Analysis
-
max time kernel
90s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 13:13
Behavioral task
behavioral1
Sample
2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe
Resource
win10v2004-20240508-en
General
-
Target
2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe
-
Size
386KB
-
MD5
2006bc44df811c0eb75576461934f000
-
SHA1
2cf2bf314a2bffba6a0d95f356872456d03c9170
-
SHA256
2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206
-
SHA512
5990d9de0315bffc34d3cc4f2231b647c242b14a482e2e9ce89b1d0d84436520a6932c6e87ca9a4810e8116a9b371f9b68efaa6ccfb531121cc73124df13340b
-
SSDEEP
12288:z0s+a4rCZYE6YYBHpd0uD319ZvSntnhp352SCdL:z0sX4rCyE6YYBHpd0uD319ZvSntnhp3c
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bboahbio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clinfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbfpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efffpjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiemmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqngcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nafiej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkibhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedhgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhjhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgfkchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clinfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmmpcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dppigchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhelghol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglfndaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkeahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeojcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klhbdclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ailboh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gghmmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clbnhmjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjlof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lffmpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Magdam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lglnajjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmphhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enbnkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aepbmhpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abjeejep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcenmcea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdehpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqfkln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjdameg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aakhkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihpcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbnhmjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cffjagko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbengc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpeoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbmll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbpahan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnfql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpdkpiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilpkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnambeed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcblan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgnokgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfmehdpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pckajebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmojkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbkjap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bleilh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ailboh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnaiah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akeijlfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iacjjacb.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000d0000000122d1-12.dat family_berbew behavioral1/files/0x00230000000122f8-26.dat family_berbew behavioral1/files/0x000800000001269e-34.dat family_berbew behavioral1/files/0x00080000000126f7-55.dat family_berbew behavioral1/files/0x0006000000014fe1-77.dat family_berbew behavioral1/files/0x0006000000015364-99.dat family_berbew behavioral1/files/0x00060000000155d9-114.dat family_berbew behavioral1/files/0x001a000000012300-119.dat family_berbew behavioral1/files/0x0006000000015a2d-133.dat family_berbew behavioral1/files/0x0006000000015c0d-154.dat family_berbew behavioral1/files/0x0006000000015c2f-164.dat family_berbew behavioral1/files/0x0006000000015c52-181.dat family_berbew behavioral1/files/0x0006000000015c69-192.dat family_berbew behavioral1/files/0x0006000000015c87-201.dat family_berbew behavioral1/files/0x0006000000015d88-216.dat family_berbew behavioral1/files/0x0006000000015e02-229.dat family_berbew behavioral1/files/0x0006000000015e5b-240.dat family_berbew behavioral1/files/0x0006000000015e7c-249.dat family_berbew behavioral1/files/0x000600000001604b-270.dat family_berbew behavioral1/memory/1184-273-0x0000000000220000-0x0000000000256000-memory.dmp family_berbew behavioral1/files/0x00060000000165ae-291.dat family_berbew behavioral1/files/0x00060000000167db-301.dat family_berbew behavioral1/files/0x0006000000016c1a-325.dat family_berbew behavioral1/files/0x0006000000016c90-334.dat family_berbew behavioral1/files/0x0006000000016ccf-345.dat family_berbew behavioral1/memory/2820-330-0x00000000002D0000-0x0000000000306000-memory.dmp family_berbew behavioral1/files/0x0006000000016b96-314.dat family_berbew behavioral1/memory/1844-283-0x0000000000250000-0x0000000000286000-memory.dmp family_berbew behavioral1/files/0x0006000000016332-282.dat family_berbew behavioral1/files/0x0006000000015ec0-261.dat family_berbew behavioral1/memory/2576-140-0x00000000002D0000-0x0000000000306000-memory.dmp family_berbew behavioral1/files/0x0006000000016cf0-357.dat family_berbew behavioral1/files/0x0006000000014e3d-72.dat family_berbew behavioral1/memory/2416-380-0x0000000000220000-0x0000000000256000-memory.dmp family_berbew behavioral1/files/0x0006000000016d36-379.dat family_berbew behavioral1/files/0x0006000000016d89-409.dat family_berbew behavioral1/files/0x000500000001868c-432.dat family_berbew behavioral1/files/0x00050000000186a0-443.dat family_berbew behavioral1/files/0x0006000000018ae8-452.dat family_berbew behavioral1/memory/1628-479-0x0000000000220000-0x0000000000256000-memory.dmp family_berbew behavioral1/files/0x0006000000018b6a-488.dat family_berbew behavioral1/files/0x0006000000018b96-501.dat family_berbew behavioral1/files/0x00050000000192f4-520.dat family_berbew behavioral1/files/0x0005000000019377-541.dat family_berbew behavioral1/files/0x00050000000193b0-554.dat family_berbew behavioral1/files/0x000500000001946b-564.dat family_berbew behavioral1/files/0x0005000000019473-575.dat family_berbew behavioral1/files/0x00050000000194a4-587.dat family_berbew behavioral1/files/0x00040000000194d8-597.dat family_berbew behavioral1/files/0x00050000000194e8-607.dat family_berbew behavioral1/files/0x000500000001950c-638.dat family_berbew behavioral1/files/0x00050000000194f2-626.dat family_berbew behavioral1/files/0x0005000000019547-652.dat family_berbew behavioral1/files/0x000500000001959c-661.dat family_berbew behavioral1/files/0x00050000000195a2-675.dat family_berbew behavioral1/files/0x00050000000195a6-683.dat family_berbew behavioral1/files/0x00050000000195a8-695.dat family_berbew behavioral1/files/0x00050000000195aa-707.dat family_berbew behavioral1/files/0x0005000000019bd6-746.dat family_berbew behavioral1/files/0x00050000000196d8-734.dat family_berbew behavioral1/files/0x0005000000019bd8-761.dat family_berbew behavioral1/files/0x00050000000195ff-719.dat family_berbew behavioral1/files/0x0005000000019cba-774.dat family_berbew behavioral1/files/0x0005000000019d4d-787.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1072 Anahqh32.exe 2896 Akeijlfq.exe 2676 Acqnnndl.exe 2456 Bnfblgca.exe 2244 Bfagpiam.exe 2856 Bmphhc32.exe 1056 Bcjqdmla.exe 864 Bbonei32.exe 2576 Cadjgf32.exe 1800 Chcloo32.exe 1948 Cmpdgf32.exe 2104 Ckcepj32.exe 948 Dgjfek32.exe 1592 Dgoopkgh.exe 2728 Dcfpel32.exe 2956 Enbnkigh.exe 2984 Ekfndmfb.exe 1152 Egmojnlf.exe 1060 Eolmip32.exe 1184 Foojop32.exe 1844 Fkejcq32.exe 900 Fkhgip32.exe 2076 Fdpkbf32.exe 576 Fdbhge32.exe 2820 Gnmifk32.exe 3056 Gcmoda32.exe 1584 Gjfgqk32.exe 2996 Gcokiaji.exe 2148 Hllmcc32.exe 2416 Khcomhbi.exe 2648 Nbpeoc32.exe 1300 Nmejllia.exe 1840 Opfbngfb.exe 2580 Oeckfndj.exe 908 Obgkpb32.exe 1164 Ohcdhi32.exe 1252 Omcifpnp.exe 752 Ohhmcinf.exe 1628 Omefkplm.exe 1976 Pgnjde32.exe 1692 Pgpgjepk.exe 2784 Pphkbj32.exe 2936 Peedka32.exe 2768 Ppkhhjei.exe 2044 Phfmllbd.exe 1544 Pckajebj.exe 2816 Pldebkhj.exe 2904 Qdojgmfe.exe 2968 Qgmfchei.exe 2752 Qqfkln32.exe 884 Agpcihcf.exe 1720 Aqhhanig.exe 2060 Agbpnh32.exe 1448 Aciqcifh.exe 1608 Anneqafn.exe 2532 Ajeeeblb.exe 2844 Aobnniji.exe 2560 Aflfjc32.exe 1756 Akiobk32.exe 2016 Beackp32.exe 2356 Boidnh32.exe 2720 Bbgqjdce.exe 472 Bkpeci32.exe 1664 Bbjmpcab.exe -
Loads dropped DLL 64 IoCs
pid Process 2292 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe 2292 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe 1072 Anahqh32.exe 1072 Anahqh32.exe 2896 Akeijlfq.exe 2896 Akeijlfq.exe 2676 Acqnnndl.exe 2676 Acqnnndl.exe 2456 Bnfblgca.exe 2456 Bnfblgca.exe 2244 Bfagpiam.exe 2244 Bfagpiam.exe 2856 Bmphhc32.exe 2856 Bmphhc32.exe 1056 Bcjqdmla.exe 1056 Bcjqdmla.exe 864 Bbonei32.exe 864 Bbonei32.exe 2576 Cadjgf32.exe 2576 Cadjgf32.exe 1800 Chcloo32.exe 1800 Chcloo32.exe 1948 Cmpdgf32.exe 1948 Cmpdgf32.exe 2104 Ckcepj32.exe 2104 Ckcepj32.exe 948 Dgjfek32.exe 948 Dgjfek32.exe 1592 Dgoopkgh.exe 1592 Dgoopkgh.exe 2728 Dcfpel32.exe 2728 Dcfpel32.exe 2956 Enbnkigh.exe 2956 Enbnkigh.exe 2984 Ekfndmfb.exe 2984 Ekfndmfb.exe 1152 Egmojnlf.exe 1152 Egmojnlf.exe 1060 Eolmip32.exe 1060 Eolmip32.exe 1184 Foojop32.exe 1184 Foojop32.exe 1844 Fkejcq32.exe 1844 Fkejcq32.exe 900 Fkhgip32.exe 900 Fkhgip32.exe 2076 Fdpkbf32.exe 2076 Fdpkbf32.exe 576 Fdbhge32.exe 576 Fdbhge32.exe 2820 Gnmifk32.exe 2820 Gnmifk32.exe 3056 Gcmoda32.exe 3056 Gcmoda32.exe 1584 Gjfgqk32.exe 1584 Gjfgqk32.exe 2996 Gcokiaji.exe 2996 Gcokiaji.exe 2148 Hllmcc32.exe 2148 Hllmcc32.exe 2416 Khcomhbi.exe 2416 Khcomhbi.exe 2648 Nbpeoc32.exe 2648 Nbpeoc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qgmfchei.exe Qdojgmfe.exe File created C:\Windows\SysWOW64\Qqfkln32.exe Qgmfchei.exe File created C:\Windows\SysWOW64\Olemefec.dll Ogohdeam.exe File created C:\Windows\SysWOW64\Fklkbele.dll Clbnhmjo.exe File created C:\Windows\SysWOW64\Dchdgl32.dll Mobomnoq.exe File created C:\Windows\SysWOW64\Bpkphm32.dll Gbdlnf32.exe File opened for modification C:\Windows\SysWOW64\Claake32.exe Bfeibo32.exe File created C:\Windows\SysWOW64\Mplfpn32.dll Fdpkbf32.exe File opened for modification C:\Windows\SysWOW64\Lfkfkopk.exe Llebnfpe.exe File created C:\Windows\SysWOW64\Lilfnc32.dll Ohcdhi32.exe File opened for modification C:\Windows\SysWOW64\Ieponofk.exe Iocgfhhc.exe File created C:\Windows\SysWOW64\Phobjp32.exe Ppcmfn32.exe File created C:\Windows\SysWOW64\Dnnnlokd.dll Bchhqo32.exe File created C:\Windows\SysWOW64\Jbcjpbbk.dll Bemmenhb.exe File created C:\Windows\SysWOW64\Fqfipj32.exe Caepdk32.exe File created C:\Windows\SysWOW64\Mlaoip32.dll Nljcflbd.exe File created C:\Windows\SysWOW64\Fdpkbf32.exe Fkhgip32.exe File created C:\Windows\SysWOW64\Bedoacoi.dll Bkqiek32.exe File opened for modification C:\Windows\SysWOW64\Ghekhd32.exe Gbhcpmkm.exe File created C:\Windows\SysWOW64\Qjeihl32.exe Ocdnloph.exe File created C:\Windows\SysWOW64\Adpiba32.dll Fadndbci.exe File created C:\Windows\SysWOW64\Qkelme32.exe Qnalcqpm.exe File created C:\Windows\SysWOW64\Foojop32.exe Eolmip32.exe File created C:\Windows\SysWOW64\Cjjpag32.exe Cjhckg32.exe File created C:\Windows\SysWOW64\Fbglkj32.dll Ddnfql32.exe File opened for modification C:\Windows\SysWOW64\Fikgda32.exe Fcoolj32.exe File created C:\Windows\SysWOW64\Denlga32.dll Aoihaa32.exe File created C:\Windows\SysWOW64\Ohcdhi32.exe Obgkpb32.exe File created C:\Windows\SysWOW64\Kiemmh32.exe Kffqqm32.exe File created C:\Windows\SysWOW64\Mafalppn.dll Ogaeieoj.exe File created C:\Windows\SysWOW64\Cojeomee.exe Cjjpag32.exe File created C:\Windows\SysWOW64\Hjdjbd32.dll Habili32.exe File created C:\Windows\SysWOW64\Knikfnih.exe Kgocid32.exe File created C:\Windows\SysWOW64\Piaoqi32.dll Fpdkpiik.exe File created C:\Windows\SysWOW64\Ffbmfo32.exe Eaednh32.exe File created C:\Windows\SysWOW64\Amjiln32.exe Acadchoo.exe File opened for modification C:\Windows\SysWOW64\Gbdlnf32.exe Gpeoakhc.exe File created C:\Windows\SysWOW64\Ocmbnbgf.dll Qgmfchei.exe File created C:\Windows\SysWOW64\Dlkmjn32.dll Aciqcifh.exe File created C:\Windows\SysWOW64\Nkjjnk32.dll Dbifnj32.exe File opened for modification C:\Windows\SysWOW64\Laleof32.exe Lkbmbl32.exe File opened for modification C:\Windows\SysWOW64\Feiaknmg.exe Fmbjjp32.exe File created C:\Windows\SysWOW64\Kbdjhe32.dll Bcjqdmla.exe File created C:\Windows\SysWOW64\Aehlpleg.dll Kmegjdad.exe File created C:\Windows\SysWOW64\Mnglnj32.exe Mdogedmh.exe File opened for modification C:\Windows\SysWOW64\Fooembgb.exe Fefqdl32.exe File created C:\Windows\SysWOW64\Mdlfngcc.exe Migbpocm.exe File created C:\Windows\SysWOW64\Lelljepm.exe Lmqgec32.exe File created C:\Windows\SysWOW64\Bnbnnm32.exe Bghfacem.exe File created C:\Windows\SysWOW64\Maabcc32.exe Mpqekkob.exe File created C:\Windows\SysWOW64\Bhlgkakb.dll Olioeoeo.exe File created C:\Windows\SysWOW64\Fhbqnb32.dll Bmphhc32.exe File created C:\Windows\SysWOW64\Ogohdeam.exe Ongckp32.exe File created C:\Windows\SysWOW64\Faonom32.exe Fooembgb.exe File created C:\Windows\SysWOW64\Plkkkh32.dll Chocodch.exe File opened for modification C:\Windows\SysWOW64\Iladfn32.exe Ifdlng32.exe File created C:\Windows\SysWOW64\Aiffeloi.dll Pegnglnm.exe File opened for modification C:\Windows\SysWOW64\Kbmfgk32.exe Kalipcmb.exe File opened for modification C:\Windows\SysWOW64\Jnofgg32.exe Jlqjkk32.exe File created C:\Windows\SysWOW64\Cgogealf.exe Cfnkmi32.exe File opened for modification C:\Windows\SysWOW64\Pecelm32.exe Peqhgmdd.exe File opened for modification C:\Windows\SysWOW64\Njopgh32.exe Ndehjnpo.exe File created C:\Windows\SysWOW64\Pbkngk32.dll Dkjkcfjc.exe File opened for modification C:\Windows\SysWOW64\Kindeddf.exe Koipglep.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2628 2960 WerFault.exe 865 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcpdkff.dll" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahfgbkpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhljpmlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmejllia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gaeqmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iafofkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpjhnfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbgefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdodo32.dll" Apclnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdnjobjf.dll" Dkeahf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikjjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkndgbj.dll" Onipqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bboahbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjfgqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nedhjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmgoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll" Fbfjkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Feiaknmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfjcgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnfbmgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknbpmpk.dll" Cehfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihcbj32.dll" Ehkhaqpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfiabjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfkclf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egmojnlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlalaoic.dll" Gbhcpmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iafofkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lljkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anahqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmnfa32.dll" Knaeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oolbcaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjcogfe.dll" Ekjgbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbclpfop.dll" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbihoo32.dll" Gagmbkik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcmcebkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blobmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qojieb32.dll" Edibhmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Johoic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjbjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bleilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfimoh32.dll" Clinfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Felkabah.dll" Fejfmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkloj32.dll" Knikfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdigkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clinfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhoklnkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhelghol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgnkfjho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgfmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgffhkoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Folfoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cccdlddl.dll" Lhlbbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohpnag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aafnpkii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olioeoeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabfljee.dll" Dgjfek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pndalkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elpqemll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqplf32.dll" Dochelmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpnlndkp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2292 wrote to memory of 1072 2292 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe 28 PID 2292 wrote to memory of 1072 2292 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe 28 PID 2292 wrote to memory of 1072 2292 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe 28 PID 2292 wrote to memory of 1072 2292 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe 28 PID 1072 wrote to memory of 2896 1072 Anahqh32.exe 29 PID 1072 wrote to memory of 2896 1072 Anahqh32.exe 29 PID 1072 wrote to memory of 2896 1072 Anahqh32.exe 29 PID 1072 wrote to memory of 2896 1072 Anahqh32.exe 29 PID 2896 wrote to memory of 2676 2896 Akeijlfq.exe 30 PID 2896 wrote to memory of 2676 2896 Akeijlfq.exe 30 PID 2896 wrote to memory of 2676 2896 Akeijlfq.exe 30 PID 2896 wrote to memory of 2676 2896 Akeijlfq.exe 30 PID 2676 wrote to memory of 2456 2676 Acqnnndl.exe 31 PID 2676 wrote to memory of 2456 2676 Acqnnndl.exe 31 PID 2676 wrote to memory of 2456 2676 Acqnnndl.exe 31 PID 2676 wrote to memory of 2456 2676 Acqnnndl.exe 31 PID 2456 wrote to memory of 2244 2456 Bnfblgca.exe 32 PID 2456 wrote to memory of 2244 2456 Bnfblgca.exe 32 PID 2456 wrote to memory of 2244 2456 Bnfblgca.exe 32 PID 2456 wrote to memory of 2244 2456 Bnfblgca.exe 32 PID 2244 wrote to memory of 2856 2244 Bfagpiam.exe 33 PID 2244 wrote to memory of 2856 2244 Bfagpiam.exe 33 PID 2244 wrote to memory of 2856 2244 Bfagpiam.exe 33 PID 2244 wrote to memory of 2856 2244 Bfagpiam.exe 33 PID 2856 wrote to memory of 1056 2856 Bmphhc32.exe 34 PID 2856 wrote to memory of 1056 2856 Bmphhc32.exe 34 PID 2856 wrote to memory of 1056 2856 Bmphhc32.exe 34 PID 2856 wrote to memory of 1056 2856 Bmphhc32.exe 34 PID 1056 wrote to memory of 864 1056 Bcjqdmla.exe 35 PID 1056 wrote to memory of 864 1056 Bcjqdmla.exe 35 PID 1056 wrote to memory of 864 1056 Bcjqdmla.exe 35 PID 1056 wrote to memory of 864 1056 Bcjqdmla.exe 35 PID 864 wrote to memory of 2576 864 Bbonei32.exe 36 PID 864 wrote to memory of 2576 864 Bbonei32.exe 36 PID 864 wrote to memory of 2576 864 Bbonei32.exe 36 PID 864 wrote to memory of 2576 864 Bbonei32.exe 36 PID 2576 wrote to memory of 1800 2576 Cadjgf32.exe 37 PID 2576 wrote to memory of 1800 2576 Cadjgf32.exe 37 PID 2576 wrote to memory of 1800 2576 Cadjgf32.exe 37 PID 2576 wrote to memory of 1800 2576 Cadjgf32.exe 37 PID 1800 wrote to memory of 1948 1800 Chcloo32.exe 38 PID 1800 wrote to memory of 1948 1800 Chcloo32.exe 38 PID 1800 wrote to memory of 1948 1800 Chcloo32.exe 38 PID 1800 wrote to memory of 1948 1800 Chcloo32.exe 38 PID 1948 wrote to memory of 2104 1948 Cmpdgf32.exe 39 PID 1948 wrote to memory of 2104 1948 Cmpdgf32.exe 39 PID 1948 wrote to memory of 2104 1948 Cmpdgf32.exe 39 PID 1948 wrote to memory of 2104 1948 Cmpdgf32.exe 39 PID 2104 wrote to memory of 948 2104 Ckcepj32.exe 40 PID 2104 wrote to memory of 948 2104 Ckcepj32.exe 40 PID 2104 wrote to memory of 948 2104 Ckcepj32.exe 40 PID 2104 wrote to memory of 948 2104 Ckcepj32.exe 40 PID 948 wrote to memory of 1592 948 Dgjfek32.exe 41 PID 948 wrote to memory of 1592 948 Dgjfek32.exe 41 PID 948 wrote to memory of 1592 948 Dgjfek32.exe 41 PID 948 wrote to memory of 1592 948 Dgjfek32.exe 41 PID 1592 wrote to memory of 2728 1592 Dgoopkgh.exe 42 PID 1592 wrote to memory of 2728 1592 Dgoopkgh.exe 42 PID 1592 wrote to memory of 2728 1592 Dgoopkgh.exe 42 PID 1592 wrote to memory of 2728 1592 Dgoopkgh.exe 42 PID 2728 wrote to memory of 2956 2728 Dcfpel32.exe 43 PID 2728 wrote to memory of 2956 2728 Dcfpel32.exe 43 PID 2728 wrote to memory of 2956 2728 Dcfpel32.exe 43 PID 2728 wrote to memory of 2956 2728 Dcfpel32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe"C:\Users\Admin\AppData\Local\Temp\2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe34⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe35⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe38⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe39⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe40⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe42⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe43⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe44⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe45⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe46⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe48⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe52⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe53⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe54⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe56⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe57⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe58⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe59⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe60⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe61⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe62⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe63⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe64⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe65⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe66⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe67⤵PID:2712
-
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe68⤵PID:1632
-
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe69⤵PID:1680
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe70⤵PID:608
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe71⤵PID:1652
-
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe72⤵PID:3060
-
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe73⤵PID:2540
-
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe74⤵PID:2892
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe75⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe77⤵PID:2484
-
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe78⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe80⤵PID:2340
-
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe81⤵PID:556
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe82⤵PID:2000
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe83⤵PID:1472
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe84⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2852 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe86⤵
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe87⤵PID:2584
-
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe88⤵
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe89⤵PID:1120
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe90⤵PID:856
-
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe91⤵PID:2792
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe92⤵PID:2664
-
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe93⤵PID:2656
-
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe94⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe95⤵PID:836
-
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe96⤵PID:2724
-
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe97⤵PID:1104
-
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe98⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe99⤵PID:1504
-
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe100⤵PID:2620
-
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe101⤵PID:3016
-
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe102⤵PID:940
-
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe103⤵PID:2808
-
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe104⤵PID:956
-
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe105⤵PID:2872
-
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe106⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe107⤵PID:1100
-
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe108⤵PID:2744
-
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe109⤵PID:768
-
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe110⤵PID:2992
-
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe111⤵PID:2180
-
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe114⤵PID:2876
-
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe115⤵PID:2036
-
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe116⤵PID:2068
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe117⤵PID:2668
-
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe118⤵PID:2412
-
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe119⤵PID:1832
-
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe120⤵PID:564
-
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe121⤵PID:1888
-
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe122⤵PID:1716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-