Analysis

max time kernel: 159s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/01/2024, 15:01
Behavioral task: behavioral1
Sample: 09b3385485cdb2b746763b6efb04472b.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 09b3385485cdb2b746763b6efb04472b.exe
Resource: win10v2004-20231215-en
General

Target: 09b3385485cdb2b746763b6efb04472b.exe
Size: 125KB
MD5: 09b3385485cdb2b746763b6efb04472b
SHA1: afda485ad7df83f81ca9470444822ce76c2ed847
SHA256: 8fa4af4668301fe0249174ea9d2873fa68b8cfcaf0919257af5c5b3c2a053fd6
SHA512: b71d10a3e0e1a25f76206f5aeea7858163e4ca4c11621e780e69cd60a968dac9d7d57f4b11b71c3b431a4f64c57d034bdd69e8b80d3112f3a615bfec9dd67ce6
SSDEEP: 3072:B61DuIJE+Mc01WdTCn93OGey/ZhJakrPF:BEuImNcLTCndOGeKTaG
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
pid Process 2664 Hjpkjh32.exe 4180 Ihjafd32.exe 4436 Igpkok32.exe 1792 Jonlimkg.exe 4724 Jcpojk32.exe 1992 Kfhnme32.exe 4816 Lhcjbfag.exe 3656 Mabdlk32.exe 2912 Mphamg32.exe 2100 Ndejcemn.exe 1160 Nffceq32.exe 2592 Opfnne32.exe 4804 Oknnanhj.exe 4544 Pjgemi32.exe 2972 Qjeaog32.exe 3360 Aaofedkl.exe 4744 Aqilaplo.exe 2712 Bndblcdq.exe 1872 Cgcmeh32.exe 4380 Dbijinfl.exe 1580 Enbhdojn.exe 2264 Ehmibdol.exe 2528 Elkbhbeb.exe 2152 Flmonbbp.exe 3312 Fkiapn32.exe 4060 Gbcffk32.exe 3680 Giokid32.exe 1120 Hoefgj32.exe 2304 Hebkid32.exe 4360 Iefedcmk.exe 876 Ijgjpaao.exe 2184 Kmhlijpm.exe 4552 Kjnihnmd.exe 1696 Kicfijal.exe 1724 Lmcldhfp.exe 4064 Lijlii32.exe 4320 Lkkekdhe.exe 652 Lfcfnm32.exe 4384 Mfhpilbc.exe 2632 Niblafgi.exe 1000 Nlbdba32.exe 3980 Njfafhjf.exe 4792 Ofmbkipk.exe 4908 Oiphbd32.exe 1564 Pmbjcb32.exe 2408 Pmipdq32.exe 4832 Qpjifl32.exe 1816 Agkgceeh.exe 2284 Bpmobi32.exe 5016 Cdbmifdl.exe 5100 Cdfgdf32.exe 5072 Ddkpoelb.exe 3692 Emikpeig.exe 2156 Fhalcm32.exe 260 Fchlhnlo.exe 3844 Fnpmkg32.exe 892 Fmejlcoj.exe 3288 Ilglgfjd.exe 780 Jdnqgg32.exe 4940 Khpcid32.exe 1584 Onjmjegg.exe 4072 Pimmil32.exe 4796 Apnkfelb.exe 1272 Apqhldjp.exe -
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)

pid   pid_target   Process        procid_target
7888  8152         WerFault.exe   780
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\09b3385485cdb2b746763b6efb04472b.exe "C:\Users\Admin\AppData\Local\Temp\09b3385485cdb2b746763b6efb04472b.exe" 1⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- C:\Windows\SysWOW64\Hjpkjh32.exe C:\Windows\system32\Hjpkjh32.exe 2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2664
- C:\Windows\SysWOW64\Ihjafd32.exe C:\Windows\system32\Ihjafd32.exe 3⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4180
- C:\Windows\SysWOW64\Igpkok32.exe C:\Windows\system32\Igpkok32.exe 4⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4436
- C:\Windows\SysWOW64\Jonlimkg.exe C:\Windows\system32\Jonlimkg.exe 5⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1792
- C:\Windows\SysWOW64\Jcpojk32.exe C:\Windows\system32\Jcpojk32.exe 6⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4724
- C:\Windows\SysWOW64\Kfhnme32.exe C:\Windows\system32\Kfhnme32.exe 7⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1992
- C:\Windows\SysWOW64\Lhcjbfag.exe C:\Windows\system32\Lhcjbfag.exe 8⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4816
- C:\Windows\SysWOW64\Mabdlk32.exe C:\Windows\system32\Mabdlk32.exe 9⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3656
- C:\Windows\SysWOW64\Mphamg32.exe C:\Windows\system32\Mphamg32.exe 10⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2912
- C:\Windows\SysWOW64\Ndejcemn.exe C:\Windows\system32\Ndejcemn.exe 11⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2100
- C:\Windows\SysWOW64\Nffceq32.exe C:\Windows\system32\Nffceq32.exe 12⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1160
- C:\Windows\SysWOW64\Opfnne32.exe C:\Windows\system32\Opfnne32.exe 13⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2592
- C:\Windows\SysWOW64\Oknnanhj.exe C:\Windows\system32\Oknnanhj.exe 14⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4804
- C:\Windows\SysWOW64\Pjgemi32.exe C:\Windows\system32\Pjgemi32.exe 15⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4544
- C:\Windows\SysWOW64\Qjeaog32.exe C:\Windows\system32\Qjeaog32.exe 16⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2972
- C:\Windows\SysWOW64\Aaofedkl.exe C:\Windows\system32\Aaofedkl.exe 17⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3360
- C:\Windows\SysWOW64\Aqilaplo.exe C:\Windows\system32\Aqilaplo.exe 18⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4744
- C:\Windows\SysWOW64\Bndblcdq.exe C:\Windows\system32\Bndblcdq.exe 19⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2712
- C:\Windows\SysWOW64\Cgcmeh32.exe C:\Windows\system32\Cgcmeh32.exe 20⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1872
- C:\Windows\SysWOW64\Dbijinfl.exe C:\Windows\system32\Dbijinfl.exe 21⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4380
- C:\Windows\SysWOW64\Enbhdojn.exe C:\Windows\system32\Enbhdojn.exe 22⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1580
- C:\Windows\SysWOW64\Ehmibdol.exe C:\Windows\system32\Ehmibdol.exe 23⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\SysWOW64\Elkbhbeb.exe C:\Windows\system32\Elkbhbeb.exe 24⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2528
- C:\Windows\SysWOW64\Flmonbbp.exe C:\Windows\system32\Flmonbbp.exe 25⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\SysWOW64\Fkiapn32.exe C:\Windows\system32\Fkiapn32.exe 26⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3312
- C:\Windows\SysWOW64\Gbcffk32.exe C:\Windows\system32\Gbcffk32.exe 27⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4060
- C:\Windows\SysWOW64\Giokid32.exe C:\Windows\system32\Giokid32.exe 28⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\SysWOW64\Hoefgj32.exe C:\Windows\system32\Hoefgj32.exe 29⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\SysWOW64\Hebkid32.exe C:\Windows\system32\Hebkid32.exe 30⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:2304
- C:\Windows\SysWOW64\Iefedcmk.exe C:\Windows\system32\Iefedcmk.exe 31⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\SysWOW64\Ijgjpaao.exe C:\Windows\system32\Ijgjpaao.exe 32⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\SysWOW64\Kmhlijpm.exe C:\Windows\system32\Kmhlijpm.exe 33⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\SysWOW64\Kjnihnmd.exe C:\Windows\system32\Kjnihnmd.exe 34⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\SysWOW64\Kicfijal.exe C:\Windows\system32\Kicfijal.exe 35⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\SysWOW64\Lmcldhfp.exe C:\Windows\system32\Lmcldhfp.exe 36⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\SysWOW64\Lijlii32.exe C:\Windows\system32\Lijlii32.exe 37⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4064
- C:\Windows\SysWOW64\Lkkekdhe.exe C:\Windows\system32\Lkkekdhe.exe 38⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\SysWOW64\Lfcfnm32.exe C:\Windows\system32\Lfcfnm32.exe 39⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:652
- C:\Windows\SysWOW64\Mfhpilbc.exe C:\Windows\system32\Mfhpilbc.exe 40⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\SysWOW64\Niblafgi.exe C:\Windows\system32\Niblafgi.exe 41⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\SysWOW64\Nlbdba32.exe C:\Windows\system32\Nlbdba32.exe 42⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\SysWOW64\Njfafhjf.exe C:\Windows\system32\Njfafhjf.exe 43⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\SysWOW64\Ofmbkipk.exe C:\Windows\system32\Ofmbkipk.exe 44⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\SysWOW64\Oiphbd32.exe C:\Windows\system32\Oiphbd32.exe 45⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\SysWOW64\Pmbjcb32.exe C:\Windows\system32\Pmbjcb32.exe 46⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1564
- C:\Windows\SysWOW64\Pmipdq32.exe C:\Windows\system32\Pmipdq32.exe 47⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\SysWOW64\Qpjifl32.exe C:\Windows\system32\Qpjifl32.exe 48⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\SysWOW64\Agkgceeh.exe C:\Windows\system32\Agkgceeh.exe 49⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\SysWOW64\Bpmobi32.exe C:\Windows\system32\Bpmobi32.exe 50⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\SysWOW64\Cdbmifdl.exe C:\Windows\system32\Cdbmifdl.exe 51⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\SysWOW64\Cdfgdf32.exe C:\Windows\system32\Cdfgdf32.exe 52⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\SysWOW64\Ddkpoelb.exe C:\Windows\system32\Ddkpoelb.exe 53⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\SysWOW64\Emikpeig.exe C:\Windows\system32\Emikpeig.exe 54⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\SysWOW64\Fhalcm32.exe C:\Windows\system32\Fhalcm32.exe 55⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:2156
- C:\Windows\SysWOW64\Fchlhnlo.exe C:\Windows\system32\Fchlhnlo.exe 56⤵
  - Executes dropped EXE
  PID:260
- C:\Windows\SysWOW64\Fnpmkg32.exe C:\Windows\system32\Fnpmkg32.exe 57⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\SysWOW64\Fmejlcoj.exe C:\Windows\system32\Fmejlcoj.exe 58⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:892
- C:\Windows\SysWOW64\Ilglgfjd.exe C:\Windows\system32\Ilglgfjd.exe 59⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:3288
- C:\Windows\SysWOW64\Jdnqgg32.exe C:\Windows\system32\Jdnqgg32.exe 60⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:780
- C:\Windows\SysWOW64\Khpcid32.exe C:\Windows\system32\Khpcid32.exe 61⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:4940
- C:\Windows\SysWOW64\Onjmjegg.exe C:\Windows\system32\Onjmjegg.exe 62⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\SysWOW64\Pimmil32.exe C:\Windows\system32\Pimmil32.exe 63⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\SysWOW64\Apnkfelb.exe C:\Windows\system32\Apnkfelb.exe 64⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4796
- C:\Windows\SysWOW64\Apqhldjp.exe C:\Windows\system32\Apqhldjp.exe 65⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\SysWOW64\Bekmei32.exe C:\Windows\system32\Bekmei32.exe 66⤵
  PID:1980
- C:\Windows\SysWOW64\Cfeplh32.exe C:\Windows\system32\Cfeplh32.exe 67⤵
  - Modifies registry class
  PID:1408
- C:\Windows\SysWOW64\Cfglahbj.exe C:\Windows\system32\Cfglahbj.exe 68⤵
  PID:2272
- C:\Windows\SysWOW64\Doidql32.exe C:\Windows\system32\Doidql32.exe 69⤵
  PID:3220
- C:\Windows\SysWOW64\Ecpomiok.exe C:\Windows\system32\Ecpomiok.exe 70⤵
  PID:3412
- C:\Windows\SysWOW64\Fnhppa32.exe C:\Windows\system32\Fnhppa32.exe 71⤵
  PID:2320
- C:\Windows\SysWOW64\Gpelchhp.exe C:\Windows\system32\Gpelchhp.exe 72⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:3888
- C:\Windows\SysWOW64\Gmimll32.exe C:\Windows\system32\Gmimll32.exe 73⤵
  PID:1500
- C:\Windows\SysWOW64\Gnhifonl.exe C:\Windows\system32\Gnhifonl.exe 74⤵
  PID:2504
- C:\Windows\SysWOW64\Hmdlhk32.exe C:\Windows\system32\Hmdlhk32.exe 75⤵
  PID:2032
- C:\Windows\SysWOW64\Ionlhlld.exe C:\Windows\system32\Ionlhlld.exe 76⤵
  PID:816
- C:\Windows\SysWOW64\Lhiodm32.exe C:\Windows\system32\Lhiodm32.exe 77⤵
  PID:1964
- C:\Windows\SysWOW64\Lgnleiid.exe C:\Windows\system32\Lgnleiid.exe 78⤵
  PID:712
- C:\Windows\SysWOW64\Mkoaagmh.exe C:\Windows\system32\Mkoaagmh.exe 79⤵
  PID:4472
- C:\Windows\SysWOW64\Mbmbiqqp.exe C:\Windows\system32\Mbmbiqqp.exe 80⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:4828
- C:\Windows\SysWOW64\Moacbe32.exe C:\Windows\system32\Moacbe32.exe 81⤵
  PID:4668
- C:\Windows\SysWOW64\Mdnlkl32.exe C:\Windows\system32\Mdnlkl32.exe 82⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:2708
- C:\Windows\SysWOW64\Nocphd32.exe C:\Windows\system32\Nocphd32.exe 83⤵
  PID:3424
- C:\Windows\SysWOW64\Ndphpk32.exe C:\Windows\system32\Ndphpk32.exe 84⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:264
- C:\Windows\SysWOW64\Nofmndkd.exe C:\Windows\system32\Nofmndkd.exe 85⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:4752
- C:\Windows\SysWOW64\Nkmmbe32.exe C:\Windows\system32\Nkmmbe32.exe 86⤵
  PID:4724
- C:\Windows\SysWOW64\Neebkkgi.exe C:\Windows\system32\Neebkkgi.exe 87⤵
  PID:2236
- C:\Windows\SysWOW64\Negoaj32.exe C:\Windows\system32\Negoaj32.exe 88⤵
  PID:3988
- C:\Windows\SysWOW64\Nombnc32.exe C:\Windows\system32\Nombnc32.exe 89⤵
  - Drops file in System32 directory
  PID:3560
- C:\Windows\SysWOW64\Nieggill.exe C:\Windows\system32\Nieggill.exe 90⤵
  PID:5024
- C:\Windows\SysWOW64\Obnlpnbm.exe C:\Windows\system32\Obnlpnbm.exe 91⤵
  PID:112
- C:\Windows\SysWOW64\Oabiak32.exe C:\Windows\system32\Oabiak32.exe 92⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:2484
- C:\Windows\SysWOW64\Ogmaneoa.exe C:\Windows\system32\Ogmaneoa.exe 93⤵
  PID:4652
- C:\Windows\SysWOW64\Ongijo32.exe C:\Windows\system32\Ongijo32.exe 94⤵
  PID:1220
- C:\Windows\SysWOW64\Pbndgl32.exe C:\Windows\system32\Pbndgl32.exe 95⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:784
- C:\Windows\SysWOW64\Plfipakk.exe C:\Windows\system32\Plfipakk.exe 96⤵
  PID:1412
- C:\Windows\SysWOW64\Pngbam32.exe C:\Windows\system32\Pngbam32.exe 97⤵
  PID:4920
- C:\Windows\SysWOW64\Qiocde32.exe C:\Windows\system32\Qiocde32.exe 98⤵
  PID:5132
- C:\Windows\SysWOW64\Ahiiqafa.exe C:\Windows\system32\Ahiiqafa.exe 99⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:5176
- C:\Windows\SysWOW64\Algbfo32.exe C:\Windows\system32\Algbfo32.exe 100⤵
  PID:5216
- C:\Windows\SysWOW64\Abqjci32.exe C:\Windows\system32\Abqjci32.exe 101⤵
  PID:5256
- C:\Windows\SysWOW64\Ahnclp32.exe C:\Windows\system32\Ahnclp32.exe 102⤵
  PID:5300
- C:\Windows\SysWOW64\Abcgii32.exe C:\Windows\system32\Abcgii32.exe 103⤵
  PID:5356
- C:\Windows\SysWOW64\Boanniao.exe C:\Windows\system32\Boanniao.exe 104⤵
  PID:5400
- C:\Windows\SysWOW64\Bhibgo32.exe C:\Windows\system32\Bhibgo32.exe 105⤵
  PID:5448
- C:\Windows\SysWOW64\Clgkmm32.exe C:\Windows\system32\Clgkmm32.exe 106⤵
  PID:5500
- C:\Windows\SysWOW64\Cpljdjnd.exe C:\Windows\system32\Cpljdjnd.exe 107⤵
  PID:5540
- C:\Windows\SysWOW64\Dhgoimlo.exe C:\Windows\system32\Dhgoimlo.exe 108⤵
  - Modifies registry class
  PID:5592
- C:\Windows\SysWOW64\Ejpnin32.exe C:\Windows\system32\Ejpnin32.exe 109⤵
  PID:5632
- C:\Windows\SysWOW64\Efgono32.exe C:\Windows\system32\Efgono32.exe 110⤵
  PID:5676
- C:\Windows\SysWOW64\Ehhgpj32.exe C:\Windows\system32\Ehhgpj32.exe 111⤵
  PID:5716
- C:\Windows\SysWOW64\Ecmlmcmb.exe C:\Windows\system32\Ecmlmcmb.exe 112⤵
  PID:5764
- C:\Windows\SysWOW64\Eodlad32.exe C:\Windows\system32\Eodlad32.exe 113⤵
  PID:5824
- C:\Windows\SysWOW64\Gcbnopkj.exe C:\Windows\system32\Gcbnopkj.exe 114⤵
  PID:5860
- C:\Windows\SysWOW64\Giofggia.exe C:\Windows\system32\Giofggia.exe 115⤵
  PID:5936
- C:\Windows\SysWOW64\Hmdend32.exe C:\Windows\system32\Hmdend32.exe 116⤵
  - Modifies registry class
  PID:5996
- C:\Windows\SysWOW64\Icgqqmib.exe C:\Windows\system32\Icgqqmib.exe 117⤵
  PID:6048
- C:\Windows\SysWOW64\Iiffoc32.exe C:\Windows\system32\Iiffoc32.exe 118⤵
  PID:6096
- C:\Windows\SysWOW64\Iapjeq32.exe C:\Windows\system32\Iapjeq32.exe 119⤵
  PID:6140
- C:\Windows\SysWOW64\Jikojcaa.exe C:\Windows\system32\Jikojcaa.exe 120⤵
  - Modifies registry class
  PID:5144
- C:\Windows\SysWOW64\Jdqcglqh.exe C:\Windows\system32\Jdqcglqh.exe 121⤵
  - Drops file in System32 directory
  PID:2948
- C:\Windows\SysWOW64\Jbfphh32.exe C:\Windows\system32\Jbfphh32.exe 122⤵
  PID:5240