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 21: C:\Windows\SysWOW64\Hemmac32.exe, command line C:\Windows\system32\Hemmac32.exe, PID 4316
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 22: C:\Windows\SysWOW64\Iahgad32.exe, command line C:\Windows\system32\Iahgad32.exe, PID 4400
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 23: C:\Windows\SysWOW64\Jlikkkhn.exe, command line C:\Windows\system32\Jlikkkhn.exe, PID 4020
- Executes dropped EXE
level 24: C:\Windows\SysWOW64\Kabcopmg.exe, command line C:\Windows\system32\Kabcopmg.exe, PID 2652
- Executes dropped EXE
- Drops file in System32 directory
level 25: C:\Windows\SysWOW64\Mjlalkmd.exe, command line C:\Windows\system32\Mjlalkmd.exe, PID 3552
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 26: C:\Windows\SysWOW64\Nfqnbjfi.exe, command line C:\Windows\system32\Nfqnbjfi.exe, PID 4404
- Executes dropped EXE
level 27: C:\Windows\SysWOW64\Ocnabm32.exe, command line C:\Windows\system32\Ocnabm32.exe, PID 1840
- Executes dropped EXE
level 28: C:\Windows\SysWOW64\Pmkofa32.exe, command line C:\Windows\system32\Pmkofa32.exe, PID 2696
- Executes dropped EXE
level 29: C:\Windows\SysWOW64\Aiplmq32.exe, command line C:\Windows\system32\Aiplmq32.exe, PID 1376
- Executes dropped EXE
level 30: C:\Windows\SysWOW64\Aalmimfd.exe, command line C:\Windows\system32\Aalmimfd.exe, PID 1732
- Executes dropped EXE
- Drops file in System32 directory
level 31: C:\Windows\SysWOW64\Cajjjk32.exe, command line C:\Windows\system32\Cajjjk32.exe, PID 3116
- Executes dropped EXE
level 32: C:\Windows\SysWOW64\Cdjblf32.exe, command line C:\Windows\system32\Cdjblf32.exe, PID 4848
- Executes dropped EXE
level 33: C:\Windows\SysWOW64\Ccdihbgg.exe, command line C:\Windows\system32\Ccdihbgg.exe, PID 1580
- Executes dropped EXE
level 34: C:\Windows\SysWOW64\Eaceghcg.exe, command line C:\Windows\system32\Eaceghcg.exe, PID 3108
- Executes dropped EXE
level 35: C:\Windows\SysWOW64\Edfknb32.exe, command line C:\Windows\system32\Edfknb32.exe, PID 4008
- Executes dropped EXE
level 36: C:\Windows\SysWOW64\Fcbnpnme.exe, command line C:\Windows\system32\Fcbnpnme.exe, PID 2956
- Executes dropped EXE
level 37: C:\Windows\SysWOW64\Gnohnffc.exe, command line C:\Windows\system32\Gnohnffc.exe, PID 640
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 38: C:\Windows\SysWOW64\Gclafmej.exe, command line C:\Windows\system32\Gclafmej.exe, PID 1140
- Executes dropped EXE
- Modifies registry class
level 39: C:\Windows\SysWOW64\Gjkbnfha.exe, command line C:\Windows\system32\Gjkbnfha.exe, PID 3372
- Executes dropped EXE
- Drops file in System32 directory
level 40: C:\Windows\SysWOW64\Hnhkdd32.exe, command line C:\Windows\system32\Hnhkdd32.exe, PID 2864
- Executes dropped EXE
level 41: C:\Windows\SysWOW64\Hkaeih32.exe, command line C:\Windows\system32\Hkaeih32.exe, PID 1408
- Executes dropped EXE
level 42: C:\Windows\SysWOW64\Hkcbnh32.exe, command line C:\Windows\system32\Hkcbnh32.exe, PID 3668
- Executes dropped EXE
level 43: C:\Windows\SysWOW64\Indkpcdk.exe, command line C:\Windows\system32\Indkpcdk.exe, PID 1268
- Executes dropped EXE
level 44: C:\Windows\SysWOW64\Ijmhkchl.exe, command line C:\Windows\system32\Ijmhkchl.exe, PID 4412
- Executes dropped EXE
level 45: C:\Windows\SysWOW64\Iloajfml.exe, command line C:\Windows\system32\Iloajfml.exe, PID 4964
- Executes dropped EXE
level 46: C:\Windows\SysWOW64\Jlanpfkj.exe, command line C:\Windows\system32\Jlanpfkj.exe, PID 2692
- Executes dropped EXE
level 47: C:\Windows\SysWOW64\Jejbhk32.exe, command line C:\Windows\system32\Jejbhk32.exe, PID 4216
- Executes dropped EXE
level 48: C:\Windows\SysWOW64\Jelonkph.exe, command line C:\Windows\system32\Jelonkph.exe, PID 3332
- Executes dropped EXE
level 49: C:\Windows\SysWOW64\Kahinkaf.exe, command line C:\Windows\system32\Kahinkaf.exe, PID 4668
- Executes dropped EXE
level 50: C:\Windows\SysWOW64\Kocphojh.exe, command line C:\Windows\system32\Kocphojh.exe, PID 4940
- Executes dropped EXE
- Drops file in System32 directory
level 51: C:\Windows\SysWOW64\Loemnnhe.exe, command line C:\Windows\system32\Loemnnhe.exe, PID 4436
- Executes dropped EXE
level 52: C:\Windows\SysWOW64\Lolcnman.exe, command line C:\Windows\system32\Lolcnman.exe, PID 1372
- Executes dropped EXE
level 53: C:\Windows\SysWOW64\Lhgdmb32.exe, command line C:\Windows\system32\Lhgdmb32.exe, PID 3440
- Executes dropped EXE
level 54: C:\Windows\SysWOW64\Mdghhb32.exe, command line C:\Windows\system32\Mdghhb32.exe, PID 2328
- Executes dropped EXE
level 55: C:\Windows\SysWOW64\Ncjdki32.exe, command line C:\Windows\system32\Ncjdki32.exe, PID 2188
- Executes dropped EXE
level 56: C:\Windows\SysWOW64\Ncmaai32.exe, command line C:\Windows\system32\Ncmaai32.exe, PID 4748
- Executes dropped EXE
level 57: C:\Windows\SysWOW64\Nkjckkcg.exe, command line C:\Windows\system32\Nkjckkcg.exe, PID 3640
- Executes dropped EXE
level 58: C:\Windows\SysWOW64\Ohqpjo32.exe, command line C:\Windows\system32\Ohqpjo32.exe, PID 3012
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 59: C:\Windows\SysWOW64\Okailj32.exe, command line C:\Windows\system32\Okailj32.exe, PID 564
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
level 60: C:\Windows\SysWOW64\Omcbkl32.exe, command line C:\Windows\system32\Omcbkl32.exe, PID 1244
- Executes dropped EXE
level 61: C:\Windows\SysWOW64\Pdqcenmg.exe, command line C:\Windows\system32\Pdqcenmg.exe, PID 832
- Executes dropped EXE
- Modifies registry class
level 62: C:\Windows\SysWOW64\Piaiqlak.exe, command line C:\Windows\system32\Piaiqlak.exe, PID 3804
- Executes dropped EXE
level 63: C:\Windows\SysWOW64\Pbljoafi.exe, command line C:\Windows\system32\Pbljoafi.exe, PID 3096
- Executes dropped EXE
level 64: C:\Windows\SysWOW64\Qckfid32.exe, command line C:\Windows\system32\Qckfid32.exe, PID 3488
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 65: C:\Windows\SysWOW64\Qcncodki.exe, command line C:\Windows\system32\Qcncodki.exe, PID 1616
- Executes dropped EXE
level 66: C:\Windows\SysWOW64\Aealll32.exe, command line C:\Windows\system32\Aealll32.exe, PID 808
level 67: C:\Windows\SysWOW64\Bblcfo32.exe, command line C:\Windows\system32\Bblcfo32.exe, PID 1184
level 68: C:\Windows\SysWOW64\Bmfqngcg.exe, command line C:\Windows\system32\Bmfqngcg.exe, PID 4536
level 69: C:\Windows\SysWOW64\Cplckbmc.exe, command line C:\Windows\system32\Cplckbmc.exe, PID 1536
level 70: C:\Windows\SysWOW64\Cmbpjfij.exe, command line C:\Windows\system32\Cmbpjfij.exe, PID 5100
level 71: C:\Windows\SysWOW64\Ddqbbo32.exe, command line C:\Windows\system32\Ddqbbo32.exe, PID 3680
level 72: C:\Windows\SysWOW64\Ddhhbngi.exe, command line C:\Windows\system32\Ddhhbngi.exe, PID 3556
level 73: C:\Windows\SysWOW64\Didqkeeq.exe, command line C:\Windows\system32\Didqkeeq.exe, PID 3932
- Modifies registry class
level 74: C:\Windows\SysWOW64\Ddjehneg.exe, command line C:\Windows\system32\Ddjehneg.exe, PID 4552
level 75: C:\Windows\SysWOW64\Digmqe32.exe, command line C:\Windows\system32\Digmqe32.exe, PID 2868
level 76: C:\Windows\SysWOW64\Edlann32.exe, command line C:\Windows\system32\Edlann32.exe, PID 1204
level 77: C:\Windows\SysWOW64\Edakimoo.exe, command line C:\Windows\system32\Edakimoo.exe, PID 1468
level 78: C:\Windows\SysWOW64\Ellpmolj.exe, command line C:\Windows\system32\Ellpmolj.exe, PID 3696
level 79: C:\Windows\SysWOW64\Elolco32.exe, command line C:\Windows\system32\Elolco32.exe, PID 3380
level 80: C:\Windows\SysWOW64\Eibmlc32.exe, command line C:\Windows\system32\Eibmlc32.exe, PID 2264
- Drops file in System32 directory
level 81: C:\Windows\SysWOW64\Fgfmeg32.exe, command line C:\Windows\system32\Fgfmeg32.exe, PID 5132
level 82: C:\Windows\SysWOW64\Fpoaom32.exe, command line C:\Windows\system32\Fpoaom32.exe, PID 5172
level 83: C:\Windows\SysWOW64\Feljgd32.exe, command line C:\Windows\system32\Feljgd32.exe, PID 5216
level 84: C:\Windows\SysWOW64\Fpandm32.exe, command line C:\Windows\system32\Fpandm32.exe, PID 5256
- Drops file in System32 directory
level 85: C:\Windows\SysWOW64\Fcbgfhii.exe, command line C:\Windows\system32\Fcbgfhii.exe, PID 5304
level 86: C:\Windows\SysWOW64\Ggdigekj.exe, command line C:\Windows\system32\Ggdigekj.exe, PID 5348
level 87: C:\Windows\SysWOW64\Gggfme32.exe, command line C:\Windows\system32\Gggfme32.exe, PID 5392
- Modifies registry class
level 88: C:\Windows\SysWOW64\Gdkffi32.exe, command line C:\Windows\system32\Gdkffi32.exe, PID 5428
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
level 89: C:\Windows\SysWOW64\Gnckooob.exe, command line C:\Windows\system32\Gnckooob.exe, PID 5488
level 90: C:\Windows\SysWOW64\Hfefdpfe.exe, command line C:\Windows\system32\Hfefdpfe.exe, PID 5532
level 91: C:\Windows\SysWOW64\Ienlbf32.exe, command line C:\Windows\system32\Ienlbf32.exe, PID 5576
level 92: C:\Windows\SysWOW64\Jnmglk32.exe, command line C:\Windows\system32\Jnmglk32.exe, PID 5624
- Modifies registry class
level 93: C:\Windows\SysWOW64\Jmbdmg32.exe, command line C:\Windows\system32\Jmbdmg32.exe, PID 5668
level 94: C:\Windows\SysWOW64\Jghhjq32.exe, command line C:\Windows\system32\Jghhjq32.exe, PID 5712
- Adds autorun key to be loaded by Explorer.exe on startup
level 95: C:\Windows\SysWOW64\Japmcfcc.exe, command line C:\Windows\system32\Japmcfcc.exe, PID 5752
- Modifies registry class
level 96: C:\Windows\SysWOW64\Jjhalkjc.exe, command line C:\Windows\system32\Jjhalkjc.exe, PID 5796
level 97: C:\Windows\SysWOW64\Jeneidji.exe, command line C:\Windows\system32\Jeneidji.exe, PID 5840
- Drops file in System32 directory
level 98: C:\Windows\SysWOW64\Jnfjbj32.exe, command line C:\Windows\system32\Jnfjbj32.exe, PID 5884
- Modifies registry class
level 99: C:\Windows\SysWOW64\Kccbjq32.exe, command line C:\Windows\system32\Kccbjq32.exe, PID 5928
- Modifies registry class
level 100: C:\Windows\SysWOW64\Kjmjgk32.exe, command line C:\Windows\system32\Kjmjgk32.exe, PID 5968
level 101: C:\Windows\SysWOW64\Knkcmild.exe, command line C:\Windows\system32\Knkcmild.exe, PID 6016
level 102: C:\Windows\SysWOW64\Khcgfo32.exe, command line C:\Windows\system32\Khcgfo32.exe, PID 6064
level 103: C:\Windows\SysWOW64\Keghocao.exe, command line C:\Windows\system32\Keghocao.exe, PID 6108
level 104: C:\Windows\SysWOW64\Knpmhh32.exe, command line C:\Windows\system32\Knpmhh32.exe, PID 3968
level 105: C:\Windows\SysWOW64\Khhaanop.exe, command line C:\Windows\system32\Khhaanop.exe, PID 5208
level 106: C:\Windows\SysWOW64\Ldoafodd.exe, command line C:\Windows\system32\Ldoafodd.exe, PID 5264
level 107: C:\Windows\SysWOW64\Lacbpccn.exe, command line C:\Windows\system32\Lacbpccn.exe, PID 5376
level 108: C:\Windows\SysWOW64\Mhfmbl32.exe, command line C:\Windows\system32\Mhfmbl32.exe, PID 5416
level 109: C:\Windows\SysWOW64\Mdmngm32.exe, command line C:\Windows\system32\Mdmngm32.exe, PID 5508
level 110: C:\Windows\SysWOW64\Mkgfdgpq.exe, command line C:\Windows\system32\Mkgfdgpq.exe, PID 5568
level 111: C:\Windows\SysWOW64\Mdokmm32.exe, command line C:\Windows\system32\Mdokmm32.exe, PID 3180
level 112: C:\Windows\SysWOW64\Mmhofbma.exe, command line C:\Windows\system32\Mmhofbma.exe, PID 3768
level 113: C:\Windows\SysWOW64\Mgpcohcb.exe, command line C:\Windows\system32\Mgpcohcb.exe, PID 5636
level 114: C:\Windows\SysWOW64\Meadlo32.exe, command line C:\Windows\system32\Meadlo32.exe, PID 5760
- Drops file in System32 directory
level 115: C:\Windows\SysWOW64\Moiheebb.exe, command line C:\Windows\system32\Moiheebb.exe, PID 5788
level 116: C:\Windows\SysWOW64\Ndfanlpi.exe, command line C:\Windows\system32\Ndfanlpi.exe, PID 5876
- Adds autorun key to be loaded by Explorer.exe on startup
level 117: C:\Windows\SysWOW64\Nhdicjfp.exe, command line C:\Windows\system32\Nhdicjfp.exe, PID 5952
- Drops file in System32 directory
level 118: C:\Windows\SysWOW64\Nnabladg.exe, command line C:\Windows\system32\Nnabladg.exe, PID 6028
- Adds autorun key to be loaded by Explorer.exe on startup
level 119: C:\Windows\SysWOW64\Nhffijdm.exe, command line C:\Windows\system32\Nhffijdm.exe, PID 6008
level 120: C:\Windows\SysWOW64\Noqofdlj.exe, command line C:\Windows\system32\Noqofdlj.exe, PID 6116
level 121: C:\Windows\SysWOW64\Nhicoi32.exe, command line C:\Windows\system32\Nhicoi32.exe, PID 5164
level 122: C:\Windows\SysWOW64\Nnfkgp32.exe, command line C:\Windows\system32\Nnfkgp32.exe, PID 5312
- Adds autorun key to be loaded by Explorer.exe on startup