Analysis
-
max time kernel
134s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 19:09
Behavioral task
behavioral1
Sample
02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe
Resource
win10v2004-20240426-en
General
-
Target
02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe
-
Size
161KB
-
MD5
02e17b62fa7a209bc552c1be63044160
-
SHA1
99804695f0a820ca6985ca9407fe6222bfe85000
-
SHA256
02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd
-
SHA512
be4515538640765d119fb35c33d66528fe4d46ba5c43186d9db0a54157d933153e321aa8cecceaafae98b289a9009ace7a90c8c570104a25a1e5eb721ec962f5
-
SSDEEP
3072:deSYf7UdBzIaNNrMVk4VwtCJXeex7rrIRZK8K8/kvV:DuUzhNNYk4VwtmeetrIyRV
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcifkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbhmdbnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpmokb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogogoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmeci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcekkjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lalcng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eefhjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbfiep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagqlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkpgck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofqpqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eckonn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ildkgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbckbepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibmmhdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfaloa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkceffcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekjfcipa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffekegon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Occkojkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqkdcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbjhlfhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgkjhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdhbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbkjjblm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnnanphk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjfcipa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfankifm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efneehef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eleplc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehonfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgblncm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkncdifl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peimil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hflcbngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdfjifjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbkehcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmgdgjek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbbgnpgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekemhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Melnob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chagok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giacca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnaikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aacckjaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glebhjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hflcbngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbbdholl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbceejpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpoefk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oncofm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpccnefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opdghh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjmgfgdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocpgod32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000600000002327c-6.dat family_berbew behavioral2/files/0x0007000000023416-14.dat family_berbew behavioral2/files/0x0007000000023419-22.dat family_berbew behavioral2/files/0x000700000002341b-31.dat family_berbew behavioral2/files/0x000700000002341d-38.dat family_berbew behavioral2/files/0x000700000002341f-46.dat family_berbew behavioral2/files/0x0007000000023421-54.dat family_berbew behavioral2/files/0x0007000000023423-62.dat family_berbew behavioral2/files/0x0007000000023425-70.dat family_berbew behavioral2/files/0x0007000000023427-78.dat family_berbew behavioral2/files/0x0007000000023429-87.dat family_berbew behavioral2/files/0x000700000002342b-96.dat family_berbew behavioral2/files/0x000700000002342d-105.dat family_berbew behavioral2/files/0x000700000002342f-114.dat family_berbew behavioral2/files/0x0007000000023431-123.dat family_berbew behavioral2/files/0x0007000000023433-132.dat family_berbew behavioral2/files/0x0007000000023435-141.dat family_berbew behavioral2/files/0x0007000000023437-150.dat family_berbew behavioral2/files/0x0007000000023439-160.dat family_berbew behavioral2/files/0x000700000002343b-168.dat family_berbew behavioral2/files/0x0008000000023413-177.dat family_berbew behavioral2/files/0x000700000002343e-186.dat family_berbew behavioral2/files/0x0007000000023440-195.dat family_berbew behavioral2/files/0x0007000000023442-204.dat family_berbew behavioral2/files/0x0007000000023444-213.dat family_berbew behavioral2/files/0x0007000000023446-221.dat family_berbew behavioral2/files/0x0007000000023448-230.dat family_berbew behavioral2/files/0x000700000002344a-239.dat family_berbew behavioral2/files/0x000700000002344c-249.dat family_berbew behavioral2/files/0x000700000002344e-257.dat family_berbew behavioral2/files/0x0007000000023450-266.dat family_berbew behavioral2/files/0x0007000000023453-275.dat family_berbew behavioral2/files/0x0007000000023467-348.dat family_berbew behavioral2/files/0x0007000000023483-442.dat family_berbew behavioral2/files/0x0007000000023487-455.dat family_berbew behavioral2/files/0x00070000000234ac-581.dat family_berbew behavioral2/files/0x00070000000234b0-596.dat family_berbew behavioral2/files/0x00070000000234b4-609.dat family_berbew behavioral2/files/0x00070000000234b8-623.dat family_berbew behavioral2/files/0x00070000000234c0-649.dat family_berbew behavioral2/files/0x00070000000234c4-663.dat family_berbew behavioral2/files/0x00070000000234fc-854.dat family_berbew behavioral2/files/0x000700000002358d-1387.dat family_berbew behavioral2/files/0x00070000000235ae-1495.dat family_berbew behavioral2/files/0x00070000000235b2-1508.dat family_berbew behavioral2/files/0x00070000000235b4-1515.dat family_berbew behavioral2/files/0x00070000000235d5-1624.dat family_berbew behavioral2/files/0x00070000000235f1-1714.dat family_berbew behavioral2/files/0x00070000000235f5-1728.dat family_berbew behavioral2/files/0x0007000000023613-1850.dat family_berbew behavioral2/files/0x0007000000023621-1900.dat family_berbew behavioral2/files/0x0007000000023627-1918.dat family_berbew behavioral2/files/0x0007000000023633-1959.dat family_berbew behavioral2/files/0x0007000000023646-2021.dat family_berbew behavioral2/files/0x0007000000023654-2070.dat family_berbew behavioral2/files/0x000700000002365a-2092.dat family_berbew behavioral2/files/0x000700000002365e-2106.dat family_berbew behavioral2/files/0x0007000000023666-2133.dat family_berbew behavioral2/files/0x000700000002366c-2154.dat family_berbew behavioral2/files/0x0007000000023678-2196.dat family_berbew behavioral2/files/0x0007000000023682-2230.dat family_berbew behavioral2/files/0x0007000000023686-2244.dat family_berbew behavioral2/files/0x0007000000023690-2279.dat family_berbew behavioral2/files/0x0007000000023696-2299.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4400 Cchiaqjm.exe 5096 Cibank32.exe 3904 Cpljkdig.exe 1436 Ccjfgphj.exe 3768 Chgoogfa.exe 940 Cpofpdgd.exe 4832 Capchmmb.exe 1152 Digkijmd.exe 4768 Dlegeemh.exe 708 Doccaall.exe 2400 Dhlhjf32.exe 2100 Dpcpkc32.exe 4316 Dephckaf.exe 856 Dhnepfpj.exe 3048 Dpemacql.exe 928 Dcdimopp.exe 4980 Dokjbp32.exe 2656 Daifnk32.exe 3612 Dhcnke32.exe 3696 Ejbkehcg.exe 4732 Eckonn32.exe 1808 Efikji32.exe 3708 Epopgbia.exe 728 Ecmlcmhe.exe 4000 Ejgdpg32.exe 2752 Eleplc32.exe 4040 Eodlho32.exe 1656 Efneehef.exe 2264 Ehlaaddj.exe 3456 Eofinnkf.exe 2020 Efpajh32.exe 4392 Ehonfc32.exe 2496 Eoifcnid.exe 2492 Ecdbdl32.exe 4656 Ffbnph32.exe 2056 Fhajlc32.exe 544 Fcgoilpj.exe 4808 Ffekegon.exe 3876 Fqkocpod.exe 1360 Fcikolnh.exe 3448 Ffggkgmk.exe 2540 Fjcclf32.exe 1960 Fqmlhpla.exe 1512 Fckhdk32.exe 1692 Ffjdqg32.exe 3716 Fihqmb32.exe 5116 Fqohnp32.exe 4252 Fcnejk32.exe 4684 Fflaff32.exe 2812 Fijmbb32.exe 3692 Fmficqpc.exe 3284 Gcpapkgp.exe 2652 Gbcakg32.exe 4692 Gmhfhp32.exe 1504 Gogbdl32.exe 4380 Gbenqg32.exe 756 Gjlfbd32.exe 4220 Giofnacd.exe 4604 Gqfooodg.exe 2672 Gcekkjcj.exe 3596 Giacca32.exe 2296 Gqikdn32.exe 4512 Gcggpj32.exe 4852 Gbjhlfhb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fkokhc32.dll Dokjbp32.exe File created C:\Windows\SysWOW64\Djnkap32.dll Qqfmde32.exe File opened for modification C:\Windows\SysWOW64\Balfaiil.exe Beeflhdh.exe File created C:\Windows\SysWOW64\Ijnlbk32.dll Cbefaj32.exe File created C:\Windows\SysWOW64\Maohkd32.exe Mjhqjg32.exe File created C:\Windows\SysWOW64\Bebboiqi.dll Mjjmog32.exe File created C:\Windows\SysWOW64\Mghpbg32.dll Kbdmpqcb.exe File created C:\Windows\SysWOW64\Hfifmnij.exe Hbnjmp32.exe File opened for modification C:\Windows\SysWOW64\Ecmlcmhe.exe Epopgbia.exe File created C:\Windows\SysWOW64\Hadkpm32.exe Hjjbcbqj.exe File created C:\Windows\SysWOW64\Hbocda32.dll Lcbiao32.exe File opened for modification C:\Windows\SysWOW64\Nggqoj32.exe Ncldnkae.exe File created C:\Windows\SysWOW64\Lpnlpnih.exe Lmppcbjd.exe File opened for modification C:\Windows\SysWOW64\Lgokmgjm.exe Ldanqkki.exe File created C:\Windows\SysWOW64\Ocpgod32.exe Opakbi32.exe File created C:\Windows\SysWOW64\Inccjgbc.dll Hmdedo32.exe File opened for modification C:\Windows\SysWOW64\Jagqlj32.exe Jiphkm32.exe File created C:\Windows\SysWOW64\Jbpbca32.dll Ddonekbl.exe File opened for modification C:\Windows\SysWOW64\Ifmcdblq.exe Ibagcc32.exe File created C:\Windows\SysWOW64\Imllie32.dll Kdcbom32.exe File opened for modification C:\Windows\SysWOW64\Lcdegnep.exe Lpfijcfl.exe File created C:\Windows\SysWOW64\Ckpjfm32.exe Cdfbibnb.exe File opened for modification C:\Windows\SysWOW64\Pkceffcd.exe Pclneicb.exe File created C:\Windows\SysWOW64\Gmbkmemo.dll Icjmmg32.exe File created C:\Windows\SysWOW64\Odbgim32.exe Oqgkhnjf.exe File created C:\Windows\SysWOW64\Nckndeni.exe Npmagine.exe File opened for modification C:\Windows\SysWOW64\Dknpmdfc.exe Dhocqigp.exe File opened for modification C:\Windows\SysWOW64\Jkdnpo32.exe Jfhbppbc.exe File created C:\Windows\SysWOW64\Mjeddggd.exe Mgghhlhq.exe File opened for modification C:\Windows\SysWOW64\Ldanqkki.exe Lljfpnjg.exe File created C:\Windows\SysWOW64\Hleecc32.dll Mchhggno.exe File created C:\Windows\SysWOW64\Gmdkpdef.dll Olmeci32.exe File created C:\Windows\SysWOW64\Gjgfjhqm.dll Pfjcgn32.exe File created C:\Windows\SysWOW64\Dofqcl32.dll Fhajlc32.exe File opened for modification C:\Windows\SysWOW64\Pjdilcla.exe Pgemphmn.exe File created C:\Windows\SysWOW64\Mkpgck32.exe Mciobn32.exe File created C:\Windows\SysWOW64\Pndohaqe.exe Pcojkhap.exe File opened for modification C:\Windows\SysWOW64\Aeniabfd.exe Andqdh32.exe File created C:\Windows\SysWOW64\Ockmjg32.dll Daifnk32.exe File created C:\Windows\SysWOW64\Jdkhlo32.dll Gifmnpnl.exe File opened for modification C:\Windows\SysWOW64\Mdckfk32.exe Lllcen32.exe File opened for modification C:\Windows\SysWOW64\Ajkhdp32.exe Aeopki32.exe File created C:\Windows\SysWOW64\Lpqiemge.exe Lmbmibhb.exe File created C:\Windows\SysWOW64\Jiphkm32.exe Jfaloa32.exe File created C:\Windows\SysWOW64\Hbnjmp32.exe Gfgjgo32.exe File created C:\Windows\SysWOW64\Hcjccj32.dll Djdmffnn.exe File opened for modification C:\Windows\SysWOW64\Ehonfc32.exe Efpajh32.exe File created C:\Windows\SysWOW64\Jdencjac.dll Bdmpcdfm.exe File opened for modification C:\Windows\SysWOW64\Iblfnn32.exe Ikbnacmd.exe File opened for modification C:\Windows\SysWOW64\Jpgdbg32.exe Jaedgjjd.exe File created C:\Windows\SysWOW64\Cliaoq32.exe Cdainc32.exe File created C:\Windows\SysWOW64\Gdhmnlcj.exe Gcfqfc32.exe File created C:\Windows\SysWOW64\Ffcnippo.dll Aeklkchg.exe File created C:\Windows\SysWOW64\Hmklen32.exe Hjmoibog.exe File created C:\Windows\SysWOW64\Lgikfn32.exe Lcmofolg.exe File opened for modification C:\Windows\SysWOW64\Gjlfbd32.exe Gbenqg32.exe File opened for modification C:\Windows\SysWOW64\Fkffog32.exe Ffimfqgm.exe File opened for modification C:\Windows\SysWOW64\Ocpgod32.exe Opakbi32.exe File opened for modification C:\Windows\SysWOW64\Dohfbj32.exe Dlijfneg.exe File created C:\Windows\SysWOW64\Baacma32.dll Ampkof32.exe File opened for modification C:\Windows\SysWOW64\Maohkd32.exe Mjhqjg32.exe File created C:\Windows\SysWOW64\Dalchnkg.dll Onklabip.exe File opened for modification C:\Windows\SysWOW64\Aeopki32.exe Aacckjaf.exe File created C:\Windows\SysWOW64\Jiglalpk.dll Aaepqjpd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14132 13860 WerFault.exe 719 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dddhpjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcikolnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iapjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll" Lcmofolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll" Ofqpqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll" Pmoahijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcifkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gofkje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" Lkgdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkncdifl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgagbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mciobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjffbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidpnp32.dll" Cogmkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll" Kpbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiagblgj.dll" Dhcnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iannfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqcfnjk.dll" Ffddka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kimnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll" Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll" Lnjjdgee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcebhoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll" Gifmnpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll" Lddbqa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoolbinc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnffqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll" Cmqmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpnhekgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibagcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll" Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll" Mgidml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimmfkfe.dll" Qgallfcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qbgqio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikhen32.dll" Ghlcnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baicac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nklfoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll" Gogbdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lalcng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlmllkja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opakbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhajlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elgfgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll" Fqmlhpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll" Kaemnhla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmccchkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Andgoobc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjlfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll" Hbckbepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmnjhioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjhqjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll" Chokikeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmqgnhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbkhfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lingibiq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3956 wrote to memory of 4400 3956 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe 84 PID 3956 wrote to memory of 4400 3956 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe 84 PID 3956 wrote to memory of 4400 3956 02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe 84 PID 4400 wrote to memory of 5096 4400 Cchiaqjm.exe 85 PID 4400 wrote to memory of 5096 4400 Cchiaqjm.exe 85 PID 4400 wrote to memory of 5096 4400 Cchiaqjm.exe 85 PID 5096 wrote to memory of 3904 5096 Cibank32.exe 86 PID 5096 wrote to memory of 3904 5096 Cibank32.exe 86 PID 5096 wrote to memory of 3904 5096 Cibank32.exe 86 PID 3904 wrote to memory of 1436 3904 Cpljkdig.exe 87 PID 3904 wrote to memory of 1436 3904 Cpljkdig.exe 87 PID 3904 wrote to memory of 1436 3904 Cpljkdig.exe 87 PID 1436 wrote to memory of 3768 1436 Ccjfgphj.exe 88 PID 1436 wrote to memory of 3768 1436 Ccjfgphj.exe 88 PID 1436 wrote to memory of 3768 1436 Ccjfgphj.exe 88 PID 3768 wrote to memory of 940 3768 Chgoogfa.exe 89 PID 3768 wrote to memory of 940 3768 Chgoogfa.exe 89 PID 3768 wrote to memory of 940 3768 Chgoogfa.exe 89 PID 940 wrote to memory of 4832 940 Cpofpdgd.exe 90 PID 940 wrote to memory of 4832 940 Cpofpdgd.exe 90 PID 940 wrote to memory of 4832 940 Cpofpdgd.exe 90 PID 4832 wrote to memory of 1152 4832 Capchmmb.exe 91 PID 4832 wrote to memory of 1152 4832 Capchmmb.exe 91 PID 4832 wrote to memory of 1152 4832 Capchmmb.exe 91 PID 1152 wrote to memory of 4768 1152 Digkijmd.exe 92 PID 1152 wrote to memory of 4768 1152 Digkijmd.exe 92 PID 1152 wrote to memory of 4768 1152 Digkijmd.exe 92 PID 4768 wrote to memory of 708 4768 Dlegeemh.exe 93 PID 4768 wrote to memory of 708 4768 Dlegeemh.exe 93 PID 4768 wrote to memory of 708 4768 Dlegeemh.exe 93 PID 708 wrote to memory of 2400 708 Doccaall.exe 94 PID 708 wrote to memory of 2400 708 Doccaall.exe 94 PID 708 wrote to memory of 2400 708 Doccaall.exe 94 PID 2400 wrote to memory of 2100 2400 Dhlhjf32.exe 95 PID 2400 wrote to memory of 2100 2400 Dhlhjf32.exe 95 PID 2400 wrote to memory of 2100 2400 Dhlhjf32.exe 95 PID 2100 wrote to memory of 4316 2100 Dpcpkc32.exe 96 PID 2100 wrote to memory of 4316 2100 Dpcpkc32.exe 96 PID 2100 wrote to memory of 4316 2100 Dpcpkc32.exe 96 PID 4316 wrote to memory of 856 4316 Dephckaf.exe 97 PID 4316 wrote to memory of 856 4316 Dephckaf.exe 97 PID 4316 wrote to memory of 856 4316 Dephckaf.exe 97 PID 856 wrote to memory of 3048 856 Dhnepfpj.exe 98 PID 856 wrote to memory of 3048 856 Dhnepfpj.exe 98 PID 856 wrote to memory of 3048 856 Dhnepfpj.exe 98 PID 3048 wrote to memory of 928 3048 Dpemacql.exe 100 PID 3048 wrote to memory of 928 3048 Dpemacql.exe 100 PID 3048 wrote to memory of 928 3048 Dpemacql.exe 100 PID 928 wrote to memory of 4980 928 Dcdimopp.exe 101 PID 928 wrote to memory of 4980 928 Dcdimopp.exe 101 PID 928 wrote to memory of 4980 928 Dcdimopp.exe 101 PID 4980 wrote to memory of 2656 4980 Dokjbp32.exe 102 PID 4980 wrote to memory of 2656 4980 Dokjbp32.exe 102 PID 4980 wrote to memory of 2656 4980 Dokjbp32.exe 102 PID 2656 wrote to memory of 3612 2656 Daifnk32.exe 103 PID 2656 wrote to memory of 3612 2656 Daifnk32.exe 103 PID 2656 wrote to memory of 3612 2656 Daifnk32.exe 103 PID 3612 wrote to memory of 3696 3612 Dhcnke32.exe 104 PID 3612 wrote to memory of 3696 3612 Dhcnke32.exe 104 PID 3612 wrote to memory of 3696 3612 Dhcnke32.exe 104 PID 3696 wrote to memory of 4732 3696 Ejbkehcg.exe 105 PID 3696 wrote to memory of 4732 3696 Ejbkehcg.exe 105 PID 3696 wrote to memory of 4732 3696 Ejbkehcg.exe 105 PID 4732 wrote to memory of 1808 4732 Eckonn32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe"C:\Users\Admin\AppData\Local\Temp\02ca288657903111a08784c01e5897a5803cd6d27c84e3302baae937f0beb8fd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe23⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3708 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe25⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe26⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe28⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe30⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe31⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe34⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe35⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe36⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe38⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe40⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe42⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe43⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe45⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe46⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe47⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe48⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe49⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe50⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe51⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe52⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe53⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe54⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe55⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe59⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe60⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe63⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe64⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe66⤵PID:2460
-
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe67⤵PID:460
-
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe68⤵PID:1524
-
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe69⤵
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe70⤵PID:3548
-
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe71⤵PID:1252
-
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe73⤵PID:2352
-
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe74⤵PID:1384
-
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe75⤵PID:2820
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe76⤵PID:2444
-
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe77⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe78⤵PID:2004
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe79⤵PID:4076
-
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe80⤵PID:4460
-
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe81⤵PID:4864
-
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe83⤵
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe84⤵PID:4352
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe85⤵PID:2552
-
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe86⤵
- Drops file in System32 directory
PID:3100 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe87⤵PID:1184
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe88⤵PID:4992
-
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe89⤵PID:2804
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe90⤵PID:5152
-
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe91⤵PID:5204
-
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe92⤵PID:5248
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe93⤵PID:5292
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe94⤵PID:5344
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe95⤵PID:5396
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe96⤵PID:5440
-
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe97⤵
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5528 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe99⤵PID:5572
-
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe100⤵PID:5616
-
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe101⤵PID:5660
-
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe102⤵
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe103⤵PID:5748
-
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe104⤵PID:5792
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe105⤵PID:5836
-
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe106⤵PID:5872
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe107⤵PID:5920
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe108⤵
- Modifies registry class
PID:5956 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe110⤵PID:6056
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe111⤵PID:6096
-
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe112⤵PID:5124
-
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe113⤵PID:5192
-
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe114⤵
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe115⤵PID:5332
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe116⤵PID:5428
-
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5524 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe118⤵
- Drops file in System32 directory
PID:5604 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5684 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe120⤵PID:5756
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5820 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe122⤵PID:5880
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-