Analysis
-
max time kernel
131s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
17/05/2024, 14:26
Behavioral task
behavioral1
Sample
47c8f69fea8621a2be7b2335aa41a703.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
47c8f69fea8621a2be7b2335aa41a703.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
47c8f69fea8621a2be7b2335aa41a703.exe
-
Size
768KB
-
MD5
47c8f69fea8621a2be7b2335aa41a703
-
SHA1
b38308d36a76d30264017fb33e19610aa2ab7867
-
SHA256
234ebd0804598352e2c35326ec452008c56ad729fa8580bce7009292d7fece00
-
SHA512
5e1f136a273687ee3293713c6a180811e32ec2f2b3cd0edd0e0cf94ae8fbe7137000f9acd0ebe927c234f007f0b930ba407876718b91ab8fead8a5448c8ba6ab
-
SSDEEP
12288:rJ9vI6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGJ:rkq5h3q5htaSHFaZRBEYyqmaf2qwiHPX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfcfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnaqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgbfhmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmeoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbaemhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijfboafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clnjjpod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imoneg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjomap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdegandp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mblkhq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngpjnkpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmnldp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhpla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfqjafdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocqnij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnaqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaimbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdjoane.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knflpoqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lacdmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahnhhod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikcdlmgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhqbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hadkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gokdeeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipnjab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmcdblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajndioga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncldnkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaakpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poaqemao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkepaam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhmdbnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacmah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmmepfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oponmilc.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x00090000000233f9-7.dat family_berbew behavioral2/files/0x0007000000023401-15.dat family_berbew behavioral2/files/0x0007000000023403-23.dat family_berbew behavioral2/files/0x0007000000023405-31.dat family_berbew behavioral2/files/0x0007000000023409-47.dat family_berbew behavioral2/files/0x0007000000023407-40.dat family_berbew behavioral2/files/0x000700000002340d-58.dat family_berbew behavioral2/files/0x000700000002340f-72.dat family_berbew behavioral2/files/0x0007000000023411-79.dat family_berbew behavioral2/files/0x0007000000023413-85.dat family_berbew behavioral2/files/0x0007000000023417-100.dat family_berbew behavioral2/files/0x0007000000023419-107.dat family_berbew behavioral2/files/0x000700000002341b-114.dat family_berbew behavioral2/files/0x000700000002341d-121.dat family_berbew behavioral2/files/0x000700000002342d-177.dat family_berbew behavioral2/files/0x0007000000023435-205.dat family_berbew behavioral2/files/0x00070000000234e3-750.dat family_berbew behavioral2/files/0x00070000000234ef-786.dat family_berbew behavioral2/files/0x00070000000234d8-719.dat family_berbew behavioral2/files/0x0007000000023505-851.dat family_berbew behavioral2/files/0x0007000000023509-863.dat family_berbew behavioral2/files/0x000700000002351b-918.dat family_berbew behavioral2/files/0x000700000002350f-881.dat family_berbew behavioral2/files/0x0007000000023501-839.dat family_berbew behavioral2/files/0x0007000000023529-960.dat family_berbew behavioral2/files/0x000700000002352f-978.dat family_berbew behavioral2/files/0x000700000002343d-233.dat family_berbew behavioral2/files/0x000700000002343b-226.dat family_berbew behavioral2/files/0x0007000000023439-219.dat family_berbew behavioral2/files/0x0007000000023437-212.dat family_berbew behavioral2/files/0x0007000000023433-198.dat family_berbew behavioral2/files/0x0007000000023431-191.dat family_berbew behavioral2/files/0x000700000002342f-184.dat family_berbew behavioral2/files/0x000700000002342b-170.dat family_berbew behavioral2/files/0x0007000000023429-163.dat family_berbew behavioral2/files/0x0007000000023427-156.dat family_berbew behavioral2/files/0x0007000000023425-149.dat family_berbew behavioral2/files/0x0007000000023423-142.dat family_berbew behavioral2/files/0x0007000000023421-135.dat family_berbew behavioral2/files/0x000700000002341f-128.dat family_berbew behavioral2/files/0x0007000000023415-93.dat family_berbew behavioral2/files/0x000700000002340d-64.dat family_berbew behavioral2/files/0x0007000000023557-1098.dat family_berbew behavioral2/files/0x0007000000023577-1203.dat family_berbew behavioral2/files/0x000800000002297b-1328.dat family_berbew behavioral2/files/0x00070000000235cf-1494.dat family_berbew behavioral2/files/0x00070000000235d2-1506.dat family_berbew behavioral2/files/0x00070000000235d4-1515.dat family_berbew behavioral2/files/0x00070000000235de-1544.dat family_berbew behavioral2/files/0x00070000000235ef-1603.dat family_berbew behavioral2/files/0x00070000000235fd-1648.dat family_berbew behavioral2/files/0x0007000000023613-1715.dat family_berbew behavioral2/files/0x000700000002361b-1743.dat family_berbew behavioral2/files/0x000700000002364c-1896.dat family_berbew behavioral2/files/0x0007000000023650-1909.dat family_berbew behavioral2/files/0x000700000002365f-1955.dat family_berbew behavioral2/files/0x0007000000023661-1962.dat family_berbew behavioral2/files/0x000700000002366f-2011.dat family_berbew behavioral2/files/0x0007000000023681-2082.dat family_berbew behavioral2/files/0x00070000000236a7-2226.dat family_berbew behavioral2/files/0x00070000000236b8-2285.dat family_berbew behavioral2/files/0x00070000000236bf-2313.dat family_berbew behavioral2/files/0x00070000000236c5-2333.dat family_berbew behavioral2/files/0x00070000000236ee-2483.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4932 Dhqaefng.exe 2684 Dcfebonm.exe 4784 Dhcnke32.exe 4492 Ejbkehcg.exe 892 Eoocmoao.exe 1284 Ebnoikqb.exe 4964 Elccfc32.exe 5052 Ebploj32.exe 4884 Eleplc32.exe 224 Eodlho32.exe 4220 Ebbidj32.exe 452 Efneehef.exe 3224 Ehlaaddj.exe 2656 Elhmablc.exe 4852 Eofinnkf.exe 208 Ebeejijj.exe 3428 Efpajh32.exe 4540 Ehonfc32.exe 404 Eqfeha32.exe 4480 Ecdbdl32.exe 1220 Fbgbpihg.exe 3300 Ffbnph32.exe 3312 Fmmfmbhn.exe 676 Fqhbmqqg.exe 2488 Fokbim32.exe 2872 Fbioei32.exe 2140 Ffekegon.exe 4176 Ficgacna.exe 4296 Fmocba32.exe 1728 Fomonm32.exe 4348 Fcikolnh.exe 1920 Ffggkgmk.exe 3116 Fjcclf32.exe 4396 Fmapha32.exe 4388 Fopldmcl.exe 812 Fckhdk32.exe 1236 Fbnhphbp.exe 2484 Fjepaecb.exe 396 Fihqmb32.exe 544 Fqohnp32.exe 3788 Fcnejk32.exe 5076 Fijmbb32.exe 3400 Fqaeco32.exe 2356 Fodeolof.exe 1824 Gbcakg32.exe 4288 Gfnnlffc.exe 444 Gimjhafg.exe 4584 Gqdbiofi.exe 4700 Gogbdl32.exe 3068 Gbenqg32.exe 1624 Gfqjafdq.exe 4760 Goiojk32.exe 2324 Gbgkfg32.exe 3160 Gfcgge32.exe 4872 Gjocgdkg.exe 4412 Gmmocpjk.exe 3924 Gpklpkio.exe 4364 Gcggpj32.exe 4044 Gbjhlfhb.exe 2880 Gjapmdid.exe 2884 Gidphq32.exe 232 Gqkhjn32.exe 4536 Gpnhekgl.exe 212 Gbldaffp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ebeejijj.exe Eofinnkf.exe File created C:\Windows\SysWOW64\Ohnebd32.exe Oepifi32.exe File opened for modification C:\Windows\SysWOW64\Fibojhim.exe Fgdbnmji.exe File created C:\Windows\SysWOW64\Kjpijpdg.exe Kinmcg32.exe File created C:\Windows\SysWOW64\Bdkcmdhp.exe Balfaiil.exe File opened for modification C:\Windows\SysWOW64\Imdgqfbd.exe Iemppiab.exe File opened for modification C:\Windows\SysWOW64\Mlcifmbl.exe Miemjaci.exe File opened for modification C:\Windows\SysWOW64\Ohnebd32.exe Oepifi32.exe File created C:\Windows\SysWOW64\Aajohjon.exe Process not Found File opened for modification C:\Windows\SysWOW64\Klhnfo32.exe Process not Found File created C:\Windows\SysWOW64\Mnlfigcc.exe Lknjmkdo.exe File created C:\Windows\SysWOW64\Efeichoo.dll Cmhigf32.exe File created C:\Windows\SysWOW64\Eidlnd32.exe Efepbi32.exe File created C:\Windows\SysWOW64\Adnbpqkj.dll Process not Found File created C:\Windows\SysWOW64\Mgblmpji.dll Iffmccbi.exe File created C:\Windows\SysWOW64\Nffbangm.dll Jplfcpin.exe File opened for modification C:\Windows\SysWOW64\Famjkl32.exe Fdijbg32.exe File created C:\Windows\SysWOW64\Ghhhcomg.exe Gaopfe32.exe File created C:\Windows\SysWOW64\Bemqih32.exe Process not Found File created C:\Windows\SysWOW64\Eocqqdjh.dll Dboigi32.exe File opened for modification C:\Windows\SysWOW64\Ecandfpd.exe Eofbch32.exe File created C:\Windows\SysWOW64\Gbbkaako.exe Gododflk.exe File created C:\Windows\SysWOW64\Clbcapmm.dll Ognpebpj.exe File created C:\Windows\SysWOW64\Gpccpg32.dll Pgdokkfg.exe File created C:\Windows\SysWOW64\Eeelnp32.exe Process not Found File created C:\Windows\SysWOW64\Jcleff32.dll Process not Found File created C:\Windows\SysWOW64\Jqhafffk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dbicpfdk.exe Process not Found File created C:\Windows\SysWOW64\Ppihoe32.dll Process not Found File created C:\Windows\SysWOW64\Nmbjcljl.exe Process not Found File created C:\Windows\SysWOW64\Knefeffd.exe Kihnmohm.exe File opened for modification C:\Windows\SysWOW64\Ocjoadei.exe Process not Found File created C:\Windows\SysWOW64\Hkfoel32.dll Process not Found File created C:\Windows\SysWOW64\Ohlqcagj.exe Process not Found File created C:\Windows\SysWOW64\Ijfboafl.exe Ibojncfj.exe File created C:\Windows\SysWOW64\Blpnib32.exe Bdhfhe32.exe File created C:\Windows\SysWOW64\Nmenca32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dndnpf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mgnnhk32.exe Mpdelajl.exe File opened for modification C:\Windows\SysWOW64\Kimnbd32.exe Kfoafi32.exe File created C:\Windows\SysWOW64\Odkjng32.exe Oponmilc.exe File opened for modification C:\Windows\SysWOW64\Caghhk32.exe Cmklglpn.exe File created C:\Windows\SysWOW64\Qdhogopn.dll Process not Found File created C:\Windows\SysWOW64\Klqcioba.exe Kibgmdcn.exe File created C:\Windows\SysWOW64\Gkbofaoj.dll Efccmidp.exe File opened for modification C:\Windows\SysWOW64\Kpgfooop.exe Kimnbd32.exe File created C:\Windows\SysWOW64\Knknhqjn.dll Dcpmen32.exe File created C:\Windows\SysWOW64\Aafkfgeh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Eodlho32.exe Eleplc32.exe File opened for modification C:\Windows\SysWOW64\Mglack32.exe Mdmegp32.exe File created C:\Windows\SysWOW64\Oboaabga.exe Ojhiqefo.exe File opened for modification C:\Windows\SysWOW64\Ndokbi32.exe Mlhbal32.exe File opened for modification C:\Windows\SysWOW64\Nheble32.exe Neffpj32.exe File created C:\Windows\SysWOW64\Kideagnd.dll Process not Found File created C:\Windows\SysWOW64\Olhldm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ahchda32.exe Afelhf32.exe File opened for modification C:\Windows\SysWOW64\Bfngdn32.exe Akhcfe32.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Process not Found File created C:\Windows\SysWOW64\Bmnogj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fnipbc32.exe Process not Found File created C:\Windows\SysWOW64\Mlkpophj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gafmaj32.exe Gkleeplq.exe File opened for modification C:\Windows\SysWOW64\Igchfiof.exe Ihphkl32.exe File created C:\Windows\SysWOW64\Njinmf32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 13628 12164 Process not Found 1558 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll" Fjepaecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhnegmc.dll" Dpgeee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkohe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmqgabec.dll" Ddcqedkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndkahnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblckl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpjp32.dll" Fcmnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmgejhgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnigobn.dll" Legjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjdejk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkjjij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okolkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Calhnpgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocegdjij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphkfg32.dll" Bhaebcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddchh32.dll" Lihpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cacmah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfookdli.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inmpcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inomhbeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjdachc.dll" Dmihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meickkqm.dll" Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcagc32.dll" Gnhnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqaeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imihfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onklabip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeklag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqkhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iidipnal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dohfbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbmelbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okhfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amfjeobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll" Gjocgdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmqiee.dll" Cobkhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klohnjkj.dll" Qchmagie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghfphob.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gokdeeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihqiqn32.dll" Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfljmdjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgkhlnbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll" Ligqhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcfebonm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifhiib32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2492 wrote to memory of 4932 2492 47c8f69fea8621a2be7b2335aa41a703.exe 84 PID 2492 wrote to memory of 4932 2492 47c8f69fea8621a2be7b2335aa41a703.exe 84 PID 2492 wrote to memory of 4932 2492 47c8f69fea8621a2be7b2335aa41a703.exe 84 PID 4932 wrote to memory of 2684 4932 Dhqaefng.exe 85 PID 4932 wrote to memory of 2684 4932 Dhqaefng.exe 85 PID 4932 wrote to memory of 2684 4932 Dhqaefng.exe 85 PID 2684 wrote to memory of 4784 2684 Dcfebonm.exe 86 PID 2684 wrote to memory of 4784 2684 Dcfebonm.exe 86 PID 2684 wrote to memory of 4784 2684 Dcfebonm.exe 86 PID 4784 wrote to memory of 4492 4784 Dhcnke32.exe 87 PID 4784 wrote to memory of 4492 4784 Dhcnke32.exe 87 PID 4784 wrote to memory of 4492 4784 Dhcnke32.exe 87 PID 4492 wrote to memory of 892 4492 Ejbkehcg.exe 88 PID 4492 wrote to memory of 892 4492 Ejbkehcg.exe 88 PID 4492 wrote to memory of 892 4492 Ejbkehcg.exe 88 PID 892 wrote to memory of 1284 892 Eoocmoao.exe 89 PID 892 wrote to memory of 1284 892 Eoocmoao.exe 89 PID 892 wrote to memory of 1284 892 Eoocmoao.exe 89 PID 1284 wrote to memory of 4964 1284 Ebnoikqb.exe 90 PID 1284 wrote to memory of 4964 1284 Ebnoikqb.exe 90 PID 1284 wrote to memory of 4964 1284 Ebnoikqb.exe 90 PID 4964 wrote to memory of 5052 4964 Elccfc32.exe 91 PID 4964 wrote to memory of 5052 4964 Elccfc32.exe 91 PID 4964 wrote to memory of 5052 4964 Elccfc32.exe 91 PID 5052 wrote to memory of 4884 5052 Ebploj32.exe 92 PID 5052 wrote to memory of 4884 5052 Ebploj32.exe 92 PID 5052 wrote to memory of 4884 5052 Ebploj32.exe 92 PID 4884 wrote to memory of 224 4884 Eleplc32.exe 93 PID 4884 wrote to memory of 224 4884 Eleplc32.exe 93 PID 4884 wrote to memory of 224 4884 Eleplc32.exe 93 PID 224 wrote to memory of 4220 224 Eodlho32.exe 94 PID 224 wrote to memory of 4220 224 Eodlho32.exe 94 PID 224 wrote to memory of 4220 224 Eodlho32.exe 94 PID 4220 wrote to memory of 452 4220 Ebbidj32.exe 95 PID 4220 wrote to memory of 452 4220 Ebbidj32.exe 95 PID 4220 wrote to memory of 452 4220 Ebbidj32.exe 95 PID 452 wrote to memory of 3224 452 Efneehef.exe 96 PID 452 wrote to memory of 3224 452 Efneehef.exe 96 PID 452 wrote to memory of 3224 452 Efneehef.exe 96 PID 3224 wrote to memory of 2656 3224 Ehlaaddj.exe 97 PID 3224 wrote to memory of 2656 3224 Ehlaaddj.exe 97 PID 3224 wrote to memory of 2656 3224 Ehlaaddj.exe 97 PID 2656 wrote to memory of 4852 2656 Elhmablc.exe 98 PID 2656 wrote to memory of 4852 2656 Elhmablc.exe 98 PID 2656 wrote to memory of 4852 2656 Elhmablc.exe 98 PID 4852 wrote to memory of 208 4852 Eofinnkf.exe 99 PID 4852 wrote to memory of 208 4852 Eofinnkf.exe 99 PID 4852 wrote to memory of 208 4852 Eofinnkf.exe 99 PID 208 wrote to memory of 3428 208 Ebeejijj.exe 100 PID 208 wrote to memory of 3428 208 Ebeejijj.exe 100 PID 208 wrote to memory of 3428 208 Ebeejijj.exe 100 PID 3428 wrote to memory of 4540 3428 Efpajh32.exe 101 PID 3428 wrote to memory of 4540 3428 Efpajh32.exe 101 PID 3428 wrote to memory of 4540 3428 Efpajh32.exe 101 PID 4540 wrote to memory of 404 4540 Ehonfc32.exe 102 PID 4540 wrote to memory of 404 4540 Ehonfc32.exe 102 PID 4540 wrote to memory of 404 4540 Ehonfc32.exe 102 PID 404 wrote to memory of 4480 404 Eqfeha32.exe 103 PID 404 wrote to memory of 4480 404 Eqfeha32.exe 103 PID 404 wrote to memory of 4480 404 Eqfeha32.exe 103 PID 4480 wrote to memory of 1220 4480 Ecdbdl32.exe 104 PID 4480 wrote to memory of 1220 4480 Ecdbdl32.exe 104 PID 4480 wrote to memory of 1220 4480 Ecdbdl32.exe 104 PID 1220 wrote to memory of 3300 1220 Fbgbpihg.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\47c8f69fea8621a2be7b2335aa41a703.exe"C:\Users\Admin\AppData\Local\Temp\47c8f69fea8621a2be7b2335aa41a703.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe23⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe24⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe25⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe26⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe27⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe28⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe29⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe30⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe31⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe32⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe33⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe34⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe35⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe36⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe37⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe38⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe40⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe41⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe42⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe43⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3400 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe45⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe46⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe47⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe48⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe49⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe50⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe51⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe53⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe54⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe55⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4872 -
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe57⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe58⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe59⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe60⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe61⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe62⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:232 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe64⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe65⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4752 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe67⤵PID:4000
-
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe68⤵PID:3472
-
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe69⤵PID:540
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe70⤵PID:4860
-
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe71⤵PID:5092
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe72⤵PID:4840
-
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe73⤵PID:876
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe74⤵
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe75⤵PID:4500
-
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe76⤵PID:2116
-
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe77⤵PID:2408
-
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe78⤵PID:4464
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe79⤵PID:1640
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe80⤵PID:2780
-
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe81⤵PID:3684
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe82⤵PID:5012
-
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4320 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe84⤵PID:3800
-
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe85⤵PID:400
-
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe86⤵PID:980
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe87⤵PID:1128
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe88⤵PID:5152
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe89⤵PID:5208
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe90⤵PID:5352
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe91⤵PID:5428
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe92⤵
- Drops file in System32 directory
PID:5656 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe93⤵
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe94⤵PID:5728
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe95⤵PID:5764
-
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe96⤵PID:5800
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe97⤵
- Modifies registry class
PID:5836 -
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe98⤵PID:5872
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5908 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe100⤵PID:5944
-
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe101⤵PID:5980
-
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe102⤵
- Drops file in System32 directory
PID:6016 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6052 -
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe104⤵PID:6088
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe105⤵PID:6124
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe106⤵PID:800
-
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe107⤵PID:2924
-
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:100 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe109⤵PID:4940
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe110⤵
- Modifies registry class
PID:4292 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe111⤵PID:4268
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe112⤵PID:5952
-
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe113⤵PID:5868
-
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe114⤵PID:5796
-
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe115⤵PID:5736
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5672 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe117⤵PID:6000
-
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe118⤵PID:6048
-
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe120⤵PID:5100
-
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe121⤵PID:2312
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-