Analysis
-
max time kernel
136s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 10:19
Behavioral task
behavioral1
Sample
267659b09c80e1e3ffe5ae18171b75c7f63d5bb1d0bea649b2b285a09acbf30f.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
267659b09c80e1e3ffe5ae18171b75c7f63d5bb1d0bea649b2b285a09acbf30f.exe
Resource
win10v2004-20240508-en
General
-
Target
267659b09c80e1e3ffe5ae18171b75c7f63d5bb1d0bea649b2b285a09acbf30f.exe
-
Size
1.3MB
-
MD5
05d8b967bb46006f19ca9cb2b0828e60
-
SHA1
fd3e9c38a755ce418be3c1ae8bb80c98c11f9dea
-
SHA256
267659b09c80e1e3ffe5ae18171b75c7f63d5bb1d0bea649b2b285a09acbf30f
-
SHA512
4902ca1f98405663def2b9313287f9992ed43b39a1beef92e47875da46092b9e74bf1c38fdd42018268d0b99ddd56cc9728504b140d0b5595b166dfb0f09188d
-
SSDEEP
24576:owvr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:owkB9f0VP91v92W805IPSOdKgzEoxrl0
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpeiioac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnhahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aqkgpedc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeiofcji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqbamo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckjacjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodgkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcmom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddhpjof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clkndpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eleiam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gododflk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpablkhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljofl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddmdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfoiqll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckcgkldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eapedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kefkme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfifmnij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdhhdlid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdhdajea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpmjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Deanodkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogpmjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmgki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbgqohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcagkdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jimekgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qloebdig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qqfmde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfcfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajdbcano.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eamhodmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifefimom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Melnob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndhmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agffge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhpjkojk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alhhhcal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elppfmoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oddmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dldpkoil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkojgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcioiood.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbfkbhpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adapgfqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckcgkldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ickchq32.exe -
Malware Dropper & Backdoor - Berbew 61 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x00070000000232a4-6.dat family_berbew behavioral2/files/0x0007000000023440-15.dat family_berbew behavioral2/files/0x0007000000023442-22.dat family_berbew behavioral2/files/0x0007000000023445-25.dat family_berbew behavioral2/files/0x0007000000023445-31.dat family_berbew behavioral2/files/0x0007000000023447-38.dat family_berbew behavioral2/files/0x0007000000023449-46.dat family_berbew behavioral2/files/0x000700000002344c-49.dat family_berbew behavioral2/files/0x000700000002344e-63.dat family_berbew behavioral2/files/0x000a000000023438-70.dat family_berbew behavioral2/files/0x0007000000023451-79.dat family_berbew behavioral2/files/0x0007000000023453-86.dat family_berbew behavioral2/files/0x0007000000023455-95.dat family_berbew behavioral2/files/0x0007000000023457-102.dat family_berbew behavioral2/files/0x0007000000023459-109.dat family_berbew behavioral2/files/0x000700000002345b-116.dat family_berbew behavioral2/files/0x000700000002345d-123.dat family_berbew behavioral2/files/0x000700000002345f-130.dat family_berbew behavioral2/files/0x0007000000023471-193.dat family_berbew behavioral2/files/0x000700000002347d-235.dat family_berbew behavioral2/files/0x000700000002347b-228.dat family_berbew behavioral2/files/0x0007000000023479-221.dat family_berbew behavioral2/files/0x0007000000023477-214.dat family_berbew behavioral2/files/0x0007000000023475-207.dat family_berbew behavioral2/files/0x0007000000023473-200.dat family_berbew behavioral2/files/0x000700000002346f-186.dat family_berbew behavioral2/files/0x000700000002346d-179.dat family_berbew behavioral2/files/0x000700000002346b-172.dat family_berbew behavioral2/files/0x0007000000023469-165.dat family_berbew behavioral2/files/0x0007000000023467-158.dat family_berbew behavioral2/files/0x0007000000023465-151.dat family_berbew behavioral2/files/0x0007000000023463-144.dat family_berbew behavioral2/files/0x0007000000023461-137.dat family_berbew behavioral2/files/0x000700000002354b-868.dat family_berbew behavioral2/files/0x0007000000023555-899.dat family_berbew behavioral2/files/0x000700000002355d-922.dat family_berbew behavioral2/files/0x000700000002357b-1013.dat family_berbew behavioral2/files/0x0007000000023585-1042.dat family_berbew behavioral2/files/0x000700000002358b-1061.dat family_berbew behavioral2/files/0x000700000002359d-1115.dat family_berbew behavioral2/files/0x00070000000235a9-1151.dat family_berbew behavioral2/files/0x00070000000235c2-1243.dat family_berbew behavioral2/files/0x00070000000235d0-1289.dat family_berbew behavioral2/files/0x00070000000235ef-1387.dat family_berbew behavioral2/files/0x00070000000235f9-1421.dat family_berbew behavioral2/files/0x0007000000023603-1459.dat family_berbew behavioral2/files/0x0007000000023607-1473.dat family_berbew behavioral2/files/0x0007000000023624-1598.dat family_berbew behavioral2/files/0x00090000000233c5-1620.dat family_berbew behavioral2/files/0x000500000001e368-1649.dat family_berbew behavioral2/files/0x000a0000000233c1-1664.dat family_berbew behavioral2/files/0x0007000000023633-1687.dat family_berbew behavioral2/files/0x000700000002364d-1787.dat family_berbew behavioral2/files/0x000700000002365c-1832.dat family_berbew behavioral2/files/0x0007000000023673-1905.dat family_berbew behavioral2/files/0x0007000000023683-1956.dat family_berbew behavioral2/files/0x0007000000023697-2025.dat family_berbew behavioral2/files/0x000700000002369a-2039.dat family_berbew behavioral2/files/0x000700000002369c-2047.dat family_berbew behavioral2/files/0x00070000000236a4-2070.dat family_berbew behavioral2/files/0x00070000000236a8-2084.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3516 Ndkahnhh.exe 2432 Okeieh32.exe 4080 Ondeac32.exe 3824 Oqbamo32.exe 3676 Onmhgb32.exe 316 Oqkdcn32.exe 916 Pcojkhap.exe 4424 Pbpjhp32.exe 1408 Pnfkma32.exe 4952 Pjmlbbdg.exe 1892 Pbddcoei.exe 3972 Qchmagie.exe 4520 Qloebdig.exe 3088 Qnnanphk.exe 2068 Qalnjkgo.exe 3096 Agffge32.exe 3936 Ajdbcano.exe 1452 Abkjdnoa.exe 1640 Aejfpjne.exe 3944 Ahhblemi.exe 3544 Ajfoiqll.exe 4908 Abngjnmo.exe 2152 Aelcfilb.exe 3480 Ahkobekf.exe 1692 Ajiknpjj.exe 1572 Aacckjaf.exe 4020 Adapgfqj.exe 4128 Alhhhcal.exe 1200 Angddopp.exe 2952 Aaepqjpd.exe 3136 Adcmmeog.exe 2412 Alkdnboj.exe 4560 Aniajnnn.exe 4420 Bahmfj32.exe 3404 Bdfibe32.exe 880 Blmacb32.exe 3492 Bnlnon32.exe 5012 Bajjli32.exe 956 Bhdbhcck.exe 984 Bjbndobo.exe 1048 Bbifelba.exe 2172 Behbag32.exe 1400 Bhfonc32.exe 3260 Bjdkjo32.exe 4396 Bblckl32.exe 2516 Bejogg32.exe 3472 Bldgdago.exe 4872 Bobcpmfc.exe 1016 Baaplhef.exe 1404 Bdolhc32.exe 3048 Blfdia32.exe 2836 Boepel32.exe 5044 Cacmah32.exe 3632 Chmeobkq.exe 232 Cklaknjd.exe 2600 Cbcilkjg.exe 4796 Cddecc32.exe 4428 Clkndpag.exe 3604 Cbefaj32.exe 1780 Cecbmf32.exe 4628 Chbnia32.exe 4740 Colffknh.exe 3836 Cajcbgml.exe 4632 Chdkoa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe Chmndlge.exe File created C:\Windows\SysWOW64\Fmjkjk32.dll Cfbkeh32.exe File created C:\Windows\SysWOW64\Kngpec32.dll Dgbdlf32.exe File created C:\Windows\SysWOW64\Ajfoiqll.exe Ahhblemi.exe File opened for modification C:\Windows\SysWOW64\Lbdolh32.exe Lpebpm32.exe File created C:\Windows\SysWOW64\Gbgdlq32.exe Gkmlofol.exe File opened for modification C:\Windows\SysWOW64\Icifbang.exe Iicbehnq.exe File created C:\Windows\SysWOW64\Akmfnc32.dll Aepefb32.exe File created C:\Windows\SysWOW64\Cegdnopg.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Iejcji32.exe Icifbang.exe File opened for modification C:\Windows\SysWOW64\Kdnidn32.exe Kfjhkjle.exe File opened for modification C:\Windows\SysWOW64\Bhhdil32.exe Beihma32.exe File opened for modification C:\Windows\SysWOW64\Megdccmb.exe Mchhggno.exe File opened for modification C:\Windows\SysWOW64\Ocpgod32.exe Olfobjbg.exe File created C:\Windows\SysWOW64\Ncbknfed.exe Mlhbal32.exe File opened for modification C:\Windows\SysWOW64\Cffdpghg.exe Cdhhdlid.exe File created C:\Windows\SysWOW64\Eiecmmbf.dll Lbmhlihl.exe File opened for modification C:\Windows\SysWOW64\Mlhbal32.exe Miifeq32.exe File created C:\Windows\SysWOW64\Chncif32.dll Ehljfnpn.exe File opened for modification C:\Windows\SysWOW64\Fdegandp.exe Fafkecel.exe File opened for modification C:\Windows\SysWOW64\Jpppnp32.exe Jmbdbd32.exe File opened for modification C:\Windows\SysWOW64\Dkjmlk32.exe Dhkapp32.exe File created C:\Windows\SysWOW64\Jbglkbhg.dll Fhcpgmjf.exe File created C:\Windows\SysWOW64\Dlkhie32.dll Ipdqba32.exe File opened for modification C:\Windows\SysWOW64\Bejogg32.exe Bblckl32.exe File created C:\Windows\SysWOW64\Cbcilkjg.exe Cklaknjd.exe File created C:\Windows\SysWOW64\Enfioebm.dll Pjmlbbdg.exe File opened for modification C:\Windows\SysWOW64\Qceiaa32.exe Qqfmde32.exe File created C:\Windows\SysWOW64\Aminee32.exe Ajkaii32.exe File opened for modification C:\Windows\SysWOW64\Hcbpab32.exe Hkkhqd32.exe File created C:\Windows\SysWOW64\Lqnjfo32.dll Qnhahj32.exe File opened for modification C:\Windows\SysWOW64\Cklaknjd.exe Chmeobkq.exe File created C:\Windows\SysWOW64\Dhfajjoj.exe Cegdnopg.exe File opened for modification C:\Windows\SysWOW64\Cajcbgml.exe Colffknh.exe File opened for modification C:\Windows\SysWOW64\Aqppkd32.exe Anadoi32.exe File created C:\Windows\SysWOW64\Oehldcbk.dll Bblckl32.exe File created C:\Windows\SysWOW64\Dhpjkojk.exe Deanodkh.exe File created C:\Windows\SysWOW64\Pfhfan32.exe Pdfjifjo.exe File created C:\Windows\SysWOW64\Aahamf32.dll Aelcfilb.exe File created C:\Windows\SysWOW64\Aniajnnn.exe Alkdnboj.exe File created C:\Windows\SysWOW64\Pnfeqknj.dll Gbgdlq32.exe File created C:\Windows\SysWOW64\Odqjbebh.dll Hmcojh32.exe File created C:\Windows\SysWOW64\Kmmfbg32.dll Ldoaklml.exe File created C:\Windows\SysWOW64\Lllcen32.exe Lebkhc32.exe File created C:\Windows\SysWOW64\Ihidlk32.dll Bmngqdpj.exe File created C:\Windows\SysWOW64\Lpggmhkg.dll Cajlhqjp.exe File created C:\Windows\SysWOW64\Jihdea32.dll Eefhjc32.exe File created C:\Windows\SysWOW64\Lbkdpj32.dll Gkmlofol.exe File created C:\Windows\SysWOW64\Cajolcjk.dll Ecandfpd.exe File opened for modification C:\Windows\SysWOW64\Dmefhako.exe Djgjlelk.exe File opened for modification C:\Windows\SysWOW64\Beihma32.exe Bmbplc32.exe File created C:\Windows\SysWOW64\Aoglcqao.dll Cndikf32.exe File created C:\Windows\SysWOW64\Ghekjiam.dll Chokikeb.exe File opened for modification C:\Windows\SysWOW64\Iicbehnq.exe Ifefimom.exe File created C:\Windows\SysWOW64\Iledokkp.dll Ildkgc32.exe File opened for modification C:\Windows\SysWOW64\Iikhfg32.exe Ifllil32.exe File created C:\Windows\SysWOW64\Lekehdgp.exe Lbmhlihl.exe File opened for modification C:\Windows\SysWOW64\Bobcpmfc.exe Bldgdago.exe File opened for modification C:\Windows\SysWOW64\Gdhmnlcj.exe Gokdeeec.exe File created C:\Windows\SysWOW64\Hecmijim.exe Hcbpab32.exe File opened for modification C:\Windows\SysWOW64\Belebq32.exe Bmemac32.exe File created C:\Windows\SysWOW64\Epbahkcp.dll Fllpbldb.exe File created C:\Windows\SysWOW64\Jmnoof32.dll Gomakdcp.exe File created C:\Windows\SysWOW64\Ahkobekf.exe Aelcfilb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8488 9012 WerFault.exe 413 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qchmagie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpmkplp.dll" Jedeph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll" Mlhbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll" Aeiofcji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aeklkchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alhhhcal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Beglgani.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qalnjkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Docmgjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkdbpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll" Ogpmjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bahmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfmpnfb.dll" Bnlnon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll" Aeklkchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chbnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngknngal.dll" Gododflk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfjhkjle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afhohlbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} 267659b09c80e1e3ffe5ae18171b75c7f63d5bb1d0bea649b2b285a09acbf30f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Okeieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipbdmaah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfmepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphkfg32.dll" Blmacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipenkiei.dll" Ddbbeade.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhbgqohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifllil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klohppck.dll" Chmeobkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll" Bmngqdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeijge32.dll" Angddopp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aelcfilb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfana32.dll" Adcmmeog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cddecc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bldgdago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clbceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbhfjljd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldoaklml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aeniabfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcbihpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dddhpjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipaiqmd.dll" Qloebdig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhgpa32.dll" Eapedd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oqbamo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oqkdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll" Ocpgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckqfbfnl.dll" Bldgdago.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chmeobkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eepjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnhlp32.dll" Jlpkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll" Kdcbom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Calhnpgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dojcgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnchkk32.dll" Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbdolh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmkjkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll" Kfjhkjle.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1772 wrote to memory of 3516 1772 267659b09c80e1e3ffe5ae18171b75c7f63d5bb1d0bea649b2b285a09acbf30f.exe 83 PID 1772 wrote to memory of 3516 1772 267659b09c80e1e3ffe5ae18171b75c7f63d5bb1d0bea649b2b285a09acbf30f.exe 83 PID 1772 wrote to memory of 3516 1772 267659b09c80e1e3ffe5ae18171b75c7f63d5bb1d0bea649b2b285a09acbf30f.exe 83 PID 3516 wrote to memory of 2432 3516 Ndkahnhh.exe 84 PID 3516 wrote to memory of 2432 3516 Ndkahnhh.exe 84 PID 3516 wrote to memory of 2432 3516 Ndkahnhh.exe 84 PID 2432 wrote to memory of 4080 2432 Okeieh32.exe 85 PID 2432 wrote to memory of 4080 2432 Okeieh32.exe 85 PID 2432 wrote to memory of 4080 2432 Okeieh32.exe 85 PID 4080 wrote to memory of 3824 4080 Ondeac32.exe 86 PID 4080 wrote to memory of 3824 4080 Ondeac32.exe 86 PID 4080 wrote to memory of 3824 4080 Ondeac32.exe 86 PID 3824 wrote to memory of 3676 3824 Oqbamo32.exe 87 PID 3824 wrote to memory of 3676 3824 Oqbamo32.exe 87 PID 3824 wrote to memory of 3676 3824 Oqbamo32.exe 87 PID 3676 wrote to memory of 316 3676 Onmhgb32.exe 88 PID 3676 wrote to memory of 316 3676 Onmhgb32.exe 88 PID 3676 wrote to memory of 316 3676 Onmhgb32.exe 88 PID 316 wrote to memory of 916 316 Oqkdcn32.exe 90 PID 316 wrote to memory of 916 316 Oqkdcn32.exe 90 PID 316 wrote to memory of 916 316 Oqkdcn32.exe 90 PID 916 wrote to memory of 4424 916 Pcojkhap.exe 91 PID 916 wrote to memory of 4424 916 Pcojkhap.exe 91 PID 916 wrote to memory of 4424 916 Pcojkhap.exe 91 PID 4424 wrote to memory of 1408 4424 Pbpjhp32.exe 93 PID 4424 wrote to memory of 1408 4424 Pbpjhp32.exe 93 PID 4424 wrote to memory of 1408 4424 Pbpjhp32.exe 93 PID 1408 wrote to memory of 4952 1408 Pnfkma32.exe 94 PID 1408 wrote to memory of 4952 1408 Pnfkma32.exe 94 PID 1408 wrote to memory of 4952 1408 Pnfkma32.exe 94 PID 4952 wrote to memory of 1892 4952 Pjmlbbdg.exe 95 PID 4952 wrote to memory of 1892 4952 Pjmlbbdg.exe 95 PID 4952 wrote to memory of 1892 4952 Pjmlbbdg.exe 95 PID 1892 wrote to memory of 3972 1892 Pbddcoei.exe 96 PID 1892 wrote to memory of 3972 1892 Pbddcoei.exe 96 PID 1892 wrote to memory of 3972 1892 Pbddcoei.exe 96 PID 3972 wrote to memory of 4520 3972 Qchmagie.exe 97 PID 3972 wrote to memory of 4520 3972 Qchmagie.exe 97 PID 3972 wrote to memory of 4520 3972 Qchmagie.exe 97 PID 4520 wrote to memory of 3088 4520 Qloebdig.exe 98 PID 4520 wrote to memory of 3088 4520 Qloebdig.exe 98 PID 4520 wrote to memory of 3088 4520 Qloebdig.exe 98 PID 3088 wrote to memory of 2068 3088 Qnnanphk.exe 99 PID 3088 wrote to memory of 2068 3088 Qnnanphk.exe 99 PID 3088 wrote to memory of 2068 3088 Qnnanphk.exe 99 PID 2068 wrote to memory of 3096 2068 Qalnjkgo.exe 100 PID 2068 wrote to memory of 3096 2068 Qalnjkgo.exe 100 PID 2068 wrote to memory of 3096 2068 Qalnjkgo.exe 100 PID 3096 wrote to memory of 3936 3096 Agffge32.exe 101 PID 3096 wrote to memory of 3936 3096 Agffge32.exe 101 PID 3096 wrote to memory of 3936 3096 Agffge32.exe 101 PID 3936 wrote to memory of 1452 3936 Ajdbcano.exe 102 PID 3936 wrote to memory of 1452 3936 Ajdbcano.exe 102 PID 3936 wrote to memory of 1452 3936 Ajdbcano.exe 102 PID 1452 wrote to memory of 1640 1452 Abkjdnoa.exe 103 PID 1452 wrote to memory of 1640 1452 Abkjdnoa.exe 103 PID 1452 wrote to memory of 1640 1452 Abkjdnoa.exe 103 PID 1640 wrote to memory of 3944 1640 Aejfpjne.exe 104 PID 1640 wrote to memory of 3944 1640 Aejfpjne.exe 104 PID 1640 wrote to memory of 3944 1640 Aejfpjne.exe 104 PID 3944 wrote to memory of 3544 3944 Ahhblemi.exe 105 PID 3944 wrote to memory of 3544 3944 Ahhblemi.exe 105 PID 3944 wrote to memory of 3544 3944 Ahhblemi.exe 105 PID 3544 wrote to memory of 4908 3544 Ajfoiqll.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\267659b09c80e1e3ffe5ae18171b75c7f63d5bb1d0bea649b2b285a09acbf30f.exe"C:\Users\Admin\AppData\Local\Temp\267659b09c80e1e3ffe5ae18171b75c7f63d5bb1d0bea649b2b285a09acbf30f.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe23⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe25⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe26⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe27⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4128 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe31⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:3136 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe34⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4420 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe36⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3492 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe39⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe40⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe41⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe42⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe43⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe44⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe45⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe47⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3472 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe49⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe50⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe51⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe52⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe53⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe54⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3632 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe57⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4796 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe60⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe61⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4628 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4740 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe64⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe65⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4792 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe67⤵PID:2576
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe68⤵PID:3148
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe69⤵
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe70⤵PID:3056
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe71⤵PID:748
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3928 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe73⤵
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe74⤵PID:2908
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe75⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe76⤵PID:2592
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe77⤵PID:5004
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe78⤵
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe79⤵PID:3512
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe80⤵PID:4188
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe83⤵
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe84⤵PID:5264
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe86⤵PID:5336
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe87⤵PID:5372
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe88⤵
- Drops file in System32 directory
PID:5408 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe90⤵PID:5480
-
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5516 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe92⤵PID:5552
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe93⤵PID:5588
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe94⤵PID:5624
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5660 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe96⤵PID:5696
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732 -
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe98⤵PID:5768
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe99⤵PID:5804
-
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe100⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe101⤵PID:5876
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe102⤵
- Drops file in System32 directory
PID:5912 -
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe103⤵
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe104⤵
- Modifies registry class
PID:5984 -
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe105⤵PID:6020
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6056 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe107⤵PID:6092
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe108⤵
- Drops file in System32 directory
PID:6128 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe109⤵PID:3868
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe110⤵PID:3964
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe111⤵
- Drops file in System32 directory
PID:4688 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe112⤵PID:1916
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe114⤵PID:5612
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe115⤵PID:5668
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe116⤵PID:5716
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5764 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5824 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe119⤵PID:4576
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe120⤵PID:5936
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe121⤵
- Drops file in System32 directory
PID:6084 -
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe122⤵
- Drops file in System32 directory
PID:2244
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-