Analysis
-
max time kernel
148s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 05:54
Behavioral task
behavioral1
Sample
22ec4eeb2695bbfc5798cf572737bfaf327ec9e532d97ae32187fb93d4571e35.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
22ec4eeb2695bbfc5798cf572737bfaf327ec9e532d97ae32187fb93d4571e35.exe
Resource
win10v2004-20240426-en
General
-
Target
22ec4eeb2695bbfc5798cf572737bfaf327ec9e532d97ae32187fb93d4571e35.exe
-
Size
1.3MB
-
MD5
15d30d21974c1ef7e6585adc2d35a950
-
SHA1
698fe5b5785c9ced56a25d3deccba340eec3448e
-
SHA256
22ec4eeb2695bbfc5798cf572737bfaf327ec9e532d97ae32187fb93d4571e35
-
SHA512
aa9c27ff0f7730432d1a104cb8ac2c2e31aa06d77a2a912b6b22aac12f34056c3d09a79fb5d904f11117d5d8cfc012c88b61c01eb074602ab1ecb282357de02e
-
SSDEEP
24576:vvr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:vkB9f0VP91v92W805IPSOdKgzEoxrlQ3
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Danecp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqlefl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabgaklg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nddkgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnhnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqdoboli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Objpoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bejogg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Medgncoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkdhjknm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbdki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcjqinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obfhba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nepgjaeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njciko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agffge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fideeaco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jigollag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njogjfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajhddjfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhihdcbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofjpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkdhjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkllnbjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnohlgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcccfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Laalifad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojjqlpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alfkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjeoglgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocmconhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doqpak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckndeni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abkjdnoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oigllh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000c000000023371-6.dat family_berbew behavioral2/files/0x000700000002341f-15.dat family_berbew behavioral2/files/0x0007000000023421-22.dat family_berbew behavioral2/files/0x0007000000023424-30.dat family_berbew behavioral2/files/0x0007000000023426-38.dat family_berbew behavioral2/files/0x0007000000023428-47.dat family_berbew behavioral2/files/0x000700000002342a-54.dat family_berbew behavioral2/files/0x000700000002342c-64.dat family_berbew behavioral2/files/0x000700000002342e-71.dat family_berbew behavioral2/files/0x0007000000023430-72.dat family_berbew behavioral2/files/0x0007000000023430-79.dat family_berbew behavioral2/files/0x0007000000023432-88.dat family_berbew behavioral2/files/0x000800000002341c-95.dat family_berbew behavioral2/files/0x0007000000023435-102.dat family_berbew behavioral2/files/0x000a000000023377-111.dat family_berbew behavioral2/files/0x0007000000023439-119.dat family_berbew behavioral2/files/0x000700000002343b-127.dat family_berbew behavioral2/files/0x000700000002343d-135.dat family_berbew behavioral2/files/0x0007000000023440-150.dat family_berbew behavioral2/files/0x000b000000023375-143.dat family_berbew behavioral2/files/0x0003000000021e1b-159.dat family_berbew behavioral2/files/0x001b0000000006d1-167.dat family_berbew behavioral2/files/0x0008000000023397-175.dat family_berbew behavioral2/files/0x000a000000023373-182.dat family_berbew behavioral2/files/0x00030000000229cb-191.dat family_berbew behavioral2/files/0x000b00000002338c-210.dat family_berbew behavioral2/files/0x0008000000023395-231.dat family_berbew behavioral2/files/0x000800000002339d-240.dat family_berbew behavioral2/files/0x0007000000023442-246.dat family_berbew behavioral2/files/0x000800000002339d-233.dat family_berbew behavioral2/files/0x0008000000023391-223.dat family_berbew behavioral2/files/0x0007000000023444-249.dat family_berbew behavioral2/files/0x0007000000023444-254.dat family_berbew behavioral2/files/0x0007000000023450-288.dat family_berbew behavioral2/files/0x0007000000023456-305.dat family_berbew behavioral2/files/0x0007000000023462-341.dat family_berbew behavioral2/files/0x000700000002347e-424.dat family_berbew behavioral2/files/0x000700000002348a-462.dat family_berbew behavioral2/files/0x0007000000023494-491.dat family_berbew behavioral2/files/0x0007000000023484-443.dat family_berbew behavioral2/files/0x00070000000234a1-527.dat family_berbew behavioral2/files/0x00070000000234b7-602.dat family_berbew behavioral2/files/0x00070000000234bf-628.dat family_berbew behavioral2/files/0x00070000000234d1-689.dat family_berbew behavioral2/files/0x00070000000234cb-670.dat family_berbew behavioral2/files/0x00070000000234d5-704.dat family_berbew behavioral2/files/0x00070000000234a9-551.dat family_berbew behavioral2/files/0x00070000000234dd-730.dat family_berbew behavioral2/files/0x00070000000234e1-745.dat family_berbew behavioral2/files/0x000700000002349d-515.dat family_berbew behavioral2/files/0x00070000000234e5-759.dat family_berbew behavioral2/files/0x0007000000023480-432.dat family_berbew behavioral2/files/0x00070000000234eb-779.dat family_berbew behavioral2/files/0x0007000000023478-407.dat family_berbew behavioral2/files/0x00070000000234f7-819.dat family_berbew behavioral2/files/0x000700000002345e-329.dat family_berbew behavioral2/files/0x00070000000234fd-839.dat family_berbew behavioral2/files/0x000700000002344e-281.dat family_berbew behavioral2/files/0x0007000000023501-851.dat family_berbew behavioral2/files/0x0007000000023505-865.dat family_berbew behavioral2/files/0x000900000002337c-207.dat family_berbew behavioral2/files/0x000900000002337c-200.dat family_berbew behavioral2/files/0x0009000000023376-199.dat family_berbew behavioral2/files/0x000700000002350f-901.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2340 Fjqgff32.exe 5200 Fcikolnh.exe 5836 Ffggkgmk.exe 6112 Fihqmb32.exe 4968 Fobiilai.exe 796 Gqdbiofi.exe 2012 Gbenqg32.exe 5852 Giofnacd.exe 4972 Giacca32.exe 2772 Gqikdn32.exe 1472 Gbldaffp.exe 508 Gifmnpnl.exe 3452 Hfjmgdlf.exe 2584 Hjhfnccl.exe 5776 Habnjm32.exe 4040 Hjjbcbqj.exe 5764 Haggelfd.exe 2872 Impepm32.exe 3172 Icjmmg32.exe 4620 Ijhodq32.exe 3644 Iabgaklg.exe 6056 Idacmfkj.exe 3732 Iinlemia.exe 4324 Jbhmdbnp.exe 3404 Jaimbj32.exe 5064 Jidbflcj.exe 5376 Jpojcf32.exe 1608 Jfhbppbc.exe 4296 Jigollag.exe 2044 Jmbklj32.exe 2344 Kdopod32.exe 1816 Kgbefoji.exe 4952 Kagichjo.exe 1064 Kdffocib.exe 4804 Kpmfddnf.exe 5812 Kgfoan32.exe 5152 Lmqgnhmp.exe 1116 Lcmofolg.exe 1448 Ldmlpbbj.exe 5700 Lijdhiaa.exe 1656 Laalifad.exe 6024 Ldohebqh.exe 5372 Lkiqbl32.exe 116 Lnhmng32.exe 4856 Lcdegnep.exe 1912 Lklnhlfb.exe 5440 Lcgblncm.exe 4468 Mjqjih32.exe 5340 Mpkbebbf.exe 1868 Mnocof32.exe 5092 Mpmokb32.exe 3184 Mcklgm32.exe 4212 Mjeddggd.exe 5072 Mamleegg.exe 2064 Mdkhapfj.exe 4672 Mgidml32.exe 400 Mncmjfmk.exe 5640 Mpaifalo.exe 5328 Mglack32.exe 2068 Mkgmcjld.exe 5044 Mnfipekh.exe 5480 Nkjjij32.exe 4796 Njljefql.exe 3908 Nqfbaq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kdigadjo.exe Knooej32.exe File opened for modification C:\Windows\SysWOW64\Mmhgmmbf.exe Process not Found File created C:\Windows\SysWOW64\Hicpgc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hejjanpm.exe Process not Found File created C:\Windows\SysWOW64\Aminee32.exe Afoeiklb.exe File opened for modification C:\Windows\SysWOW64\Bchomn32.exe Bmngqdpj.exe File created C:\Windows\SysWOW64\Jhkjmn32.dll Dapkni32.exe File created C:\Windows\SysWOW64\Ncliqp32.dll Ecgcfm32.exe File created C:\Windows\SysWOW64\Leifdf32.dll Aolblopj.exe File opened for modification C:\Windows\SysWOW64\Bhkfkmmg.exe Process not Found File created C:\Windows\SysWOW64\Fkofga32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gihpkd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gmojkj32.exe Gfeaopqo.exe File created C:\Windows\SysWOW64\Leoejh32.exe Process not Found File created C:\Windows\SysWOW64\Mjqjih32.exe Lcgblncm.exe File created C:\Windows\SysWOW64\Chbnia32.exe Cojjqlpk.exe File created C:\Windows\SysWOW64\Cajolcjk.dll Edpnfo32.exe File created C:\Windows\SysWOW64\Fjebhadm.dll Qohpkf32.exe File created C:\Windows\SysWOW64\Pqpgdfnp.exe Pjeoglgc.exe File created C:\Windows\SysWOW64\Ajhddjfn.exe Acnlgp32.exe File opened for modification C:\Windows\SysWOW64\Hjlkge32.exe Hdpbon32.exe File created C:\Windows\SysWOW64\Gejlkojm.dll Bhldpj32.exe File created C:\Windows\SysWOW64\Jjkdlall.exe Process not Found File created C:\Windows\SysWOW64\Pcccfh32.exe Pnfkma32.exe File created C:\Windows\SysWOW64\Ldcadhpd.dll Jpdhkf32.exe File opened for modification C:\Windows\SysWOW64\Lnmkfh32.exe Lgqfdnah.exe File created C:\Windows\SysWOW64\Mpiedk32.dll Process not Found File created C:\Windows\SysWOW64\Jfniqp32.dll Olfghg32.exe File created C:\Windows\SysWOW64\Mjeddggd.exe Mcklgm32.exe File created C:\Windows\SysWOW64\Qecppkdm.exe Pbddcoei.exe File opened for modification C:\Windows\SysWOW64\Deagdn32.exe Dogogcpo.exe File created C:\Windows\SysWOW64\Kfqgab32.exe Kpgodhkd.exe File created C:\Windows\SysWOW64\Jjjfeo32.dll Process not Found File created C:\Windows\SysWOW64\Ilhkigcd.exe Process not Found File created C:\Windows\SysWOW64\Cpnfbohh.dll Pkfblfab.exe File opened for modification C:\Windows\SysWOW64\Gmdjapgb.exe Gjfnedho.exe File opened for modification C:\Windows\SysWOW64\Jidinqpb.exe Process not Found File created C:\Windows\SysWOW64\Lhnhajba.exe Process not Found File created C:\Windows\SysWOW64\Acddcaom.dll Lejgch32.exe File created C:\Windows\SysWOW64\Ekkkoj32.exe Dbbffdlq.exe File created C:\Windows\SysWOW64\Nclbpf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mkepineo.exe Process not Found File created C:\Windows\SysWOW64\Ginahd32.dll Fobiilai.exe File created C:\Windows\SysWOW64\Bnnjen32.exe Blpnib32.exe File created C:\Windows\SysWOW64\Dqbcbkab.exe Process not Found File created C:\Windows\SysWOW64\Blcnqjjo.dll Process not Found File created C:\Windows\SysWOW64\Neqhhf32.dll Dlieda32.exe File opened for modification C:\Windows\SysWOW64\Ngedij32.exe Ndghmo32.exe File opened for modification C:\Windows\SysWOW64\Dfnjafap.exe Ddonekbl.exe File opened for modification C:\Windows\SysWOW64\Mngegmbc.exe Llhikacp.exe File opened for modification C:\Windows\SysWOW64\Oadfkdgd.exe Okjnnj32.exe File created C:\Windows\SysWOW64\Hpfiln32.dll Process not Found File created C:\Windows\SysWOW64\Oehldcbk.dll Bdkcmdhp.exe File created C:\Windows\SysWOW64\Kkbllbmg.dll Pjgebf32.exe File created C:\Windows\SysWOW64\Ldgccb32.exe Lnmkfh32.exe File created C:\Windows\SysWOW64\Ohlqcagj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Onmfimga.exe Process not Found File created C:\Windows\SysWOW64\Hpkknmgd.exe Process not Found File created C:\Windows\SysWOW64\Pbjddh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fjocbhbo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fqikob32.exe Process not Found File created C:\Windows\SysWOW64\Kjejmalo.dll Process not Found File created C:\Windows\SysWOW64\Ofbdncaj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gcagkdba.exe Ghlcnk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npibja32.dll" Ifllil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plhnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bidqko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpiedk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fihqmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knefeffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikejgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gingkqkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihaej32.dll" Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgihfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajdjin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edhjghdk.dll" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmheb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effama32.dll" Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemikcpm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcobhnfc.dll" Pnpemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll" Mpoefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neeqea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhagfo32.dll" Fhdfbfdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidipe32.dll" Ogogoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odednmpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fechok32.dll" Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qkipkani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oenlqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Edjgfcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapmipen.dll" Jjamia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckoph32.dll" Hlambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblnengb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdggmekl.dll" Hfningai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjodaqj.dll" Fnlmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbjkkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hildmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanfno32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobdnbdn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngknngal.dll" Gkhbdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kqfngd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmgkhgl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhmgki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aqkpeopg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iogkekkb.dll" Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljejh32.dll" Kjjiej32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5168 wrote to memory of 2340 5168 22ec4eeb2695bbfc5798cf572737bfaf327ec9e532d97ae32187fb93d4571e35.exe 83 PID 5168 wrote to memory of 2340 5168 22ec4eeb2695bbfc5798cf572737bfaf327ec9e532d97ae32187fb93d4571e35.exe 83 PID 5168 wrote to memory of 2340 5168 22ec4eeb2695bbfc5798cf572737bfaf327ec9e532d97ae32187fb93d4571e35.exe 83 PID 2340 wrote to memory of 5200 2340 Fjqgff32.exe 84 PID 2340 wrote to memory of 5200 2340 Fjqgff32.exe 84 PID 2340 wrote to memory of 5200 2340 Fjqgff32.exe 84 PID 5200 wrote to memory of 5836 5200 Fcikolnh.exe 85 PID 5200 wrote to memory of 5836 5200 Fcikolnh.exe 85 PID 5200 wrote to memory of 5836 5200 Fcikolnh.exe 85 PID 5836 wrote to memory of 6112 5836 Ffggkgmk.exe 86 PID 5836 wrote to memory of 6112 5836 Ffggkgmk.exe 86 PID 5836 wrote to memory of 6112 5836 Ffggkgmk.exe 86 PID 6112 wrote to memory of 4968 6112 Fihqmb32.exe 87 PID 6112 wrote to memory of 4968 6112 Fihqmb32.exe 87 PID 6112 wrote to memory of 4968 6112 Fihqmb32.exe 87 PID 4968 wrote to memory of 796 4968 Fobiilai.exe 88 PID 4968 wrote to memory of 796 4968 Fobiilai.exe 88 PID 4968 wrote to memory of 796 4968 Fobiilai.exe 88 PID 796 wrote to memory of 2012 796 Gqdbiofi.exe 90 PID 796 wrote to memory of 2012 796 Gqdbiofi.exe 90 PID 796 wrote to memory of 2012 796 Gqdbiofi.exe 90 PID 2012 wrote to memory of 5852 2012 Gbenqg32.exe 93 PID 2012 wrote to memory of 5852 2012 Gbenqg32.exe 93 PID 2012 wrote to memory of 5852 2012 Gbenqg32.exe 93 PID 5852 wrote to memory of 4972 5852 Giofnacd.exe 94 PID 5852 wrote to memory of 4972 5852 Giofnacd.exe 94 PID 5852 wrote to memory of 4972 5852 Giofnacd.exe 94 PID 4972 wrote to memory of 2772 4972 Giacca32.exe 95 PID 4972 wrote to memory of 2772 4972 Giacca32.exe 95 PID 4972 wrote to memory of 2772 4972 Giacca32.exe 95 PID 2772 wrote to memory of 1472 2772 Gqikdn32.exe 96 PID 2772 wrote to memory of 1472 2772 Gqikdn32.exe 96 PID 2772 wrote to memory of 1472 2772 Gqikdn32.exe 96 PID 1472 wrote to memory of 508 1472 Gbldaffp.exe 97 PID 1472 wrote to memory of 508 1472 Gbldaffp.exe 97 PID 1472 wrote to memory of 508 1472 Gbldaffp.exe 97 PID 508 wrote to memory of 3452 508 Gifmnpnl.exe 98 PID 508 wrote to memory of 3452 508 Gifmnpnl.exe 98 PID 508 wrote to memory of 3452 508 Gifmnpnl.exe 98 PID 3452 wrote to memory of 2584 3452 Hfjmgdlf.exe 99 PID 3452 wrote to memory of 2584 3452 Hfjmgdlf.exe 99 PID 3452 wrote to memory of 2584 3452 Hfjmgdlf.exe 99 PID 2584 wrote to memory of 5776 2584 Hjhfnccl.exe 100 PID 2584 wrote to memory of 5776 2584 Hjhfnccl.exe 100 PID 2584 wrote to memory of 5776 2584 Hjhfnccl.exe 100 PID 5776 wrote to memory of 4040 5776 Habnjm32.exe 101 PID 5776 wrote to memory of 4040 5776 Habnjm32.exe 101 PID 5776 wrote to memory of 4040 5776 Habnjm32.exe 101 PID 4040 wrote to memory of 5764 4040 Hjjbcbqj.exe 102 PID 4040 wrote to memory of 5764 4040 Hjjbcbqj.exe 102 PID 4040 wrote to memory of 5764 4040 Hjjbcbqj.exe 102 PID 5764 wrote to memory of 2872 5764 Haggelfd.exe 104 PID 5764 wrote to memory of 2872 5764 Haggelfd.exe 104 PID 5764 wrote to memory of 2872 5764 Haggelfd.exe 104 PID 2872 wrote to memory of 3172 2872 Impepm32.exe 105 PID 2872 wrote to memory of 3172 2872 Impepm32.exe 105 PID 2872 wrote to memory of 3172 2872 Impepm32.exe 105 PID 3172 wrote to memory of 4620 3172 Icjmmg32.exe 106 PID 3172 wrote to memory of 4620 3172 Icjmmg32.exe 106 PID 3172 wrote to memory of 4620 3172 Icjmmg32.exe 106 PID 4620 wrote to memory of 3644 4620 Ijhodq32.exe 107 PID 4620 wrote to memory of 3644 4620 Ijhodq32.exe 107 PID 4620 wrote to memory of 3644 4620 Ijhodq32.exe 107 PID 3644 wrote to memory of 6056 3644 Iabgaklg.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\22ec4eeb2695bbfc5798cf572737bfaf327ec9e532d97ae32187fb93d4571e35.exe"C:\Users\Admin\AppData\Local\Temp\22ec4eeb2695bbfc5798cf572737bfaf327ec9e532d97ae32187fb93d4571e35.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5168 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5200 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5836 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6112 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5852 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5776 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5764 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe23⤵
- Executes dropped EXE
PID:6056 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe24⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe25⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe26⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe27⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe28⤵
- Executes dropped EXE
PID:5376 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe29⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe32⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe33⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe34⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe35⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe36⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe37⤵
- Executes dropped EXE
PID:5812 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe38⤵
- Executes dropped EXE
PID:5152 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe39⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe40⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe41⤵
- Executes dropped EXE
PID:5700 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe43⤵
- Executes dropped EXE
PID:6024 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe44⤵
- Executes dropped EXE
PID:5372 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe45⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe46⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe47⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe49⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe50⤵
- Executes dropped EXE
PID:5340 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe51⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe52⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe54⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe55⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe56⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe57⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe58⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe59⤵
- Executes dropped EXE
PID:5640 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe60⤵
- Executes dropped EXE
PID:5328 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe61⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe62⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe63⤵
- Executes dropped EXE
PID:5480 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe64⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe65⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe66⤵PID:5128
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1192 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe69⤵PID:1684
-
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe70⤵PID:1772
-
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe71⤵
- Drops file in System32 directory
PID:5188 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe72⤵PID:4364
-
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe73⤵PID:4704
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe74⤵PID:2444
-
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe75⤵PID:3400
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe76⤵PID:872
-
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe77⤵PID:3244
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe78⤵PID:2004
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe79⤵PID:2312
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe80⤵PID:1528
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe81⤵PID:3608
-
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe83⤵
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe84⤵PID:3748
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe85⤵PID:2352
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1372 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe87⤵PID:5896
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3424 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe89⤵
- Modifies registry class
PID:4100 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe90⤵PID:2592
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe91⤵PID:5724
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe92⤵PID:5172
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe93⤵PID:5556
-
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe94⤵PID:1500
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe95⤵PID:1412
-
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe96⤵
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe97⤵PID:3216
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe98⤵PID:5520
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe99⤵PID:2440
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe100⤵PID:3696
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe101⤵PID:3416
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe102⤵PID:944
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe103⤵PID:3148
-
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe104⤵
- Drops file in System32 directory
PID:3948 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe105⤵PID:3212
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe106⤵
- Drops file in System32 directory
PID:4472 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3868 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe108⤵PID:3220
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe109⤵
- Drops file in System32 directory
PID:4204 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe110⤵PID:3716
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe111⤵PID:3188
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe112⤵PID:5544
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe113⤵PID:860
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe114⤵PID:4328
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe115⤵PID:5612
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5420 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1828 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe118⤵PID:5860
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe119⤵PID:5792
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe120⤵PID:544
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe121⤵PID:3284
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe122⤵PID:5720
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-