Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24/05/2024, 10:22
Behavioral task
behavioral1
Sample
ade4daff0409e8c163503bb10156ddf3d5f20fb30aa44d8a6ad7e3d82ea1a54b.exe
Resource
win7-20240215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
ade4daff0409e8c163503bb10156ddf3d5f20fb30aa44d8a6ad7e3d82ea1a54b.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
ade4daff0409e8c163503bb10156ddf3d5f20fb30aa44d8a6ad7e3d82ea1a54b.exe
-
Size
1.2MB
-
MD5
04879804db89ecc17425b8a5a5ce3990
-
SHA1
49803c1c3b994b54b9cd35ebfc1d65d14536695b
-
SHA256
ade4daff0409e8c163503bb10156ddf3d5f20fb30aa44d8a6ad7e3d82ea1a54b
-
SHA512
118abaed41dab27c729010731ac85adb991e9b7c822719ce96e0eb69ba4c7606b5db633af483002f9f6fa0ecaaa24061d37399b478a87d4ee2af33e24f9af1c1
-
SSDEEP
12288:eTkYlFiWZCXwpnsKvNA+XTvZHWuEo3oWiQ4ca:eQYlFiWZpsKv2EvZHp3oWiQ4ca
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpaeehj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbjggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glbjggof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foabofnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oofaiokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdjbiheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmepam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlolpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbbkaako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jianff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhijqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acocaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jioaqfcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebdoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mplafeil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpkchqdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnbdioi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgffic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajfoiqll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchjdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmpnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmmjbkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfnaicd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgkkkcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoiil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gadqlkep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idghpmnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblmdhdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbndobo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foqkdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijekg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlpokp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmhlgmmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnedlao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemefcap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopocbcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncihikcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgbco32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022f51-7.dat family_berbew behavioral2/files/0x000700000002340e-15.dat family_berbew behavioral2/files/0x0007000000023411-24.dat family_berbew behavioral2/files/0x0007000000023413-30.dat family_berbew behavioral2/files/0x0007000000023415-40.dat family_berbew behavioral2/files/0x000700000002341d-68.dat family_berbew behavioral2/files/0x000700000002342b-116.dat family_berbew behavioral2/files/0x000700000002342f-131.dat family_berbew behavioral2/files/0x000700000002343b-173.dat family_berbew behavioral2/files/0x000700000002344b-229.dat family_berbew behavioral2/files/0x0007000000023449-222.dat family_berbew behavioral2/files/0x0007000000023447-215.dat family_berbew behavioral2/files/0x0007000000023445-208.dat family_berbew behavioral2/files/0x0007000000023443-201.dat family_berbew behavioral2/files/0x0007000000023441-194.dat family_berbew behavioral2/files/0x000700000002343f-187.dat family_berbew behavioral2/files/0x000700000002343d-180.dat family_berbew behavioral2/files/0x0007000000023439-166.dat family_berbew behavioral2/files/0x0007000000023437-159.dat family_berbew behavioral2/files/0x0007000000023435-152.dat family_berbew behavioral2/files/0x0007000000023433-145.dat family_berbew behavioral2/files/0x0007000000023431-138.dat family_berbew behavioral2/files/0x000700000002342d-124.dat family_berbew behavioral2/files/0x0007000000023429-110.dat family_berbew behavioral2/files/0x0007000000023427-103.dat family_berbew behavioral2/files/0x0007000000023425-96.dat family_berbew behavioral2/files/0x0007000000023423-89.dat family_berbew behavioral2/files/0x0007000000023421-82.dat family_berbew behavioral2/files/0x000700000002341f-75.dat family_berbew behavioral2/files/0x000700000002341b-61.dat family_berbew behavioral2/files/0x0007000000023419-54.dat family_berbew behavioral2/files/0x0007000000023417-47.dat family_berbew behavioral2/files/0x0007000000023558-1062.dat family_berbew behavioral2/files/0x0007000000023560-1085.dat family_berbew behavioral2/files/0x000700000002356c-1122.dat family_berbew behavioral2/files/0x000700000002357c-1170.dat family_berbew behavioral2/files/0x00070000000235ba-1356.dat family_berbew behavioral2/files/0x00070000000235cb-1415.dat family_berbew behavioral2/files/0x000700000002360a-1623.dat family_berbew behavioral2/files/0x000700000002360e-1638.dat family_berbew behavioral2/files/0x0007000000023618-1669.dat family_berbew behavioral2/files/0x000700000002361c-1684.dat family_berbew behavioral2/files/0x0007000000023622-1700.dat family_berbew behavioral2/files/0x000700000002362a-1727.dat family_berbew behavioral2/files/0x000700000002365d-1880.dat family_berbew behavioral2/files/0x0007000000023663-1899.dat family_berbew behavioral2/files/0x0007000000023669-1917.dat family_berbew behavioral2/files/0x0007000000023671-1942.dat family_berbew behavioral2/files/0x0007000000023677-1959.dat family_berbew behavioral2/files/0x000700000002367f-1985.dat family_berbew behavioral2/files/0x0007000000023683-1997.dat family_berbew behavioral2/files/0x0007000000023689-2015.dat family_berbew behavioral2/files/0x00070000000236a3-2097.dat family_berbew behavioral2/files/0x00070000000236af-2139.dat family_berbew behavioral2/files/0x00070000000236b3-2152.dat family_berbew behavioral2/files/0x00070000000236bf-2194.dat family_berbew behavioral2/files/0x00070000000236c7-2222.dat family_berbew behavioral2/files/0x00070000000236cb-2235.dat family_berbew behavioral2/files/0x00070000000236cf-2249.dat family_berbew behavioral2/files/0x00070000000236ec-2338.dat family_berbew behavioral2/files/0x0004000000022ac3-2365.dat family_berbew behavioral2/files/0x00070000000236f9-2435.dat family_berbew behavioral2/files/0x00070000000236fe-2448.dat family_berbew behavioral2/files/0x0007000000023706-2475.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 756 Lcmofolg.exe 1496 Lmccchkn.exe 4848 Lpappc32.exe 512 Lcpllo32.exe 2308 Lkgdml32.exe 1620 Lijdhiaa.exe 1184 Laalifad.exe 3844 Lpcmec32.exe 3112 Lcbiao32.exe 4792 Lkiqbl32.exe 5076 Lnhmng32.exe 932 Laciofpa.exe 2540 Ldaeka32.exe 2192 Lgpagm32.exe 4876 Ljnnch32.exe 3160 Laefdf32.exe 836 Lphfpbdi.exe 4644 Lcgblncm.exe 3172 Lknjmkdo.exe 3524 Mahbje32.exe 928 Mpkbebbf.exe 1084 Mgekbljc.exe 3012 Mkpgck32.exe 1004 Mnocof32.exe 2224 Majopeii.exe 1924 Mdiklqhm.exe 2580 Mcklgm32.exe 4636 Mkbchk32.exe 2304 Mjeddggd.exe 2680 Mamleegg.exe 4044 Mpolqa32.exe 5072 Mcnhmm32.exe 4400 Mgidml32.exe 3484 Mjhqjg32.exe 3528 Mncmjfmk.exe 1048 Mpaifalo.exe 4540 Mdmegp32.exe 4244 Mglack32.exe 4212 Mkgmcjld.exe 4356 Mnfipekh.exe 4028 Mpdelajl.exe 1512 Mcbahlip.exe 100 Nkjjij32.exe 4216 Njljefql.exe 4692 Nacbfdao.exe 1880 Ndbnboqb.exe 3788 Ngpjnkpf.exe 3964 Nklfoi32.exe 1148 Nnjbke32.exe 968 Nqiogp32.exe 4008 Nddkgonp.exe 2432 Ngcgcjnc.exe 4928 Njacpf32.exe 4956 Nbhkac32.exe 4860 Ndghmo32.exe 4952 Ncihikcg.exe 2108 Nkqpjidj.exe 2660 Nnolfdcn.exe 4756 Nqmhbpba.exe 2736 Ndidbn32.exe 1644 Nggqoj32.exe 3756 Njfmke32.exe 632 Nbmelbid.exe 4484 Ndkahnhh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Keimof32.exe Kckqbj32.exe File created C:\Windows\SysWOW64\Pmpolgoi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oihmedma.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mpghkf32.exe Lhncdi32.exe File created C:\Windows\SysWOW64\Kckqbj32.exe Klahfp32.exe File opened for modification C:\Windows\SysWOW64\Phajna32.exe Process not Found File created C:\Windows\SysWOW64\Ieagmcmq.exe Process not Found File created C:\Windows\SysWOW64\Keojhkpc.dll Gaogak32.exe File opened for modification C:\Windows\SysWOW64\Hbbmmi32.exe Hglipp32.exe File opened for modification C:\Windows\SysWOW64\Hglaej32.exe Hncmmd32.exe File created C:\Windows\SysWOW64\Flngfn32.exe Fjmkoeqi.exe File opened for modification C:\Windows\SysWOW64\Fdepgkgj.exe Flngfn32.exe File opened for modification C:\Windows\SysWOW64\Bdgged32.exe Bnmoijje.exe File created C:\Windows\SysWOW64\Hioiji32.exe Hbeqmoji.exe File created C:\Windows\SysWOW64\Aqkgpedc.exe Anmjcieo.exe File opened for modification C:\Windows\SysWOW64\Mfnhfm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Okeieh32.exe Ncnadk32.exe File created C:\Windows\SysWOW64\Flakmgga.dll Ibcmom32.exe File created C:\Windows\SysWOW64\Oclkgccf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oifppdpd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oeoblb32.exe Oadfkdgd.exe File opened for modification C:\Windows\SysWOW64\Lnoaaaad.exe Process not Found File created C:\Windows\SysWOW64\Coegoe32.exe Process not Found File created C:\Windows\SysWOW64\Oalnaifk.dll Fhgjblfq.exe File created C:\Windows\SysWOW64\Mpghkf32.exe Lhncdi32.exe File created C:\Windows\SysWOW64\Nmogab32.dll Ddpeoafg.exe File opened for modification C:\Windows\SysWOW64\Fdijbg32.exe Fefjfked.exe File opened for modification C:\Windows\SysWOW64\Cfcqpa32.exe Cpihcgoa.exe File created C:\Windows\SysWOW64\Acpklg32.dll Ckilmcgb.exe File opened for modification C:\Windows\SysWOW64\Lcdciiec.exe Process not Found File created C:\Windows\SysWOW64\Gelfeh32.dll Process not Found File created C:\Windows\SysWOW64\Jheiojpj.dll Nggqoj32.exe File created C:\Windows\SysWOW64\Onklabip.exe Okloegjl.exe File created C:\Windows\SysWOW64\Hemikcpm.dll Process not Found File created C:\Windows\SysWOW64\Epopbo32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Angddopp.exe Ahmlgd32.exe File created C:\Windows\SysWOW64\Hbbhclmi.dll Gkaejf32.exe File opened for modification C:\Windows\SysWOW64\Mmpijp32.exe Meiaib32.exe File created C:\Windows\SysWOW64\Qloebdig.exe Qchmagie.exe File opened for modification C:\Windows\SysWOW64\Hofdacke.exe Himldi32.exe File created C:\Windows\SysWOW64\Hcoejf32.dll Process not Found File created C:\Windows\SysWOW64\Pahpfc32.exe Pkogiikb.exe File opened for modification C:\Windows\SysWOW64\Enkmfolf.exe Process not Found File created C:\Windows\SysWOW64\Dikpbl32.exe Djhpgofm.exe File created C:\Windows\SysWOW64\Ahfdjanb.exe Acilajpk.exe File created C:\Windows\SysWOW64\Khoana32.dll Nccokk32.exe File created C:\Windows\SysWOW64\Omegjomb.exe Ojgjndno.exe File opened for modification C:\Windows\SysWOW64\Cbbnpg32.exe Cdnmfclj.exe File created C:\Windows\SysWOW64\Jeciaina.dll Dnpdegjp.exe File opened for modification C:\Windows\SysWOW64\Jebfng32.exe Johnamkm.exe File created C:\Windows\SysWOW64\Kpgfooop.exe Kmijbcpl.exe File created C:\Windows\SysWOW64\Gaogak32.exe Foqkdp32.exe File created C:\Windows\SysWOW64\Klbnajqc.exe Process not Found File created C:\Windows\SysWOW64\Amhmnagf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mnfipekh.exe Mkgmcjld.exe File created C:\Windows\SysWOW64\Ingpmmgm.exe Hkicaahi.exe File created C:\Windows\SysWOW64\Ebkibb32.dll Ooqqdi32.exe File created C:\Windows\SysWOW64\Aaeidf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gijekg32.exe Ggkiol32.exe File opened for modification C:\Windows\SysWOW64\Mjellmbp.exe Micoed32.exe File created C:\Windows\SysWOW64\Ojqcnhkl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Immapg32.exe Hfcicmqp.exe File opened for modification C:\Windows\SysWOW64\Cpfcfmlp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ecefqnel.exe Emkndc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3348 12860 Process not Found 1404 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdgcbkb.dll" Bajjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdihjfbe.dll" Fohoigfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpdboimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabqkgan.dll" Ieolehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekiohclf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieicjl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjjcfabm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dabhdinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmgbckd.dll" Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcpem32.dll" Hgkkkcbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjdilcla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icifbang.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cajlhqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjchaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmofagfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjgecbe.dll" Paegjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbkpm32.dll" Dpnkdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbdlf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikcdlmgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Embkoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olijhmgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjknojbk.dll" Qdphngfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgbmccpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgflp32.dll" Fpbmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjcohke.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bajjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjfaeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnmepn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhemmlhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdaia32.dll" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qajadlja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbnajo.dll" Fhjfhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll" Lepncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkaicd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefjfked.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejfeng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdbmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okogahgo.dll" Qlmgopjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhpmfbl.dll" Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpappc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olekop32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pajeam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jccejahl.dll" Qchmagie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jioaqfcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmnldp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3480 wrote to memory of 756 3480 ade4daff0409e8c163503bb10156ddf3d5f20fb30aa44d8a6ad7e3d82ea1a54b.exe 83 PID 3480 wrote to memory of 756 3480 ade4daff0409e8c163503bb10156ddf3d5f20fb30aa44d8a6ad7e3d82ea1a54b.exe 83 PID 3480 wrote to memory of 756 3480 ade4daff0409e8c163503bb10156ddf3d5f20fb30aa44d8a6ad7e3d82ea1a54b.exe 83 PID 756 wrote to memory of 1496 756 Lcmofolg.exe 84 PID 756 wrote to memory of 1496 756 Lcmofolg.exe 84 PID 756 wrote to memory of 1496 756 Lcmofolg.exe 84 PID 1496 wrote to memory of 4848 1496 Lmccchkn.exe 85 PID 1496 wrote to memory of 4848 1496 Lmccchkn.exe 85 PID 1496 wrote to memory of 4848 1496 Lmccchkn.exe 85 PID 4848 wrote to memory of 512 4848 Lpappc32.exe 86 PID 4848 wrote to memory of 512 4848 Lpappc32.exe 86 PID 4848 wrote to memory of 512 4848 Lpappc32.exe 86 PID 512 wrote to memory of 2308 512 Lcpllo32.exe 87 PID 512 wrote to memory of 2308 512 Lcpllo32.exe 87 PID 512 wrote to memory of 2308 512 Lcpllo32.exe 87 PID 2308 wrote to memory of 1620 2308 Lkgdml32.exe 88 PID 2308 wrote to memory of 1620 2308 Lkgdml32.exe 88 PID 2308 wrote to memory of 1620 2308 Lkgdml32.exe 88 PID 1620 wrote to memory of 1184 1620 Lijdhiaa.exe 89 PID 1620 wrote to memory of 1184 1620 Lijdhiaa.exe 89 PID 1620 wrote to memory of 1184 1620 Lijdhiaa.exe 89 PID 1184 wrote to memory of 3844 1184 Laalifad.exe 90 PID 1184 wrote to memory of 3844 1184 Laalifad.exe 90 PID 1184 wrote to memory of 3844 1184 Laalifad.exe 90 PID 3844 wrote to memory of 3112 3844 Lpcmec32.exe 91 PID 3844 wrote to memory of 3112 3844 Lpcmec32.exe 91 PID 3844 wrote to memory of 3112 3844 Lpcmec32.exe 91 PID 3112 wrote to memory of 4792 3112 Lcbiao32.exe 92 PID 3112 wrote to memory of 4792 3112 Lcbiao32.exe 92 PID 3112 wrote to memory of 4792 3112 Lcbiao32.exe 92 PID 4792 wrote to memory of 5076 4792 Lkiqbl32.exe 93 PID 4792 wrote to memory of 5076 4792 Lkiqbl32.exe 93 PID 4792 wrote to memory of 5076 4792 Lkiqbl32.exe 93 PID 5076 wrote to memory of 932 5076 Lnhmng32.exe 94 PID 5076 wrote to memory of 932 5076 Lnhmng32.exe 94 PID 5076 wrote to memory of 932 5076 Lnhmng32.exe 94 PID 932 wrote to memory of 2540 932 Laciofpa.exe 95 PID 932 wrote to memory of 2540 932 Laciofpa.exe 95 PID 932 wrote to memory of 2540 932 Laciofpa.exe 95 PID 2540 wrote to memory of 2192 2540 Ldaeka32.exe 96 PID 2540 wrote to memory of 2192 2540 Ldaeka32.exe 96 PID 2540 wrote to memory of 2192 2540 Ldaeka32.exe 96 PID 2192 wrote to memory of 4876 2192 Lgpagm32.exe 97 PID 2192 wrote to memory of 4876 2192 Lgpagm32.exe 97 PID 2192 wrote to memory of 4876 2192 Lgpagm32.exe 97 PID 4876 wrote to memory of 3160 4876 Ljnnch32.exe 98 PID 4876 wrote to memory of 3160 4876 Ljnnch32.exe 98 PID 4876 wrote to memory of 3160 4876 Ljnnch32.exe 98 PID 3160 wrote to memory of 836 3160 Laefdf32.exe 99 PID 3160 wrote to memory of 836 3160 Laefdf32.exe 99 PID 3160 wrote to memory of 836 3160 Laefdf32.exe 99 PID 836 wrote to memory of 4644 836 Lphfpbdi.exe 100 PID 836 wrote to memory of 4644 836 Lphfpbdi.exe 100 PID 836 wrote to memory of 4644 836 Lphfpbdi.exe 100 PID 4644 wrote to memory of 3172 4644 Lcgblncm.exe 101 PID 4644 wrote to memory of 3172 4644 Lcgblncm.exe 101 PID 4644 wrote to memory of 3172 4644 Lcgblncm.exe 101 PID 3172 wrote to memory of 3524 3172 Lknjmkdo.exe 102 PID 3172 wrote to memory of 3524 3172 Lknjmkdo.exe 102 PID 3172 wrote to memory of 3524 3172 Lknjmkdo.exe 102 PID 3524 wrote to memory of 928 3524 Mahbje32.exe 103 PID 3524 wrote to memory of 928 3524 Mahbje32.exe 103 PID 3524 wrote to memory of 928 3524 Mahbje32.exe 103 PID 928 wrote to memory of 1084 928 Mpkbebbf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ade4daff0409e8c163503bb10156ddf3d5f20fb30aa44d8a6ad7e3d82ea1a54b.exe"C:\Users\Admin\AppData\Local\Temp\ade4daff0409e8c163503bb10156ddf3d5f20fb30aa44d8a6ad7e3d82ea1a54b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe23⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe24⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe25⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe26⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe27⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe28⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe29⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe30⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe31⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe32⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe33⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe34⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe35⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe37⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe38⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe39⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4212 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe41⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe42⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe43⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe44⤵
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe45⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe46⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe47⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe48⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe49⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe50⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe51⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe52⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe53⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe54⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe55⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe56⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe58⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe59⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe60⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe61⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe63⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe64⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe65⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe66⤵
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe67⤵PID:1524
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe68⤵
- Modifies registry class
PID:3236 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe69⤵PID:4468
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe70⤵PID:4048
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe71⤵PID:1840
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe72⤵PID:2768
-
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe73⤵PID:4856
-
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe74⤵PID:4576
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe75⤵PID:4988
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe76⤵PID:4760
-
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe77⤵PID:5156
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe78⤵PID:5192
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe79⤵PID:5228
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe80⤵PID:5264
-
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe81⤵
- Drops file in System32 directory
PID:5300 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe82⤵PID:5336
-
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe83⤵PID:5372
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe84⤵PID:5408
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe85⤵PID:5444
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe86⤵PID:5480
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe87⤵PID:5516
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe88⤵PID:5552
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe89⤵PID:5588
-
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe90⤵PID:5624
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe91⤵
- Modifies registry class
PID:5660 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe92⤵PID:5696
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe93⤵PID:5732
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe94⤵PID:5768
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe95⤵PID:5804
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe96⤵PID:5840
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe97⤵PID:5876
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe98⤵PID:5912
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe99⤵PID:5948
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe100⤵PID:5984
-
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe101⤵PID:6020
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe102⤵PID:6056
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe103⤵PID:6092
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe104⤵PID:6128
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe105⤵PID:972
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe106⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe107⤵PID:2384
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe108⤵PID:4732
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe109⤵PID:5116
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe110⤵PID:4912
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe111⤵PID:4116
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe112⤵PID:4572
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe113⤵PID:5128
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe114⤵PID:5188
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe115⤵
- Modifies registry class
PID:5256 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe117⤵PID:5392
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe118⤵PID:5452
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe119⤵PID:5512
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe120⤵PID:5580
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe121⤵PID:5652
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-