Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 05:54
Behavioral task
behavioral1
Sample
22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223.exe
Resource
win10v2004-20240426-en
General
-
Target
22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223.exe
-
Size
233KB
-
MD5
24c2fc078770466d241362ea91b4a7f0
-
SHA1
c64c90598d82554dde475a703230adc262f01920
-
SHA256
22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223
-
SHA512
0304f7496d17a7acfa3185c2578b30f630bbde68d34afb253eceba0492f3c6dd31bdcb51fca75f32d9b40d376bee7dd4a101cfd29909830dfc81c202c3351e8b
-
SSDEEP
6144:ramCzIJKvaHEDpfRKB3A4U2dga1mcyw7I6BjtCYYs2:bCzIYvakF5WHR1mK7fVtXP2
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmlcmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecphimfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaedgjjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeddggd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehgnbbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Booaodnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbofkbbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Digkijmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhajlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcpllo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceibclgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqaeco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbefoji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbbnhfjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnlkcfni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bikkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dllmfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fckhdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfaloa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgomgee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldlqlgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecdbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkdggmlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibccic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddbqa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blbaihmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbioei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnolfdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhibni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccfmla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgdml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnplghhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epopgbia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apndbici.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phbcfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aogkoedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebeejijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plifll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffbnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haggelfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giofnacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijdeiaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dadlclim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpaifalo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpajh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbqefhpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hippdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbnmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pejddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pecgja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnlkcfni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfdbojmq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibeql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpgdbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laefdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Commqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckhdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmmocpjk.exe -
Malware Dropper & Backdoor - Berbew 55 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000600000002327d-6.dat family_berbew behavioral2/files/0x00070000000233d8-15.dat family_berbew behavioral2/files/0x00070000000233da-22.dat family_berbew behavioral2/files/0x00070000000233dc-30.dat family_berbew behavioral2/files/0x00070000000233de-38.dat family_berbew behavioral2/files/0x00070000000233e0-46.dat family_berbew behavioral2/files/0x00070000000233e2-54.dat family_berbew behavioral2/files/0x00070000000233e4-62.dat family_berbew behavioral2/files/0x00070000000233e6-70.dat family_berbew behavioral2/files/0x00070000000233e8-78.dat family_berbew behavioral2/files/0x00070000000233ea-86.dat family_berbew behavioral2/files/0x00070000000233ec-94.dat family_berbew behavioral2/files/0x00070000000233ee-102.dat family_berbew behavioral2/files/0x00070000000233f0-111.dat family_berbew behavioral2/files/0x00070000000233f2-118.dat family_berbew behavioral2/files/0x00070000000233f4-126.dat family_berbew behavioral2/files/0x00070000000233f6-134.dat family_berbew behavioral2/files/0x00070000000233f8-142.dat family_berbew behavioral2/files/0x00070000000233fb-150.dat family_berbew behavioral2/files/0x00080000000233d4-159.dat family_berbew behavioral2/files/0x00070000000233fe-166.dat family_berbew behavioral2/files/0x0007000000023400-175.dat family_berbew behavioral2/files/0x0007000000023402-182.dat family_berbew behavioral2/files/0x0007000000023404-190.dat family_berbew behavioral2/files/0x0007000000023406-199.dat family_berbew behavioral2/files/0x0007000000023408-206.dat family_berbew behavioral2/files/0x000700000002340a-214.dat family_berbew behavioral2/files/0x000700000002340c-222.dat family_berbew behavioral2/files/0x000700000002340e-230.dat family_berbew behavioral2/files/0x0007000000023410-238.dat family_berbew behavioral2/files/0x0007000000023412-246.dat family_berbew behavioral2/files/0x0007000000023414-254.dat family_berbew behavioral2/files/0x000700000002341a-269.dat family_berbew behavioral2/files/0x000700000002345c-467.dat family_berbew behavioral2/files/0x000700000002347a-566.dat family_berbew behavioral2/files/0x0007000000023497-669.dat family_berbew behavioral2/files/0x00070000000234be-799.dat family_berbew behavioral2/files/0x00070000000234f6-988.dat family_berbew behavioral2/files/0x0007000000023500-1022.dat family_berbew behavioral2/files/0x0007000000023507-1047.dat family_berbew behavioral2/files/0x000700000002350d-1066.dat family_berbew behavioral2/files/0x0007000000023519-1106.dat family_berbew behavioral2/files/0x0007000000023553-1300.dat family_berbew behavioral2/files/0x000700000002356a-1371.dat family_berbew behavioral2/files/0x000700000002356c-1378.dat family_berbew behavioral2/files/0x0007000000023570-1390.dat family_berbew behavioral2/files/0x0007000000023576-1410.dat family_berbew behavioral2/files/0x0007000000023590-1495.dat family_berbew behavioral2/files/0x0007000000023594-1509.dat family_berbew behavioral2/files/0x00070000000235ac-1590.dat family_berbew behavioral2/files/0x00070000000235b0-1604.dat family_berbew behavioral2/files/0x00070000000235b4-1616.dat family_berbew behavioral2/files/0x00070000000235b8-1629.dat family_berbew behavioral2/files/0x00070000000235bc-1642.dat family_berbew behavioral2/files/0x00070000000235c4-1668.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4972 Oniffino.exe 3484 Oecncc32.exe 1160 Obgomgee.exe 1164 Oeekicdi.exe 112 Olocem32.exe 5004 Obikbgbb.exe 3696 Oehgnbbf.exe 3776 Pnplghhf.exe 4500 Pejddb32.exe 2764 Pldlqlgp.exe 4680 Pelaib32.exe 2368 Plfiflen.exe 4472 Peonoaln.exe 1224 Plifll32.exe 4220 Pbbnhfjh.exe 4128 Pimfep32.exe 1136 Pniomgpl.exe 2512 Pecgja32.exe 1500 Phbcfl32.exe 3196 Qnlkcfni.exe 4116 Qiappono.exe 3164 Qpkhmi32.exe 3524 Qbjdiedp.exe 712 Apndbici.exe 424 Ablaodbm.exe 3780 Aifiko32.exe 3244 Aldegj32.exe 3936 Aaanpa32.exe 2344 Ahkflk32.exe 1384 Abqjjd32.exe 4088 Aeoffo32.exe 756 Aogkoedl.exe 2280 Aimoln32.exe 2180 Alkkhi32.exe 4588 Aojhdd32.exe 3360 Aedpaoif.exe 3924 Ahblmjhj.exe 2300 Bpidngil.exe 2920 Bbhqjchp.exe 2040 Befmfngc.exe 3604 Bibigmpl.exe 3056 Blpechop.exe 1544 Booaodnd.exe 2980 Bammlomg.exe 2088 Bidemmnj.exe 4668 Blbaihmn.exe 3276 Boanecla.exe 4884 Baojaoke.exe 3124 Bhibni32.exe 1008 Bpqjofcd.exe 2872 Bbofkbbh.exe 692 Biiohl32.exe 3252 Bhlocipo.exe 3408 Boegpc32.exe 1548 Badcln32.exe 4592 Bikkml32.exe 2768 Clihig32.exe 4140 Cohdebfi.exe 1028 Cafpanem.exe 4164 Ceblbm32.exe 2804 Chphoh32.exe 4788 Cpgqpe32.exe 4508 Ccfmla32.exe 1128 Chbedh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aaanpa32.exe Aldegj32.exe File created C:\Windows\SysWOW64\Cohdebfi.exe Clihig32.exe File opened for modification C:\Windows\SysWOW64\Cohdebfi.exe Clihig32.exe File created C:\Windows\SysWOW64\Cpgqpe32.exe Chphoh32.exe File opened for modification C:\Windows\SysWOW64\Clqnjf32.exe Cakjmm32.exe File created C:\Windows\SysWOW64\Ebaqkk32.dll Ljnnch32.exe File created C:\Windows\SysWOW64\Eofinnkf.exe Eqciba32.exe File created C:\Windows\SysWOW64\Giacca32.exe Gfcgge32.exe File created C:\Windows\SysWOW64\Ceaklo32.dll Hippdo32.exe File created C:\Windows\SysWOW64\Hfkkgo32.dll Ibccic32.exe File created C:\Windows\SysWOW64\Apcngo32.dll Pecgja32.exe File created C:\Windows\SysWOW64\Pgdnljqe.dll Qpkhmi32.exe File created C:\Windows\SysWOW64\Eqciba32.exe Ehlaaddj.exe File opened for modification C:\Windows\SysWOW64\Jfkoeppq.exe Jbocea32.exe File created C:\Windows\SysWOW64\Mglack32.exe Mpaifalo.exe File created C:\Windows\SysWOW64\Lbdfmi32.dll Fckhdk32.exe File created C:\Windows\SysWOW64\Jaedgjjd.exe Iinlemia.exe File opened for modification C:\Windows\SysWOW64\Aeoffo32.exe Abqjjd32.exe File created C:\Windows\SysWOW64\Bgkkkd32.dll Doccaall.exe File created C:\Windows\SysWOW64\Gqpmkibm.dll Dhlhjf32.exe File created C:\Windows\SysWOW64\Elccfc32.exe Ejegjh32.exe File created C:\Windows\SysWOW64\Ebploj32.exe Ecmlcmhe.exe File opened for modification C:\Windows\SysWOW64\Fbqefhpm.exe Fobiilai.exe File created C:\Windows\SysWOW64\Kbmebabl.dll Iiffen32.exe File created C:\Windows\SysWOW64\Jigollag.exe Jbmfoa32.exe File opened for modification C:\Windows\SysWOW64\Ljnnch32.exe Lcdegnep.exe File created C:\Windows\SysWOW64\Mpmokb32.exe Mjcgohig.exe File created C:\Windows\SysWOW64\Agbnmibj.dll Mpmokb32.exe File opened for modification C:\Windows\SysWOW64\Njogjfoj.exe Nqfbaq32.exe File opened for modification C:\Windows\SysWOW64\Oehgnbbf.exe Obikbgbb.exe File opened for modification C:\Windows\SysWOW64\Bidemmnj.exe Bammlomg.exe File opened for modification C:\Windows\SysWOW64\Digkijmd.exe Clckpf32.exe File opened for modification C:\Windows\SysWOW64\Dpcpkc32.exe Dhlhjf32.exe File created C:\Windows\SysWOW64\Ehbccoaj.dll Habnjm32.exe File created C:\Windows\SysWOW64\Jfaloa32.exe Jdcpcf32.exe File created C:\Windows\SysWOW64\Mgghhlhq.exe Mpmokb32.exe File opened for modification C:\Windows\SysWOW64\Pnplghhf.exe Oehgnbbf.exe File created C:\Windows\SysWOW64\Cdmjcikn.dll Qbjdiedp.exe File opened for modification C:\Windows\SysWOW64\Clihig32.exe Bikkml32.exe File created C:\Windows\SysWOW64\Clqnjf32.exe Cakjmm32.exe File opened for modification C:\Windows\SysWOW64\Fmapha32.exe Fjcclf32.exe File created C:\Windows\SysWOW64\Mfogkh32.dll Haggelfd.exe File opened for modification C:\Windows\SysWOW64\Ijfboafl.exe Ibojncfj.exe File created C:\Windows\SysWOW64\Jpaghf32.exe Jigollag.exe File opened for modification C:\Windows\SysWOW64\Ldohebqh.exe Lnepih32.exe File created C:\Windows\SysWOW64\Bikkml32.exe Badcln32.exe File created C:\Windows\SysWOW64\Dcopbp32.exe Doccaall.exe File created C:\Windows\SysWOW64\Fjcclf32.exe Fbllkh32.exe File opened for modification C:\Windows\SysWOW64\Hadkpm32.exe Himcoo32.exe File created C:\Windows\SysWOW64\Dempmq32.dll Icjmmg32.exe File opened for modification C:\Windows\SysWOW64\Iannfk32.exe Iiffen32.exe File opened for modification C:\Windows\SysWOW64\Ffbnph32.exe Ecdbdl32.exe File opened for modification C:\Windows\SysWOW64\Gmmocpjk.exe Giacca32.exe File created C:\Windows\SysWOW64\Mlmpolji.dll Hbhdmd32.exe File created C:\Windows\SysWOW64\Oibbkcok.dll Oehgnbbf.exe File opened for modification C:\Windows\SysWOW64\Aojhdd32.exe Alkkhi32.exe File created C:\Windows\SysWOW64\Hjolnb32.exe Hfcpncdk.exe File opened for modification C:\Windows\SysWOW64\Kgphpo32.exe Kdaldd32.exe File opened for modification C:\Windows\SysWOW64\Phbcfl32.exe Pecgja32.exe File opened for modification C:\Windows\SysWOW64\Aogkoedl.exe Aeoffo32.exe File opened for modification C:\Windows\SysWOW64\Ejlmkgkl.exe Efpajh32.exe File created C:\Windows\SysWOW64\Gddfpk32.dll Fomonm32.exe File opened for modification C:\Windows\SysWOW64\Fobiilai.exe Fmclmabe.exe File created C:\Windows\SysWOW64\Gbajhpfb.dll Gidphq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2844 7804 WerFault.exe 343 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll" Fmclmabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqfooodg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfaloa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jigollag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nggqoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfghpbcp.dll" Olocem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkkkd32.dll" Doccaall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkakml32.dll" Ecmlcmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gidphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll" Kilhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll" Mglack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clqnjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Digkijmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Molpnchg.dll" Abqjjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbocea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bibigmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecphimfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffbnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll" Hfljmdjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pldlqlgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbhqjchp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll" Fijmbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Giofnacd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcdegnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpdfeeb.dll" Bhibni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll" Ffbnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icjmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll" Jaimbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndidbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhibni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjfihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elccfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqdbiofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aifiko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biiohl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fodeolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnnkfbe.dll" Aeoffo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffbnph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hclakimb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hadkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll" Hfcpncdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll" Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejegjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebploj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ficgacna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ficgacna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqaeco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giacca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll" Iannfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijhodq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bammlomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chphoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll" Kdcijcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll" Kgfoan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdpalp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpgdbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jibeql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnapdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpaifalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihpfl32.dll" Eqalmafo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll" Jmkdlkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceblbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebnoikqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll" Gidphq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2484 wrote to memory of 4972 2484 22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223.exe 82 PID 2484 wrote to memory of 4972 2484 22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223.exe 82 PID 2484 wrote to memory of 4972 2484 22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223.exe 82 PID 4972 wrote to memory of 3484 4972 Oniffino.exe 83 PID 4972 wrote to memory of 3484 4972 Oniffino.exe 83 PID 4972 wrote to memory of 3484 4972 Oniffino.exe 83 PID 3484 wrote to memory of 1160 3484 Oecncc32.exe 84 PID 3484 wrote to memory of 1160 3484 Oecncc32.exe 84 PID 3484 wrote to memory of 1160 3484 Oecncc32.exe 84 PID 1160 wrote to memory of 1164 1160 Obgomgee.exe 85 PID 1160 wrote to memory of 1164 1160 Obgomgee.exe 85 PID 1160 wrote to memory of 1164 1160 Obgomgee.exe 85 PID 1164 wrote to memory of 112 1164 Oeekicdi.exe 86 PID 1164 wrote to memory of 112 1164 Oeekicdi.exe 86 PID 1164 wrote to memory of 112 1164 Oeekicdi.exe 86 PID 112 wrote to memory of 5004 112 Olocem32.exe 87 PID 112 wrote to memory of 5004 112 Olocem32.exe 87 PID 112 wrote to memory of 5004 112 Olocem32.exe 87 PID 5004 wrote to memory of 3696 5004 Obikbgbb.exe 88 PID 5004 wrote to memory of 3696 5004 Obikbgbb.exe 88 PID 5004 wrote to memory of 3696 5004 Obikbgbb.exe 88 PID 3696 wrote to memory of 3776 3696 Oehgnbbf.exe 89 PID 3696 wrote to memory of 3776 3696 Oehgnbbf.exe 89 PID 3696 wrote to memory of 3776 3696 Oehgnbbf.exe 89 PID 3776 wrote to memory of 4500 3776 Pnplghhf.exe 90 PID 3776 wrote to memory of 4500 3776 Pnplghhf.exe 90 PID 3776 wrote to memory of 4500 3776 Pnplghhf.exe 90 PID 4500 wrote to memory of 2764 4500 Pejddb32.exe 91 PID 4500 wrote to memory of 2764 4500 Pejddb32.exe 91 PID 4500 wrote to memory of 2764 4500 Pejddb32.exe 91 PID 2764 wrote to memory of 4680 2764 Pldlqlgp.exe 92 PID 2764 wrote to memory of 4680 2764 Pldlqlgp.exe 92 PID 2764 wrote to memory of 4680 2764 Pldlqlgp.exe 92 PID 4680 wrote to memory of 2368 4680 Pelaib32.exe 93 PID 4680 wrote to memory of 2368 4680 Pelaib32.exe 93 PID 4680 wrote to memory of 2368 4680 Pelaib32.exe 93 PID 2368 wrote to memory of 4472 2368 Plfiflen.exe 94 PID 2368 wrote to memory of 4472 2368 Plfiflen.exe 94 PID 2368 wrote to memory of 4472 2368 Plfiflen.exe 94 PID 4472 wrote to memory of 1224 4472 Peonoaln.exe 95 PID 4472 wrote to memory of 1224 4472 Peonoaln.exe 95 PID 4472 wrote to memory of 1224 4472 Peonoaln.exe 95 PID 1224 wrote to memory of 4220 1224 Plifll32.exe 97 PID 1224 wrote to memory of 4220 1224 Plifll32.exe 97 PID 1224 wrote to memory of 4220 1224 Plifll32.exe 97 PID 4220 wrote to memory of 4128 4220 Pbbnhfjh.exe 98 PID 4220 wrote to memory of 4128 4220 Pbbnhfjh.exe 98 PID 4220 wrote to memory of 4128 4220 Pbbnhfjh.exe 98 PID 4128 wrote to memory of 1136 4128 Pimfep32.exe 99 PID 4128 wrote to memory of 1136 4128 Pimfep32.exe 99 PID 4128 wrote to memory of 1136 4128 Pimfep32.exe 99 PID 1136 wrote to memory of 2512 1136 Pniomgpl.exe 100 PID 1136 wrote to memory of 2512 1136 Pniomgpl.exe 100 PID 1136 wrote to memory of 2512 1136 Pniomgpl.exe 100 PID 2512 wrote to memory of 1500 2512 Pecgja32.exe 101 PID 2512 wrote to memory of 1500 2512 Pecgja32.exe 101 PID 2512 wrote to memory of 1500 2512 Pecgja32.exe 101 PID 1500 wrote to memory of 3196 1500 Phbcfl32.exe 102 PID 1500 wrote to memory of 3196 1500 Phbcfl32.exe 102 PID 1500 wrote to memory of 3196 1500 Phbcfl32.exe 102 PID 3196 wrote to memory of 4116 3196 Qnlkcfni.exe 103 PID 3196 wrote to memory of 4116 3196 Qnlkcfni.exe 103 PID 3196 wrote to memory of 4116 3196 Qnlkcfni.exe 103 PID 4116 wrote to memory of 3164 4116 Qiappono.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223.exe"C:\Users\Admin\AppData\Local\Temp\22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Oniffino.exeC:\Windows\system32\Oniffino.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Oecncc32.exeC:\Windows\system32\Oecncc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Obgomgee.exeC:\Windows\system32\Obgomgee.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Oeekicdi.exeC:\Windows\system32\Oeekicdi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Olocem32.exeC:\Windows\system32\Olocem32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Obikbgbb.exeC:\Windows\system32\Obikbgbb.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Oehgnbbf.exeC:\Windows\system32\Oehgnbbf.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Pnplghhf.exeC:\Windows\system32\Pnplghhf.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Pejddb32.exeC:\Windows\system32\Pejddb32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Pldlqlgp.exeC:\Windows\system32\Pldlqlgp.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Pelaib32.exeC:\Windows\system32\Pelaib32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Plfiflen.exeC:\Windows\system32\Plfiflen.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Peonoaln.exeC:\Windows\system32\Peonoaln.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Plifll32.exeC:\Windows\system32\Plifll32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Pbbnhfjh.exeC:\Windows\system32\Pbbnhfjh.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Pimfep32.exeC:\Windows\system32\Pimfep32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Pniomgpl.exeC:\Windows\system32\Pniomgpl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Pecgja32.exeC:\Windows\system32\Pecgja32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Phbcfl32.exeC:\Windows\system32\Phbcfl32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Qnlkcfni.exeC:\Windows\system32\Qnlkcfni.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Qiappono.exeC:\Windows\system32\Qiappono.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Qpkhmi32.exeC:\Windows\system32\Qpkhmi32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Qbjdiedp.exeC:\Windows\system32\Qbjdiedp.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3524 -
C:\Windows\SysWOW64\Apndbici.exeC:\Windows\system32\Apndbici.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Ablaodbm.exeC:\Windows\system32\Ablaodbm.exe26⤵
- Executes dropped EXE
PID:424 -
C:\Windows\SysWOW64\Aifiko32.exeC:\Windows\system32\Aifiko32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3780 -
C:\Windows\SysWOW64\Aldegj32.exeC:\Windows\system32\Aldegj32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3244 -
C:\Windows\SysWOW64\Aaanpa32.exeC:\Windows\system32\Aaanpa32.exe29⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Ahkflk32.exeC:\Windows\system32\Ahkflk32.exe30⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Abqjjd32.exeC:\Windows\system32\Abqjjd32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Aeoffo32.exeC:\Windows\system32\Aeoffo32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4088 -
C:\Windows\SysWOW64\Aogkoedl.exeC:\Windows\system32\Aogkoedl.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Aimoln32.exeC:\Windows\system32\Aimoln32.exe34⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Alkkhi32.exeC:\Windows\system32\Alkkhi32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Aojhdd32.exeC:\Windows\system32\Aojhdd32.exe36⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Aedpaoif.exeC:\Windows\system32\Aedpaoif.exe37⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Ahblmjhj.exeC:\Windows\system32\Ahblmjhj.exe38⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Bpidngil.exeC:\Windows\system32\Bpidngil.exe39⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe41⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe43⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Bammlomg.exeC:\Windows\system32\Bammlomg.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Bidemmnj.exeC:\Windows\system32\Bidemmnj.exe46⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe48⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Baojaoke.exeC:\Windows\system32\Baojaoke.exe49⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Bhibni32.exeC:\Windows\system32\Bhibni32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3124 -
C:\Windows\SysWOW64\Bpqjofcd.exeC:\Windows\system32\Bpqjofcd.exe51⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Bbofkbbh.exeC:\Windows\system32\Bbofkbbh.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Biiohl32.exeC:\Windows\system32\Biiohl32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe54⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe55⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Badcln32.exeC:\Windows\system32\Badcln32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Bikkml32.exeC:\Windows\system32\Bikkml32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4592 -
C:\Windows\SysWOW64\Clihig32.exeC:\Windows\system32\Clihig32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Cohdebfi.exeC:\Windows\system32\Cohdebfi.exe59⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe60⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Ceblbm32.exeC:\Windows\system32\Ceblbm32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:4164 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe63⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe65⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3536 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe67⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe68⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe69⤵PID:2848
-
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3156 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe71⤵
- Drops file in System32 directory
PID:3528 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe74⤵PID:1056
-
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe75⤵
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe76⤵PID:4204
-
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe77⤵PID:3752
-
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:960 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe79⤵PID:2388
-
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe80⤵PID:4516
-
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe81⤵PID:4004
-
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe82⤵PID:2808
-
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1148 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe85⤵PID:436
-
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1060 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe87⤵PID:4256
-
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe88⤵PID:1252
-
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe89⤵
- Modifies registry class
PID:3688 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe91⤵
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3900 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe94⤵
- Modifies registry class
PID:4896 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe95⤵PID:5144
-
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe96⤵PID:5192
-
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe97⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5276 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe99⤵PID:5324
-
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe100⤵
- Drops file in System32 directory
PID:5364 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe101⤵
- Drops file in System32 directory
PID:5404 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe102⤵PID:5452
-
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5496 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5540 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe105⤵PID:5604
-
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe106⤵PID:5660
-
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5728 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5784 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe110⤵PID:5884
-
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe111⤵PID:5956
-
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6008 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe113⤵PID:6076
-
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe114⤵
- Modifies registry class
PID:6128 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe115⤵PID:5184
-
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe116⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe117⤵
- Drops file in System32 directory
PID:5288 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe118⤵
- Drops file in System32 directory
PID:5360 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe119⤵PID:5436
-
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5532 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe121⤵PID:5632
-
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe122⤵
- Drops file in System32 directory
- Modifies registry class
PID:5720
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-