Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 20:43
Behavioral task
behavioral1
Sample
0b1a7fc2087d9577f7c35a94ad7fcb641ae77a0f8e9bf9c21be075a012bf955e.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
0b1a7fc2087d9577f7c35a94ad7fcb641ae77a0f8e9bf9c21be075a012bf955e.exe
Resource
win10v2004-20240226-en
General
-
Target
0b1a7fc2087d9577f7c35a94ad7fcb641ae77a0f8e9bf9c21be075a012bf955e.exe
-
Size
108KB
-
MD5
0c49c2c2dcff67ca691babc79f68b280
-
SHA1
30f7c93f0c5fa03d2b6d337e8e1e7c075fec7486
-
SHA256
0b1a7fc2087d9577f7c35a94ad7fcb641ae77a0f8e9bf9c21be075a012bf955e
-
SHA512
821e543ca28750d00b08ebbfa51d167921064d72a93eaf704a6a497ba71ccd87868d4e02396d24afe29d1b69a27cf30045a2f5fc70e54f53e5862db82a5d3681
-
SSDEEP
3072:VkNKM783Ru7NYMOVUjmOiBn3w8BdTj2h3K:6y+i6jVu3w8BdTj2VK
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elhnhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioqohb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iandjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndphpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbeip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agmehamp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmebnpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqfahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbekgknb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hikfbeod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mciokcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkgeao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcfkiock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kolaqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhcdlgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjiloqjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkdlkope.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkkop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmioicek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdmifip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgggockk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiodha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paaidf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljoboloa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfaafej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlofcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kccbjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmpddfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foqdem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkbka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffggdmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfjnhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpmfpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Angleokb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aofemaog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diafqi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapbodql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihndgmdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmmdjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgiiiidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmdmpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijjnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nicjaino.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipalpoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feella32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onjmjegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggkifmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpkliaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnehdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efhjjcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmomgoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkhkflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fomohc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmgdaokh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipalpoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dehnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njceqili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olqqdo32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/3176-0-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0008000000023250-6.dat family_berbew behavioral2/memory/5008-7-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0008000000023255-14.dat family_berbew behavioral2/memory/4016-15-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023257-22.dat family_berbew behavioral2/memory/4380-23-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002325a-30.dat family_berbew behavioral2/memory/4356-31-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002325c-38.dat family_berbew behavioral2/memory/3404-39-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002325e-41.dat family_berbew behavioral2/memory/1560-48-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023260-54.dat family_berbew behavioral2/memory/1160-55-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023262-62.dat family_berbew behavioral2/memory/2680-63-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023264-70.dat family_berbew behavioral2/memory/2132-71-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023266-78.dat family_berbew behavioral2/memory/1624-79-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023268-81.dat family_berbew behavioral2/memory/2584-87-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002326a-94.dat family_berbew behavioral2/memory/3820-96-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002326c-102.dat family_berbew behavioral2/memory/2404-103-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002326e-105.dat family_berbew behavioral2/memory/1252-111-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023270-118.dat family_berbew behavioral2/memory/1576-120-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023272-126.dat family_berbew behavioral2/memory/5028-127-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023274-134.dat family_berbew behavioral2/memory/792-135-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023276-138.dat family_berbew behavioral2/memory/4460-143-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023278-150.dat family_berbew behavioral2/memory/3344-152-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002327a-158.dat family_berbew behavioral2/memory/4488-159-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002327c-166.dat family_berbew behavioral2/memory/5084-168-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002327e-174.dat family_berbew behavioral2/memory/4692-176-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023280-182.dat family_berbew behavioral2/memory/3544-184-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023282-190.dat family_berbew behavioral2/memory/5016-192-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023284-193.dat family_berbew behavioral2/memory/3932-200-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023286-202.dat family_berbew behavioral2/memory/1320-208-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023288-214.dat family_berbew behavioral2/memory/884-215-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002328a-222.dat family_berbew behavioral2/memory/3616-223-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002328c-230.dat family_berbew behavioral2/memory/3340-232-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002328e-233.dat family_berbew behavioral2/memory/3888-239-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023290-246.dat family_berbew behavioral2/memory/5060-247-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023292-254.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 5008 Gmfplibd.exe 4016 Hfaajnfb.exe 4380 Hlepcdoa.exe 4356 Ibaeen32.exe 3404 Iohejo32.exe 1560 Imkbnf32.exe 1160 Iibccgep.exe 2680 Jmbhoeid.exe 2132 Jlgepanl.exe 1624 Jcdjbk32.exe 2584 Jedccfqg.exe 3820 Knnhjcog.exe 2404 Kgiiiidd.exe 1252 Klhnfo32.exe 1576 Lcdciiec.exe 5028 Ljqhkckn.exe 792 Mokmdh32.exe 4460 Nmbjcljl.exe 3344 Njjdho32.exe 4488 Ppgegd32.exe 5084 Pjbcplpe.exe 4692 Qacameaj.exe 3544 Aknbkjfh.exe 5016 Amnlme32.exe 3932 Bhhiemoj.exe 1320 Bacjdbch.exe 884 Cglbhhga.exe 3616 Caageq32.exe 3340 Cgqlcg32.exe 3888 Dahmfpap.exe 5060 Ddkbmj32.exe 3944 Ekjded32.exe 968 Edeeci32.exe 2112 Eqlfhjig.exe 1708 Fnbcgn32.exe 1628 Fndpmndl.exe 456 Fofilp32.exe 764 Gihpkd32.exe 3624 Gbbajjlp.exe 2348 Hnlodjpa.exe 2864 Hlppno32.exe 2444 Jaonbc32.exe 2016 Jlikkkhn.exe 1228 Kplmliko.exe 3324 Koajmepf.exe 4888 Klggli32.exe 3220 Llnnmhfe.exe 212 Lancko32.exe 1836 Lcmodajm.exe 1656 Mpclce32.exe 1640 Mljmhflh.exe 3604 Mhanngbl.exe 2344 Mlofcf32.exe 4588 Njbgmjgl.exe 4860 Ncmhko32.exe 4708 Ncbafoge.exe 4592 Nmjfodne.exe 4320 Pcpnhl32.exe 2216 Pbekii32.exe 2152 Pfccogfc.exe 464 Pcgdhkem.exe 3732 Qpbnhl32.exe 4872 Amfobp32.exe 1544 Abcgjg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jaonbc32.exe Hlppno32.exe File opened for modification C:\Windows\SysWOW64\Ndjcne32.exe Nmpkakak.exe File opened for modification C:\Windows\SysWOW64\Ppgeff32.exe Peaahmcd.exe File created C:\Windows\SysWOW64\Lqdcio32.exe Lglopjkg.exe File opened for modification C:\Windows\SysWOW64\Mhihkjfj.exe Mbpoop32.exe File created C:\Windows\SysWOW64\Fpopekeb.dll Ecoaijio.exe File opened for modification C:\Windows\SysWOW64\Pmdpok32.exe Pfjgbapo.exe File created C:\Windows\SysWOW64\Kolahq32.dll Gmggac32.exe File created C:\Windows\SysWOW64\Ogljcokf.exe Odnngclb.exe File opened for modification C:\Windows\SysWOW64\Odljjo32.exe Okceaikl.exe File opened for modification C:\Windows\SysWOW64\Dfnbbg32.exe Dlcaca32.exe File created C:\Windows\SysWOW64\Fdpnbald.dll Niihlkdm.exe File created C:\Windows\SysWOW64\Jjlmcilb.dll Dijppjfd.exe File opened for modification C:\Windows\SysWOW64\Jjgcgo32.exe Jcmkjeko.exe File opened for modification C:\Windows\SysWOW64\Kplmliko.exe Jlikkkhn.exe File created C:\Windows\SysWOW64\Jomeoggk.exe Jjpmfpid.exe File opened for modification C:\Windows\SysWOW64\Jcmkjeko.exe Jjefao32.exe File created C:\Windows\SysWOW64\Ilpfgg32.exe Ikpjmd32.exe File created C:\Windows\SysWOW64\Jmpnppap.exe Jdhigk32.exe File opened for modification C:\Windows\SysWOW64\Agmehamp.exe Afkipi32.exe File created C:\Windows\SysWOW64\Paaidf32.exe Pgkegn32.exe File opened for modification C:\Windows\SysWOW64\Bkepeaaa.exe Bgggockk.exe File opened for modification C:\Windows\SysWOW64\Ipqnknld.exe Idjmfmgp.exe File opened for modification C:\Windows\SysWOW64\Odnngclb.exe Onceji32.exe File created C:\Windows\SysWOW64\Ldpbaelj.dll Iqgjmg32.exe File created C:\Windows\SysWOW64\Haapme32.dll Aqfolqna.exe File opened for modification C:\Windows\SysWOW64\Celgjlpn.exe Cjfclcpg.exe File created C:\Windows\SysWOW64\Bleoga32.dll Kdeghfhj.exe File created C:\Windows\SysWOW64\Mgjkag32.exe Mqpcdn32.exe File created C:\Windows\SysWOW64\Ggilgn32.exe Geipnl32.exe File created C:\Windows\SysWOW64\Omnpee32.dll Gimjag32.exe File created C:\Windows\SysWOW64\Pqkdmc32.exe Pjalpida.exe File created C:\Windows\SysWOW64\Fgijkgeh.exe Edcgnmml.exe File opened for modification C:\Windows\SysWOW64\Cbiabq32.exe Cgcmeh32.exe File created C:\Windows\SysWOW64\Dbgndoho.exe Dlmegd32.exe File opened for modification C:\Windows\SysWOW64\Kfggbope.exe Kicfijal.exe File created C:\Windows\SysWOW64\Nidlpi32.dll Agfnhf32.exe File created C:\Windows\SysWOW64\Fofilp32.exe Fndpmndl.exe File opened for modification C:\Windows\SysWOW64\Labkempb.exe Lcnkli32.exe File created C:\Windows\SysWOW64\Gjqgfmbl.dll Nibbklke.exe File opened for modification C:\Windows\SysWOW64\Pnbifmla.exe Phhpic32.exe File created C:\Windows\SysWOW64\Gibpcnbo.dll Anfmeldl.exe File created C:\Windows\SysWOW64\Kdaocnnj.dll Hkaqgjme.exe File opened for modification C:\Windows\SysWOW64\Ijfbhflj.exe Ipqnknld.exe File created C:\Windows\SysWOW64\Amikgpcc.exe Abcgjg32.exe File created C:\Windows\SysWOW64\Mjkmck32.dll Fehplggn.exe File created C:\Windows\SysWOW64\Fjoonj32.dll Hikkdc32.exe File created C:\Windows\SysWOW64\Mlghfp32.dll Cqfahh32.exe File opened for modification C:\Windows\SysWOW64\Cfbcfh32.exe Cohkinob.exe File created C:\Windows\SysWOW64\Cljomc32.exe Cfpfqiha.exe File created C:\Windows\SysWOW64\Jaonbc32.exe Hlppno32.exe File created C:\Windows\SysWOW64\Ihaidhgf.exe Hjdedepg.exe File created C:\Windows\SysWOW64\Hcbpme32.exe Hnehdo32.exe File created C:\Windows\SysWOW64\Bmhibi32.exe Bglpjb32.exe File opened for modification C:\Windows\SysWOW64\Ecjpfp32.exe Dnmgni32.exe File opened for modification C:\Windows\SysWOW64\Okkidceh.exe Oilmhhfd.exe File opened for modification C:\Windows\SysWOW64\Hmolbene.exe Gpkliaol.exe File created C:\Windows\SysWOW64\Hgocgjgk.exe Gkalbj32.exe File created C:\Windows\SysWOW64\Higpgk32.dll Kfidgk32.exe File opened for modification C:\Windows\SysWOW64\Fbjjkble.exe Elnehifk.exe File opened for modification C:\Windows\SysWOW64\Ccfcpm32.exe Cllkcbnl.exe File opened for modification C:\Windows\SysWOW64\Iodaikfl.exe Idonlbff.exe File created C:\Windows\SysWOW64\Lfjkngdo.dll Jfjakgpa.exe File created C:\Windows\SysWOW64\Qhddgofo.exe Qnopjfgi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8724 2472 WerFault.exe 840 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odnngclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjamhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhdilold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbikenl.dll" Okfbgiij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkfkng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giokid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcpnhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bblcfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhpheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplcjb32.dll" Ppoijn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmomgoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libadidb.dll" Acbhhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgogm32.dll" Haeino32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odljjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgemahmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonnnh32.dll" Hkgnalep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epgpajdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmnjan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogjpld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kifjip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Angleokb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcicma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhmhiaka.dll" Njceqili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdclcmba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfhgfaha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apbngn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppgegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcgdmeb.dll" Dfcqod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjodhbii.dll" Jcnbekok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpbkiog.dll" Bojhnjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnqgek32.dll" Jjmhie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklfho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpbnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogimj32.dll" Laiafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 0b1a7fc2087d9577f7c35a94ad7fcb641ae77a0f8e9bf9c21be075a012bf955e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdahdiml.dll" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhgheg.dll" Knmkak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlafhkfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njfafhjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cadcfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiaahllb.dll" Blabakle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chnlbndj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doidql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imnoni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhqkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfppe32.dll" Mboqnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obafjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkchf32.dll" Bgkipl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dehnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pibfhink.dll" Olgnnqpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhmfba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kccbjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkjhfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipqnknld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaaljg32.dll" Jfgnka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikmbibc.dll" Clohhbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfqgkgc.dll" Hgmebnpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djmima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foaeccgp.dll" Ejdonq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iehkefih.dll" Kfcdaehf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpahpn32.dll" Mgbnfb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3176 wrote to memory of 5008 3176 0b1a7fc2087d9577f7c35a94ad7fcb641ae77a0f8e9bf9c21be075a012bf955e.exe 92 PID 3176 wrote to memory of 5008 3176 0b1a7fc2087d9577f7c35a94ad7fcb641ae77a0f8e9bf9c21be075a012bf955e.exe 92 PID 3176 wrote to memory of 5008 3176 0b1a7fc2087d9577f7c35a94ad7fcb641ae77a0f8e9bf9c21be075a012bf955e.exe 92 PID 5008 wrote to memory of 4016 5008 Gmfplibd.exe 93 PID 5008 wrote to memory of 4016 5008 Gmfplibd.exe 93 PID 5008 wrote to memory of 4016 5008 Gmfplibd.exe 93 PID 4016 wrote to memory of 4380 4016 Hfaajnfb.exe 94 PID 4016 wrote to memory of 4380 4016 Hfaajnfb.exe 94 PID 4016 wrote to memory of 4380 4016 Hfaajnfb.exe 94 PID 4380 wrote to memory of 4356 4380 Hlepcdoa.exe 95 PID 4380 wrote to memory of 4356 4380 Hlepcdoa.exe 95 PID 4380 wrote to memory of 4356 4380 Hlepcdoa.exe 95 PID 4356 wrote to memory of 3404 4356 Ibaeen32.exe 96 PID 4356 wrote to memory of 3404 4356 Ibaeen32.exe 96 PID 4356 wrote to memory of 3404 4356 Ibaeen32.exe 96 PID 3404 wrote to memory of 1560 3404 Iohejo32.exe 97 PID 3404 wrote to memory of 1560 3404 Iohejo32.exe 97 PID 3404 wrote to memory of 1560 3404 Iohejo32.exe 97 PID 1560 wrote to memory of 1160 1560 Imkbnf32.exe 98 PID 1560 wrote to memory of 1160 1560 Imkbnf32.exe 98 PID 1560 wrote to memory of 1160 1560 Imkbnf32.exe 98 PID 1160 wrote to memory of 2680 1160 Iibccgep.exe 99 PID 1160 wrote to memory of 2680 1160 Iibccgep.exe 99 PID 1160 wrote to memory of 2680 1160 Iibccgep.exe 99 PID 2680 wrote to memory of 2132 2680 Jmbhoeid.exe 100 PID 2680 wrote to memory of 2132 2680 Jmbhoeid.exe 100 PID 2680 wrote to memory of 2132 2680 Jmbhoeid.exe 100 PID 2132 wrote to memory of 1624 2132 Jlgepanl.exe 101 PID 2132 wrote to memory of 1624 2132 Jlgepanl.exe 101 PID 2132 wrote to memory of 1624 2132 Jlgepanl.exe 101 PID 1624 wrote to memory of 2584 1624 Jcdjbk32.exe 102 PID 1624 wrote to memory of 2584 1624 Jcdjbk32.exe 102 PID 1624 wrote to memory of 2584 1624 Jcdjbk32.exe 102 PID 2584 wrote to memory of 3820 2584 Jedccfqg.exe 103 PID 2584 wrote to memory of 3820 2584 Jedccfqg.exe 103 PID 2584 wrote to memory of 3820 2584 Jedccfqg.exe 103 PID 3820 wrote to memory of 2404 3820 Knnhjcog.exe 104 PID 3820 wrote to memory of 2404 3820 Knnhjcog.exe 104 PID 3820 wrote to memory of 2404 3820 Knnhjcog.exe 104 PID 2404 wrote to memory of 1252 2404 Kgiiiidd.exe 105 PID 2404 wrote to memory of 1252 2404 Kgiiiidd.exe 105 PID 2404 wrote to memory of 1252 2404 Kgiiiidd.exe 105 PID 1252 wrote to memory of 1576 1252 Klhnfo32.exe 106 PID 1252 wrote to memory of 1576 1252 Klhnfo32.exe 106 PID 1252 wrote to memory of 1576 1252 Klhnfo32.exe 106 PID 1576 wrote to memory of 5028 1576 Lcdciiec.exe 107 PID 1576 wrote to memory of 5028 1576 Lcdciiec.exe 107 PID 1576 wrote to memory of 5028 1576 Lcdciiec.exe 107 PID 5028 wrote to memory of 792 5028 Ljqhkckn.exe 108 PID 5028 wrote to memory of 792 5028 Ljqhkckn.exe 108 PID 5028 wrote to memory of 792 5028 Ljqhkckn.exe 108 PID 792 wrote to memory of 4460 792 Mokmdh32.exe 109 PID 792 wrote to memory of 4460 792 Mokmdh32.exe 109 PID 792 wrote to memory of 4460 792 Mokmdh32.exe 109 PID 4460 wrote to memory of 3344 4460 Nmbjcljl.exe 110 PID 4460 wrote to memory of 3344 4460 Nmbjcljl.exe 110 PID 4460 wrote to memory of 3344 4460 Nmbjcljl.exe 110 PID 3344 wrote to memory of 4488 3344 Njjdho32.exe 111 PID 3344 wrote to memory of 4488 3344 Njjdho32.exe 111 PID 3344 wrote to memory of 4488 3344 Njjdho32.exe 111 PID 4488 wrote to memory of 5084 4488 Ppgegd32.exe 112 PID 4488 wrote to memory of 5084 4488 Ppgegd32.exe 112 PID 4488 wrote to memory of 5084 4488 Ppgegd32.exe 112 PID 5084 wrote to memory of 4692 5084 Pjbcplpe.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b1a7fc2087d9577f7c35a94ad7fcb641ae77a0f8e9bf9c21be075a012bf955e.exe"C:\Users\Admin\AppData\Local\Temp\0b1a7fc2087d9577f7c35a94ad7fcb641ae77a0f8e9bf9c21be075a012bf955e.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Hfaajnfb.exeC:\Windows\system32\Hfaajnfb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Iohejo32.exeC:\Windows\system32\Iohejo32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Imkbnf32.exeC:\Windows\system32\Imkbnf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Jmbhoeid.exeC:\Windows\system32\Jmbhoeid.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Jlgepanl.exeC:\Windows\system32\Jlgepanl.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Jcdjbk32.exeC:\Windows\system32\Jcdjbk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Jedccfqg.exeC:\Windows\system32\Jedccfqg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Lcdciiec.exeC:\Windows\system32\Lcdciiec.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Ljqhkckn.exeC:\Windows\system32\Ljqhkckn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Nmbjcljl.exeC:\Windows\system32\Nmbjcljl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Ppgegd32.exeC:\Windows\system32\Ppgegd32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe24⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe25⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe26⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe27⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Cglbhhga.exeC:\Windows\system32\Cglbhhga.exe28⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Caageq32.exeC:\Windows\system32\Caageq32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Cgqlcg32.exeC:\Windows\system32\Cgqlcg32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Dahmfpap.exeC:\Windows\system32\Dahmfpap.exe31⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Ddkbmj32.exeC:\Windows\system32\Ddkbmj32.exe32⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Ekjded32.exeC:\Windows\system32\Ekjded32.exe33⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe34⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe35⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Fnbcgn32.exeC:\Windows\system32\Fnbcgn32.exe36⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Fofilp32.exeC:\Windows\system32\Fofilp32.exe38⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe39⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe40⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Hnlodjpa.exeC:\Windows\system32\Hnlodjpa.exe41⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Hlppno32.exeC:\Windows\system32\Hlppno32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe43⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Jlikkkhn.exeC:\Windows\system32\Jlikkkhn.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Kplmliko.exeC:\Windows\system32\Kplmliko.exe45⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Koajmepf.exeC:\Windows\system32\Koajmepf.exe46⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Klggli32.exeC:\Windows\system32\Klggli32.exe47⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe48⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Lancko32.exeC:\Windows\system32\Lancko32.exe49⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Lcmodajm.exeC:\Windows\system32\Lcmodajm.exe50⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Mpclce32.exeC:\Windows\system32\Mpclce32.exe51⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Mljmhflh.exeC:\Windows\system32\Mljmhflh.exe52⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Mhanngbl.exeC:\Windows\system32\Mhanngbl.exe53⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Mlofcf32.exeC:\Windows\system32\Mlofcf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Njbgmjgl.exeC:\Windows\system32\Njbgmjgl.exe55⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Ncmhko32.exeC:\Windows\system32\Ncmhko32.exe56⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Ncbafoge.exeC:\Windows\system32\Ncbafoge.exe57⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Nmjfodne.exeC:\Windows\system32\Nmjfodne.exe58⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:4320 -
C:\Windows\SysWOW64\Pbekii32.exeC:\Windows\system32\Pbekii32.exe60⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe61⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Pcgdhkem.exeC:\Windows\system32\Pcgdhkem.exe62⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Qpbnhl32.exeC:\Windows\system32\Qpbnhl32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3732 -
C:\Windows\SysWOW64\Amfobp32.exeC:\Windows\system32\Amfobp32.exe64⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Amikgpcc.exeC:\Windows\system32\Amikgpcc.exe66⤵PID:4224
-
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe67⤵PID:2432
-
C:\Windows\SysWOW64\Adepji32.exeC:\Windows\system32\Adepji32.exe68⤵PID:1536
-
C:\Windows\SysWOW64\Banjnm32.exeC:\Windows\system32\Banjnm32.exe69⤵PID:2128
-
C:\Windows\SysWOW64\Bapgdm32.exeC:\Windows\system32\Bapgdm32.exe70⤵PID:4916
-
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe71⤵PID:3000
-
C:\Windows\SysWOW64\Bpjmph32.exeC:\Windows\system32\Bpjmph32.exe72⤵PID:3152
-
C:\Windows\SysWOW64\Cmpjoloh.exeC:\Windows\system32\Cmpjoloh.exe73⤵PID:3508
-
C:\Windows\SysWOW64\Dggkipii.exeC:\Windows\system32\Dggkipii.exe74⤵PID:3268
-
C:\Windows\SysWOW64\Dalofi32.exeC:\Windows\system32\Dalofi32.exe75⤵PID:4976
-
C:\Windows\SysWOW64\Dncpkjoc.exeC:\Windows\system32\Dncpkjoc.exe76⤵PID:4856
-
C:\Windows\SysWOW64\Dcphdqmj.exeC:\Windows\system32\Dcphdqmj.exe77⤵PID:3364
-
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4316 -
C:\Windows\SysWOW64\Gjaphgpl.exeC:\Windows\system32\Gjaphgpl.exe79⤵PID:4896
-
C:\Windows\SysWOW64\Gkalbj32.exeC:\Windows\system32\Gkalbj32.exe80⤵
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Hgocgjgk.exeC:\Windows\system32\Hgocgjgk.exe81⤵PID:4384
-
C:\Windows\SysWOW64\Hjdedepg.exeC:\Windows\system32\Hjdedepg.exe82⤵
- Drops file in System32 directory
PID:5148 -
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe83⤵PID:5192
-
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe84⤵PID:5236
-
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe85⤵PID:5288
-
C:\Windows\SysWOW64\Kehojiej.exeC:\Windows\system32\Kehojiej.exe86⤵PID:5336
-
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe87⤵PID:5380
-
C:\Windows\SysWOW64\Mllccpfj.exeC:\Windows\system32\Mllccpfj.exe88⤵PID:5424
-
C:\Windows\SysWOW64\Namegfql.exeC:\Windows\system32\Namegfql.exe89⤵PID:5468
-
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe90⤵PID:5516
-
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe91⤵PID:5560
-
C:\Windows\SysWOW64\Okailj32.exeC:\Windows\system32\Okailj32.exe92⤵PID:5604
-
C:\Windows\SysWOW64\Okceaikl.exeC:\Windows\system32\Okceaikl.exe93⤵
- Drops file in System32 directory
PID:5648 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe94⤵
- Modifies registry class
PID:5692 -
C:\Windows\SysWOW64\Okfbgiij.exeC:\Windows\system32\Okfbgiij.exe95⤵
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Oflfdbip.exeC:\Windows\system32\Oflfdbip.exe96⤵PID:5784
-
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe97⤵PID:5824
-
C:\Windows\SysWOW64\Pbimjb32.exeC:\Windows\system32\Pbimjb32.exe98⤵PID:5872
-
C:\Windows\SysWOW64\Pbljoafi.exeC:\Windows\system32\Pbljoafi.exe99⤵PID:5916
-
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe100⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Abpcja32.exeC:\Windows\system32\Abpcja32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6004 -
C:\Windows\SysWOW64\Afnlpohj.exeC:\Windows\system32\Afnlpohj.exe102⤵PID:6048
-
C:\Windows\SysWOW64\Afceko32.exeC:\Windows\system32\Afceko32.exe103⤵PID:6088
-
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe104⤵PID:6136
-
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe105⤵
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe106⤵PID:5212
-
C:\Windows\SysWOW64\Bemlhj32.exeC:\Windows\system32\Bemlhj32.exe107⤵PID:5324
-
C:\Windows\SysWOW64\Bpbpecen.exeC:\Windows\system32\Bpbpecen.exe108⤵PID:5364
-
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe109⤵PID:5464
-
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe110⤵PID:5528
-
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe111⤵PID:5616
-
C:\Windows\SysWOW64\Cmdmpe32.exeC:\Windows\system32\Cmdmpe32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5756 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe113⤵
- Drops file in System32 directory
PID:5812 -
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe114⤵
- Drops file in System32 directory
PID:4144 -
C:\Windows\SysWOW64\Fgijkgeh.exeC:\Windows\system32\Fgijkgeh.exe115⤵PID:6000
-
C:\Windows\SysWOW64\Hnehdo32.exeC:\Windows\system32\Hnehdo32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6072 -
C:\Windows\SysWOW64\Hcbpme32.exeC:\Windows\system32\Hcbpme32.exe117⤵PID:4276
-
C:\Windows\SysWOW64\Hgpibdam.exeC:\Windows\system32\Hgpibdam.exe118⤵PID:5268
-
C:\Windows\SysWOW64\Incdem32.exeC:\Windows\system32\Incdem32.exe119⤵PID:5552
-
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe120⤵
- Drops file in System32 directory
PID:5480 -
C:\Windows\SysWOW64\Jnfjbj32.exeC:\Windows\system32\Jnfjbj32.exe121⤵PID:5700
-
C:\Windows\SysWOW64\Kccbjq32.exeC:\Windows\system32\Kccbjq32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-