Analysis
  max time kernel:  135s
  max time network: 122s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:        29/04/2024, 10:52
Behavioral tasks
  behavioral1: sample e87945421f3cb9c6d221fd9110e7ae25.exe, resource win7-20240221-en
  behavioral2: sample e87945421f3cb9c6d221fd9110e7ae25.exe, resource win10v2004-20240419-en
  The analysis details and IoCs on this page are from behavioral1 (windows7_x64).
General
  Target: e87945421f3cb9c6d221fd9110e7ae25.exe
  Size:   121KB
  MD5:    e87945421f3cb9c6d221fd9110e7ae25
  SHA1:   98adae9e887445e1a3b7ff7358ea360a91cb9ea6
  SHA256: 288016f7ee422311f7572b11882c3544b47be70c42f14e68937770c2919e00ff
  SHA512: 098e7bf3cb623ec5ff31594805c9c39e0b90c96d90706d53281bd93dbca850b5e45ce7cc2ae9985ca1d0dd06850d08128d35df0104786a62e3e9db9417ddd1f7
  SSDEEP: 3072:k799alMV0Frm8FfDHge/8bFC6145+2NkHIO7AJnD5tvv:fZF1FfDHbUCI45+2NkHIOarvv
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  All 64 registry events target the same key under HKLM, abbreviated below as SSODL:
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  "Key created" = the SSODL key itself was created.
  "Set value"   = string value SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" was written.
  "Process not Found" means the sandbox could not attribute the event to a tracked process.

  Operation     Process
  Set value     Pomhcg32.exe
  Key created   Process not Found
  Set value     Process not Found
  Key created   Process not Found
  Key created   Amhpnkch.exe
  Set value     Helngnie.exe
  Key created   Gmecmg32.exe
  Set value     Omqlpp32.exe
  Key created   Process not Found
  Set value     Process not Found
  Set value     Process not Found
  Set value     Process not Found
  Key created   Process not Found
  Set value     Process not Found
  Key created   Oclilp32.exe
  Key created   Qmifhq32.exe
  Set value     Process not Found
  Key created   Process not Found
  Key created   Gmoqnhla.exe
  Set value     Process not Found
  Key created   Process not Found
  Key created   Process not Found
  Key created   Process not Found
  Key created   Fiihdlpc.exe
  Key created   Process not Found
  Key created   Process not Found
  Set value     Process not Found
  Key created   Process not Found
  Key created   Process not Found
  Set value     Process not Found
  Set value     Process not Found
  Key created   Kconkibf.exe
  Set value     Mcnpojca.exe
  Key created   Bccjdnbi.exe
  Key created   Process not Found
  Key created   Bbonei32.exe
  Set value     Process not Found
  Key created   Process not Found
  Set value     Process not Found
  Key created   Ijgdngmf.exe
  Set value     Ccigfn32.exe
  Set value     Hahlhkhi.exe
  Set value     Ioilkblq.exe
  Key created   Process not Found
  Key created   Process not Found
  Set value     Process not Found
  Key created   Process not Found
  Set value     Gebbnpfp.exe
  Key created   Agdmdg32.exe
  Set value     Process not Found
  Key created   Process not Found
  Key created   Process not Found
  Set value     Process not Found
  Key created   Process not Found
  Set value     Process not Found
  Set value     Oclilp32.exe
  Set value     Cddaphkn.exe
  Set value     Figlolbf.exe
  Set value     Pkdihhag.exe
  Key created   Process not Found
  Set value     Fkejcq32.exe
  Set value     Process not Found
  Set value     Process not Found
  Set value     Process not Found
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  yara rule family_berbew matched the following resources:
  behavioral1/memory/1752-0-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x000c00000001313a-5.dat
  behavioral1/memory/1752-6-0x0000000000310000-0x0000000000357000-memory.dmp
  behavioral1/files/0x0008000000015d67-18.dat
  behavioral1/memory/1928-20-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/memory/2556-27-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0007000000015d87-33.dat
  behavioral1/memory/2844-40-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0009000000015e3a-46.dat
  behavioral1/memory/2716-53-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0006000000016c6b-59.dat
  behavioral1/memory/776-67-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0006000000016ce4-75.dat
  behavioral1/memory/2500-79-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0006000000016d1e-85.dat
  behavioral1/memory/2988-92-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0006000000016d3a-98.dat
  behavioral1/memory/2916-105-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0006000000016d90-111.dat
  behavioral1/files/0x0006000000016dbb-129.dat
  behavioral1/memory/2984-130-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/memory/1712-139-0x0000000000250000-0x0000000000297000-memory.dmp
  behavioral1/memory/1712-136-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0006000000016e94-137.dat
  behavioral1/memory/1564-145-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0006000000017052-157.dat
  behavioral1/memory/540-158-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x00060000000173d8-164.dat
  behavioral1/memory/2756-171-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x00060000000173e0-177.dat
  behavioral1/memory/1272-187-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x000600000001745e-192.dat
  behavioral1/memory/1656-199-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x000600000001749c-205.dat
  behavioral1/memory/1656-211-0x0000000002000000-0x0000000002047000-memory.dmp
  behavioral1/memory/712-213-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x000900000001864e-222.dat
  behavioral1/memory/2376-228-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x000500000001866d-231.dat
  behavioral1/memory/2376-230-0x00000000002D0000-0x0000000000317000-memory.dmp
  behavioral1/memory/2376-234-0x00000000002D0000-0x0000000000317000-memory.dmp
  behavioral1/memory/1776-240-0x0000000000250000-0x0000000000297000-memory.dmp
  behavioral1/files/0x0006000000018c0a-242.dat
  behavioral1/memory/1064-244-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0006000000018f3a-250.dat
  behavioral1/memory/1376-255-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x00060000000190b6-261.dat
  behavioral1/memory/1312-269-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/memory/564-277-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x00050000000191cd-272.dat
  behavioral1/files/0x0005000000019215-284.dat
  behavioral1/memory/3004-288-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x000500000001923d-294.dat
  behavioral1/memory/2508-301-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x000500000001924a-307.dat
  behavioral1/memory/2176-310-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x0005000000019270-316.dat
  behavioral1/memory/2332-321-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x000500000001933a-327.dat
  behavioral1/memory/2928-337-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/files/0x000500000001935d-338.dat
  behavioral1/memory/2636-343-0x0000000000400000-0x0000000000447000-memory.dmp
  behavioral1/memory/2928-342-0x00000000002F0000-0x0000000000337000-memory.dmp
  behavioral1/memory/2928-341-0x00000000002F0000-0x0000000000337000-memory.dmp
Executes dropped EXE (64 IoCs)
  pid  Process
  1928 Hodpgjha.exe    2556 Hkkalk32.exe    2844 Iknnbklc.exe    2716 Ifcbodli.exe
  776  Inngcfid.exe    2500 Iqmcpahh.exe    2988 Inqcif32.exe    2916 Iqopea32.exe
  2984 Ijgdngmf.exe    1712 Idmhkpml.exe    1564 Ifnechbj.exe    540  Jgnamk32.exe
  2756 Jqfffqpm.exe    1272 Jbgbni32.exe    1656 Jmmfkafa.exe    712  Jkbcln32.exe
  2376 Jkdpanhg.exe    1776 Jbnhng32.exe    1064 Kjjmbj32.exe    1376 Keoapb32.exe
  1312 Kcbakpdo.exe    564  Kngfih32.exe    3004 Keanebkb.exe    2508 Kpkofpgq.exe
  2176 Kfegbj32.exe    2332 Kjcpii32.exe    2928 Lbnemk32.exe    2636 Lemaif32.exe
  3068 Llfifq32.exe    2588 Lliflp32.exe    2540 Limfed32.exe    2444 Lecgje32.exe
  2800 Lhbcfa32.exe    2604 Lajhofao.exe    2696 Lefdpe32.exe    1224 Mgimmm32.exe
  2668 Maoajf32.exe    2496 Mgljbm32.exe    2772 Mimbdhhb.exe    944  Mmhodf32.exe
  1988 Mgqcmlgl.exe    1832 Mpigfa32.exe    568  Najdnj32.exe    2076 Nlphkb32.exe
  1400 Nondgn32.exe    2256 Ndkmpe32.exe    784  Nhfipcid.exe    1736 Nncahjgl.exe
  2836 Nejiih32.exe    2888 Nglfapnl.exe    1604 Nkgbbo32.exe    3044 Naajoinb.exe
  2632 Npdjje32.exe    2740 Ngnbgplj.exe    2428 Nkiogn32.exe    2300 Nacgdhlp.exe
  2912 Ndbcpd32.exe    1588 Nceclqan.exe    1760 Oklkmnbp.exe    2680 Olmhdf32.exe
  788  Oddpfc32.exe    2776 Onmdoioa.exe    2824 Olpdjf32.exe    2364 Ocimgp32.exe
Loads dropped DLL (64 IoCs)
  Each of the 32 processes below appears twice in the report (two DLL-load events per process).
  pid  Process
  1752 e87945421f3cb9c6d221fd9110e7ae25.exe
  1928 Hodpgjha.exe    2556 Hkkalk32.exe    2844 Iknnbklc.exe    2716 Ifcbodli.exe
  776  Inngcfid.exe    2500 Iqmcpahh.exe    2988 Inqcif32.exe    2916 Iqopea32.exe
  2984 Ijgdngmf.exe    1712 Idmhkpml.exe    1564 Ifnechbj.exe    540  Jgnamk32.exe
  2756 Jqfffqpm.exe    1272 Jbgbni32.exe    1656 Jmmfkafa.exe    712  Jkbcln32.exe
  2376 Jkdpanhg.exe    1776 Jbnhng32.exe    1064 Kjjmbj32.exe    1376 Keoapb32.exe
  1312 Kcbakpdo.exe    564  Kngfih32.exe    3004 Keanebkb.exe    2508 Kpkofpgq.exe
  2176 Kfegbj32.exe    2332 Kjcpii32.exe    2928 Lbnemk32.exe    2636 Lemaif32.exe
  3068 Llfifq32.exe    2588 Lliflp32.exe    2540 Limfed32.exe
Drops file in System32 directory (64 IoCs)
  All paths are under C:\Windows\SysWOW64\. "created" = File created; "modified" = File opened for modification.
  Operation  File            Process
  created    Kdcgnide.dll    Ggfnopfg.exe
  modified   Ceeieced.exe    Cbgmigeq.exe
  created    Iipejmko.exe    Process not Found
  created    Aopbmapo.dll    Process not Found
  created    Fmbgageq.exe    Process not Found
  created    Capmemci.exe    Process not Found
  created    Jehlkhig.exe    Process not Found
  created    Fjjdbf32.dll    Process not Found
  created    Mganfp32.exe    Process not Found
  modified   Figlolbf.exe    Fbmcbbki.exe
  created    Oklghebe.dll    Hnjplo32.exe
  created    Bikppe32.dll    Jjmpbopd.exe
  created    Nefele32.dll    Ciifbchf.exe
  modified   Jacibm32.exe    Process not Found
  created    Njekpl32.dll    Fbpbpkpj.exe
  modified   Khabghdl.exe    Kfbfkmeh.exe
  created    Obgkpb32.exe    Okpcoe32.exe
  created    Icifjk32.exe    Process not Found
  modified   Pflbpg32.exe    Process not Found
  created    Bdodmlcm.exe    Process not Found
  modified   Oemhjlha.exe    Process not Found
  created    Inoaljog.dll    Chfbgn32.exe
  modified   Fhbbcail.exe    Process not Found
  modified   Gmcikd32.exe    Process not Found
  created    Pjohgc32.dll    Process not Found
  modified   Dogefd32.exe    Dhnmij32.exe
  modified   Nhcebj32.exe    Process not Found
  modified   Djlbkcfn.exe    Process not Found
  created    Gfgdij32.exe    Process not Found
  modified   Boplllob.exe    Bhfcpb32.exe
  created    Kcamjb32.exe    Khlili32.exe
  created    Camljoch.dll    Obgkpb32.exe
  modified   Inhdgdmk.exe    Process not Found
  created    Eoajgh32.exe    Process not Found
  created    Elmabenf.dll    Process not Found
  created    Bjidgghp.dll    Dlkepi32.exe
  modified   Libicbma.exe    Lbiqfied.exe
  created    Enkpahon.exe    Efdhpjok.exe
  created    Dcllbhdn.exe    Process not Found
  modified   Ikfdkc32.exe    Process not Found
  modified   Efnfbl32.exe    Ecpjfq32.exe
  created    Hjgehgnh.exe    Process not Found
  created    Mmgofm32.dll    Process not Found
  created    Lnnndl32.exe    Process not Found
  created    Kklcab32.dll    Nodgel32.exe
  created    Ibaaeg32.dll    Process not Found
  created    Pefgcifd.dll    Faigdn32.exe
  created    Kfeoelgo.dll    Bbonei32.exe
  created    Pmclka32.dll    Ifoqjo32.exe
  created    Hfiocpon.dll    Process not Found
  modified   Bkpglbaj.exe    Process not Found
  created    Ffgpgl32.dll    Process not Found
  modified   Aoomflpd.exe    Process not Found
  created    Pfpgeall.dll    Process not Found
  created    Aphdkpjd.dll    Process not Found
  created    Anmmjl32.dll    Process not Found
  created    Ncmflp32.dll    Cbajkiof.exe
  created    Opdnhdpo.dll    Lfmffhde.exe
  created    Hbcicn32.dll    Aecaidjl.exe
  modified   Nejdjf32.exe    Process not Found
  created    Jifnmmhq.dll    Anlmmp32.exe
  created    Oflcmqaa.dll    Oghopm32.exe
  created    Djgfgkbo.exe    Process not Found
  created    Edeppfdk.dll    Process not Found
Program crash (1 IoC)
  pid 8408, pid_target 8296, Process: Process not Found, procid_target 2863
Modifies registry class (64 IoCs)
  All 64 events target the InProcServer32 key of the CLSID referenced by the SSODL value above, abbreviated below as CLSIDKEY:
    \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
  "Key created"    = CLSIDKEY created.
  "ThreadingModel" = string value CLSIDKEY\ThreadingModel = "Apartment".
  "(default) = X"  = string default value of CLSIDKEY set to "C:\Windows\SysWow64\X" (the DLL Explorer will load).

  Operation                      Process
  ThreadingModel                 Hahlhkhi.exe
  (default) = Pdmjki32.dll       Process not Found
  Key created                    Process not Found
  (default) = Cpaeljha.dll       Process not Found
  Key created                    Process not Found
  Key created                    Process not Found
  Key created                    Process not Found
  (default) = Aphgbo32.dll       Process not Found
  ThreadingModel                 Process not Found
  ThreadingModel                 Process not Found
  ThreadingModel                 Mhhfdo32.exe
  ThreadingModel                 Oagoep32.exe
  (default) = Oggfcl32.dll       Process not Found
  Key created                    Process not Found
  ThreadingModel                 Process not Found
  (default) = Inphpenn.dll       Process not Found
  Key created                    Ebmgcohn.exe
  ThreadingModel                 Degiggjm.exe
  Key created                    Process not Found
  (default) = Fdibkoon.dll       Process not Found
  (default) = Kiodkmcc.dll       Process not Found
  (default) = Hahjegok.dll       Lgbeoibb.exe
  (default) = Nlaaie32.dll       Process not Found
  ThreadingModel                 Process not Found
  (default) = Flhinpbh.dll       Aababceh.exe
  (default) = Gdnibjgk.dll       Process not Found
  ThreadingModel                 Process not Found
  (default) = Odfhpd32.dll       Process not Found
  Key created                    Process not Found
  (default) = Jmemme32.dll       Process not Found
  ThreadingModel                 Ghkndf32.exe
  Key created                    Process not Found
  Key created                    Mmldme32.exe
  Key created                    Process not Found
  (default) = Hidnidah.dll       Process not Found
  Key created                    Process not Found
  ThreadingModel                 Process not Found
  ThreadingModel                 Process not Found
  (default) = Kacgbnfl.dll       Lphhenhc.exe
  (default) = Dqnlqf32.dll       Nehomq32.exe
  (default) = Klcjnl32.dll       Process not Found
  ThreadingModel                 Process not Found
  ThreadingModel                 Process not Found
  Key created                    Process not Found
  ThreadingModel                 Lapnnafn.exe
  ThreadingModel                 Eobchk32.exe
  ThreadingModel                 Mbcmpfhi.exe
  ThreadingModel                 Process not Found
  ThreadingModel                 Process not Found
  Key created                    Process not Found
  (default) = Doohjohm.dll       Process not Found
  (default) = Allepo32.dll       Kegqdqbl.exe
  ThreadingModel                 Omqlpp32.exe
  ThreadingModel                 Cillkbac.exe
  (default) = Heobhfnp.dll       Process not Found
  Key created                    Process not Found
  ThreadingModel                 Jkoplhip.exe
  ThreadingModel                 Cheido32.exe
  Key created                    Process not Found
  Key created                    Lapnnafn.exe
  (default) = Imfopc32.dll       Process not Found
  ThreadingModel                 Process not Found
  Key created                    Mmdgbp32.exe
  Key created                    Opfbngfb.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 1752 wrote to memory of 1928  1752  e87945421f3cb9c6d221fd9110e7ae25.exe  28
PID 1752 wrote to memory of 1928  1752  e87945421f3cb9c6d221fd9110e7ae25.exe  28
PID 1752 wrote to memory of 1928  1752  e87945421f3cb9c6d221fd9110e7ae25.exe  28
PID 1752 wrote to memory of 1928  1752  e87945421f3cb9c6d221fd9110e7ae25.exe  28
PID 1928 wrote to memory of 2556  1928  Hodpgjha.exe  29
PID 1928 wrote to memory of 2556  1928  Hodpgjha.exe  29
PID 1928 wrote to memory of 2556  1928  Hodpgjha.exe  29
PID 1928 wrote to memory of 2556  1928  Hodpgjha.exe  29
PID 2556 wrote to memory of 2844  2556  Hkkalk32.exe  30
PID 2556 wrote to memory of 2844  2556  Hkkalk32.exe  30
PID 2556 wrote to memory of 2844  2556  Hkkalk32.exe  30
PID 2556 wrote to memory of 2844  2556  Hkkalk32.exe  30
PID 2844 wrote to memory of 2716  2844  Iknnbklc.exe  31
PID 2844 wrote to memory of 2716  2844  Iknnbklc.exe  31
PID 2844 wrote to memory of 2716  2844  Iknnbklc.exe  31
PID 2844 wrote to memory of 2716  2844  Iknnbklc.exe  31
PID 2716 wrote to memory of 776  2716  Ifcbodli.exe  32
PID 2716 wrote to memory of 776  2716  Ifcbodli.exe  32
PID 2716 wrote to memory of 776  2716  Ifcbodli.exe  32
PID 2716 wrote to memory of 776  2716  Ifcbodli.exe  32
PID 776 wrote to memory of 2500  776  Inngcfid.exe  33
PID 776 wrote to memory of 2500  776  Inngcfid.exe  33
PID 776 wrote to memory of 2500  776  Inngcfid.exe  33
PID 776 wrote to memory of 2500  776  Inngcfid.exe  33
PID 2500 wrote to memory of 2988  2500  Iqmcpahh.exe  34
PID 2500 wrote to memory of 2988  2500  Iqmcpahh.exe  34
PID 2500 wrote to memory of 2988  2500  Iqmcpahh.exe  34
PID 2500 wrote to memory of 2988  2500  Iqmcpahh.exe  34
PID 2988 wrote to memory of 2916  2988  Inqcif32.exe  35
PID 2988 wrote to memory of 2916  2988  Inqcif32.exe  35
PID 2988 wrote to memory of 2916  2988  Inqcif32.exe  35
PID 2988 wrote to memory of 2916  2988  Inqcif32.exe  35
PID 2916 wrote to memory of 2984  2916  Iqopea32.exe  36
PID 2916 wrote to memory of 2984  2916  Iqopea32.exe  36
PID 2916 wrote to memory of 2984  2916  Iqopea32.exe  36
PID 2916 wrote to memory of 2984  2916  Iqopea32.exe  36
PID 2984 wrote to memory of 1712  2984  Ijgdngmf.exe  37
PID 2984 wrote to memory of 1712  2984  Ijgdngmf.exe  37
PID 2984 wrote to memory of 1712  2984  Ijgdngmf.exe  37
PID 2984 wrote to memory of 1712  2984  Ijgdngmf.exe  37
PID 1712 wrote to memory of 1564  1712  Idmhkpml.exe  38
PID 1712 wrote to memory of 1564  1712  Idmhkpml.exe  38
PID 1712 wrote to memory of 1564  1712  Idmhkpml.exe  38
PID 1712 wrote to memory of 1564  1712  Idmhkpml.exe  38
PID 1564 wrote to memory of 540  1564  Ifnechbj.exe  39
PID 1564 wrote to memory of 540  1564  Ifnechbj.exe  39
PID 1564 wrote to memory of 540  1564  Ifnechbj.exe  39
PID 1564 wrote to memory of 540  1564  Ifnechbj.exe  39
PID 540 wrote to memory of 2756  540  Jgnamk32.exe  40
PID 540 wrote to memory of 2756  540  Jgnamk32.exe  40
PID 540 wrote to memory of 2756  540  Jgnamk32.exe  40
PID 540 wrote to memory of 2756  540  Jgnamk32.exe  40
PID 2756 wrote to memory of 1272  2756  Jqfffqpm.exe  41
PID 2756 wrote to memory of 1272  2756  Jqfffqpm.exe  41
PID 2756 wrote to memory of 1272  2756  Jqfffqpm.exe  41
PID 2756 wrote to memory of 1272  2756  Jqfffqpm.exe  41
PID 1272 wrote to memory of 1656  1272  Jbgbni32.exe  42
PID 1272 wrote to memory of 1656  1272  Jbgbni32.exe  42
PID 1272 wrote to memory of 1656  1272  Jbgbni32.exe  42
PID 1272 wrote to memory of 1656  1272  Jbgbni32.exe  42
PID 1656 wrote to memory of 712  1656  Jmmfkafa.exe  43
PID 1656 wrote to memory of 712  1656  Jmmfkafa.exe  43
PID 1656 wrote to memory of 712  1656  Jmmfkafa.exe  43
PID 1656 wrote to memory of 712  1656  Jmmfkafa.exe  43
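The registry rows above record the sample's persistence: each dropped process rewrites the InProcServer32 default value of CLSID {79FAA099-1BAE-816E-D711-115290CEE717} to point at a freshly dropped DLL under SysWow64, and the ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" names that CLSID, so Explorer.exe instantiates the object and loads the DLL at every logon without any Run key being touched. The following is an added host-hunting script, not code from the tria.ge report or from the sample: it walks both the native and the Wow6432Node SSODL views (the report shows the Wow6432Node view because the 32-bit sample ran under WOW64 on the x64 image), resolves each CLSID to its InProcServer32 DLL, and checks the DLL's Authenticode status. The CLSID constant comes from the report; the rule that anything not validly signed by Microsoft is suspicious is an assumption of this example, not a claim the report makes.

```powershell
# Added example (not part of the tria.ge report): hunt a live Windows host for
# ShellServiceObjectDelayLoad -> CLSID -> InProcServer32 persistence of the kind
# recorded above. Read-only; run from an elevated PowerShell.

# Check both registry views: the 32-bit sample wrote under Wow6432Node, but a
# 64-bit dropper would write to the native key.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)
# CLSID taken from the report. Exact-match flagging is an assumption of this example.
$ReportClsid = '{79FAA099-1BAE-816E-D711-115290CEE717}'

function Resolve-InProcServer32 {
    # Returns the InProcServer32 default value (the DLL path) for a CLSID, or $null
    # if neither registry view has one.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path -Path $root -ChildPath "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) {
                return [pscustomobject]@{
                    Key = $key
                    Dll = [Environment]::ExpandEnvironmentVariables($dll)
                }
            }
        }
    }
    return $null
}

function Get-SsodlFindings {
    foreach ($ssodl in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $ssodl)) { continue }
        $regKey = Get-Item -LiteralPath $ssodl
        foreach ($name in $regKey.GetValueNames()) {
            $clsid   = [string]$regKey.GetValue($name)
            $server  = Resolve-InProcServer32 -Clsid $clsid
            $dllPath = ''
            $status  = 'NoInProcServer32'
            $signer  = ''
            if ($server) {
                $dllPath = $server.Dll
                if (Test-Path -LiteralPath $dllPath) {
                    $sig    = Get-AuthenticodeSignature -FilePath $dllPath
                    $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
                    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                } else {
                    $status = 'DllMissing'             # key points at a DLL no longer on disk
                }
            }
            # Assumption of this example: a legitimate SSODL object is a validly
            # Microsoft-signed DLL; anything else, or the report's CLSID, is flagged.
            $suspicious = ($clsid -ieq $ReportClsid) -or
                          ($status -ne 'Valid') -or
                          ($signer -notmatch 'O=Microsoft Corporation')
            [pscustomobject]@{
                SsodlKey   = $ssodl
                Name       = $name
                Clsid      = $clsid
                Dll        = $dllPath
                SigStatus  = $status
                Signer     = $signer
                Suspicious = $suspicious
            }
        }
    }
}

Get-SsodlFindings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

A hit from this sample would show Name "Web Event Logger", the report's CLSID, a Dll under C:\Windows\SysWow64\ with an eight-letter name and SigStatus NotSigned. Because the sample rewrites the InProcServer32 value at every hop, the DLL on disk at the time you look is only the last one written; collect the earlier names from the registry rows above (Kacgbnfl.dll, Dqnlqf32.dll, Klcjnl32.dll, Doohjohm.dll, Allepo32.dll, Heobhfnp.dll, Imfopc32.dll) when sweeping the directory.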
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\e87945421f3cb9c6d221fd9110e7ae25.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\e87945421f3cb9c6d221fd9110e7ae25.exe"  PID:1752  [Loads dropped DLL; Suspicious use of WriteProcessMemory]
2⤵ C:\Windows\SysWOW64\Hodpgjha.exe  cmdline: C:\Windows\system32\Hodpgjha.exe  PID:1928  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
3⤵ C:\Windows\SysWOW64\Hkkalk32.exe  cmdline: C:\Windows\system32\Hkkalk32.exe  PID:2556  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
4⤵ C:\Windows\SysWOW64\Iknnbklc.exe  cmdline: C:\Windows\system32\Iknnbklc.exe  PID:2844  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
5⤵ C:\Windows\SysWOW64\Ifcbodli.exe  cmdline: C:\Windows\system32\Ifcbodli.exe  PID:2716  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
6⤵ C:\Windows\SysWOW64\Inngcfid.exe  cmdline: C:\Windows\system32\Inngcfid.exe  PID:776  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
7⤵ C:\Windows\SysWOW64\Iqmcpahh.exe  cmdline: C:\Windows\system32\Iqmcpahh.exe  PID:2500  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
8⤵ C:\Windows\SysWOW64\Inqcif32.exe  cmdline: C:\Windows\system32\Inqcif32.exe  PID:2988  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
9⤵ C:\Windows\SysWOW64\Iqopea32.exe  cmdline: C:\Windows\system32\Iqopea32.exe  PID:2916  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
10⤵ C:\Windows\SysWOW64\Ijgdngmf.exe  cmdline: C:\Windows\system32\Ijgdngmf.exe  PID:2984  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
11⤵ C:\Windows\SysWOW64\Idmhkpml.exe  cmdline: C:\Windows\system32\Idmhkpml.exe  PID:1712  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
12⤵ C:\Windows\SysWOW64\Ifnechbj.exe  cmdline: C:\Windows\system32\Ifnechbj.exe  PID:1564  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
13⤵ C:\Windows\SysWOW64\Jgnamk32.exe  cmdline: C:\Windows\system32\Jgnamk32.exe  PID:540  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
14⤵ C:\Windows\SysWOW64\Jqfffqpm.exe  cmdline: C:\Windows\system32\Jqfffqpm.exe  PID:2756  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
15⤵ C:\Windows\SysWOW64\Jbgbni32.exe  cmdline: C:\Windows\system32\Jbgbni32.exe  PID:1272  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
16⤵ C:\Windows\SysWOW64\Jmmfkafa.exe  cmdline: C:\Windows\system32\Jmmfkafa.exe  PID:1656  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
17⤵ C:\Windows\SysWOW64\Jkbcln32.exe  cmdline: C:\Windows\system32\Jkbcln32.exe  PID:712  [Executes dropped EXE; Loads dropped DLL]
18⤵ C:\Windows\SysWOW64\Jkdpanhg.exe  cmdline: C:\Windows\system32\Jkdpanhg.exe  PID:2376  [Executes dropped EXE; Loads dropped DLL]
19⤵ C:\Windows\SysWOW64\Jbnhng32.exe  cmdline: C:\Windows\system32\Jbnhng32.exe  PID:1776  [Executes dropped EXE; Loads dropped DLL]
20⤵ C:\Windows\SysWOW64\Kjjmbj32.exe  cmdline: C:\Windows\system32\Kjjmbj32.exe  PID:1064  [Executes dropped EXE; Loads dropped DLL]
21⤵ C:\Windows\SysWOW64\Keoapb32.exe  cmdline: C:\Windows\system32\Keoapb32.exe  PID:1376  [Executes dropped EXE; Loads dropped DLL]
22⤵ C:\Windows\SysWOW64\Kcbakpdo.exe  cmdline: C:\Windows\system32\Kcbakpdo.exe  PID:1312  [Executes dropped EXE; Loads dropped DLL]
23⤵ C:\Windows\SysWOW64\Kngfih32.exe  cmdline: C:\Windows\system32\Kngfih32.exe  PID:564  [Executes dropped EXE; Loads dropped DLL]
24⤵ C:\Windows\SysWOW64\Keanebkb.exe  cmdline: C:\Windows\system32\Keanebkb.exe  PID:3004  [Executes dropped EXE; Loads dropped DLL]
25⤵ C:\Windows\SysWOW64\Kpkofpgq.exe  cmdline: C:\Windows\system32\Kpkofpgq.exe  PID:2508  [Executes dropped EXE; Loads dropped DLL]
26⤵ C:\Windows\SysWOW64\Kfegbj32.exe  cmdline: C:\Windows\system32\Kfegbj32.exe  PID:2176  [Executes dropped EXE; Loads dropped DLL]
27⤵ C:\Windows\SysWOW64\Kjcpii32.exe  cmdline: C:\Windows\system32\Kjcpii32.exe  PID:2332  [Executes dropped EXE; Loads dropped DLL]
28⤵ C:\Windows\SysWOW64\Lbnemk32.exe  cmdline: C:\Windows\system32\Lbnemk32.exe  PID:2928  [Executes dropped EXE; Loads dropped DLL]
29⤵ C:\Windows\SysWOW64\Lemaif32.exe  cmdline: C:\Windows\system32\Lemaif32.exe  PID:2636  [Executes dropped EXE; Loads dropped DLL]
30⤵ C:\Windows\SysWOW64\Llfifq32.exe  cmdline: C:\Windows\system32\Llfifq32.exe  PID:3068  [Executes dropped EXE; Loads dropped DLL]
31⤵ C:\Windows\SysWOW64\Lliflp32.exe  cmdline: C:\Windows\system32\Lliflp32.exe  PID:2588  [Executes dropped EXE; Loads dropped DLL]
32⤵ C:\Windows\SysWOW64\Limfed32.exe  cmdline: C:\Windows\system32\Limfed32.exe  PID:2540  [Executes dropped EXE; Loads dropped DLL]
33⤵ C:\Windows\SysWOW64\Lecgje32.exe  cmdline: C:\Windows\system32\Lecgje32.exe  PID:2444  [Executes dropped EXE]
34⤵ C:\Windows\SysWOW64\Lhbcfa32.exe  cmdline: C:\Windows\system32\Lhbcfa32.exe  PID:2800  [Executes dropped EXE]
35⤵ C:\Windows\SysWOW64\Lajhofao.exe  cmdline: C:\Windows\system32\Lajhofao.exe  PID:2604  [Executes dropped EXE]
36⤵ C:\Windows\SysWOW64\Lefdpe32.exe  cmdline: C:\Windows\system32\Lefdpe32.exe  PID:2696  [Executes dropped EXE]
37⤵ C:\Windows\SysWOW64\Mgimmm32.exe  cmdline: C:\Windows\system32\Mgimmm32.exe  PID:1224  [Executes dropped EXE]
38⤵ C:\Windows\SysWOW64\Maoajf32.exe  cmdline: C:\Windows\system32\Maoajf32.exe  PID:2668  [Executes dropped EXE]
39⤵ C:\Windows\SysWOW64\Mgljbm32.exe  cmdline: C:\Windows\system32\Mgljbm32.exe  PID:2496  [Executes dropped EXE]
40⤵ C:\Windows\SysWOW64\Mimbdhhb.exe  cmdline: C:\Windows\system32\Mimbdhhb.exe  PID:2772  [Executes dropped EXE]
41⤵ C:\Windows\SysWOW64\Mmhodf32.exe  cmdline: C:\Windows\system32\Mmhodf32.exe  PID:944  [Executes dropped EXE]
42⤵ C:\Windows\SysWOW64\Mgqcmlgl.exe  cmdline: C:\Windows\system32\Mgqcmlgl.exe  PID:1988  [Executes dropped EXE]
43⤵ C:\Windows\SysWOW64\Mpigfa32.exe  cmdline: C:\Windows\system32\Mpigfa32.exe  PID:1832  [Executes dropped EXE]
44⤵ C:\Windows\SysWOW64\Najdnj32.exe  cmdline: C:\Windows\system32\Najdnj32.exe  PID:568  [Executes dropped EXE]
45⤵ C:\Windows\SysWOW64\Nlphkb32.exe  cmdline: C:\Windows\system32\Nlphkb32.exe  PID:2076  [Executes dropped EXE]
46⤵ C:\Windows\SysWOW64\Nondgn32.exe  cmdline: C:\Windows\system32\Nondgn32.exe  PID:1400  [Executes dropped EXE]
47⤵ C:\Windows\SysWOW64\Ndkmpe32.exe  cmdline: C:\Windows\system32\Ndkmpe32.exe  PID:2256  [Executes dropped EXE]
48⤵ C:\Windows\SysWOW64\Nhfipcid.exe  cmdline: C:\Windows\system32\Nhfipcid.exe  PID:784  [Executes dropped EXE]
49⤵ C:\Windows\SysWOW64\Nncahjgl.exe  cmdline: C:\Windows\system32\Nncahjgl.exe  PID:1736  [Executes dropped EXE]
50⤵ C:\Windows\SysWOW64\Nejiih32.exe  cmdline: C:\Windows\system32\Nejiih32.exe  PID:2836  [Executes dropped EXE]
51⤵ C:\Windows\SysWOW64\Nglfapnl.exe  cmdline: C:\Windows\system32\Nglfapnl.exe  PID:2888  [Executes dropped EXE]
52⤵ C:\Windows\SysWOW64\Nkgbbo32.exe  cmdline: C:\Windows\system32\Nkgbbo32.exe  PID:1604  [Executes dropped EXE]
53⤵ C:\Windows\SysWOW64\Naajoinb.exe  cmdline: C:\Windows\system32\Naajoinb.exe  PID:3044  [Executes dropped EXE]
54⤵ C:\Windows\SysWOW64\Npdjje32.exe  cmdline: C:\Windows\system32\Npdjje32.exe  PID:2632  [Executes dropped EXE]
55⤵ C:\Windows\SysWOW64\Ngnbgplj.exe  cmdline: C:\Windows\system32\Ngnbgplj.exe  PID:2740  [Executes dropped EXE]
56⤵ C:\Windows\SysWOW64\Nkiogn32.exe  cmdline: C:\Windows\system32\Nkiogn32.exe  PID:2428  [Executes dropped EXE]
57⤵ C:\Windows\SysWOW64\Nacgdhlp.exe  cmdline: C:\Windows\system32\Nacgdhlp.exe  PID:2300  [Executes dropped EXE]
58⤵ C:\Windows\SysWOW64\Ndbcpd32.exe  cmdline: C:\Windows\system32\Ndbcpd32.exe  PID:2912  [Executes dropped EXE]
59⤵ C:\Windows\SysWOW64\Nceclqan.exe  cmdline: C:\Windows\system32\Nceclqan.exe  PID:1588  [Executes dropped EXE]
60⤵ C:\Windows\SysWOW64\Oklkmnbp.exe  cmdline: C:\Windows\system32\Oklkmnbp.exe  PID:1760  [Executes dropped EXE]
61⤵ C:\Windows\SysWOW64\Olmhdf32.exe  cmdline: C:\Windows\system32\Olmhdf32.exe  PID:2680  [Executes dropped EXE]
62⤵ C:\Windows\SysWOW64\Oddpfc32.exe  cmdline: C:\Windows\system32\Oddpfc32.exe  PID:788  [Executes dropped EXE]
63⤵ C:\Windows\SysWOW64\Onmdoioa.exe  cmdline: C:\Windows\system32\Onmdoioa.exe  PID:2776  [Executes dropped EXE]
64⤵ C:\Windows\SysWOW64\Olpdjf32.exe  cmdline: C:\Windows\system32\Olpdjf32.exe  PID:2824  [Executes dropped EXE]
65⤵ C:\Windows\SysWOW64\Ocimgp32.exe  cmdline: C:\Windows\system32\Ocimgp32.exe  PID:2364  [Executes dropped EXE]
66⤵ C:\Windows\SysWOW64\Ohfeog32.exe  cmdline: C:\Windows\system32\Ohfeog32.exe  PID:1296
67⤵ C:\Windows\SysWOW64\Oqmmpd32.exe  cmdline: C:\Windows\system32\Oqmmpd32.exe  PID:1720
68⤵ C:\Windows\SysWOW64\Oclilp32.exe  cmdline: C:\Windows\system32\Oclilp32.exe  PID:3028  [Adds autorun key to be loaded by Explorer.exe on startup]
69⤵ C:\Windows\SysWOW64\Ojfaijcc.exe  cmdline: C:\Windows\system32\Ojfaijcc.exe  PID:3056
70⤵ C:\Windows\SysWOW64\Okgnab32.exe  cmdline: C:\Windows\system32\Okgnab32.exe  PID:1976
71⤵ C:\Windows\SysWOW64\Oobjaqaj.exe  cmdline: C:\Windows\system32\Oobjaqaj.exe  PID:2908
72⤵ C:\Windows\SysWOW64\Obafnlpn.exe  cmdline: C:\Windows\system32\Obafnlpn.exe  PID:2652
73⤵ C:\Windows\SysWOW64\Ofmbnkhg.exe  cmdline: C:\Windows\system32\Ofmbnkhg.exe  PID:2728
74⤵ C:\Windows\SysWOW64\Oikojfgk.exe  cmdline: C:\Windows\system32\Oikojfgk.exe  PID:2436
75⤵ C:\Windows\SysWOW64\Okikfagn.exe  cmdline: C:\Windows\system32\Okikfagn.exe  PID:2476
76⤵ C:\Windows\SysWOW64\Onhgbmfb.exe  cmdline: C:\Windows\system32\Onhgbmfb.exe  PID:2924
77⤵ C:\Windows\SysWOW64\Pfoocjfd.exe  cmdline: C:\Windows\system32\Pfoocjfd.exe  PID:2692
78⤵ C:\Windows\SysWOW64\Pdaoog32.exe  cmdline: C:\Windows\system32\Pdaoog32.exe  PID:488
79⤵ C:\Windows\SysWOW64\Pgplkb32.exe  cmdline: C:\Windows\system32\Pgplkb32.exe  PID:2516
80⤵ C:\Windows\SysWOW64\Piphee32.exe  cmdline: C:\Windows\system32\Piphee32.exe  PID:2316
81⤵ C:\Windows\SysWOW64\Pgbhabjp.exe  cmdline: C:\Windows\system32\Pgbhabjp.exe  PID:1796
82⤵ C:\Windows\SysWOW64\Pnlqnl32.exe  cmdline: C:\Windows\system32\Pnlqnl32.exe  PID:452
83⤵ C:\Windows\SysWOW64\Pefijfii.exe  cmdline: C:\Windows\system32\Pefijfii.exe  PID:1872
84⤵ C:\Windows\SysWOW64\Pgeefbhm.exe  cmdline: C:\Windows\system32\Pgeefbhm.exe  PID:2080
85⤵ C:\Windows\SysWOW64\Peiepfgg.exe  cmdline: C:\Windows\system32\Peiepfgg.exe  PID:2512
86⤵ C:\Windows\SysWOW64\Pfjbgnme.exe  cmdline: C:\Windows\system32\Pfjbgnme.exe  PID:1940
87⤵ C:\Windows\SysWOW64\Pmdjdh32.exe  cmdline: C:\Windows\system32\Pmdjdh32.exe  PID:2220
88⤵ C:\Windows\SysWOW64\Papfegmk.exe  cmdline: C:\Windows\system32\Papfegmk.exe  PID:2344
89⤵ C:\Windows\SysWOW64\Pcnbablo.exe  cmdline: C:\Windows\system32\Pcnbablo.exe  PID:2736
90⤵ C:\Windows\SysWOW64\Pikkiijf.exe  cmdline: C:\Windows\system32\Pikkiijf.exe  PID:1612
91⤵ C:\Windows\SysWOW64\Qpecfc32.exe  cmdline: C:\Windows\system32\Qpecfc32.exe  PID:2372
92⤵ C:\Windows\SysWOW64\Qfokbnip.exe  cmdline: C:\Windows\system32\Qfokbnip.exe  PID:600
93⤵ C:\Windows\SysWOW64\Qimhoi32.exe  cmdline: C:\Windows\system32\Qimhoi32.exe  PID:2248
94⤵ C:\Windows\SysWOW64\Qmicohqm.exe  cmdline: C:\Windows\system32\Qmicohqm.exe  PID:1268
95⤵ C:\Windows\SysWOW64\Qcbllb32.exe  cmdline: C:\Windows\system32\Qcbllb32.exe  PID:2052
96⤵ C:\Windows\SysWOW64\Qedhdjnh.exe  cmdline: C:\Windows\system32\Qedhdjnh.exe  PID:3036
97⤵ C:\Windows\SysWOW64\Alnqqd32.exe  cmdline: C:\Windows\system32\Alnqqd32.exe  PID:1672
98⤵ C:\Windows\SysWOW64\Anlmmp32.exe  cmdline: C:\Windows\system32\Anlmmp32.exe  PID:928  [Drops file in System32 directory]
99⤵ C:\Windows\SysWOW64\Anojbobe.exe  cmdline: C:\Windows\system32\Anojbobe.exe  PID:808
100⤵ C:\Windows\SysWOW64\Aidnohbk.exe  cmdline: C:\Windows\system32\Aidnohbk.exe  PID:908
101⤵ C:\Windows\SysWOW64\Albjlcao.exe  cmdline: C:\Windows\system32\Albjlcao.exe  PID:2744
102⤵ C:\Windows\SysWOW64\Ajejgp32.exe  cmdline: C:\Windows\system32\Ajejgp32.exe  PID:1788
103⤵ C:\Windows\SysWOW64\Abmbhn32.exe  cmdline: C:\Windows\system32\Abmbhn32.exe  PID:2432
104⤵ C:\Windows\SysWOW64\Aekodi32.exe  cmdline: C:\Windows\system32\Aekodi32.exe  PID:2276
105⤵ C:\Windows\SysWOW64\Alegac32.exe  cmdline: C:\Windows\system32\Alegac32.exe  PID:2948
106⤵ C:\Windows\SysWOW64\Anccmo32.exe  cmdline: C:\Windows\system32\Anccmo32.exe  PID:2244
107⤵ C:\Windows\SysWOW64\Aaaoij32.exe  cmdline: C:\Windows\system32\Aaaoij32.exe  PID:2044
108⤵ C:\Windows\SysWOW64\Ahlgfdeq.exe  cmdline: C:\Windows\system32\Ahlgfdeq.exe  PID:2232
109⤵ C:\Windows\SysWOW64\Ajjcbpdd.exe  cmdline: C:\Windows\system32\Ajjcbpdd.exe  PID:1936
110⤵ C:\Windows\SysWOW64\Amhpnkch.exe  cmdline: C:\Windows\system32\Amhpnkch.exe  PID:1756  [Adds autorun key to be loaded by Explorer.exe on startup]
111⤵ C:\Windows\SysWOW64\Bdbhke32.exe  cmdline: C:\Windows\system32\Bdbhke32.exe  PID:792
112⤵ C:\Windows\SysWOW64\Bfadgq32.exe  cmdline: C:\Windows\system32\Bfadgq32.exe  PID:2192
113⤵ C:\Windows\SysWOW64\Bjlqhoba.exe  cmdline: C:\Windows\system32\Bjlqhoba.exe  PID:1508
114⤵ C:\Windows\SysWOW64\Bafidiio.exe  cmdline: C:\Windows\system32\Bafidiio.exe  PID:1608
115⤵ C:\Windows\SysWOW64\Bbhela32.exe  cmdline: C:\Windows\system32\Bbhela32.exe  PID:2040
116⤵ C:\Windows\SysWOW64\Biamilfj.exe  cmdline: C:\Windows\system32\Biamilfj.exe  PID:2440
117⤵ C:\Windows\SysWOW64\Blpjegfm.exe  cmdline: C:\Windows\system32\Blpjegfm.exe  PID:1816
118⤵ C:\Windows\SysWOW64\Bbjbaa32.exe  cmdline: C:\Windows\system32\Bbjbaa32.exe  PID:2524
119⤵ C:\Windows\SysWOW64\Bfenbpec.exe  cmdline: C:\Windows\system32\Bfenbpec.exe  PID:2264
120⤵ C:\Windows\SysWOW64\Behnnm32.exe  cmdline: C:\Windows\system32\Behnnm32.exe  PID:1652
121⤵ C:\Windows\SysWOW64\Boqbfb32.exe  cmdline: C:\Windows\system32\Boqbfb32.exe  PID:1964
122⤵ C:\Windows\SysWOW64\Bblogakg.exe  cmdline: C:\Windows\system32\Bblogakg.exe  PID:2116