Analysis
-
max time kernel
143s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
02-05-2024 11:12
Behavioral task
behavioral1
Sample
af2d03ceed48b868e96552990002f404.exe
Resource
win7-20240220-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
af2d03ceed48b868e96552990002f404.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
af2d03ceed48b868e96552990002f404.exe
-
Size
456KB
-
MD5
af2d03ceed48b868e96552990002f404
-
SHA1
9830898f83313d1b0412bb2693d633764bbbad65
-
SHA256
cee9afc19fd9349bdef46c7db8162e2dc81d75ebc5c373d4ae00884383946cc2
-
SHA512
41987cdda5e3444c0b6027d34d1088364d577c496e166a6edcc5f2d5845c2688b5f68baaf2c50e7eb7f154ebab4e1db96a3b50947c64367ca7ee04106bcadc3f
-
SSDEEP
12288:liwIKfDy/phgeczlqczZd7LFB3oFHoGnFjVZnykJGvpHGdm:liwFfDy/phgeczlqczZd7LFB3oFHoGn+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abedecjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaedgjjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhbec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchhggno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhfhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhfnccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmioonpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkamqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpjmee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkljak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdnjgmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bclhhnca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihicplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdmod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdkch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcpapkgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfqjafdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmmhdhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfijcfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejfpjne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhidjpqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cekohk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbapjafe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhbdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadlclim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iihkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcdimopp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcbpab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebdoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cidncj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaimbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmajipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohhpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpnhfhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chgoogfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgneampk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghieg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kepelfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidemmnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpoefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbocea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpccnefa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipabjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmidog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andqdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphifcoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiikak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmncnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnnig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpljkdig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimjhafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnebeogl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeklkchg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhqaefng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqpego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eadopc32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000d000000023ae7-7.dat family_berbew behavioral2/files/0x000a000000023b79-15.dat family_berbew behavioral2/files/0x000a000000023b7b-23.dat family_berbew behavioral2/files/0x000a000000023b7d-31.dat family_berbew behavioral2/files/0x000a000000023b7f-39.dat family_berbew behavioral2/files/0x000a000000023b81-47.dat family_berbew behavioral2/files/0x000a000000023b83-56.dat family_berbew behavioral2/files/0x000a000000023b85-63.dat family_berbew behavioral2/files/0x000a000000023b87-71.dat family_berbew behavioral2/files/0x000a000000023b89-78.dat family_berbew behavioral2/files/0x000a000000023b8b-87.dat family_berbew behavioral2/files/0x000a000000023b8d-95.dat family_berbew behavioral2/files/0x000a000000023b8f-103.dat family_berbew behavioral2/files/0x000a000000023b92-111.dat family_berbew behavioral2/files/0x000e000000023b6d-119.dat family_berbew behavioral2/files/0x000a000000023b95-127.dat family_berbew behavioral2/files/0x000a000000023b97-135.dat family_berbew behavioral2/files/0x000a000000023b99-138.dat family_berbew behavioral2/files/0x000a000000023b9b-152.dat family_berbew behavioral2/files/0x000a000000023b9d-160.dat family_berbew behavioral2/files/0x000a000000023b9f-167.dat family_berbew behavioral2/files/0x000a000000023ba1-176.dat family_berbew behavioral2/files/0x000a000000023ba3-184.dat family_berbew behavioral2/files/0x000a000000023bab-212.dat family_berbew behavioral2/files/0x000a000000023bad-219.dat family_berbew behavioral2/files/0x000a000000023bb5-247.dat family_berbew behavioral2/files/0x000a000000023bb3-240.dat family_berbew behavioral2/files/0x000a000000023bb1-233.dat family_berbew behavioral2/files/0x000a000000023baf-226.dat family_berbew behavioral2/files/0x000a000000023ba9-205.dat family_berbew behavioral2/files/0x000a000000023ba7-198.dat family_berbew behavioral2/files/0x000a000000023ba5-191.dat family_berbew behavioral2/files/0x0007000000023cd7-713.dat family_berbew behavioral2/files/0x0007000000023cf1-786.dat family_berbew behavioral2/files/0x0007000000023cf7-804.dat family_berbew behavioral2/files/0x0007000000023d07-852.dat family_berbew behavioral2/files/0x0007000000023d0f-879.dat family_berbew behavioral2/files/0x0007000000023d1d-927.dat family_berbew behavioral2/files/0x0007000000023d21-941.dat family_berbew behavioral2/files/0x0007000000023d2f-989.dat family_berbew behavioral2/files/0x0007000000023d4b-1081.dat family_berbew behavioral2/files/0x0007000000023d4f-1096.dat family_berbew behavioral2/files/0x0007000000023d5a-1142.dat family_berbew behavioral2/files/0x0007000000023d72-1221.dat family_berbew behavioral2/files/0x0007000000023d98-1344.dat family_berbew behavioral2/files/0x0007000000023da0-1371.dat family_berbew behavioral2/files/0x0007000000023da4-1385.dat family_berbew behavioral2/files/0x0007000000023da8-1399.dat family_berbew behavioral2/files/0x0007000000023daa-1407.dat family_berbew behavioral2/files/0x0007000000023daf-1420.dat family_berbew behavioral2/files/0x0007000000023dbb-1460.dat family_berbew behavioral2/files/0x0007000000023dc1-1481.dat family_berbew behavioral2/files/0x0007000000023dc9-1506.dat family_berbew behavioral2/files/0x0007000000023dcd-1520.dat family_berbew behavioral2/files/0x0007000000023dd7-1551.dat family_berbew behavioral2/files/0x0007000000023dd9-1559.dat family_berbew behavioral2/files/0x0007000000023de3-1591.dat family_berbew behavioral2/files/0x0007000000023de9-1609.dat family_berbew behavioral2/files/0x0007000000023ded-1622.dat family_berbew behavioral2/files/0x0007000000023df7-1655.dat family_berbew behavioral2/files/0x0007000000023dfd-1675.dat family_berbew behavioral2/files/0x0007000000023e07-1711.dat family_berbew behavioral2/files/0x0007000000023e12-1748.dat family_berbew behavioral2/files/0x0007000000023e1c-1786.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 512 Aoqenf32.exe 3620 Ahiigkqd.exe 3436 Aocace32.exe 4956 Aoeniefo.exe 4448 Aeoffo32.exe 2272 Aliobieh.exe 3804 Alkkhi32.exe 3180 Abedecjb.exe 780 Blnhni32.exe 4212 Bibigmpl.exe 4056 Booaodnd.exe 3324 Bidemmnj.exe 3836 Bpnnig32.exe 4724 Blennh32.exe 4972 Bemcgmak.exe 4520 Bhlocipo.exe 2716 Badcln32.exe 2256 Cpedjf32.exe 4464 Cafpanem.exe 1752 Ccfmla32.exe 696 Chbedh32.exe 4396 Cpjmee32.exe 2300 Cchiaqjm.exe 2224 Cakjmm32.exe 3752 Cefemliq.exe 4984 Chebighd.exe 3104 Clqnjf32.exe 3156 Cpljkdig.exe 2156 Coojfa32.exe 4716 Camfbm32.exe 2592 Ceibclgn.exe 2004 Cidncj32.exe 2324 Chgoogfa.exe 2264 Clckpf32.exe 836 Cpofpdgd.exe 884 Coagla32.exe 3764 Ccmclp32.exe 640 Cekohk32.exe 4088 Digkijmd.exe 4884 Dhjkdg32.exe 4584 Dlegeemh.exe 2520 Dpacfd32.exe 3792 Dcopbp32.exe 2608 Dabpnlkp.exe 2452 Denlnk32.exe 316 Diihojkb.exe 1032 Dlgdkeje.exe 4324 Dpcpkc32.exe 2460 Dcalgo32.exe 2952 Dadlclim.exe 4104 Dephckaf.exe 4168 Dhnepfpj.exe 3500 Dljqpd32.exe 1576 Dpemacql.exe 344 Dcdimopp.exe 4312 Dagiil32.exe 3068 Debeijoc.exe 5088 Dhqaefng.exe 4352 Dllmfd32.exe 4508 Dphifcoi.exe 4604 Dcfebonm.exe 3872 Djpnohej.exe 4524 Dakbckbe.exe 3920 Efgodj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kgphpo32.exe Kbdmpqcb.exe File opened for modification C:\Windows\SysWOW64\Kaemnhla.exe Kinemkko.exe File created C:\Windows\SysWOW64\Joamagmq.dll Kmlnbi32.exe File opened for modification C:\Windows\SysWOW64\Mnlfigcc.exe Lknjmkdo.exe File created C:\Windows\SysWOW64\Bejogg32.exe Bjdkjo32.exe File created C:\Windows\SysWOW64\Ldleel32.exe Llemdo32.exe File opened for modification C:\Windows\SysWOW64\Cfdhkhjj.exe Cdfkolkf.exe File opened for modification C:\Windows\SysWOW64\Gmhfhp32.exe Gimjhafg.exe File created C:\Windows\SysWOW64\Fjcclf32.exe Fcikolnh.exe File opened for modification C:\Windows\SysWOW64\Kbfbkj32.exe Kdcbom32.exe File created C:\Windows\SysWOW64\Mmpijp32.exe Meiaib32.exe File opened for modification C:\Windows\SysWOW64\Calhnpgn.exe Cnnlaehj.exe File created C:\Windows\SysWOW64\Kmdjdl32.dll Deokon32.exe File created C:\Windows\SysWOW64\Bademghm.dll Ficgacna.exe File opened for modification C:\Windows\SysWOW64\Dadlclim.exe Dcalgo32.exe File created C:\Windows\SysWOW64\Kncfca32.dll Fjhmgeao.exe File created C:\Windows\SysWOW64\Jpckhigh.dll Gimjhafg.exe File opened for modification C:\Windows\SysWOW64\Imbaemhc.exe Ijdeiaio.exe File created C:\Windows\SysWOW64\Iabgaklg.exe Iikopmkd.exe File created C:\Windows\SysWOW64\Higchddh.dll Dojcgi32.exe File opened for modification C:\Windows\SysWOW64\Faihkbci.exe Fhqcam32.exe File created C:\Windows\SysWOW64\Bidemmnj.exe Booaodnd.exe File created C:\Windows\SysWOW64\Nngokoej.exe Nepgjaeg.exe File created C:\Windows\SysWOW64\Mfilim32.dll Pnakhkol.exe File created C:\Windows\SysWOW64\Ccdlci32.dll Pmidog32.exe File created C:\Windows\SysWOW64\Adgbpc32.exe Ampkof32.exe File created C:\Windows\SysWOW64\Ddjejl32.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Oijgnaaa.dll Fdlnbm32.exe File created C:\Windows\SysWOW64\Ndghmo32.exe Nqklmpdd.exe File created C:\Windows\SysWOW64\Qecppkdm.exe Peqcjkfp.exe File created C:\Windows\SysWOW64\Bgdpie32.dll Bajjli32.exe File opened for modification C:\Windows\SysWOW64\Clbceo32.exe Cbjoljdo.exe File created C:\Windows\SysWOW64\Eapedd32.exe Eoaihhlp.exe File opened for modification C:\Windows\SysWOW64\Bjokdipf.exe Bmkjkd32.exe File opened for modification C:\Windows\SysWOW64\Fijmbb32.exe Fjhmgeao.exe File created C:\Windows\SysWOW64\Ifhmhq32.dll Hfachc32.exe File opened for modification C:\Windows\SysWOW64\Kbapjafe.exe Kdopod32.exe File created C:\Windows\SysWOW64\Fcdjjo32.dll Njljefql.exe File created C:\Windows\SysWOW64\Odgqdlnj.exe Oqkdcn32.exe File opened for modification C:\Windows\SysWOW64\Dhnnep32.exe Doeiljfn.exe File created C:\Windows\SysWOW64\Flnakb32.dll Echknh32.exe File opened for modification C:\Windows\SysWOW64\Jpnchp32.exe Jbjcolha.exe File created C:\Windows\SysWOW64\Dephckaf.exe Dadlclim.exe File created C:\Windows\SysWOW64\Hppdbdbc.dll Ogpmjb32.exe File created C:\Windows\SysWOW64\Jianff32.exe Jbhfjljd.exe File created C:\Windows\SysWOW64\Kimnbd32.exe Kpeiioac.exe File created C:\Windows\SysWOW64\Qoqbfpfe.dll Ageolo32.exe File created C:\Windows\SysWOW64\Eheqhpfp.dll Hfcicmqp.exe File created C:\Windows\SysWOW64\Djmdfpmb.dll Gbjhlfhb.exe File opened for modification C:\Windows\SysWOW64\Ifmcdblq.exe Idofhfmm.exe File created C:\Windows\SysWOW64\Jfdida32.exe Jbhmdbnp.exe File created C:\Windows\SysWOW64\Nphqml32.dll Jiikak32.exe File opened for modification C:\Windows\SysWOW64\Nceonl32.exe Njljefql.exe File created C:\Windows\SysWOW64\Odbgim32.exe Odpjcm32.exe File created C:\Windows\SysWOW64\Ijfjal32.dll Mipcob32.exe File created C:\Windows\SysWOW64\Fqmlhpla.exe Fjcclf32.exe File created C:\Windows\SysWOW64\Fhemmlhc.exe Ffgqqaip.exe File created C:\Windows\SysWOW64\Nlmllkja.exe Nebdoa32.exe File opened for modification C:\Windows\SysWOW64\Ngdmod32.exe Npjebj32.exe File created C:\Windows\SysWOW64\Ffpmlcim.dll Cfdhkhjj.exe File created C:\Windows\SysWOW64\Nilhco32.dll Jmbklj32.exe File created C:\Windows\SysWOW64\Filmeaek.dll Qalnjkgo.exe File opened for modification C:\Windows\SysWOW64\Gohhpe32.exe Ghopckpi.exe File created C:\Windows\SysWOW64\Hmcojh32.exe Hfifmnij.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12152 11908 WerFault.exe 605 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll" Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifjodl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlopkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll" Jjbako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll" Fodeolof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcedaheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll" Jfhbppbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcagphom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll" Opakbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocpgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmmfmbhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odpjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjoke32.dll" Pgjfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll" Gpnhekgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqkdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccmclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll" Ecdbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll" Jfaloa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbklj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmidh32.dll" Ogljjiei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blfdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmafkkf.dll" Gfembo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcdimopp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll" Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolmfp32.dll" Pghieg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abngjnmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdkcmdhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Likjcbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll" Ajfhnjhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idacmfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdeqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodldljj.dll" Cpjmee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdffocib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijgnaaa.dll" Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmfkoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kepelfam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpcpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll" Kdopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpaeonmc.dll" Blfdia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Menjdbgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hihicplj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gimjhafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" Liggbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eefhjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Badcln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkgdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljfpnjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll" Bmkjkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmccchkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcalgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhqaefng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gimjhafg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkalchij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkffk32.dll" Fchddejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afoeiklb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5096 wrote to memory of 512 5096 af2d03ceed48b868e96552990002f404.exe 83 PID 5096 wrote to memory of 512 5096 af2d03ceed48b868e96552990002f404.exe 83 PID 5096 wrote to memory of 512 5096 af2d03ceed48b868e96552990002f404.exe 83 PID 512 wrote to memory of 3620 512 Aoqenf32.exe 84 PID 512 wrote to memory of 3620 512 Aoqenf32.exe 84 PID 512 wrote to memory of 3620 512 Aoqenf32.exe 84 PID 3620 wrote to memory of 3436 3620 Ahiigkqd.exe 85 PID 3620 wrote to memory of 3436 3620 Ahiigkqd.exe 85 PID 3620 wrote to memory of 3436 3620 Ahiigkqd.exe 85 PID 3436 wrote to memory of 4956 3436 Aocace32.exe 86 PID 3436 wrote to memory of 4956 3436 Aocace32.exe 86 PID 3436 wrote to memory of 4956 3436 Aocace32.exe 86 PID 4956 wrote to memory of 4448 4956 Aoeniefo.exe 87 PID 4956 wrote to memory of 4448 4956 Aoeniefo.exe 87 PID 4956 wrote to memory of 4448 4956 Aoeniefo.exe 87 PID 4448 wrote to memory of 2272 4448 Aeoffo32.exe 89 PID 4448 wrote to memory of 2272 4448 Aeoffo32.exe 89 PID 4448 wrote to memory of 2272 4448 Aeoffo32.exe 89 PID 2272 wrote to memory of 3804 2272 Aliobieh.exe 91 PID 2272 wrote to memory of 3804 2272 Aliobieh.exe 91 PID 2272 wrote to memory of 3804 2272 Aliobieh.exe 91 PID 3804 wrote to memory of 3180 3804 Alkkhi32.exe 93 PID 3804 wrote to memory of 3180 3804 Alkkhi32.exe 93 PID 3804 wrote to memory of 3180 3804 Alkkhi32.exe 93 PID 3180 wrote to memory of 780 3180 Abedecjb.exe 94 PID 3180 wrote to memory of 780 3180 Abedecjb.exe 94 PID 3180 wrote to memory of 780 3180 Abedecjb.exe 94 PID 780 wrote to memory of 4212 780 Blnhni32.exe 95 PID 780 wrote to memory of 4212 780 Blnhni32.exe 95 PID 780 wrote to memory of 4212 780 Blnhni32.exe 95 PID 4212 wrote to memory of 4056 4212 Bibigmpl.exe 96 PID 4212 wrote to memory of 4056 4212 Bibigmpl.exe 96 PID 4212 wrote to memory of 4056 4212 Bibigmpl.exe 96 PID 4056 wrote to memory of 3324 4056 Booaodnd.exe 97 PID 4056 wrote to memory of 3324 4056 Booaodnd.exe 97 PID 4056 wrote to memory of 3324 4056 Booaodnd.exe 97 PID 3324 wrote to memory of 3836 3324 Bidemmnj.exe 98 PID 3324 wrote to memory of 3836 3324 Bidemmnj.exe 98 PID 3324 wrote to memory of 3836 3324 Bidemmnj.exe 98 PID 3836 wrote to memory of 4724 3836 Bpnnig32.exe 99 PID 3836 wrote to memory of 4724 3836 Bpnnig32.exe 99 PID 3836 wrote to memory of 4724 3836 Bpnnig32.exe 99 PID 4724 wrote to memory of 4972 4724 Blennh32.exe 100 PID 4724 wrote to memory of 4972 4724 Blennh32.exe 100 PID 4724 wrote to memory of 4972 4724 Blennh32.exe 100 PID 4972 wrote to memory of 4520 4972 Bemcgmak.exe 101 PID 4972 wrote to memory of 4520 4972 Bemcgmak.exe 101 PID 4972 wrote to memory of 4520 4972 Bemcgmak.exe 101 PID 4520 wrote to memory of 2716 4520 Bhlocipo.exe 102 PID 4520 wrote to memory of 2716 4520 Bhlocipo.exe 102 PID 4520 wrote to memory of 2716 4520 Bhlocipo.exe 102 PID 2716 wrote to memory of 2256 2716 Badcln32.exe 103 PID 2716 wrote to memory of 2256 2716 Badcln32.exe 103 PID 2716 wrote to memory of 2256 2716 Badcln32.exe 103 PID 2256 wrote to memory of 4464 2256 Cpedjf32.exe 104 PID 2256 wrote to memory of 4464 2256 Cpedjf32.exe 104 PID 2256 wrote to memory of 4464 2256 Cpedjf32.exe 104 PID 4464 wrote to memory of 1752 4464 Cafpanem.exe 105 PID 4464 wrote to memory of 1752 4464 Cafpanem.exe 105 PID 4464 wrote to memory of 1752 4464 Cafpanem.exe 105 PID 1752 wrote to memory of 696 1752 Ccfmla32.exe 106 PID 1752 wrote to memory of 696 1752 Ccfmla32.exe 106 PID 1752 wrote to memory of 696 1752 Ccfmla32.exe 106 PID 696 wrote to memory of 4396 696 Chbedh32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\af2d03ceed48b868e96552990002f404.exe"C:\Users\Admin\AppData\Local\Temp\af2d03ceed48b868e96552990002f404.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Aoqenf32.exeC:\Windows\system32\Aoqenf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Ahiigkqd.exeC:\Windows\system32\Ahiigkqd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Aocace32.exeC:\Windows\system32\Aocace32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Aoeniefo.exeC:\Windows\system32\Aoeniefo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Aeoffo32.exeC:\Windows\system32\Aeoffo32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Aliobieh.exeC:\Windows\system32\Aliobieh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Alkkhi32.exeC:\Windows\system32\Alkkhi32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Abedecjb.exeC:\Windows\system32\Abedecjb.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Blnhni32.exeC:\Windows\system32\Blnhni32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Bidemmnj.exeC:\Windows\system32\Bidemmnj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Badcln32.exeC:\Windows\system32\Badcln32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe24⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe25⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe26⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe27⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe28⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe30⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe31⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe32⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe35⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe36⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe37⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3764 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe40⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe41⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe42⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe43⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe44⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe45⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe46⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe47⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe48⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe52⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe53⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe54⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe55⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe57⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe58⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe60⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe62⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe63⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe64⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe65⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe66⤵PID:4660
-
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe67⤵PID:4488
-
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe68⤵PID:4612
-
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe69⤵PID:4052
-
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe70⤵PID:4328
-
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe71⤵PID:4372
-
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe72⤵PID:2008
-
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe73⤵PID:4696
-
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe74⤵PID:4220
-
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe75⤵PID:1004
-
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe76⤵PID:3456
-
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe77⤵PID:1924
-
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe78⤵PID:3204
-
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe79⤵PID:3572
-
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe80⤵PID:4428
-
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe81⤵PID:548
-
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe82⤵
- Modifies registry class
PID:3440 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe83⤵PID:3712
-
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe84⤵
- Modifies registry class
PID:5092 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe85⤵PID:4300
-
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe86⤵
- Drops file in System32 directory
PID:4320 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe87⤵PID:2148
-
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe88⤵
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe89⤵
- Drops file in System32 directory
PID:4808 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe90⤵PID:4316
-
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe91⤵PID:4704
-
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe92⤵PID:5164
-
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe93⤵PID:5216
-
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe94⤵PID:5276
-
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe95⤵PID:5320
-
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe96⤵PID:5372
-
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe97⤵
- Drops file in System32 directory
PID:5416 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe98⤵PID:5464
-
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe99⤵PID:5508
-
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe100⤵
- Modifies registry class
PID:5548 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe102⤵PID:5628
-
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5712 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe105⤵PID:5744
-
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe106⤵PID:5792
-
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe108⤵PID:5876
-
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe109⤵PID:5916
-
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe110⤵PID:5964
-
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe111⤵PID:6004
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe112⤵PID:6044
-
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe113⤵PID:6088
-
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe114⤵PID:6128
-
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe115⤵
- Drops file in System32 directory
PID:5152 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe116⤵PID:5236
-
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe117⤵PID:5296
-
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe118⤵
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe119⤵PID:5524
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe120⤵PID:5604
-
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe121⤵PID:5700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-