Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 19:09
Behavioral task
behavioral1
Sample
02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe
Resource
win10v2004-20240426-en
General
-
Target
02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe
-
Size
161KB
-
MD5
02e17b62fa7a209bc552c1be63044160
-
SHA1
99804695f0a820ca6985ca9407fe6222bfe85000
-
SHA256
02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd
-
SHA512
be4515538640765d119fb35c33d66528fe4d46ba5c43186d9db0a54157d933153e321aa8cecceaafae98b289a9009ace7a90c8c570104a25a1e5eb721ec962f5
-
SSDEEP
3072:deSYf7UdBzIaNNrMVk4VwtCJXeex7rrIRZK8K8/kvV:DuUzhNNYk4VwtmeetrIyRV
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejbfhfaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahlgfdeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nghphaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdcpdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdejaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kedaeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkeelohh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maedhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckccgane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkhpnnej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahakmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncoamb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpndnei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkgkbipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmkio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mochnppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndjdlffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccbqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mepnpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbehoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdogl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkepi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopicc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mapjmehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjdilgpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckffgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kincipnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naimccpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpfcgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiqpop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bloqah32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x00090000000141c0-5.dat family_berbew behavioral1/files/0x0008000000014539-28.dat family_berbew behavioral1/files/0x000b0000000146a2-39.dat family_berbew behavioral1/files/0x000b0000000146c0-49.dat family_berbew behavioral1/files/0x0007000000014825-66.dat family_berbew behavioral1/files/0x0007000000014abe-72.dat family_berbew behavioral1/files/0x0006000000014de9-100.dat family_berbew behavioral1/files/0x0006000000015018-119.dat family_berbew behavioral1/files/0x00060000000155f3-138.dat family_berbew behavioral1/files/0x0006000000015605-152.dat family_berbew behavioral1/files/0x0006000000015626-166.dat family_berbew behavioral1/files/0x0006000000015c3d-178.dat family_berbew behavioral1/files/0x0006000000015c83-211.dat family_berbew behavioral1/files/0x0006000000015f01-285.dat family_berbew behavioral1/files/0x00060000000167d5-323.dat family_berbew behavioral1/files/0x0006000000016c04-345.dat family_berbew behavioral1/files/0x0006000000016c7c-358.dat family_berbew behavioral1/files/0x0006000000016cb6-369.dat family_berbew behavioral1/files/0x0006000000016d16-388.dat family_berbew behavioral1/files/0x0006000000016e4a-420.dat family_berbew behavioral1/files/0x000600000001735a-428.dat family_berbew behavioral1/files/0x0006000000018ba1-494.dat family_berbew behavioral1/files/0x0006000000018ed8-503.dat family_berbew behavioral1/files/0x00050000000192d8-575.dat family_berbew behavioral1/files/0x00050000000195be-691.dat family_berbew behavioral1/files/0x0005000000019bdf-720.dat family_berbew behavioral1/files/0x0005000000019ee2-754.dat family_berbew behavioral1/files/0x000500000001a3b5-796.dat family_berbew behavioral1/files/0x000500000001a42a-835.dat family_berbew behavioral1/files/0x000500000001a44b-885.dat family_berbew behavioral1/files/0x000500000001a464-938.dat family_berbew behavioral1/files/0x000500000001a481-1010.dat family_berbew behavioral1/files/0x000500000001a508-1019.dat family_berbew behavioral1/files/0x000500000001ad53-1040.dat family_berbew behavioral1/files/0x000500000001c713-1070.dat family_berbew behavioral1/files/0x000500000001c7ec-1111.dat family_berbew behavioral1/files/0x000500000001c7f3-1125.dat family_berbew behavioral1/files/0x000500000001c7ff-1157.dat family_berbew behavioral1/files/0x000500000001c810-1192.dat family_berbew behavioral1/files/0x000500000001c84a-1246.dat family_berbew behavioral1/files/0x000500000001c863-1304.dat family_berbew behavioral1/files/0x000400000001cae0-1391.dat family_berbew behavioral1/files/0x000400000001caf9-1409.dat family_berbew behavioral1/files/0x000400000001cb14-1425.dat family_berbew behavioral1/files/0x000400000001cb72-1473.dat family_berbew behavioral1/files/0x000400000001cb92-1507.dat family_berbew behavioral1/files/0x000400000001cc2b-1581.dat family_berbew behavioral1/files/0x000400000001ceea-1678.dat family_berbew behavioral1/files/0x000400000001d1b5-1751.dat family_berbew behavioral1/files/0x000400000001d2d4-1775.dat family_berbew behavioral1/files/0x000400000001d328-1823.dat family_berbew behavioral1/files/0x000400000001d333-1831.dat family_berbew behavioral1/files/0x000400000001d34c-1863.dat family_berbew behavioral1/files/0x000400000001d364-1887.dat family_berbew behavioral1/files/0x000400000001d684-1960.dat family_berbew behavioral1/files/0x000400000001d69e-1983.dat family_berbew behavioral1/files/0x000400000001d73c-2001.dat family_berbew behavioral1/files/0x000400000001d765-2008.dat family_berbew behavioral1/files/0x000400000001d80e-2034.dat family_berbew behavioral1/files/0x000400000001d90c-2105.dat family_berbew behavioral1/files/0x000400000001d961-2156.dat family_berbew behavioral1/files/0x000400000001d976-2197.dat family_berbew behavioral1/files/0x000400000001d98a-2238.dat family_berbew behavioral1/files/0x000400000001d9a0-2286.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2996 Hkhkcm32.exe 2180 Hqddldcp.exe 2608 Hgolhn32.exe 2584 Hkjhimcf.exe 2760 Inhdehbj.exe 1852 Imkdqe32.exe 2580 Idblbb32.exe 2956 Igainn32.exe 2520 Ifdiijpe.exe 2560 Iqimgc32.exe 2800 Iolmbpfe.exe 2636 Iffeoj32.exe 1684 Iidbke32.exe 1732 Ioojhpdb.exe 2088 Ibmfdkcf.exe 452 Ijdnehci.exe 1728 Ikekmq32.exe 2456 Ioagno32.exe 1476 Ienoff32.exe 840 Imeggc32.exe 1056 Ikggbpgd.exe 1624 Ioccco32.exe 1064 Infdolgh.exe 1724 Ifmlpigj.exe 688 Jilhldfn.exe 2568 Jkjdhpea.exe 2736 Joepio32.exe 1168 Jbdlejmn.exe 2472 Jinead32.exe 1080 Jgqemakf.exe 2292 Jbfijjkl.exe 2660 Jedefejo.exe 2744 Jcgfbb32.exe 2452 Jkonco32.exe 1740 Jmpjkggj.exe 1844 Jakfkfpc.exe 2828 Jcjbgaog.exe 2936 Jgenhp32.exe 788 Jjdkdl32.exe 1268 Jmbgpg32.exe 2316 Jpqclb32.exe 1568 Jclomamd.exe 676 Jfkkimlh.exe 936 Jjfgjk32.exe 3020 Jmdcfg32.exe 2064 Jmdcfg32.exe 3024 Kappfeln.exe 2652 Kpcpbb32.exe 1988 Kcolba32.exe 2532 Kfmhol32.exe 968 Kjhdokbo.exe 2668 Kmgpkfab.exe 2812 Kljqgc32.exe 1644 Kpemgbqf.exe 320 Kcahhq32.exe 2692 Kfoedl32.exe 2380 Kfoedl32.exe 1008 Kebepion.exe 2740 Kmimafop.exe 2684 Kllmmc32.exe 2976 Kphimanc.exe 2156 Kbfeimng.exe 2184 Kfaajlfp.exe 1416 Kedaeh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2136 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe 2136 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe 2996 Hkhkcm32.exe 2996 Hkhkcm32.exe 2180 Hqddldcp.exe 2180 Hqddldcp.exe 2608 Hgolhn32.exe 2608 Hgolhn32.exe 2584 Hkjhimcf.exe 2584 Hkjhimcf.exe 2760 Inhdehbj.exe 2760 Inhdehbj.exe 1852 Imkdqe32.exe 1852 Imkdqe32.exe 2580 Idblbb32.exe 2580 Idblbb32.exe 2956 Igainn32.exe 2956 Igainn32.exe 2520 Ifdiijpe.exe 2520 Ifdiijpe.exe 2560 Iqimgc32.exe 2560 Iqimgc32.exe 2800 Iolmbpfe.exe 2800 Iolmbpfe.exe 2636 Iffeoj32.exe 2636 Iffeoj32.exe 1684 Iidbke32.exe 1684 Iidbke32.exe 1732 Ioojhpdb.exe 1732 Ioojhpdb.exe 2088 Ibmfdkcf.exe 2088 Ibmfdkcf.exe 452 Ijdnehci.exe 452 Ijdnehci.exe 1728 Ikekmq32.exe 1728 Ikekmq32.exe 2456 Ioagno32.exe 2456 Ioagno32.exe 1476 Ienoff32.exe 1476 Ienoff32.exe 840 Imeggc32.exe 840 Imeggc32.exe 1056 Ikggbpgd.exe 1056 Ikggbpgd.exe 1624 Ioccco32.exe 1624 Ioccco32.exe 1064 Infdolgh.exe 1064 Infdolgh.exe 1724 Ifmlpigj.exe 1724 Ifmlpigj.exe 688 Jilhldfn.exe 688 Jilhldfn.exe 2568 Jkjdhpea.exe 2568 Jkjdhpea.exe 2736 Joepio32.exe 2736 Joepio32.exe 1168 Jbdlejmn.exe 1168 Jbdlejmn.exe 2472 Jinead32.exe 2472 Jinead32.exe 1080 Jgqemakf.exe 1080 Jgqemakf.exe 2292 Jbfijjkl.exe 2292 Jbfijjkl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Njbcim32.exe Mkobnqan.exe File opened for modification C:\Windows\SysWOW64\Nfpjomgd.exe Nbdnoo32.exe File opened for modification C:\Windows\SysWOW64\Bpafkknm.exe Banepo32.exe File created C:\Windows\SysWOW64\Ckignd32.exe Cgmkmecg.exe File opened for modification C:\Windows\SysWOW64\Nkeelohh.exe Nlbeqb32.exe File created C:\Windows\SysWOW64\Pnlqnl32.exe Pgbhabjp.exe File created C:\Windows\SysWOW64\Nnjcpefo.dll Imkdqe32.exe File created C:\Windows\SysWOW64\Bhjogple.dll Lhggmchi.exe File opened for modification C:\Windows\SysWOW64\Dogefd32.exe Dhnmij32.exe File opened for modification C:\Windows\SysWOW64\Kiqpop32.exe Kfbcbd32.exe File created C:\Windows\SysWOW64\Leimip32.exe Kbkameaf.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Leajdfnm.exe File opened for modification C:\Windows\SysWOW64\Nejiih32.exe Naoniipe.exe File opened for modification C:\Windows\SysWOW64\Igihbknb.exe Ikbgmj32.exe File created C:\Windows\SysWOW64\Ckccgane.exe Cclkfdnc.exe File opened for modification C:\Windows\SysWOW64\Cljcelan.exe Cngcjo32.exe File created C:\Windows\SysWOW64\Dgdmmgpj.exe Dchali32.exe File created C:\Windows\SysWOW64\Pccfge32.exe Pphjgfqq.exe File created C:\Windows\SysWOW64\Anafhopc.exe Aidnohbk.exe File opened for modification C:\Windows\SysWOW64\Mhjpaf32.exe Migpeiag.exe File created C:\Windows\SysWOW64\Nleiqhcg.exe Nnbhek32.exe File created C:\Windows\SysWOW64\Affhncfc.exe Ahchbf32.exe File created C:\Windows\SysWOW64\Lilchoah.dll Bkaqmeah.exe File opened for modification C:\Windows\SysWOW64\Fnbkddem.exe Fjgoce32.exe File created C:\Windows\SysWOW64\Glaoalkh.exe Ghfbqn32.exe File opened for modification C:\Windows\SysWOW64\Oqideepg.exe Onjgiiad.exe File created C:\Windows\SysWOW64\Hqalfl32.dll Kincipnk.exe File opened for modification C:\Windows\SysWOW64\Lkhpnnej.exe Lfmdnp32.exe File created C:\Windows\SysWOW64\Bmhljm32.dll Adeplhib.exe File created C:\Windows\SysWOW64\Iegecigk.dll Bhfagipa.exe File created C:\Windows\SysWOW64\Cdakgibq.exe Cpeofk32.exe File created C:\Windows\SysWOW64\Coklgg32.exe Cphlljge.exe File created C:\Windows\SysWOW64\Fpngfgle.exe Fidoim32.exe File opened for modification C:\Windows\SysWOW64\Lbfahp32.exe Ldcamcih.exe File created C:\Windows\SysWOW64\Damgbk32.dll Nleiqhcg.exe File created C:\Windows\SysWOW64\Piccpc32.dll Hpgfki32.exe File created C:\Windows\SysWOW64\Dmgdhd32.dll Khcnad32.exe File created C:\Windows\SysWOW64\Lopekk32.dll Efppoc32.exe File opened for modification C:\Windows\SysWOW64\Egamfkdh.exe Eiomkn32.exe File created C:\Windows\SysWOW64\Hogmmjfo.exe Hlhaqogk.exe File created C:\Windows\SysWOW64\Nkkgfioo.dll Nkeelohh.exe File created C:\Windows\SysWOW64\Fileil32.dll Dglpbbbg.exe File created C:\Windows\SysWOW64\Llinacgg.dll Ifdiijpe.exe File opened for modification C:\Windows\SysWOW64\Bhhnli32.exe Bdlblj32.exe File opened for modification C:\Windows\SysWOW64\Piehkkcl.exe Peiljl32.exe File created C:\Windows\SysWOW64\Afiecb32.exe Afiecb32.exe File created C:\Windows\SysWOW64\Ckblig32.dll Chcqpmep.exe File opened for modification C:\Windows\SysWOW64\Ebgacddo.exe Enkece32.exe File created C:\Windows\SysWOW64\Aafminbq.dll Bfenbpec.exe File opened for modification C:\Windows\SysWOW64\Eccmffjf.exe Eqdajkkb.exe File created C:\Windows\SysWOW64\Kjhdokbo.exe Kfmhol32.exe File opened for modification C:\Windows\SysWOW64\Lhggmchi.exe Keikqhhe.exe File created C:\Windows\SysWOW64\Kaaldl32.dll Fpcqaf32.exe File opened for modification C:\Windows\SysWOW64\Fiihdlpc.exe Ffklhqao.exe File created C:\Windows\SysWOW64\Fpcqaf32.exe Fiihdlpc.exe File opened for modification C:\Windows\SysWOW64\Cfinoq32.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Iecimppi.dll Epfhbign.exe File created C:\Windows\SysWOW64\Jbfijjkl.exe Jgqemakf.exe File created C:\Windows\SysWOW64\Egdgmmje.dll Oqqapjnk.exe File opened for modification C:\Windows\SysWOW64\Ebbgid32.exe Ecpgmhai.exe File created C:\Windows\SysWOW64\Fjlhneio.exe Ffpmnf32.exe File created C:\Windows\SysWOW64\Ilknfn32.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Ibcidp32.dll Kocbkk32.exe File created C:\Windows\SysWOW64\Kjbgng32.dll Npojdpef.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8336 8324 WerFault.exe 922 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbdklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knmhgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofqfokm.dll" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfpgj32.dll" Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nookinfk.dll" Icmegf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlkepi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Figlolbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lghjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkjofpc.dll" Lodlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpjbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocdp32.dll" Mkmfhacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgejac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mapjmehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcgfbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpqclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklefg32.dll" Afiecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niikceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll" Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lipjejgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojchmpcd.dll" Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdpjlajk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gheabp32.dll" Hlljjjnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlcple32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjmkcbcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jddnncch.dll" Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll" Gonnhhln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naikkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcinege.dll" Hgjefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhdcji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" Egdilkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" Fmhheqje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmlapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egoife32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcgfbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegecigk.dll" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll" Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keledb32.dll" Cdlnkmha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplhdp32.dll" Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgjfkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pphjgfqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfbccp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfeoofge.dll" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgolhn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2996 2136 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe 28 PID 2136 wrote to memory of 2996 2136 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe 28 PID 2136 wrote to memory of 2996 2136 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe 28 PID 2136 wrote to memory of 2996 2136 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe 28 PID 2996 wrote to memory of 2180 2996 Hkhkcm32.exe 29 PID 2996 wrote to memory of 2180 2996 Hkhkcm32.exe 29 PID 2996 wrote to memory of 2180 2996 Hkhkcm32.exe 29 PID 2996 wrote to memory of 2180 2996 Hkhkcm32.exe 29 PID 2180 wrote to memory of 2608 2180 Hqddldcp.exe 30 PID 2180 wrote to memory of 2608 2180 Hqddldcp.exe 30 PID 2180 wrote to memory of 2608 2180 Hqddldcp.exe 30 PID 2180 wrote to memory of 2608 2180 Hqddldcp.exe 30 PID 2608 wrote to memory of 2584 2608 Hgolhn32.exe 31 PID 2608 wrote to memory of 2584 2608 Hgolhn32.exe 31 PID 2608 wrote to memory of 2584 2608 Hgolhn32.exe 31 PID 2608 wrote to memory of 2584 2608 Hgolhn32.exe 31 PID 2584 wrote to memory of 2760 2584 Hkjhimcf.exe 32 PID 2584 wrote to memory of 2760 2584 Hkjhimcf.exe 32 PID 2584 wrote to memory of 2760 2584 Hkjhimcf.exe 32 PID 2584 wrote to memory of 2760 2584 Hkjhimcf.exe 32 PID 2760 wrote to memory of 1852 2760 Inhdehbj.exe 33 PID 2760 wrote to memory of 1852 2760 Inhdehbj.exe 33 PID 2760 wrote to memory of 1852 2760 Inhdehbj.exe 33 PID 2760 wrote to memory of 1852 2760 Inhdehbj.exe 33 PID 1852 wrote to memory of 2580 1852 Imkdqe32.exe 34 PID 1852 wrote to memory of 2580 1852 Imkdqe32.exe 34 PID 1852 wrote to memory of 2580 1852 Imkdqe32.exe 34 PID 1852 wrote to memory of 2580 1852 Imkdqe32.exe 34 PID 2580 wrote to memory of 2956 2580 Idblbb32.exe 35 PID 2580 wrote to memory of 2956 2580 Idblbb32.exe 35 PID 2580 wrote to memory of 2956 2580 Idblbb32.exe 35 PID 2580 wrote to memory of 2956 2580 Idblbb32.exe 35 PID 2956 wrote to memory of 2520 2956 Igainn32.exe 36 PID 2956 wrote to memory of 2520 2956 Igainn32.exe 36 PID 2956 wrote to memory of 2520 2956 Igainn32.exe 36 PID 2956 wrote to memory of 2520 2956 Igainn32.exe 36 PID 2520 wrote to memory of 2560 2520 Ifdiijpe.exe 37 PID 2520 wrote to memory of 2560 2520 Ifdiijpe.exe 37 PID 2520 wrote to memory of 2560 2520 Ifdiijpe.exe 37 PID 2520 wrote to memory of 2560 2520 Ifdiijpe.exe 37 PID 2560 wrote to memory of 2800 2560 Iqimgc32.exe 38 PID 2560 wrote to memory of 2800 2560 Iqimgc32.exe 38 PID 2560 wrote to memory of 2800 2560 Iqimgc32.exe 38 PID 2560 wrote to memory of 2800 2560 Iqimgc32.exe 38 PID 2800 wrote to memory of 2636 2800 Iolmbpfe.exe 39 PID 2800 wrote to memory of 2636 2800 Iolmbpfe.exe 39 PID 2800 wrote to memory of 2636 2800 Iolmbpfe.exe 39 PID 2800 wrote to memory of 2636 2800 Iolmbpfe.exe 39 PID 2636 wrote to memory of 1684 2636 Iffeoj32.exe 40 PID 2636 wrote to memory of 1684 2636 Iffeoj32.exe 40 PID 2636 wrote to memory of 1684 2636 Iffeoj32.exe 40 PID 2636 wrote to memory of 1684 2636 Iffeoj32.exe 40 PID 1684 wrote to memory of 1732 1684 Iidbke32.exe 41 PID 1684 wrote to memory of 1732 1684 Iidbke32.exe 41 PID 1684 wrote to memory of 1732 1684 Iidbke32.exe 41 PID 1684 wrote to memory of 1732 1684 Iidbke32.exe 41 PID 1732 wrote to memory of 2088 1732 Ioojhpdb.exe 42 PID 1732 wrote to memory of 2088 1732 Ioojhpdb.exe 42 PID 1732 wrote to memory of 2088 1732 Ioojhpdb.exe 42 PID 1732 wrote to memory of 2088 1732 Ioojhpdb.exe 42 PID 2088 wrote to memory of 452 2088 Ibmfdkcf.exe 43 PID 2088 wrote to memory of 452 2088 Ibmfdkcf.exe 43 PID 2088 wrote to memory of 452 2088 Ibmfdkcf.exe 43 PID 2088 wrote to memory of 452 2088 Ibmfdkcf.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe"C:\Users\Admin\AppData\Local\Temp\02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Hkhkcm32.exeC:\Windows\system32\Hkhkcm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Hkjhimcf.exeC:\Windows\system32\Hkjhimcf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Ifdiijpe.exeC:\Windows\system32\Ifdiijpe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:452 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe33⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe35⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe36⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe37⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe38⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe39⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe40⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe41⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe43⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe44⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe45⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe46⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe47⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe48⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe49⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe50⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe52⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe53⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe54⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe55⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe56⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe57⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe58⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe59⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe60⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe61⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe62⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe63⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe64⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe66⤵PID:336
-
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe67⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe68⤵PID:628
-
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe69⤵PID:2840
-
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe70⤵PID:1192
-
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe71⤵PID:1312
-
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe72⤵PID:1060
-
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe73⤵PID:2972
-
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe74⤵PID:2344
-
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe75⤵PID:2332
-
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe76⤵PID:1232
-
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe77⤵PID:652
-
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe78⤵PID:1584
-
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe79⤵PID:1936
-
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe80⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe81⤵PID:952
-
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe82⤵
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe83⤵PID:1452
-
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe84⤵PID:2276
-
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe85⤵PID:2572
-
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe86⤵PID:1432
-
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe87⤵PID:1308
-
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe88⤵PID:2364
-
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe89⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe91⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe92⤵PID:544
-
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe93⤵PID:448
-
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe94⤵PID:768
-
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe95⤵PID:1160
-
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe96⤵PID:472
-
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe97⤵PID:800
-
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe98⤵PID:2392
-
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe99⤵PID:2312
-
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe100⤵PID:1544
-
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe101⤵PID:2596
-
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe102⤵PID:2836
-
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe103⤵PID:2980
-
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe104⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe105⤵PID:1108
-
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe106⤵PID:2528
-
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe107⤵PID:1512
-
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe108⤵
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe109⤵PID:1900
-
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe110⤵PID:1440
-
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe111⤵PID:2756
-
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe112⤵
- Modifies registry class
PID:480 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe113⤵PID:1456
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe114⤵PID:1904
-
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe115⤵PID:1748
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe116⤵PID:1828
-
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe117⤵PID:1824
-
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe118⤵PID:2720
-
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe119⤵PID:2296
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe120⤵PID:2992
-
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe121⤵PID:2476
-
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe122⤵PID:1716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-