Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2024, 20:54
Behavioral task behavioral1
Sample: 099b28b1ebd9cd02ffae5a8099339d94.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 099b28b1ebd9cd02ffae5a8099339d94.exe
Resource: win10v2004-20231215-en
General
Target: 099b28b1ebd9cd02ffae5a8099339d94.exe
Size: 768KB
MD5: 099b28b1ebd9cd02ffae5a8099339d94
SHA1: 51b5a739f561d1e9c8ee74a4b7c6ffc0ba4f3fb2
SHA256: ee23179bb6e4cf8eff158869cf8a0951e107cea715078570a3cea2a43a2ed904
SHA512: add9b02ae72f0c2e1f6e9bb244a70b45a0ba51c9fdce040528cafe4be1793d494d0554b33e6f9abe0af04f1930195eff79fa12fe54801638b862af286d668b14
SSDEEP: 12288:E5Czo5vv6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC45:E5PFq5h3q5htaSHFaZRBEYyqmaf2qwiv
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Entries under ShellServiceObjectDelayLoad are CLSIDs that explorer.exe instantiates when the shell starts, so the persistence here is the value "Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"; the DLL that CLSID resolves to is registered under its InProcServer32 key (see "Modifies registry class" below). Successive generations of the dropped executable re-create the key and rewrite the value. Both writes land in the WOW6432Node (32-bit) view because the dropped executables are 32-bit; on a 64-bit host, check whether the native HKLM\SOFTWARE view also carries the entry before concluding that the 64-bit shell loads the object.

All 64 IoCs refer to the key \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad:

Key created (28 processes): Aehbmk32.exe, Fcekfnkb.exe, Hpqlof32.exe, Apnkfelb.exe, Hoibmmpi.exe, Keceoj32.exe, Kbgfhnhi.exe, Aealll32.exe, Pfjgbapo.exe, Gpaihooo.exe, Jkkbnl32.exe, Ihfglhfp.exe, Kkooep32.exe, Dnqaheai.exe, Eapmedef.exe, Gmimll32.exe, Jahgpf32.exe, Ijpepcfj.exe, Fjhmbihg.exe, Mieeka32.exe, Pidjcm32.exe, Ikifhm32.exe, Jdkdbgpd.exe, Dklomnmf.exe, Hhegjdag.exe, Cjbhbf32.exe, Ggldde32.exe, Hbihjifh.exe

Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (36 processes): Mkadam32.exe, Ecpomiok.exe, Fqiiamjp.exe, Amgekh32.exe, Ddnmeejo.exe, Npfchkop.exe, Fcgemhic.exe, Mcifkf32.exe, Edaaccbj.exe, Jahnkl32.exe, Ejjgic32.exe, Micheb32.exe, Opdpih32.exe, Oecego32.exe, Pfjgbapo.exe, Pihdnloc.exe, Hffken32.exe, Egegjn32.exe, Lehhqg32.exe, Pbimjb32.exe, Kblpcndd.exe, Aghdco32.exe, Ahffqk32.exe, Dfeibf32.exe, Egnhcgeb.exe, Amkabind.exe, Mmlhpaji.exe, Poqckdap.exe, Koceep32.exe, Omhpcm32.exe, Djgbmffn.exe, Obcled32.exe, Kkgdhp32.exe, Acaanp32.exe, Flgadake.exe, Iencmm32.exe
Malware Dropper & Backdoor - Berbew (29 IoCs)
Berbew is a backdoor Trojan that can download and install additional malware, such as other Trojans, ransomware and cryptominers.
All 29 hits are on YARA rule family_berbew, each against a file dropped during the behavioral2 run:
behavioral2/files/0x000600000002320b-11.dat, behavioral2/files/0x000a000000023129-19.dat, behavioral2/files/0x000600000002320f-26.dat, behavioral2/files/0x000600000002320f-27.dat, behavioral2/files/0x0006000000023211-34.dat, behavioral2/files/0x0006000000023213-42.dat, behavioral2/files/0x0006000000023213-43.dat, behavioral2/files/0x0006000000023215-50.dat, behavioral2/files/0x0006000000023217-59.dat, behavioral2/files/0x000600000002321b-67.dat,
behavioral2/files/0x000600000002321d-75.dat, behavioral2/files/0x000a000000023127-84.dat, behavioral2/files/0x0009000000023126-91.dat, behavioral2/files/0x0009000000023126-92.dat, behavioral2/files/0x000500000002274f-94.dat, behavioral2/files/0x000500000002274f-98.dat, behavioral2/files/0x000500000002274f-100.dat, behavioral2/files/0x000600000002322c-129.dat, behavioral2/files/0x000600000002322c-131.dat, behavioral2/files/0x0008000000023229-138.dat,
behavioral2/files/0x0008000000023229-140.dat, behavioral2/files/0x0007000000023228-146.dat, behavioral2/files/0x0007000000023228-147.dat, behavioral2/files/0x0008000000023232-154.dat, behavioral2/files/0x0008000000023232-155.dat, behavioral2/files/0x00060000000232f7-994.dat, behavioral2/files/0x00060000000232fb-1006.dat, behavioral2/files/0x0006000000023303-1024.dat, behavioral2/files/0x0006000000023313-1049.dat
Executes dropped EXE (64 IoCs)
pid Process:
3084 Hffken32.exe, 436 Mcifkf32.exe, 4080 Nopfpgip.exe, 4932 Njfkmphe.exe, 2548 Ngjkfd32.exe, 3760 Nncccnol.exe, 1520 Ncqlkemc.exe, 4392 Gpolbo32.exe,
3428 Gpaihooo.exe, 3940 Ghojbq32.exe, 3876 Hajkqfoe.exe, 4616 Hlppno32.exe, 3224 Hbihjifh.exe, 4736 Aaiqcnhg.exe, 4012 Cildom32.exe, 4300 Dncpkjoc.exe,
3548 Dpalgenf.exe, 1856 Ekgqennl.exe, 3220 Eaaiahei.exe, 4088 Ecbeip32.exe, 1744 Edaaccbj.exe, 2304 Ejagaj32.exe, 4240 Egegjn32.exe, 4552 Enopghee.exe,
1980 Fggdpnkf.exe, 4364 Fqphic32.exe, 1652 Fjhmbihg.exe, 3276 Fglnkm32.exe, 2572 Fbaahf32.exe, 2776 Fbdnne32.exe, 4048 Fcekfnkb.exe, 2052 Fqikob32.exe,
2076 Gkoplk32.exe, 2176 Gqkhda32.exe, 5100 Iencmm32.exe, 4508 Ieqpbm32.exe, 2188 Inidkb32.exe, 4468 Iecmhlhb.exe, 3652 Ijpepcfj.exe, 2872 Iajmmm32.exe,
1344 Iloajfml.exe, 1688 Jjkdlall.exe, 1972 Jhoeef32.exe, 4336 Koimbpbc.exe, 2080 Keceoj32.exe, 4384 Kbgfhnhi.exe, 5132 Kbjbnnfg.exe, 5200 Kblpcndd.exe,
5272 Kkgdhp32.exe, 5328 Ldbefe32.exe, 5368 Lkcccn32.exe, 5408 Lehhqg32.exe, 5480 Moalil32.exe, 5532 Mdnebc32.exe, 5568 Mociol32.exe, 5616 Mdpagc32.exe,
5700 Mdbnmbhj.exe, 5748 Mccokj32.exe, 5792 Mllccpfj.exe, 5852 Nooikj32.exe, 5896 Nlcidopb.exe, 5936 Nbdkhe32.exe, 5976 Oljoen32.exe, 6060 Ofbdncaj.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Odlkfe32.dll | Hlppno32.exe
File created | C:\Windows\SysWOW64\Iajmmm32.exe | Ijpepcfj.exe
File created | C:\Windows\SysWOW64\Mbpfig32.exe | Moajmk32.exe
File created | C:\Windows\SysWOW64\Hlppno32.exe | Hajkqfoe.exe
File created | C:\Windows\SysWOW64\Fcgemhic.exe | Fqiiamjp.exe
File opened for modification | C:\Windows\SysWOW64\Dnqaheai.exe | Cggikk32.exe
File created | C:\Windows\SysWOW64\Hldlmc32.dll | Jahnkl32.exe
File created | C:\Windows\SysWOW64\Haclqq32.dll | Gpolbo32.exe
File created | C:\Windows\SysWOW64\Hchbkneg.dll | Apcead32.exe
File created | C:\Windows\SysWOW64\Miemfb32.dll | Hhjqec32.exe
File created | C:\Windows\SysWOW64\Jdnqgg32.exe | Jndhkmfe.exe
File opened for modification | C:\Windows\SysWOW64\Dgnolj32.exe | Dofgklcb.exe
File created | C:\Windows\SysWOW64\Iffahdpm.dll | Fggdpnkf.exe
File created | C:\Windows\SysWOW64\Dmjnkn32.dll | Dedceddg.exe
File created | C:\Windows\SysWOW64\Kklbop32.exe | Knhbflbp.exe
File created | C:\Windows\SysWOW64\Lkcccn32.exe | Ldbefe32.exe
File opened for modification | C:\Windows\SysWOW64\Koceep32.exe | Jdnqgg32.exe
File created | C:\Windows\SysWOW64\Kijicm32.dll | Kfmmajed.exe
File opened for modification | C:\Windows\SysWOW64\Fnhppa32.exe | Egnhcgeb.exe
File opened for modification | C:\Windows\SysWOW64\Kejepfgd.exe | Eehnnb32.exe
File created | C:\Windows\SysWOW64\Ghojbq32.exe | Gpaihooo.exe
File created | C:\Windows\SysWOW64\Iamoon32.exe | Endnohdp.exe
File created | C:\Windows\SysWOW64\Dadbgmaf.dll | Dqajjp32.exe
File opened for modification | C:\Windows\SysWOW64\Hphbpehj.exe | Hjkigojc.exe
File opened for modification | C:\Windows\SysWOW64\Ialhdh32.exe | Ikbphn32.exe
File created | C:\Windows\SysWOW64\Iefkmhfm.dll | Jkbhok32.exe
File created | C:\Windows\SysWOW64\Ngpcmj32.exe | Ahffqk32.exe
File created | C:\Windows\SysWOW64\Qelcamcj.exe | Qmanljfo.exe
File opened for modification | C:\Windows\SysWOW64\Mkhkblii.exe | Mbpfig32.exe
File opened for modification | C:\Windows\SysWOW64\Amkabind.exe | Afqifo32.exe
File created | C:\Windows\SysWOW64\Hbihjifh.exe | Hlppno32.exe
File created | C:\Windows\SysWOW64\Ddnmeejo.exe | Dmfecgim.exe
File created | C:\Windows\SysWOW64\Chkggi32.dll | Lohggm32.exe
File created | C:\Windows\SysWOW64\Peodcmeg.exe | Ppblkffp.exe
File created | C:\Windows\SysWOW64\Fggkifmg.exe | Fppchile.exe
File created | C:\Windows\SysWOW64\Gfcnka32.exe | Gpjfng32.exe
File created | C:\Windows\SysWOW64\Kllfakij.dll | Mcifkf32.exe
File created | C:\Windows\SysWOW64\Dmnkdfce.exe | Dklomnmf.exe
File opened for modification | C:\Windows\SysWOW64\Eapmedef.exe | Enaaiifb.exe
File created | C:\Windows\SysWOW64\Klpbko32.dll | Peodcmeg.exe
File created | C:\Windows\SysWOW64\Hfkdkqeo.exe | Hpqlof32.exe
File created | C:\Windows\SysWOW64\Iokbekgb.dll | Idhgkcln.exe
File opened for modification | C:\Windows\SysWOW64\Aealll32.exe | Apddce32.exe
File created | C:\Windows\SysWOW64\Lkafdjmc.dll | Amkabind.exe
File created | C:\Windows\SysWOW64\Empboc32.dll | Jndhkmfe.exe
File created | C:\Windows\SysWOW64\Ekekpd32.dll | Jdnqgg32.exe
File created | C:\Windows\SysWOW64\Eegoch32.dll | Neeifa32.exe
File created | C:\Windows\SysWOW64\Hhegjdag.exe | Galonj32.exe
File opened for modification | C:\Windows\SysWOW64\Hajkqfoe.exe | Ghojbq32.exe
File created | C:\Windows\SysWOW64\Ieqpbm32.exe | Iencmm32.exe
File opened for modification | C:\Windows\SysWOW64\Kbgfhnhi.exe | Keceoj32.exe
File opened for modification | C:\Windows\SysWOW64\Mbiphhhq.exe | Mmlhpaji.exe
File created | C:\Windows\SysWOW64\Belaje32.dll | Habeni32.exe
File opened for modification | C:\Windows\SysWOW64\Ikifhm32.exe | Idonlbff.exe
File opened for modification | C:\Windows\SysWOW64\Fbaahf32.exe | Fglnkm32.exe
File created | C:\Windows\SysWOW64\Jcepnl32.dll | Gfcnka32.exe
File created | C:\Windows\SysWOW64\Ancjef32.exe | Aehbmk32.exe
File created | C:\Windows\SysWOW64\Pfhklabb.exe | Poqckdap.exe
File created | C:\Windows\SysWOW64\Kgjlgghg.dll | Plimpg32.exe
File opened for modification | C:\Windows\SysWOW64\Ifdgaond.exe | Hoibmmpi.exe
File created | C:\Windows\SysWOW64\Kfmmajed.exe | Koceep32.exe
File created | C:\Windows\SysWOW64\Ekheml32.dll | Keceoj32.exe
File created | C:\Windows\SysWOW64\Kfleip32.dll | Lbbjhini.exe
File created | C:\Windows\SysWOW64\Aghdco32.exe | Apnkfelb.exe
Modifies registry class (64 IoCs)
All 64 IoCs are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the in-process server registration for the CLSID that the ShellServiceObjectDelayLoad value above points at. The key's default value names the DLL explorer.exe loads when it instantiates the object, and the 14 processes that set it each point it at a different DLL: Habeni32.exe, for instance, appears in the file list creating C:\Windows\SysWOW64\Belaje32.dll and here sets InProcServer32 to that path. Three actions are recorded:

Key created (29 processes): Aochga32.exe, Eehnnb32.exe, Ialhdh32.exe, Enajobbf.exe, Keceoj32.exe, Qmanljfo.exe, Ekgqennl.exe, Oomnmfid.exe, Pbddobla.exe, Lmcejbbd.exe, Peodcmeg.exe, Oljoen32.exe, Pbjbfclk.exe, Iajkohmj.exe, Mllccpfj.exe, Fbdnne32.exe, Dnfanjqp.exe, Amgekh32.exe, Meepoc32.exe, Mbpfig32.exe, Fjoadbbc.exe, Dccjfaog.exe, Gkoplk32.exe, Mbbcofpf.exe, Jmnheggo.exe, Flgadake.exe, Jliimf32.exe, Kklbop32.exe, Dklomnmf.exe

Set value (str) ThreadingModel = "Apartment" (21 processes): Ancjef32.exe, Dfclmfhl.exe, Ejjgic32.exe, Haphiiee.exe, Jndhkmfe.exe, Dmjgdq32.exe, Mfgiof32.exe, Eqmjen32.exe, Hphbpehj.exe, Nbdkhe32.exe, Jknocljn.exe, Egeemiml.exe, Aijlgkjq.exe, Lnbdlkje.exe, Kkooep32.exe, Opbcdieb.exe, Jpmdabfb.exe, Mllccpfj.exe, Fnmjkahi.exe, Ifdgaond.exe, Ikbphn32.exe

Set value (str) (default) = "C:\\Windows\\SysWow64\\<dll>" (14 processes, listed as dll by process): Iaffkdlc.dll by Ahffqk32.exe, Gdmkfp32.dll by Dncpkjoc.exe, Belaje32.dll by Habeni32.exe, Lqlhniij.dll by Meepoc32.exe, Jhdfpjee.dll by Cjpllgme.exe, Dbmoak32.dll by Gqkhda32.exe, Oecopk32.dll by Abjkmqni.exe, Haafdi32.dll by Pbimjb32.exe, Edkakncg.dll by Nooikj32.exe, Hmmppdij.dll by Qcncodki.exe, Bfnknk32.dll by Dqgjoenq.exe, Ifkqol32.dll by Jhoeef32.exe, Mpbaipdn.dll by Enomic32.exe, Dhjkjd32.dll by Dnqaheai.exe
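The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") describe one persistence mechanism: an SSODL value naming a CLSID, and that CLSID's InProcServer32 default naming the DLL. The detector below correlates the two kinds of registry-write events and reports the resolved DLL together with every process that touched either key. It is an added example, not tria.ge code or part of the report; the record layout (action, key, value name, data, process), the allowed_clsids allowlist parameter and the sample records (constructed from the IoCs above, plus one unrelated Run-key write) are assumptions.

```python
"""Correlate ShellServiceObjectDelayLoad (SSODL) and CLSID\\InProcServer32 writes.

Added example for this report; not tria.ge code. The record layout
(action, key, value_name, data, process) and the allowed_clsids allowlist are
assumptions. Sample records are constructed from the report's IoCs.
"""
import re
from collections import defaultdict

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
SSODL_RE = re.compile(r"\\CurrentVersion\\ShellServiceObjectDelayLoad$", re.I)
INPROC_RE = re.compile(
    r"\\Classes\\(?:WOW6432Node\\)?CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.I)

SSODL_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
INPROC_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID"
              r"\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32")

# value_name None = the event touched the key itself; "" = the key's default value.
EVENTS = [
    ("Key created", SSODL_KEY, None, None, "Aehbmk32.exe"),
    ("Set value (str)", SSODL_KEY, "Web Event Logger",
     "{79FEACFF-FFCE-815E-A900-316290B5B738}", "Mkadam32.exe"),
    ("Key created", INPROC_KEY, None, None, "Aochga32.exe"),
    ("Set value (str)", INPROC_KEY, "ThreadingModel", "Apartment", "Ancjef32.exe"),
    ("Set value (str)", INPROC_KEY, "", r"C:\Windows\SysWow64\Iaffkdlc.dll", "Ahffqk32.exe"),
    # Constructed benign Run-key write: shows unrelated autostart writes are not matched.
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Program Files\OneDrive\OneDrive.exe", "explorer.exe"),
]


def find_ssodl_persistence(events, allowed_clsids=frozenset()):
    """Return one finding per SSODL value whose CLSID is not allowlisted.

    A finding carries the CLSID, the DLL its InProcServer32 default names
    (None if no such write was seen) and every process that wrote either key.
    """
    allowed = {c.upper() for c in allowed_clsids}
    key_writers = set()  # processes that created/touched the SSODL key itself
    values = defaultdict(lambda: {"clsid": None, "writers": set()})
    inproc = defaultdict(lambda: {"dll": None, "writers": set()})

    for _action, key, name, data, proc in events:
        if SSODL_RE.search(key):
            if name is None:
                key_writers.add(proc)
                continue
            values[name]["writers"].add(proc)
            if data and GUID_RE.match(data):
                values[name]["clsid"] = data.upper()
            continue
        m = INPROC_RE.search(key)
        if m:
            clsid = m.group(1).upper()
            inproc[clsid]["writers"].add(proc)
            if name == "" and data:  # default value = in-process server DLL path
                inproc[clsid]["dll"] = data

    findings = []
    for name, info in values.items():
        clsid = info["clsid"]
        if clsid is None or clsid in allowed:
            continue
        server = inproc.get(clsid, {"dll": None, "writers": set()})
        findings.append({
            "value_name": name,
            "clsid": clsid,
            "dll": server["dll"],
            "writers": sorted(info["writers"] | server["writers"] | key_writers),
        })
    return findings


if __name__ == "__main__":
    for f in find_ssodl_persistence(EVENTS):
        print(f"SSODL {f['value_name']!r} -> {f['clsid']} -> {f['dll']} "
              f"(written by {', '.join(f['writers'])})")
```

Matching on the key suffix rather than the full path keeps the native and WOW6432Node views of both keys in scope, which is the check the caveat above asks for; a host whose SSODL legitimately carries a known CLSID is handled by passing it in allowed_clsids.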
Suspicious use of WriteProcessMemory (64 IoCs)
Every writer/target pair appears three times in the report; deduplicated, the entries form one linear chain in which each dropped executable writes into, and starts, the next. The last pair appears once because the list is capped at 64 entries.
PID 5012 099b28b1ebd9cd02ffae5a8099339d94.exe wrote to memory of 3084 (procid_target 93)
PID 3084 Hffken32.exe wrote to memory of 436 (procid_target 94)
PID 436 Mcifkf32.exe wrote to memory of 4080 (procid_target 95)
PID 4080 Nopfpgip.exe wrote to memory of 4932 (procid_target 96)
PID 4932 Njfkmphe.exe wrote to memory of 2548 (procid_target 98)
PID 2548 Ngjkfd32.exe wrote to memory of 3760 (procid_target 99)
PID 3760 Nncccnol.exe wrote to memory of 1520 (procid_target 100)
PID 1520 Ncqlkemc.exe wrote to memory of 4392 (procid_target 101)
PID 4392 Gpolbo32.exe wrote to memory of 3428 (procid_target 102)
PID 3428 Gpaihooo.exe wrote to memory of 3940 (procid_target 103)
PID 3940 Ghojbq32.exe wrote to memory of 3876 (procid_target 104)
PID 3876 Hajkqfoe.exe wrote to memory of 4616 (procid_target 105)
PID 4616 Hlppno32.exe wrote to memory of 3224 (procid_target 106)
PID 3224 Hbihjifh.exe wrote to memory of 4736 (procid_target 107)
PID 4736 Aaiqcnhg.exe wrote to memory of 4012 (procid_target 108)
PID 4012 Cildom32.exe wrote to memory of 4300 (procid_target 109)
PID 4300 Dncpkjoc.exe wrote to memory of 3548 (procid_target 110)
PID 3548 Dpalgenf.exe wrote to memory of 1856 (procid_target 111)
PID 1856 Ekgqennl.exe wrote to memory of 3220 (procid_target 112)
PID 3220 Eaaiahei.exe wrote to memory of 4088 (procid_target 113)
PID 4088 Ecbeip32.exe wrote to memory of 1744 (procid_target 114)
PID 1744 Edaaccbj.exe wrote to memory of 2304 (procid_target 115)
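The chain above can be recovered mechanically from the "wrote to memory of" lines. The parser below, added here as an example and not part of the report or of tria.ge, deduplicates the repeated entries, walks the chain from the root PID and scores it using the naming pattern of the dropped executables seen in this report (a capitalised eight-letter name, optionally ending in "32"). That regex is an assumption derived from these names, not a published Berbew signature; the sample text is constructed from the first hops listed above.

```python
"""Rebuild the injection/execution chain from "wrote to memory of" lines.

Added example for this report; not tria.ge code. DROPPED_NAME_RE is an
assumption derived from the executable names seen in this report, not a
published Berbew signature. SAMPLE is constructed from the first hops of the
report's "Suspicious use of WriteProcessMemory" list, duplicates included.
"""
import re
from collections import defaultdict

# "PID <src> wrote to memory of <dst> <src> <src image> <target record id>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
# Eight-letter names, optionally ending in "32", as seen for every dropped binary here.
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{7}\.exe$|^[A-Z][a-z]{5}32\.exe$")

SAMPLE = """\
PID 5012 wrote to memory of 3084 5012 099b28b1ebd9cd02ffae5a8099339d94.exe 93
PID 5012 wrote to memory of 3084 5012 099b28b1ebd9cd02ffae5a8099339d94.exe 93
PID 5012 wrote to memory of 3084 5012 099b28b1ebd9cd02ffae5a8099339d94.exe 93
PID 3084 wrote to memory of 436 3084 Hffken32.exe 94
PID 3084 wrote to memory of 436 3084 Hffken32.exe 94
PID 3084 wrote to memory of 436 3084 Hffken32.exe 94
PID 436 wrote to memory of 4080 436 Mcifkf32.exe 95
PID 4080 wrote to memory of 4932 4080 Nopfpgip.exe 96
PID 4932 wrote to memory of 2548 4932 Njfkmphe.exe 98
"""


def parse_wpm(text):
    """Parse lines into unique (src_pid, dst_pid, src_image, target_id) tuples, first-seen order."""
    seen, records = set(), []
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if not m:
            continue
        rec = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if rec not in seen:
            seen.add(rec)
            records.append(rec)
    return records


def build_chain(records, root_pid):
    """Walk src->dst edges from root_pid; returns [(pid, image_or_None), ...].

    A pid's image is only known from lines where it is the writer, so the final
    process in the chain has no image unless it wrote to something itself.
    A visited set guards against cycles in malformed input.
    """
    image = {src: img for src, _, img, _ in records}
    children = defaultdict(list)
    for src, dst, _, _ in records:
        children[src].append(dst)
    chain, visited, pid = [], set(), root_pid
    while pid is not None and pid not in visited:
        visited.add(pid)
        chain.append((pid, image.get(pid)))
        nxt = children.get(pid, [])
        pid = nxt[0] if nxt else None
    return chain


def score_chain(chain, min_hits=3):
    """Count chain members whose image matches the dropped-name pattern."""
    hits = [img for _, img in chain if img and DROPPED_NAME_RE.match(img)]
    return {"depth": len(chain), "pattern_hits": len(hits), "suspicious": len(hits) >= min_hits}


if __name__ == "__main__":
    recs = parse_wpm(SAMPLE)
    chain = build_chain(recs, 5012)
    print(" -> ".join(f"{pid}:{img or '?'}" for pid, img in chain))
    print(score_chain(chain))
```

The backreference in WPM_RE rejects lines whose writer PID and repeated PID disagree, which is the usual symptom of a mangled copy; min_hits is deliberately a parameter, since a single renamed binary in SysWOW64 is a weaker signal than the uninterrupted run seen in this report.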
Processes
- PID 5012 (level 1): C:\Users\Admin\AppData\Local\Temp\099b28b1ebd9cd02ffae5a8099339d94.exe (command line: "C:\Users\Admin\AppData\Local\Temp\099b28b1ebd9cd02ffae5a8099339d94.exe")
  - Suspicious use of WriteProcessMemory
- PID 3084 (level 2): C:\Windows\SysWOW64\Hffken32.exe (command line: C:\Windows\system32\Hffken32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 436 (level 3): C:\Windows\SysWOW64\Mcifkf32.exe (command line: C:\Windows\system32\Mcifkf32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- PID 4080 (level 4): C:\Windows\SysWOW64\Nopfpgip.exe (command line: C:\Windows\system32\Nopfpgip.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 4932 (level 5): C:\Windows\SysWOW64\Njfkmphe.exe (command line: C:\Windows\system32\Njfkmphe.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 2548 (level 6): C:\Windows\SysWOW64\Ngjkfd32.exe (command line: C:\Windows\system32\Ngjkfd32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 3760 (level 7): C:\Windows\SysWOW64\Nncccnol.exe (command line: C:\Windows\system32\Nncccnol.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 1520 (level 8): C:\Windows\SysWOW64\Ncqlkemc.exe (command line: C:\Windows\system32\Ncqlkemc.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 4392 (level 9): C:\Windows\SysWOW64\Gpolbo32.exe (command line: C:\Windows\system32\Gpolbo32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- PID 3428 (level 10): C:\Windows\SysWOW64\Gpaihooo.exe (command line: C:\Windows\system32\Gpaihooo.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- PID 3940 (level 11): C:\Windows\SysWOW64\Ghojbq32.exe (command line: C:\Windows\system32\Ghojbq32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- PID 3876 (level 12): C:\Windows\SysWOW64\Hajkqfoe.exe (command line: C:\Windows\system32\Hajkqfoe.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- PID 4616 (level 13): C:\Windows\SysWOW64\Hlppno32.exe (command line: C:\Windows\system32\Hlppno32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- PID 3224 (level 14): C:\Windows\SysWOW64\Hbihjifh.exe (command line: C:\Windows\system32\Hbihjifh.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 4736 (level 15): C:\Windows\SysWOW64\Aaiqcnhg.exe (command line: C:\Windows\system32\Aaiqcnhg.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 4012 (level 16): C:\Windows\SysWOW64\Cildom32.exe (command line: C:\Windows\system32\Cildom32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 4300 (level 17): C:\Windows\SysWOW64\Dncpkjoc.exe (command line: C:\Windows\system32\Dncpkjoc.exe)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- PID 3548 (level 18): C:\Windows\SysWOW64\Dpalgenf.exe (command line: C:\Windows\system32\Dpalgenf.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 1856 (level 19): C:\Windows\SysWOW64\Ekgqennl.exe (command line: C:\Windows\system32\Ekgqennl.exe)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- PID 3220 (level 20): C:\Windows\SysWOW64\Eaaiahei.exe (command line: C:\Windows\system32\Eaaiahei.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 4088 (level 21): C:\Windows\SysWOW64\Ecbeip32.exe (command line: C:\Windows\system32\Ecbeip32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 1744 (level 22): C:\Windows\SysWOW64\Edaaccbj.exe (command line: C:\Windows\system32\Edaaccbj.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- PID 2304 (level 23): C:\Windows\SysWOW64\Ejagaj32.exe (command line: C:\Windows\system32\Ejagaj32.exe)
  - Executes dropped EXE
- PID 4240 (level 24): C:\Windows\SysWOW64\Egegjn32.exe (command line: C:\Windows\system32\Egegjn32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- PID 4552 (level 25): C:\Windows\SysWOW64\Enopghee.exe (command line: C:\Windows\system32\Enopghee.exe)
  - Executes dropped EXE
- PID 1980 (level 26): C:\Windows\SysWOW64\Fggdpnkf.exe (command line: C:\Windows\system32\Fggdpnkf.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- PID 4364 (level 27): C:\Windows\SysWOW64\Fqphic32.exe (command line: C:\Windows\system32\Fqphic32.exe)
  - Executes dropped EXE
- PID 1652 (level 28): C:\Windows\SysWOW64\Fjhmbihg.exe (command line: C:\Windows\system32\Fjhmbihg.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- PID 3276 (level 29): C:\Windows\SysWOW64\Fglnkm32.exe (command line: C:\Windows\system32\Fglnkm32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- PID 2572 (level 30): C:\Windows\SysWOW64\Fbaahf32.exe (command line: C:\Windows\system32\Fbaahf32.exe)
  - Executes dropped EXE
- PID 2776 (level 31): C:\Windows\SysWOW64\Fbdnne32.exe (command line: C:\Windows\system32\Fbdnne32.exe)
  - Executes dropped EXE
  - Modifies registry class
- PID 4048 (level 32): C:\Windows\SysWOW64\Fcekfnkb.exe (command line: C:\Windows\system32\Fcekfnkb.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- PID 2052 (level 33): C:\Windows\SysWOW64\Fqikob32.exe (command line: C:\Windows\system32\Fqikob32.exe)
  - Executes dropped EXE
- PID 2076 (level 34): C:\Windows\SysWOW64\Gkoplk32.exe (command line: C:\Windows\system32\Gkoplk32.exe)
  - Executes dropped EXE
  - Modifies registry class
- PID 2176 (level 35): C:\Windows\SysWOW64\Gqkhda32.exe (command line: C:\Windows\system32\Gqkhda32.exe)
  - Executes dropped EXE
  - Modifies registry class
- PID 5100 (level 36): C:\Windows\SysWOW64\Iencmm32.exe (command line: C:\Windows\system32\Iencmm32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- PID 4508 (level 37): C:\Windows\SysWOW64\Ieqpbm32.exe (command line: C:\Windows\system32\Ieqpbm32.exe)
  - Executes dropped EXE
- PID 2188 (level 38): C:\Windows\SysWOW64\Inidkb32.exe (command line: C:\Windows\system32\Inidkb32.exe)
  - Executes dropped EXE
- PID 4468 (level 39): C:\Windows\SysWOW64\Iecmhlhb.exe (command line: C:\Windows\system32\Iecmhlhb.exe)
  - Executes dropped EXE
- PID 3652 (level 40): C:\Windows\SysWOW64\Ijpepcfj.exe (command line: C:\Windows\system32\Ijpepcfj.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- PID 2872 (level 41): C:\Windows\SysWOW64\Iajmmm32.exe (command line: C:\Windows\system32\Iajmmm32.exe)
  - Executes dropped EXE
- PID 1344 (level 42): C:\Windows\SysWOW64\Iloajfml.exe (command line: C:\Windows\system32\Iloajfml.exe)
  - Executes dropped EXE
- PID 1688 (level 43): C:\Windows\SysWOW64\Jjkdlall.exe (command line: C:\Windows\system32\Jjkdlall.exe)
  - Executes dropped EXE
- PID 1972 (level 44): C:\Windows\SysWOW64\Jhoeef32.exe (command line: C:\Windows\system32\Jhoeef32.exe)
  - Executes dropped EXE
  - Modifies registry class
- PID 4336 (level 45): C:\Windows\SysWOW64\Koimbpbc.exe (command line: C:\Windows\system32\Koimbpbc.exe)
  - Executes dropped EXE
- PID 2080 (level 46): C:\Windows\SysWOW64\Keceoj32.exe (command line: C:\Windows\system32\Keceoj32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- PID 4384 (level 47): C:\Windows\SysWOW64\Kbgfhnhi.exe (command line: C:\Windows\system32\Kbgfhnhi.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- PID 5132 (level 48): C:\Windows\SysWOW64\Kbjbnnfg.exe (command line: C:\Windows\system32\Kbjbnnfg.exe)
  - Executes dropped EXE
- PID 5200 (level 49): C:\Windows\SysWOW64\Kblpcndd.exe (command line: C:\Windows\system32\Kblpcndd.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- PID 5272 (level 50): C:\Windows\SysWOW64\Kkgdhp32.exe (command line: C:\Windows\system32\Kkgdhp32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- PID 5328 (level 51): C:\Windows\SysWOW64\Ldbefe32.exe (command line: C:\Windows\system32\Ldbefe32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- PID 5368 (level 52): C:\Windows\SysWOW64\Lkcccn32.exe (command line: C:\Windows\system32\Lkcccn32.exe)
  - Executes dropped EXE
- PID 5408 (level 53): C:\Windows\SysWOW64\Lehhqg32.exe (command line: C:\Windows\system32\Lehhqg32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- PID 5480 (level 54): C:\Windows\SysWOW64\Moalil32.exe (command line: C:\Windows\system32\Moalil32.exe)
  - Executes dropped EXE
- PID 5532 (level 55): C:\Windows\SysWOW64\Mdnebc32.exe (command line: C:\Windows\system32\Mdnebc32.exe)
  - Executes dropped EXE
- PID 5568 (level 56): C:\Windows\SysWOW64\Mociol32.exe (command line: C:\Windows\system32\Mociol32.exe)
  - Executes dropped EXE
- PID 5616 (level 57): C:\Windows\SysWOW64\Mdpagc32.exe (command line: C:\Windows\system32\Mdpagc32.exe)
  - Executes dropped EXE
- PID 5700 (level 58): C:\Windows\SysWOW64\Mdbnmbhj.exe (command line: C:\Windows\system32\Mdbnmbhj.exe)
  - Executes dropped EXE
- PID 5748 (level 59): C:\Windows\SysWOW64\Mccokj32.exe (command line: C:\Windows\system32\Mccokj32.exe)
  - Executes dropped EXE
- PID 5792 (level 60): C:\Windows\SysWOW64\Mllccpfj.exe (command line: C:\Windows\system32\Mllccpfj.exe)
  - Executes dropped EXE
  - Modifies registry class
- PID 5852 (level 61): C:\Windows\SysWOW64\Nooikj32.exe (command line: C:\Windows\system32\Nooikj32.exe)
  - Executes dropped EXE
  - Modifies registry class
- PID 5896 (level 62): C:\Windows\SysWOW64\Nlcidopb.exe (command line: C:\Windows\system32\Nlcidopb.exe)
  - Executes dropped EXE
- PID 5936 (level 63): C:\Windows\SysWOW64\Nbdkhe32.exe (command line: C:\Windows\system32\Nbdkhe32.exe)
  - Executes dropped EXE
  - Modifies registry class
- PID 5976 (level 64): C:\Windows\SysWOW64\Oljoen32.exe (command line: C:\Windows\system32\Oljoen32.exe)
  - Executes dropped EXE
  - Modifies registry class
- PID 6060 (level 65): C:\Windows\SysWOW64\Ofbdncaj.exe (command line: C:\Windows\system32\Ofbdncaj.exe)
  - Executes dropped EXE
- PID 6124 (level 66): C:\Windows\SysWOW64\Omaeem32.exe (command line: C:\Windows\system32\Omaeem32.exe)
- PID 5160 (level 67): C:\Windows\SysWOW64\Pijcpmhc.exe (command line: C:\Windows\system32\Pijcpmhc.exe)
- PID 1552 (level 68): C:\Windows\SysWOW64\Pbddobla.exe (command line: C:\Windows\system32\Pbddobla.exe)
  - Modifies registry class
- PID 5404 (level 69): C:\Windows\SysWOW64\Pfbmdabh.exe (command line: C:\Windows\system32\Pfbmdabh.exe)
- PID 5124 (level 70): C:\Windows\SysWOW64\Pbimjb32.exe (command line: C:\Windows\system32\Pbimjb32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- PID 5608 (level 71): C:\Windows\SysWOW64\Pcijce32.exe (command line: C:\Windows\system32\Pcijce32.exe)
- PID 5680 (level 72): C:\Windows\SysWOW64\Qmanljfo.exe (command line: C:\Windows\system32\Qmanljfo.exe)
  - Drops file in System32 directory
  - Modifies registry class
- PID 3844 (level 73): C:\Windows\SysWOW64\Qelcamcj.exe (command line: C:\Windows\system32\Qelcamcj.exe)
- PID 4500 (level 74): C:\Windows\SysWOW64\Qcncodki.exe (command line: C:\Windows\system32\Qcncodki.exe)
  - Modifies registry class
- PID 4596 (level 75): C:\Windows\SysWOW64\Aijlgkjq.exe (command line: C:\Windows\system32\Aijlgkjq.exe)
  - Modifies registry class
- PID 5784 (level 76): C:\Windows\SysWOW64\Apddce32.exe (command line: C:\Windows\system32\Apddce32.exe)
  - Drops file in System32 directory
- PID 5884 (level 77): C:\Windows\SysWOW64\Aealll32.exe (command line: C:\Windows\system32\Aealll32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- PID 5944 (level 78): C:\Windows\SysWOW64\Apgqie32.exe (command line: C:\Windows\system32\Apgqie32.exe)
- PID 6016 (level 79): C:\Windows\SysWOW64\Afqifo32.exe (command line: C:\Windows\system32\Afqifo32.exe)
  - Drops file in System32 directory
- PID 6132 (level 80): C:\Windows\SysWOW64\Amkabind.exe (command line: C:\Windows\system32\Amkabind.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- PID 5308 (level 81): C:\Windows\SysWOW64\Aiabhj32.exe (command line: C:\Windows\system32\Aiabhj32.exe)
- PID 5376 (level 82): C:\Windows\SysWOW64\Acgfec32.exe (command line: C:\Windows\system32\Acgfec32.exe)
- PID 4556 (level 83): C:\Windows\SysWOW64\Aehbmk32.exe (command line: C:\Windows\system32\Aehbmk32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- PID 1912 (level 84): C:\Windows\SysWOW64\Ancjef32.exe (command line: C:\Windows\system32\Ancjef32.exe)
  - Modifies registry class
- PID 2120 (level 85): C:\Windows\SysWOW64\Flgadake.exe (command line: C:\Windows\system32\Flgadake.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- PID 5048 (level 86): C:\Windows\SysWOW64\Nipokfil.exe (command line: C:\Windows\system32\Nipokfil.exe)
- PID 2304 (level 87): C:\Windows\SysWOW64\Djhiglji.exe (command line: C:\Windows\system32\Djhiglji.exe)
- PID 4264 (level 88): C:\Windows\SysWOW64\Dmfecgim.exe (command line: C:\Windows\system32\Dmfecgim.exe)
  - Drops file in System32 directory
- PID 5672 (level 89): C:\Windows\SysWOW64\Ddnmeejo.exe (command line: C:\Windows\system32\Ddnmeejo.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- PID 5312 (level 90): C:\Windows\SysWOW64\Dkgeao32.exe (command line: C:\Windows\system32\Dkgeao32.exe)
- PID 4908 (level 91): C:\Windows\SysWOW64\Dnfanjqp.exe (command line: C:\Windows\system32\Dnfanjqp.exe)
  - Modifies registry class
- PID 4488 (level 92): C:\Windows\SysWOW64\Dqdnjfpc.exe (command line: C:\Windows\system32\Dqdnjfpc.exe)
- PID 2776 (level 93): C:\Windows\SysWOW64\Dccjfaog.exe (command line: C:\Windows\system32\Dccjfaog.exe)
  - Modifies registry class
- PID 4716 (level 94): C:\Windows\SysWOW64\Dkjbgooi.exe (command line: C:\Windows\system32\Dkjbgooi.exe)
- PID 4408 (level 95): C:\Windows\SysWOW64\Dnhncjom.exe (command line: C:\Windows\system32\Dnhncjom.exe)
- PID 1404 (level 96): C:\Windows\SysWOW64\Dqgjoenq.exe (command line: C:\Windows\system32\Dqgjoenq.exe)
  - Modifies registry class
- PID 5824 (level 97): C:\Windows\SysWOW64\Dklomnmf.exe (command line: C:\Windows\system32\Dklomnmf.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- PID 1348 (level 98): C:\Windows\SysWOW64\Dmnkdfce.exe (command line: C:\Windows\system32\Dmnkdfce.exe)
- PID 6080 (level 99): C:\Windows\SysWOW64\Dedceddg.exe (command line: C:\Windows\system32\Dedceddg.exe)
  - Drops file in System32 directory
- PID 1536 (level 100): C:\Windows\SysWOW64\Djalnkbo.exe (command line: C:\Windows\system32\Djalnkbo.exe)
- PID 5356 (level 101): C:\Windows\SysWOW64\Eakdje32.exe (command line: C:\Windows\system32\Eakdje32.exe)
- PID 2872 (level 102): C:\Windows\SysWOW64\Egelgoah.exe (command line: C:\Windows\system32\Egelgoah.exe)
- PID 2980 (level 103): C:\Windows\SysWOW64\Embdofop.exe (command line: C:\Windows\system32\Embdofop.exe)
- PID 2640 (level 104): C:\Windows\SysWOW64\Eeimqc32.exe (command line: C:\Windows\system32\Eeimqc32.exe)
- PID 3296 (level 105): C:\Windows\SysWOW64\Enaaiifb.exe (command line: C:\Windows\system32\Enaaiifb.exe)
  - Drops file in System32 directory
- PID 5988 (level 106): C:\Windows\SysWOW64\Eapmedef.exe (command line: C:\Windows\system32\Eapmedef.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- PID 5512 (level 107): C:\Windows\SysWOW64\Ecoiapdj.exe (command line: C:\Windows\system32\Ecoiapdj.exe)
- PID 5476 (level 108): C:\Windows\SysWOW64\Endnohdp.exe (command line: C:\Windows\system32\Endnohdp.exe)
  - Drops file in System32 directory
- PID 5532 (level 109): C:\Windows\SysWOW64\Iamoon32.exe (command line: C:\Windows\system32\Iamoon32.exe)
- PID 5592 (level 110): C:\Windows\SysWOW64\Ihfglhfp.exe (command line: C:\Windows\system32\Ihfglhfp.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- PID 1380 (level 111): C:\Windows\SysWOW64\Incpdodg.exe (command line: C:\Windows\system32\Incpdodg.exe)
- PID 2384 (level 112): C:\Windows\SysWOW64\Ildpbfmf.exe (command line: C:\Windows\system32\Ildpbfmf.exe)
- PID 4884 (level 113): C:\Windows\SysWOW64\Iacepmik.exe (command line: C:\Windows\system32\Iacepmik.exe)
- PID 5768 (level 114): C:\Windows\SysWOW64\Jliimf32.exe (command line: C:\Windows\system32\Jliimf32.exe)
  - Modifies registry class
- PID 5792 (level 115): C:\Windows\SysWOW64\Jogeia32.exe (command line: C:\Windows\system32\Jogeia32.exe)
- PID 4816 (level 116): C:\Windows\SysWOW64\Jeanfkob.exe (command line: C:\Windows\system32\Jeanfkob.exe)
- PID 4680 (level 117): C:\Windows\SysWOW64\Jlkfbe32.exe (command line: C:\Windows\system32\Jlkfbe32.exe)
- PID 6064 (level 118): C:\Windows\SysWOW64\Jahnkl32.exe (command line: C:\Windows\system32\Jahnkl32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- PID 4520 (level 119): C:\Windows\SysWOW64\Jakkplbc.exe (command line: C:\Windows\system32\Jakkplbc.exe)
- PID 4504 (level 120): C:\Windows\SysWOW64\Jamhflqq.exe (command line: C:\Windows\system32\Jamhflqq.exe)
- PID 5436 (level 121): C:\Windows\SysWOW64\Jdkdbgpd.exe (command line: C:\Windows\system32\Jdkdbgpd.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- PID 6104 (level 122): C:\Windows\SysWOW64\Jkeloa32.exe (command line: C:\Windows\system32\Jkeloa32.exe)