Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 166s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/01/2024, 20:28
Behavioral task behavioral1
- Sample: dde7ddb5b0e3868bd61677e85a988aff.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: dde7ddb5b0e3868bd61677e85a988aff.exe
- Resource: win10v2004-20231215-en
General
- Target: dde7ddb5b0e3868bd61677e85a988aff.exe
- Size: 121KB
- MD5: dde7ddb5b0e3868bd61677e85a988aff
- SHA1: 1d898d7e30f246289d2d9971364e55b64ecc55cf
- SHA256: 5a96b06bffa97783042f90404993aa8100a0a38ceb0471a71df53819ac25695e
- SHA512: b5a228287be877676ca30a6815a0baf16d1bf810d25a112dcd67503252ce1ce050722fe39a2f4ceedc0ac596135df12c81529321e1753f9db21ddb8b53aa0f80
- SSDEEP: 3072:BKIckf/ZE9jej1TZCjJGRoX55Ek0O7AJnD5tvv:A+kej1YGRW5ETOarvv
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\dde7ddb5b0e3868bd61677e85a988aff.exe (command line: "C:\Users\Admin\AppData\Local\Temp\dde7ddb5b0e3868bd61677e85a988aff.exe"; depth 1; PID 3908)
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ofegni32.exe (command line: C:\Windows\system32\Ofegni32.exe; depth 2; PID 2564)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Pbekii32.exe (command line: C:\Windows\system32\Pbekii32.exe; depth 3; PID 2444)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Qfjjpf32.exe (command line: C:\Windows\system32\Qfjjpf32.exe; depth 4; PID 912)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Aaiqcnhg.exe (command line: C:\Windows\system32\Aaiqcnhg.exe; depth 5; PID 1736)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bboffejp.exe (command line: C:\Windows\system32\Bboffejp.exe; depth 6; PID 4608)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bmggingc.exe (command line: C:\Windows\system32\Bmggingc.exe; depth 7; PID 4132)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bagmdllg.exe (command line: C:\Windows\system32\Bagmdllg.exe; depth 8; PID 1576)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Cgiohbfi.exe (command line: C:\Windows\system32\Cgiohbfi.exe; depth 9; PID 4680)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Cpcpfg32.exe (command line: C:\Windows\system32\Cpcpfg32.exe; depth 10; PID 4300)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Cildom32.exe (command line: C:\Windows\system32\Cildom32.exe; depth 11; PID 3156)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Dgihop32.exe (command line: C:\Windows\system32\Dgihop32.exe; depth 12; PID 4332)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ecgodpgb.exe (command line: C:\Windows\system32\Ecgodpgb.exe; depth 13; PID 5008)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Fqdbdbna.exe (command line: C:\Windows\system32\Fqdbdbna.exe; depth 14; PID 3212)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Fnhbmgmk.exe (command line: C:\Windows\system32\Fnhbmgmk.exe; depth 15; PID 2796)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Fgqgfl32.exe (command line: C:\Windows\system32\Fgqgfl32.exe; depth 16; PID 3488)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gbkdod32.exe (command line: C:\Windows\system32\Gbkdod32.exe; depth 17; PID 4004)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gcqjal32.exe (command line: C:\Windows\system32\Gcqjal32.exe; depth 18; PID 4040)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hqdkkp32.exe (command line: C:\Windows\system32\Hqdkkp32.exe; depth 19; PID 960)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hnmeodjc.exe (command line: C:\Windows\system32\Hnmeodjc.exe; depth 20; PID 3500)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Indkpcdk.exe (command line: C:\Windows\system32\Indkpcdk.exe; depth 21; PID 3148)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Idhiii32.exe (command line: C:\Windows\system32\Idhiii32.exe; depth 22; PID 864)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jejbhk32.exe (command line: C:\Windows\system32\Jejbhk32.exe; depth 23; PID 1700)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Khabke32.exe (command line: C:\Windows\system32\Khabke32.exe; depth 24; PID 60)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kblpcndd.exe (command line: C:\Windows\system32\Kblpcndd.exe; depth 25; PID 4932)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Kaaldjil.exe (command line: C:\Windows\system32\Kaaldjil.exe; depth 26; PID 3240)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ledoegkm.exe (command line: C:\Windows\system32\Ledoegkm.exe; depth 27; PID 1928)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Mhiabbdi.exe (command line: C:\Windows\system32\Mhiabbdi.exe; depth 28; PID 2228)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mlgjhp32.exe (command line: C:\Windows\system32\Mlgjhp32.exe; depth 29; PID 852)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ncmaai32.exe (command line: C:\Windows\system32\Ncmaai32.exe; depth 30; PID 4548)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pmhkflnj.exe (command line: C:\Windows\system32\Pmhkflnj.exe; depth 31; PID 2432)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Qmanljfo.exe (command line: C:\Windows\system32\Qmanljfo.exe; depth 32; PID 4116)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qpbgnecp.exe (command line: C:\Windows\system32\Qpbgnecp.exe; depth 33; PID 116)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Aealll32.exe (command line: C:\Windows\system32\Aealll32.exe; depth 34; PID 2412)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Abjfqpji.exe (command line: C:\Windows\system32\Abjfqpji.exe; depth 35; PID 1524)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Beoimjce.exe (command line: C:\Windows\system32\Beoimjce.exe; depth 36; PID 4364)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Cmmgof32.exe (command line: C:\Windows\system32\Cmmgof32.exe; depth 37; PID 4648)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dipgpf32.exe (command line: C:\Windows\system32\Dipgpf32.exe; depth 38; PID 4928)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dekapfke.exe (command line: C:\Windows\system32\Dekapfke.exe; depth 39; PID 3496)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Eleimp32.exe (command line: C:\Windows\system32\Eleimp32.exe; depth 40; PID 2092)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Eilfldoi.exe (command line: C:\Windows\system32\Eilfldoi.exe; depth 41; PID 3260)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Eincadmf.exe (command line: C:\Windows\system32\Eincadmf.exe; depth 42; PID 5020)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fcbgfhii.exe (command line: C:\Windows\system32\Fcbgfhii.exe; depth 43; PID 1900)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gmfkjl32.exe (command line: C:\Windows\system32\Gmfkjl32.exe; depth 44; PID 4764)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Iglhob32.exe (command line: C:\Windows\system32\Iglhob32.exe; depth 45; PID 1008)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Iepihf32.exe (command line: C:\Windows\system32\Iepihf32.exe; depth 46; PID 3664)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ifcben32.exe (command line: C:\Windows\system32\Ifcben32.exe; depth 47; PID 3944)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jmdqbg32.exe (command line: C:\Windows\system32\Jmdqbg32.exe; depth 48; PID 3144)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lfmnbjcg.exe (command line: C:\Windows\system32\Lfmnbjcg.exe; depth 49; PID 4836)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Mkdiog32.exe (command line: C:\Windows\system32\Mkdiog32.exe; depth 50; PID 4696)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mobbdf32.exe (command line: C:\Windows\system32\Mobbdf32.exe; depth 51; PID 4432)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mkicjgnn.exe (command line: C:\Windows\system32\Mkicjgnn.exe; depth 52; PID 1336)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Mdagbl32.exe (command line: C:\Windows\system32\Mdagbl32.exe; depth 53; PID 5036)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mmjlkb32.exe (command line: C:\Windows\system32\Mmjlkb32.exe; depth 54; PID 4064)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mgbpdgap.exe (command line: C:\Windows\system32\Mgbpdgap.exe; depth 55; PID 972)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Necqbo32.exe (command line: C:\Windows\system32\Necqbo32.exe; depth 56; PID 372)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ngifef32.exe (command line: C:\Windows\system32\Ngifef32.exe; depth 57; PID 1640)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Oeopnmoa.exe (command line: C:\Windows\system32\Oeopnmoa.exe; depth 58; PID 932)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Oookgbpj.exe (command line: C:\Windows\system32\Oookgbpj.exe; depth 59; PID 4656)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Akogio32.exe (command line: C:\Windows\system32\Akogio32.exe; depth 60; PID 1040)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Bndjfjhl.exe (command line: C:\Windows\system32\Bndjfjhl.exe; depth 61; PID 3608)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Cbglgg32.exe (command line: C:\Windows\system32\Cbglgg32.exe; depth 62; PID 4848)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Cldjkl32.exe (command line: C:\Windows\system32\Cldjkl32.exe; depth 63; PID 4620)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Defajqko.exe (command line: C:\Windows\system32\Defajqko.exe; depth 64; PID 3416)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Dehnpp32.exe (command line: C:\Windows\system32\Dehnpp32.exe; depth 65; PID 4724)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ebcdjc32.exe (command line: C:\Windows\system32\Ebcdjc32.exe; depth 66; PID 3820)
- C:\Windows\SysWOW64\Fgcjea32.exe (command line: C:\Windows\system32\Fgcjea32.exe; depth 67; PID 4736)
- C:\Windows\SysWOW64\Gebimmco.exe (command line: C:\Windows\system32\Gebimmco.exe; depth 68; PID 4424)
- C:\Windows\SysWOW64\Gjdknjep.exe (command line: C:\Windows\system32\Gjdknjep.exe; depth 69; PID 2032)
- C:\Windows\SysWOW64\Gcmpgpkp.exe (command line: C:\Windows\system32\Gcmpgpkp.exe; depth 70; PID 2072)
  - Modifies registry class
- C:\Windows\SysWOW64\Hcfcmnce.exe (command line: C:\Windows\system32\Hcfcmnce.exe; depth 71; PID 4292)
- C:\Windows\SysWOW64\Hjpkjh32.exe (command line: C:\Windows\system32\Hjpkjh32.exe; depth 72; PID 2696)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Iiokacgp.exe (command line: C:\Windows\system32\Iiokacgp.exe; depth 73; PID 740)
  - Modifies registry class
- C:\Windows\SysWOW64\Icdoolge.exe (command line: C:\Windows\system32\Icdoolge.exe; depth 74; PID 3036)
- C:\Windows\SysWOW64\Ijngkf32.exe (command line: C:\Windows\system32\Ijngkf32.exe; depth 75; PID 1076)
- C:\Windows\SysWOW64\Jmopmalc.exe (command line: C:\Windows\system32\Jmopmalc.exe; depth 76; PID 1324)
- C:\Windows\SysWOW64\Jgedjjki.exe (command line: C:\Windows\system32\Jgedjjki.exe; depth 77; PID 2356)
- C:\Windows\SysWOW64\Jmamba32.exe (command line: C:\Windows\system32\Jmamba32.exe; depth 78; PID 1224)
- C:\Windows\SysWOW64\Kiodha32.exe (command line: C:\Windows\system32\Kiodha32.exe; depth 79; PID 3140)
- C:\Windows\SysWOW64\Mmdlflki.exe (command line: C:\Windows\system32\Mmdlflki.exe; depth 80; PID 3324)
- C:\Windows\SysWOW64\Ngklppei.exe (command line: C:\Windows\system32\Ngklppei.exe; depth 81; PID 868)
- C:\Windows\SysWOW64\Ohobebig.exe (command line: C:\Windows\system32\Ohobebig.exe; depth 82; PID 2264)
- C:\Windows\SysWOW64\Opopdd32.exe (command line: C:\Windows\system32\Opopdd32.exe; depth 83; PID 1452)
- C:\Windows\SysWOW64\Pkgaglpp.exe (command line: C:\Windows\system32\Pkgaglpp.exe; depth 84; PID 4568)
- C:\Windows\SysWOW64\Pacfjfej.exe (command line: C:\Windows\system32\Pacfjfej.exe; depth 85; PID 5168)
- C:\Windows\SysWOW64\Bbmbgb32.exe (command line: C:\Windows\system32\Bbmbgb32.exe; depth 86; PID 5232)
  - Modifies registry class
- C:\Windows\SysWOW64\Cbfema32.exe (command line: C:\Windows\system32\Cbfema32.exe; depth 87; PID 5276)
  - Modifies registry class
- C:\Windows\SysWOW64\Cgejkh32.exe (command line: C:\Windows\system32\Cgejkh32.exe; depth 88; PID 5320)
- C:\Windows\SysWOW64\Dijppjfd.exe (command line: C:\Windows\system32\Dijppjfd.exe; depth 89; PID 5360)
- C:\Windows\SysWOW64\Dbbdip32.exe (command line: C:\Windows\system32\Dbbdip32.exe; depth 90; PID 5408)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Dilmeida.exe (command line: C:\Windows\system32\Dilmeida.exe; depth 91; PID 5460)
- C:\Windows\SysWOW64\Dicbfhni.exe (command line: C:\Windows\system32\Dicbfhni.exe; depth 92; PID 5500)
- C:\Windows\SysWOW64\Eblgon32.exe (command line: C:\Windows\system32\Eblgon32.exe; depth 93; PID 5536)
- C:\Windows\SysWOW64\Eieplhlf.exe (command line: C:\Windows\system32\Eieplhlf.exe; depth 94; PID 5596)
- C:\Windows\SysWOW64\Eijigg32.exe (command line: C:\Windows\system32\Eijigg32.exe; depth 95; PID 5636)
- C:\Windows\SysWOW64\Ejkenpnp.exe (command line: C:\Windows\system32\Ejkenpnp.exe; depth 96; PID 5672)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Eaenkj32.exe (command line: C:\Windows\system32\Eaenkj32.exe; depth 97; PID 5716)
  - Modifies registry class
- C:\Windows\SysWOW64\Ebejem32.exe (command line: C:\Windows\system32\Ebejem32.exe; depth 98; PID 5764)
- C:\Windows\SysWOW64\Eiobbgcl.exe (command line: C:\Windows\system32\Eiobbgcl.exe; depth 99; PID 5812)
- C:\Windows\SysWOW64\Folkjnbc.exe (command line: C:\Windows\system32\Folkjnbc.exe; depth 100; PID 5864)
- C:\Windows\SysWOW64\Falcli32.exe (command line: C:\Windows\system32\Falcli32.exe; depth 101; PID 5904)
- C:\Windows\SysWOW64\Flbhia32.exe (command line: C:\Windows\system32\Flbhia32.exe; depth 102; PID 5956)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Fhkecb32.exe (command line: C:\Windows\system32\Fhkecb32.exe; depth 103; PID 6000)
- C:\Windows\SysWOW64\Gogjflhf.exe (command line: C:\Windows\system32\Gogjflhf.exe; depth 104; PID 6044)
- C:\Windows\SysWOW64\Glpdjpbj.exe (command line: C:\Windows\system32\Glpdjpbj.exe; depth 105; PID 6088)
- C:\Windows\SysWOW64\Gehice32.exe (command line: C:\Windows\system32\Gehice32.exe; depth 106; PID 6136)
- C:\Windows\SysWOW64\Haafnf32.exe (command line: C:\Windows\system32\Haafnf32.exe; depth 107; PID 5152)
- C:\Windows\SysWOW64\Hkaqgjme.exe (command line: C:\Windows\system32\Hkaqgjme.exe; depth 108; PID 4632)
- C:\Windows\SysWOW64\Ilcjgm32.exe (command line: C:\Windows\system32\Ilcjgm32.exe; depth 109; PID 3908)
- C:\Windows\SysWOW64\Ieknpb32.exe (command line: C:\Windows\system32\Ieknpb32.exe; depth 110; PID 1152)
- C:\Windows\SysWOW64\Jcfejfag.exe (command line: C:\Windows\system32\Jcfejfag.exe; depth 111; PID 5212)
- C:\Windows\SysWOW64\Jkhpogij.exe (command line: C:\Windows\system32\Jkhpogij.exe; depth 112; PID 3632)
- C:\Windows\SysWOW64\Kiajck32.exe (command line: C:\Windows\system32\Kiajck32.exe; depth 113; PID 5308)
- C:\Windows\SysWOW64\Kbinlp32.exe (command line: C:\Windows\system32\Kbinlp32.exe; depth 114; PID 5376)
- C:\Windows\SysWOW64\Kmobii32.exe (command line: C:\Windows\system32\Kmobii32.exe; depth 115; PID 3568)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Lbcabo32.exe (command line: C:\Windows\system32\Lbcabo32.exe; depth 116; PID 5524)
- C:\Windows\SysWOW64\Llpofd32.exe (command line: C:\Windows\system32\Llpofd32.exe; depth 117; PID 2744)
- C:\Windows\SysWOW64\Mfeccm32.exe (command line: C:\Windows\system32\Mfeccm32.exe; depth 118; PID 5632)
- C:\Windows\SysWOW64\Mihikgod.exe (command line: C:\Windows\system32\Mihikgod.exe; depth 119; PID 5712)
- C:\Windows\SysWOW64\Nboiekjd.exe (command line: C:\Windows\system32\Nboiekjd.exe; depth 120; PID 5772)
- C:\Windows\SysWOW64\Ojmgggdo.exe (command line: C:\Windows\system32\Ojmgggdo.exe; depth 121; PID 2980)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Opjponbf.exe (command line: C:\Windows\system32\Opjponbf.exe; depth 122; PID 5912)