Analysis
max time kernel: 151s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2023, 21:35
Behavioral task behavioral1
Sample: NEAS.e21d489d417566f6ea8747ad244dd9f0.exe
Resource: win7-20231020-en
Behavioral task behavioral2
Sample: NEAS.e21d489d417566f6ea8747ad244dd9f0.exe
Resource: win10v2004-20231020-en
The analysis details and signatures on this page are from behavioral2: the platform above is windows10-2004_x64 and the YARA hits below are under behavioral2/.
General
Target: NEAS.e21d489d417566f6ea8747ad244dd9f0.exe
Size: 113KB
MD5: e21d489d417566f6ea8747ad244dd9f0
SHA1: 2ee5c08badfababed07ae8402b8f7fcad9aab387
SHA256: 196233f23d7975eba725931ba7d1dce053cf4a3ab7022a458d186d867336b6f2
SHA512: e7c0d2bf7da6736676b32280857a2aa1d5299287faf54d30ce8f1b3fae81c6705425dbd31d67ed7552641101b644a7b65f55241339bfe935726dbc75fd187dca
SSDEEP: 3072:Vkts6qZziioEEfrq5nKyvtOsAscugCe8uvQa7gRj9/S2Kn:VkbE7cISMRNF
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) lists CLSIDs of COM objects that Explorer.exe instantiates when the shell starts. Every generation of the dropped chain writes the same CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}, under the benign-looking value name "Web Event Logger"; the CLSID's InProcServer32 entry (see "Modifies registry class" below) points at a DLL dropped into SysWOW64, so the backdoor DLL is loaded into explorer.exe at every logon without touching the usual Run keys. All entries below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad.
description | ioc | Process
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohmepbki.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adnbapjp.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhkecb32.exe
Key created | ShellServiceObjectDelayLoad (key) | Eljknl32.exe
Key created | ShellServiceObjectDelayLoad (key) | Plpqba32.exe
Key created | ShellServiceObjectDelayLoad (key) | Ocjokijf.exe
Key created | ShellServiceObjectDelayLoad (key) | Mdagbl32.exe
Key created | ShellServiceObjectDelayLoad (key) | Fndgfffm.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gngckfdj.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihnkobpl.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knabne32.exe
Key created | ShellServiceObjectDelayLoad (key) | Apddce32.exe
Key created | ShellServiceObjectDelayLoad (key) | Ahngmnnd.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Focakm32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ildpbfmf.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pehekgmp.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cocjiehd.exe
Key created | ShellServiceObjectDelayLoad (key) | Eahjqicj.exe
Key created | ShellServiceObjectDelayLoad (key) | Gbhpajlj.exe
Key created | ShellServiceObjectDelayLoad (key) | Kkomgkoj.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kepdfo32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcepdl32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lqfnqjpi.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebdlangb.exe
Key created | ShellServiceObjectDelayLoad (key) | Folkjnbc.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfckjnjh.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pllggbje.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohggah32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Foenplji.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fabqdl32.exe
Key created | ShellServiceObjectDelayLoad (key) | Lmkipncc.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cejjdlap.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fifhbf32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Galcjkmj.exe
Key created | ShellServiceObjectDelayLoad (key) | Pklkmo32.exe
Key created | ShellServiceObjectDelayLoad (key) | Ombcdo32.exe
Key created | ShellServiceObjectDelayLoad (key) | Bjfjee32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lckglc32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjphoi32.exe
Key created | ShellServiceObjectDelayLoad (key) | Cdoegcfl.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpkllo32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Halmaiog.exe
Key created | ShellServiceObjectDelayLoad (key) | Jndmlj32.exe
Key created | ShellServiceObjectDelayLoad (key) | Hifaic32.exe
Key created | ShellServiceObjectDelayLoad (key) | Hembndee.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghfnej32.exe
Key created | ShellServiceObjectDelayLoad (key) | Kpankd32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnboma32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjgcgo32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Falmabki.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ooqqmoac.exe
Key created | ShellServiceObjectDelayLoad (key) | Kmobdm32.exe
Key created | ShellServiceObjectDelayLoad (key) | Mogccnfg.exe
Key created | ShellServiceObjectDelayLoad (key) | Fooclapd.exe
Key created | ShellServiceObjectDelayLoad (key) | Qifbll32.exe
Key created | ShellServiceObjectDelayLoad (key) | Fiaogfai.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohiefdhd.exe
Key created | ShellServiceObjectDelayLoad (key) | Mcnmccfa.exe
Key created | ShellServiceObjectDelayLoad (key) | Kjamhd32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pknghk32.exe
Key created | ShellServiceObjectDelayLoad (key) | Fhfenmbe.exe
Key created | ShellServiceObjectDelayLoad (key) | Jnhphg32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eoccii32.exe
Key created | ShellServiceObjectDelayLoad (key) | Nhkpdi32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan whose primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers.
All 64 hits below are on yara_rule family_berbew; each resource is a file captured during the behavioral2 run, so the rule matched the dropped generations, not only the submitted sample.
resource
behavioral2/files/0x000a000000022cef-7.dat
behavioral2/files/0x000a000000022cef-9.dat
behavioral2/files/0x0007000000022cf9-15.dat
behavioral2/files/0x0007000000022cf9-17.dat
behavioral2/files/0x0006000000022dde-24.dat
behavioral2/files/0x0006000000022dde-23.dat
behavioral2/files/0x0006000000022de0-32.dat
behavioral2/files/0x0006000000022de0-31.dat
behavioral2/files/0x0008000000022cf1-39.dat
behavioral2/files/0x0006000000022de4-47.dat
behavioral2/files/0x0008000000022cf1-40.dat
behavioral2/files/0x0006000000022de4-49.dat
behavioral2/files/0x0006000000022de6-55.dat
behavioral2/files/0x0006000000022de6-57.dat
behavioral2/files/0x0006000000022de8-63.dat
behavioral2/files/0x0006000000022de8-65.dat
behavioral2/files/0x0006000000022dea-71.dat
behavioral2/files/0x0006000000022dea-73.dat
behavioral2/files/0x0006000000022dee-74.dat
behavioral2/files/0x0006000000022dee-79.dat
behavioral2/files/0x0006000000022dee-82.dat
behavioral2/files/0x0006000000022df1-89.dat
behavioral2/files/0x0006000000022df1-88.dat
behavioral2/files/0x0006000000022df3-97.dat
behavioral2/files/0x0006000000022df5-104.dat
behavioral2/files/0x0006000000022df5-105.dat
behavioral2/files/0x0006000000022df3-96.dat
behavioral2/files/0x0006000000022df7-113.dat
behavioral2/files/0x0006000000022df7-112.dat
behavioral2/files/0x0006000000022df9-121.dat
behavioral2/files/0x0006000000022df9-120.dat
behavioral2/files/0x0006000000022dfb-128.dat
behavioral2/files/0x0006000000022dfb-129.dat
behavioral2/files/0x0006000000022dfd-138.dat
behavioral2/files/0x0006000000022dfd-136.dat
behavioral2/files/0x0006000000022dff-144.dat
behavioral2/files/0x0006000000022dff-146.dat
behavioral2/files/0x0007000000022d03-152.dat
behavioral2/files/0x0007000000022d03-154.dat
behavioral2/files/0x0006000000022e05-160.dat
behavioral2/files/0x0006000000022e05-162.dat
behavioral2/files/0x0007000000022d01-168.dat
behavioral2/files/0x0007000000022d01-169.dat
behavioral2/files/0x0006000000022e09-171.dat
behavioral2/files/0x0006000000022e09-176.dat
behavioral2/files/0x0006000000022e09-177.dat
behavioral2/files/0x0006000000022e11-184.dat
behavioral2/files/0x0006000000022e11-186.dat
behavioral2/files/0x0006000000022e14-193.dat
behavioral2/files/0x0006000000022e14-192.dat
behavioral2/files/0x0006000000022e18-202.dat
behavioral2/files/0x0006000000022e1a-208.dat
behavioral2/files/0x0006000000022e1a-209.dat
behavioral2/files/0x0006000000022e18-200.dat
behavioral2/files/0x0007000000022e0d-216.dat
behavioral2/files/0x0007000000022e0d-218.dat
behavioral2/files/0x0007000000022e0f-224.dat
behavioral2/files/0x0007000000022e0f-226.dat
behavioral2/files/0x0009000000022e17-232.dat
behavioral2/files/0x0009000000022e17-233.dat
behavioral2/files/0x0006000000022e1d-240.dat
behavioral2/files/0x0006000000022e1d-242.dat
behavioral2/files/0x0006000000022e1f-248.dat
behavioral2/files/0x0006000000022e1f-250.dat
Executes dropped EXE (64 IoCs)
pid | Process
5028 | Apodoq32.exe
3592 | Coqncejg.exe
2888 | Chiblk32.exe
4568 | Cocjiehd.exe
4736 | Cpdgqmnb.exe
816 | Ckjknfnh.exe
5112 | Chnlgjlb.exe
4600 | Dafppp32.exe
4948 | Dkndie32.exe
3568 | Dggbcf32.exe
3160 | Damfao32.exe
3200 | Dhgonidg.exe
2384 | Doagjc32.exe
1624 | Dqbcbkab.exe
4500 | Dglkoeio.exe
3832 | Enfckp32.exe
3376 | Egohdegl.exe
2920 | Ebdlangb.exe
332 | Fooclapd.exe
4540 | Figgdg32.exe
4268 | Fbplml32.exe
1656 | Llimgb32.exe
4436 | Pomncfge.exe
2356 | Qifbll32.exe
2872 | Qfjcep32.exe
3620 | Qkfkng32.exe
4212 | Abpcja32.exe
5044 | Amfhgj32.exe
1344 | Apddce32.exe
868 | Iglhob32.exe
1456 | Iqdmghnp.exe
3852 | Ifaepolg.exe
2868 | Jmbdmg32.exe
4092 | Jghhjq32.exe
4152 | Jjfdfl32.exe
5096 | Jmdqbg32.exe
1168 | Jgjeppkp.exe
3596 | Jndmlj32.exe
1936 | Jeneidji.exe
4732 | Jfoaam32.exe
1112 | Jepbodhg.exe
2464 | Kfanflne.exe
2576 | Kmlgcf32.exe
4440 | Khakqo32.exe
4224 | Knkcmild.exe
216 | Kjbdbjbi.exe
3964 | Lfmnbjcg.exe
2784 | Lmgfod32.exe
3252 | Lhmjlm32.exe
2668 | Lmjcdd32.exe
4776 | Ljncnhhk.exe
3792 | Lmlpjdgo.exe
4352 | Lfddci32.exe
2528 | Lmnlpcel.exe
1448 | Lfgahikm.exe
3724 | Mehafq32.exe
1044 | Mopeofjl.exe
1740 | Mgkjch32.exe
4464 | Mdokmm32.exe
3076 | Mmhofbma.exe
3512 | Mdagbl32.exe
3900 | Nhkpdi32.exe
3980 | Hcfcmnce.exe
3716 | Igghilhi.exe
Drops file in System32 directory (64 IoCs)
Each generation writes the next generation's EXE and a DLL into C:\Windows\SysWOW64; the DLL names recur as InProcServer32 targets under "Modifies registry class" below (for example Ahbndm32.dll written by Ijcaaibe.exe and Lgnpeenp.dll written by Acilkp32.exe), which is the DLL side of the SSODL persistence.
description | ioc | Process
File created | C:\Windows\SysWOW64\Hhcajd32.dll | Lpghfi32.exe
File created | C:\Windows\SysWOW64\Qifbll32.exe | Pomncfge.exe
File opened for modification | C:\Windows\SysWOW64\Lmkipncc.exe | Lhopgg32.exe
File opened for modification | C:\Windows\SysWOW64\Kehhjfif.exe | Kfehoj32.exe
File created | C:\Windows\SysWOW64\Dmehffhc.dll | Nabpiocm.exe
File opened for modification | C:\Windows\SysWOW64\Kgqdfi32.exe | Kaflio32.exe
File created | C:\Windows\SysWOW64\Nipffmmg.exe | Mhoind32.exe
File created | C:\Windows\SysWOW64\Jfgnka32.exe | Jomeoggk.exe
File opened for modification | C:\Windows\SysWOW64\Kofheeoq.exe | Kbbhka32.exe
File created | C:\Windows\SysWOW64\Ahbndm32.dll | Ijcaaibe.exe
File opened for modification | C:\Windows\SysWOW64\Jpdbjleo.exe | Jikjmbmb.exe
File created | C:\Windows\SysWOW64\Bgjiokeo.dll | Fiaogfai.exe
File created | C:\Windows\SysWOW64\Jmioon32.dll | Dldlbgbb.exe
File created | C:\Windows\SysWOW64\Mnegkf32.exe | Modgnn32.exe
File opened for modification | C:\Windows\SysWOW64\Doagjc32.exe | Dhgonidg.exe
File created | C:\Windows\SysWOW64\Hjeodp32.dll | Qpmmfbfl.exe
File opened for modification | C:\Windows\SysWOW64\Flodilma.exe | Feella32.exe
File created | C:\Windows\SysWOW64\Fohecgli.dll | Hobcgdjm.exe
File created | C:\Windows\SysWOW64\Hlipfh32.exe | Hoepmd32.exe
File created | C:\Windows\SysWOW64\Hnodkjhq.exe | Hdfobe32.exe
File opened for modification | C:\Windows\SysWOW64\Apodoq32.exe | NEAS.e21d489d417566f6ea8747ad244dd9f0.exe
File created | C:\Windows\SysWOW64\Nmobjokj.dll | Feella32.exe
File opened for modification | C:\Windows\SysWOW64\Kpbfbo32.exe | Knpmcl32.exe
File created | C:\Windows\SysWOW64\Keinepch.exe | Kjdjhgdb.exe
File created | C:\Windows\SysWOW64\Mdlgmgdh.exe | Mmbopm32.exe
File created | C:\Windows\SysWOW64\Eimelg32.exe | Ebbmpmnb.exe
File created | C:\Windows\SysWOW64\Jbieebha.exe | Jkomhhae.exe
File opened for modification | C:\Windows\SysWOW64\Hlfcqh32.exe | Hobcgdjm.exe
File created | C:\Windows\SysWOW64\Lgnpeenp.dll | Acilkp32.exe
File opened for modification | C:\Windows\SysWOW64\Oknnanhj.exe | Ohobebig.exe
File opened for modification | C:\Windows\SysWOW64\Kfpqap32.exe | Kofheeoq.exe
File created | C:\Windows\SysWOW64\Kdkdqinj.exe | Kmdlolmg.exe
File created | C:\Windows\SysWOW64\Knfeoobh.exe | Kglmbd32.exe
File created | C:\Windows\SysWOW64\Eenflbll.exe | Emgnje32.exe
File created | C:\Windows\SysWOW64\Ojqhfb32.dll | Fndgfffm.exe
File created | C:\Windows\SysWOW64\Fimhcbkh.exe | Fngcfikb.exe
File opened for modification | C:\Windows\SysWOW64\Jmamba32.exe | Jonlimkg.exe
File created | C:\Windows\SysWOW64\Lfqjhmhk.exe | Lpgalc32.exe
File created | C:\Windows\SysWOW64\Befenoqg.dll | Halmaiog.exe
File created | C:\Windows\SysWOW64\Qgmnmagm.dll | Pllggbje.exe
File created | C:\Windows\SysWOW64\Chnlgjlb.exe | Ckjknfnh.exe
File opened for modification | C:\Windows\SysWOW64\Amfhgj32.exe | Abpcja32.exe
File created | C:\Windows\SysWOW64\Dcdnce32.exe | Dkmebh32.exe
File created | C:\Windows\SysWOW64\Omooiflc.dll | Mobjho32.exe
File created | C:\Windows\SysWOW64\Mgphjk32.exe | Moiphnde.exe
File created | C:\Windows\SysWOW64\Mfndopfh.dll | Mncjffbl.exe
File opened for modification | C:\Windows\SysWOW64\Bfchcijo.exe | Biogieke.exe
File opened for modification | C:\Windows\SysWOW64\Haoighmd.exe | Hjhaeklb.exe
File opened for modification | C:\Windows\SysWOW64\Egjobl32.exe | Phjdggoj.exe
File opened for modification | C:\Windows\SysWOW64\Jndmlj32.exe | Jgjeppkp.exe
File opened for modification | C:\Windows\SysWOW64\Jonlimkg.exe | Jfehpg32.exe
File created | C:\Windows\SysWOW64\Ggaoeo32.dll | Mpnngh32.exe
File created | C:\Windows\SysWOW64\Dcknnglh.dll | Jhcmbm32.exe
File created | C:\Windows\SysWOW64\Hacflg32.dll | Ajcdhj32.exe
File opened for modification | C:\Windows\SysWOW64\Hhiacb32.exe | Haoighmd.exe
File created | C:\Windows\SysWOW64\Pehekgmp.exe | Poomom32.exe
File created | C:\Windows\SysWOW64\Mdhbpkgj.dll | Lklbnb32.exe
File opened for modification | C:\Windows\SysWOW64\Kfanflne.exe | Jepbodhg.exe
File opened for modification | C:\Windows\SysWOW64\Ciqmjkno.exe | Cqiehnml.exe
File created | C:\Windows\SysWOW64\Faibafll.dll | Fnbjpf32.exe
File created | C:\Windows\SysWOW64\Kkomgkoj.exe | Jipqkopf.exe
File opened for modification | C:\Windows\SysWOW64\Dcdnce32.exe | Dkmebh32.exe
File opened for modification | C:\Windows\SysWOW64\Jlafhkfe.exe | Jfgnka32.exe
File created | C:\Windows\SysWOW64\Eifhac32.dll | Nmbhgjoi.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
7476 | 8180 | WerFault.exe | 615
Modifies registry class (64 IoCs)
This is the COM registration behind the SSODL entry above. Each generation creates the InProcServer32 subkey of CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, sets ThreadingModel to "Apartment" and points the (Default) value at its own freshly dropped DLL in SysWow64, so the DLL that Explorer loads changes with every generation while the CLSID in ShellServiceObjectDelayLoad stays constant. All entries below are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32; the DLL paths are shown with the escaped backslashes the report uses.
description | ioc | Process
Set value (str) | ThreadingModel = "Apartment" | Emgnje32.exe
Key created | InProcServer32 (key) | Jcknee32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Eklgldgf.dll" | Kbinlp32.exe
Key created | InProcServer32 (key) | Kmlgcf32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Knipeblj.dll" | Knkcmild.exe
Set value (str) | ThreadingModel = "Apartment" | Oacmchcl.exe
Key created | InProcServer32 (key) | Lcpqgbkj.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Gddcofoh.dll" | Iefnjm32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Lkhpfk32.dll" | Fdopkhfk.exe
Key created | InProcServer32 (key) | Gkqhpmkg.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Meimocmb.dll" | Lfqjhmhk.exe
Key created | InProcServer32 (key) | Jeekeg32.exe
Set value (str) | ThreadingModel = "Apartment" | Jjhjli32.exe
Key created | InProcServer32 (key) | Bqpbboeg.exe
Set value (str) | ThreadingModel = "Apartment" | Jbghpc32.exe
Set value (str) | ThreadingModel = "Apartment" | Qcccom32.exe
Key created | InProcServer32 (key) | Emgnje32.exe
Set value (str) | ThreadingModel = "Apartment" | Abpcja32.exe
Key created | InProcServer32 (key) | Igpkok32.exe
Key created | InProcServer32 (key) | Jipqkopf.exe
Key created | InProcServer32 (key) | Koodka32.exe
Key created | InProcServer32 (key) | Galfhpmf.exe
Key created | InProcServer32 (key) | Jmbdmg32.exe
Key created | InProcServer32 (key) | Mopeofjl.exe
Key created | InProcServer32 (key) | Opqopj32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Gjecoa32.dll" | Poaqocgl.exe
Set value (str) | ThreadingModel = "Apartment" | Iacbbh32.exe
Set value (str) | ThreadingModel = "Apartment" | Hadcce32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Doljemai.dll" | Jndmlj32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Jgelcfql.dll" | Mdagbl32.exe
Key created | InProcServer32 (key) | Hadcce32.exe
Set value (str) | ThreadingModel = "Apartment" | Ompfnoci.exe
Set value (str) | ThreadingModel = "Apartment" | Llimgb32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Ogiobn32.dll" | Jmbdmg32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Hncbci32.dll" | Kiodha32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Afplbhim.dll" | Hccomh32.exe
Set value (str) | ThreadingModel = "Apartment" | Iefnjm32.exe
Key created | InProcServer32 (key) | Ndjcne32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Jhhgefed.dll" | Dnnoip32.exe
Key created | InProcServer32 (key) | Eanqpdgi.exe
Key created | InProcServer32 (key) | Qcccom32.exe
Set value (str) | ThreadingModel = "Apartment" | Lcbfmomc.exe
Set value (str) | ThreadingModel = "Apartment" | Egelgoah.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Jhokonhb.dll" | Hhoomd32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Pmamii32.dll" | Ofhkgeij.exe
Key created | InProcServer32 (key) | Hifaic32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Ahbndm32.dll" | Ijcaaibe.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Omecechf.dll" | Jlocaabf.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Lgnpeenp.dll" | Acilkp32.exe
Set value (str) | ThreadingModel = "Apartment" | Kgjggkqi.exe
Key created | InProcServer32 (key) | Dhgonidg.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Gcbnjh32.dll" | Lmkipncc.exe
Set value (str) | ThreadingModel = "Apartment" | Ebbmpmnb.exe
Key created | InProcServer32 (key) | Jbghpc32.exe
Set value (str) | ThreadingModel = "Apartment" | Hhhkjj32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Dqpmeikh.dll" | Dfcjoa32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Ieknccaj.dll" | Mcnmccfa.exe
Key created | InProcServer32 (key) | Dglkoeio.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Gohokhje.dll" | Jfehpg32.exe
Set value (str) | ThreadingModel = "Apartment" | Ndjcne32.exe
Key created | InProcServer32 (key) | Iaaflh32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Pmgkbm32.dll" | Ehikmohb.exe
Set value (str) | ThreadingModel = "Apartment" | Ijcaaibe.exe
Key created | InProcServer32 (key) | Jhgneqha.exe
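The "Adds autorun key" and "Modifies registry class" signatures above only make sense together: the SSODL value names a CLSID, the CLSID's InProcServer32 names a DLL, and the "Drops file" list shows which process wrote that DLL. The script below is an added triage helper, not part of the tria.ge report or of any tria.ge tooling. It parses IoC lines in the three textual shapes the report uses, joins them on CLSID and DLL path, and flags every SSODL entry whose COM server was written to disk during the run. The embedded lines are a constructed excerpt copied from the report; the regular expressions assume the report's "\REGISTRY\MACHINE\..." notation and that file paths contain no spaces, which holds for these IoCs.

```python
import re
from collections import defaultdict

# Constructed excerpt of IoC lines in the three shapes the report uses
# (registry "Set value"/"Key created" rows and "File created" rows).
# Values are copied from the report above; the real lists have 64 rows each.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohmepbki.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eljknl32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emgnje32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbndm32.dll" Ijcaaibe.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnpeenp.dll" Acilkp32.exe',
    r'File created C:\Windows\SysWOW64\Ahbndm32.dll Ijcaaibe.exe',
    r'File created C:\Windows\SysWOW64\Lgnpeenp.dll Acilkp32.exe',
    r'File created C:\Windows\SysWOW64\Chnlgjlb.exe Ckjknfnh.exe',
]

HIVE = r'\\REGISTRY\\MACHINE\\SOFTWARE\\'
# SSODL value: "<name> = "{CLSID}" <process>", with or without the WOW6432Node redirection.
SSODL_RE = re.compile(
    r'^Set value \(str\) ' + HIVE
    + r'(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\'
    + r'(?P<name>[^=]+?) = "(?P<clsid>\{[0-9A-F-]+\})" (?P<proc>\S+)$', re.I)
# InProcServer32 default value: the path after "InProcServer32\ = " is the COM server DLL.
INPROC_RE = re.compile(
    r'^Set value \(str\) ' + HIVE
    + r'Classes\\(?:WOW6432Node\\)?CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32\\ = '
    + r'"(?P<dll>[^"]+)" (?P<proc>\S+)$', re.I)
FILE_RE = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+)$')


def norm(path):
    """Collapse the report's escaped backslashes and fold case so registry and file paths compare."""
    return path.replace('\\\\', '\\').casefold()


def persistence_chains(lines):
    """Join each SSODL entry to its CLSID's InProcServer32 DLL and to the process that wrote that DLL."""
    ssodl, inproc, created = [], defaultdict(set), {}
    for line in lines:
        if m := SSODL_RE.match(line):
            ssodl.append((m['name'], m['clsid'].upper(), m['proc']))
        elif m := INPROC_RE.match(line):
            inproc[m['clsid'].upper()].add((m['dll'].replace('\\\\', '\\'), m['proc']))
        elif m := FILE_RE.match(line):
            created[norm(m['path'])] = m['proc']
    chains = []
    for name, clsid, proc in ssodl:
        # A CLSID re-pointed by several generations yields one chain per DLL.
        targets = sorted(inproc.get(clsid, ())) or [(None, None)]
        for dll, reg_proc in targets:
            chains.append({
                'value_name': name, 'clsid': clsid, 'set_by': proc,
                'dll': dll, 'registered_by': reg_proc,
                'dropped_by': created.get(norm(dll)) if dll else None,
            })
    return chains


def reasons_to_flag(chain):
    """Why an SSODL entry deserves a look; an empty list means the report ties nothing to it."""
    reasons = []
    if chain['dll'] is None:
        reasons.append('CLSID has no InProcServer32 registration in the report')
    elif chain['dropped_by']:
        reasons.append(f"InProcServer32 DLL {chain['dll']} was written during the run by {chain['dropped_by']}")
    return reasons


def clsids_repointed(chains):
    """CLSIDs whose InProcServer32 was set to more than one DLL: each generation re-points the same CLSID."""
    dlls = defaultdict(set)
    for c in chains:
        if c['dll']:
            dlls[c['clsid']].add(c['dll'])
    return {clsid for clsid, d in dlls.items() if len(d) > 1}


if __name__ == '__main__':
    found = persistence_chains(REPORT_LINES)
    for c in found:
        print(f"{c['value_name']} -> {c['clsid']} -> {c['dll']} (dropped by {c['dropped_by']}): "
              + '; '.join(reasons_to_flag(c)))
    print('re-pointed CLSIDs:', clsids_repointed(found))
```

On a live host the same join is done against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and its WOW6432Node twin) and HKCR\CLSID\<clsid>\InProcServer32: any entry whose DLL is unsigned, recently written, or sitting in SysWOW64 under a random eight-letter name is the indicator this report describes.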
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 IoCs are 22 parent-to-child pairs. Each pair appears three times in the report (three writes into the child process) except the last, which appears once where the list stops at 64 entries; the "calls" column gives the count.
pid | Process | target pid | procid_target | calls
924 | NEAS.e21d489d417566f6ea8747ad244dd9f0.exe | 5028 | 87 | 3
5028 | Apodoq32.exe | 3592 | 88 | 3
3592 | Coqncejg.exe | 2888 | 89 | 3
2888 | Chiblk32.exe | 4568 | 90 | 3
4568 | Cocjiehd.exe | 4736 | 91 | 3
4736 | Cpdgqmnb.exe | 816 | 92 | 3
816 | Ckjknfnh.exe | 5112 | 93 | 3
5112 | Chnlgjlb.exe | 4600 | 94 | 3
4600 | Dafppp32.exe | 4948 | 95 | 3
4948 | Dkndie32.exe | 3568 | 96 | 3
3568 | Dggbcf32.exe | 3160 | 97 | 3
3160 | Damfao32.exe | 3200 | 99 | 3
3200 | Dhgonidg.exe | 2384 | 98 | 3
2384 | Doagjc32.exe | 1624 | 100 | 3
1624 | Dqbcbkab.exe | 4500 | 101 | 3
4500 | Dglkoeio.exe | 3832 | 102 | 3
3832 | Enfckp32.exe | 3376 | 103 | 3
3376 | Egohdegl.exe | 2920 | 105 | 3
2920 | Ebdlangb.exe | 332 | 106 | 3
332 | Fooclapd.exe | 4540 | 107 | 3
4540 | Figgdg32.exe | 4268 | 108 | 3
4268 | Fbplml32.exe | 1656 | 109 | 1
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e21d489d417566f6ea8747ad244dd9f0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e21d489d417566f6ea8747ad244dd9f0.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Apodoq32.exeC:\Windows\system32\Apodoq32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Coqncejg.exeC:\Windows\system32\Coqncejg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Chiblk32.exeC:\Windows\system32\Chiblk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Cocjiehd.exeC:\Windows\system32\Cocjiehd.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Ckjknfnh.exeC:\Windows\system32\Ckjknfnh.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Dggbcf32.exeC:\Windows\system32\Dggbcf32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Damfao32.exeC:\Windows\system32\Damfao32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Dhgonidg.exeC:\Windows\system32\Dhgonidg.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3200
-
C:\Windows\SysWOW64\Doagjc32.exeC:\Windows\system32\Doagjc32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Egohdegl.exeC:\Windows\system32\Egohdegl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Fbplml32.exeC:\Windows\system32\Fbplml32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Llimgb32.exeC:\Windows\system32\Llimgb32.exe10⤵
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Pomncfge.exeC:\Windows\system32\Pomncfge.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4436 -
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe13⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe14⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Abpcja32.exeC:\Windows\system32\Abpcja32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4212 -
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe16⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Apddce32.exeC:\Windows\system32\Apddce32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe18⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe19⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe20⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe21⤵
- Executes dropped EXE
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Jghhjq32.exeC:\Windows\system32\Jghhjq32.exe22⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Jjfdfl32.exeC:\Windows\system32\Jjfdfl32.exe23⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Jmdqbg32.exeC:\Windows\system32\Jmdqbg32.exe24⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3596 -
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe27⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Jfoaam32.exeC:\Windows\system32\Jfoaam32.exe28⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Jepbodhg.exeC:\Windows\system32\Jepbodhg.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1112 -
C:\Windows\SysWOW64\Kfanflne.exeC:\Windows\system32\Kfanflne.exe30⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Kmlgcf32.exeC:\Windows\system32\Kmlgcf32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Khakqo32.exeC:\Windows\system32\Khakqo32.exe32⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Knkcmild.exeC:\Windows\system32\Knkcmild.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Kjbdbjbi.exeC:\Windows\system32\Kjbdbjbi.exe34⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Lfmnbjcg.exeC:\Windows\system32\Lfmnbjcg.exe35⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Lmgfod32.exeC:\Windows\system32\Lmgfod32.exe36⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Lhmjlm32.exeC:\Windows\system32\Lhmjlm32.exe37⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Lmjcdd32.exeC:\Windows\system32\Lmjcdd32.exe38⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ljncnhhk.exeC:\Windows\system32\Ljncnhhk.exe39⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Lmlpjdgo.exeC:\Windows\system32\Lmlpjdgo.exe40⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Lfddci32.exeC:\Windows\system32\Lfddci32.exe41⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Lmnlpcel.exeC:\Windows\system32\Lmnlpcel.exe42⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Lfgahikm.exeC:\Windows\system32\Lfgahikm.exe43⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe44⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Mgkjch32.exeC:\Windows\system32\Mgkjch32.exe46⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Mdokmm32.exeC:\Windows\system32\Mdokmm32.exe47⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe48⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Mdagbl32.exeC:\Windows\system32\Mdagbl32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3512 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Hcfcmnce.exeC:\Windows\system32\Hcfcmnce.exe51⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Igghilhi.exeC:\Windows\system32\Igghilhi.exe52⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Igpkok32.exeC:\Windows\system32\Igpkok32.exe53⤵
- Modifies registry class
PID:5080 -
C:\Windows\SysWOW64\Jqhphq32.exeC:\Windows\system32\Jqhphq32.exe54⤵PID:5024
-
C:\Windows\SysWOW64\Jfehpg32.exeC:\Windows\system32\Jfehpg32.exe55⤵
- Drops file in System32 directory
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Jonlimkg.exeC:\Windows\system32\Jonlimkg.exe56⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Jmamba32.exeC:\Windows\system32\Jmamba32.exe57⤵PID:4120
-
C:\Windows\SysWOW64\Jggapj32.exeC:\Windows\system32\Jggapj32.exe58⤵PID:4620
-
C:\Windows\SysWOW64\Jihngboe.exeC:\Windows\system32\Jihngboe.exe59⤵PID:3680
-
C:\Windows\SysWOW64\Jobfdl32.exeC:\Windows\system32\Jobfdl32.exe60⤵PID:332
-
C:\Windows\SysWOW64\Jikjmbmb.exeC:\Windows\system32\Jikjmbmb.exe61⤵
- Drops file in System32 directory
PID:4404 -
C:\Windows\SysWOW64\Jpdbjleo.exeC:\Windows\system32\Jpdbjleo.exe62⤵PID:2032
-
C:\Windows\SysWOW64\Jjjggede.exeC:\Windows\system32\Jjjggede.exe63⤵PID:920
-
C:\Windows\SysWOW64\Kcbkpj32.exeC:\Windows\system32\Kcbkpj32.exe64⤵PID:2908
-
C:\Windows\SysWOW64\Kiodha32.exeC:\Windows\system32\Kiodha32.exe65⤵
- Modifies registry class
PID:3388 -
C:\Windows\SysWOW64\Kaflio32.exeC:\Windows\system32\Kaflio32.exe66⤵
- Drops file in System32 directory
PID:3200 -
C:\Windows\SysWOW64\Kgqdfi32.exeC:\Windows\system32\Kgqdfi32.exe67⤵PID:4496
-
C:\Windows\SysWOW64\Kaihonhl.exeC:\Windows\system32\Kaihonhl.exe68⤵PID:4568
-
C:\Windows\SysWOW64\Kjamhd32.exeC:\Windows\system32\Kjamhd32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4800 -
C:\Windows\SysWOW64\Kgemahmg.exeC:\Windows\system32\Kgemahmg.exe70⤵PID:844
-
C:\Windows\SysWOW64\Lfmghdpl.exeC:\Windows\system32\Lfmghdpl.exe71⤵PID:1096
-
C:\Windows\SysWOW64\Lglcag32.exeC:\Windows\system32\Lglcag32.exe72⤵PID:4704
-
C:\Windows\SysWOW64\Limpiomm.exeC:\Windows\system32\Limpiomm.exe73⤵PID:1508
-
C:\Windows\SysWOW64\Lpghfi32.exeC:\Windows\system32\Lpghfi32.exe74⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Lhopgg32.exeC:\Windows\system32\Lhopgg32.exe75⤵
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Lmkipncc.exeC:\Windows\system32\Lmkipncc.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\Lhammfci.exeC:\Windows\system32\Lhammfci.exe77⤵PID:3160
-
C:\Windows\SysWOW64\Lmneemaq.exeC:\Windows\system32\Lmneemaq.exe78⤵PID:3376
-
C:\Windows\SysWOW64\Mffjnc32.exeC:\Windows\system32\Mffjnc32.exe79⤵PID:5112
-
C:\Windows\SysWOW64\Mpnngh32.exeC:\Windows\system32\Mpnngh32.exe80⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Mfhgcbfo.exeC:\Windows\system32\Mfhgcbfo.exe81⤵PID:1056
-
C:\Windows\SysWOW64\Mmbopm32.exeC:\Windows\system32\Mmbopm32.exe82⤵
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Mdlgmgdh.exeC:\Windows\system32\Mdlgmgdh.exe83⤵PID:4564
-
C:\Windows\SysWOW64\Mjfoja32.exeC:\Windows\system32\Mjfoja32.exe84⤵PID:3568
-
C:\Windows\SysWOW64\Mpchbhjl.exeC:\Windows\system32\Mpchbhjl.exe85⤵PID:4400
-
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe86⤵PID:2496
-
C:\Windows\SysWOW64\Mabdlk32.exeC:\Windows\system32\Mabdlk32.exe87⤵PID:636
-
C:\Windows\SysWOW64\Mjkiephp.exeC:\Windows\system32\Mjkiephp.exe88⤵PID:3772
-
C:\Windows\SysWOW64\Maeaajpl.exeC:\Windows\system32\Maeaajpl.exe89⤵PID:4964
-
C:\Windows\SysWOW64\Mhoind32.exeC:\Windows\system32\Mhoind32.exe90⤵
- Drops file in System32 directory
PID:4044 -
C:\Windows\SysWOW64\Nipffmmg.exeC:\Windows\system32\Nipffmmg.exe91⤵PID:1132
-
C:\Windows\SysWOW64\Ndejcemn.exeC:\Windows\system32\Ndejcemn.exe92⤵PID:4736
-
C:\Windows\SysWOW64\Nkpbpp32.exeC:\Windows\system32\Nkpbpp32.exe93⤵PID:3968
-
C:\Windows\SysWOW64\Najjmjkg.exeC:\Windows\system32\Najjmjkg.exe94⤵PID:5040
-
C:\Windows\SysWOW64\Nhcbidcd.exeC:\Windows\system32\Nhcbidcd.exe95⤵PID:3740
-
C:\Windows\SysWOW64\Nieoal32.exeC:\Windows\system32\Nieoal32.exe96⤵PID:4864
-
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe97⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Nkdlkope.exeC:\Windows\system32\Nkdlkope.exe98⤵PID:3748
-
C:\Windows\SysWOW64\Nmbhgjoi.exeC:\Windows\system32\Nmbhgjoi.exe99⤵
- Drops file in System32 directory
PID:5160 -
C:\Windows\SysWOW64\Naqqmieo.exeC:\Windows\system32\Naqqmieo.exe100⤵PID:5204
-
C:\Windows\SysWOW64\Okiefn32.exeC:\Windows\system32\Okiefn32.exe101⤵PID:5248
-
C:\Windows\SysWOW64\Oacmchcl.exeC:\Windows\system32\Oacmchcl.exe102⤵
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Ohmepbki.exeC:\Windows\system32\Ohmepbki.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5336 -
C:\Windows\SysWOW64\Omjnhiiq.exeC:\Windows\system32\Omjnhiiq.exe104⤵PID:5380
-
C:\Windows\SysWOW64\Ohobebig.exeC:\Windows\system32\Ohobebig.exe105⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe106⤵PID:5468
-
C:\Windows\SysWOW64\Opjgidfa.exeC:\Windows\system32\Opjgidfa.exe107⤵PID:5512
-
C:\Windows\SysWOW64\Ohaokbfd.exeC:\Windows\system32\Ohaokbfd.exe108⤵PID:5556
-
C:\Windows\SysWOW64\Opmcod32.exeC:\Windows\system32\Opmcod32.exe109⤵PID:5600
-
C:\Windows\SysWOW64\Okbhlm32.exeC:\Windows\system32\Okbhlm32.exe110⤵PID:5644
-
C:\Windows\SysWOW64\Oalpigkb.exeC:\Windows\system32\Oalpigkb.exe111⤵PID:5688
-
C:\Windows\SysWOW64\Pkedbmab.exeC:\Windows\system32\Pkedbmab.exe112⤵PID:5732
-
C:\Windows\SysWOW64\Pdofpb32.exeC:\Windows\system32\Pdofpb32.exe113⤵PID:5772
-
C:\Windows\SysWOW64\Pkinmlnm.exeC:\Windows\system32\Pkinmlnm.exe114⤵PID:5816
-
C:\Windows\SysWOW64\Pacfjfej.exeC:\Windows\system32\Pacfjfej.exe115⤵PID:5860
-
C:\Windows\SysWOW64\Phmnfp32.exeC:\Windows\system32\Phmnfp32.exe116⤵PID:5904
-
C:\Windows\SysWOW64\Pjoknhbe.exeC:\Windows\system32\Pjoknhbe.exe117⤵PID:5948
-
C:\Windows\SysWOW64\Pphckb32.exeC:\Windows\system32\Pphckb32.exe118⤵PID:5988
-
C:\Windows\SysWOW64\Pknghk32.exeC:\Windows\system32\Pknghk32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6028 -
C:\Windows\SysWOW64\Pahpee32.exeC:\Windows\system32\Pahpee32.exe120⤵PID:6080
-
C:\Windows\SysWOW64\Qhbhapha.exeC:\Windows\system32\Qhbhapha.exe121⤵PID:6124
-
C:\Windows\SysWOW64\Qjcdih32.exeC:\Windows\system32\Qjcdih32.exe122⤵PID:5140
-