Analysis
-
max time kernel
136s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01/11/2023, 07:28
Behavioral task
behavioral1
Sample
NEAS.191dba3e226b4ebbeffc726c7ee02ec0.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.191dba3e226b4ebbeffc726c7ee02ec0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.191dba3e226b4ebbeffc726c7ee02ec0.exe
-
Size
153KB
-
MD5
191dba3e226b4ebbeffc726c7ee02ec0
-
SHA1
379892733fde964f0ca10c542db159c76ab429c5
-
SHA256
62232b5210820a4c072f47beba4198816704238d0a0a39b1097084861e6383ee
-
SHA512
f345b53c8bb705b14a1db6da612b2dfefc5740bffcc55fa121325cf9f1cc367bbbe2ac64184c41e527d533697763e81d004d980335cf2a665aef2c7a115749a8
-
SSDEEP
3072:TqDiuyWAB3q8kMyiMR+UAEQGBcHN0OlaxP3DZyN/+oeRpxPdZFibDyxn:eDiuybAnR9AHj05xP3DZyN1eRppzcexn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cponen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmipdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaihooo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lancko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnepna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bobabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojqjdbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajhndkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilfennic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glipgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfgdpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mablfnne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoadlfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhegig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjfmkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aopemh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edplhjhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlofcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfaajnfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgifbhid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnjdpaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibjqaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghojbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibqnkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfkkhid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmimai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoioli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiloco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khgbqkhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiikpnmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofgdcipq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhqcgnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmcpoedn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpimlfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpkdjofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifecp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgdai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljpaqmgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijbno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feoodn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npiiffqe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqlfhjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gicgpelg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.191dba3e226b4ebbeffc726c7ee02ec0.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdcld32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0006000000022cc3-6.dat family_berbew behavioral2/files/0x0006000000022cc3-7.dat family_berbew behavioral2/files/0x0006000000022cc5-14.dat family_berbew behavioral2/files/0x0006000000022cc5-16.dat family_berbew behavioral2/files/0x0006000000022cc7-23.dat family_berbew behavioral2/files/0x0006000000022cc7-22.dat family_berbew behavioral2/files/0x0006000000022cc9-30.dat family_berbew behavioral2/files/0x0006000000022cc9-32.dat family_berbew behavioral2/files/0x0006000000022ccd-38.dat family_berbew behavioral2/files/0x0006000000022ccd-40.dat family_berbew behavioral2/files/0x0006000000022cd0-48.dat family_berbew behavioral2/files/0x0006000000022cd0-46.dat family_berbew behavioral2/files/0x0006000000022cd2-54.dat family_berbew behavioral2/files/0x0006000000022cd2-56.dat family_berbew behavioral2/files/0x0006000000022cd4-62.dat family_berbew behavioral2/files/0x0006000000022cd4-64.dat family_berbew behavioral2/files/0x0006000000022cd6-70.dat family_berbew behavioral2/files/0x0006000000022cd6-72.dat family_berbew behavioral2/files/0x0006000000022cda-80.dat family_berbew behavioral2/files/0x0006000000022cdc-86.dat family_berbew behavioral2/files/0x0006000000022cdc-88.dat family_berbew behavioral2/files/0x0006000000022cda-78.dat family_berbew behavioral2/files/0x0006000000022cde-94.dat family_berbew behavioral2/files/0x0006000000022cde-95.dat family_berbew behavioral2/files/0x0006000000022ce0-102.dat family_berbew behavioral2/files/0x0006000000022ce0-104.dat family_berbew behavioral2/files/0x0006000000022ce3-110.dat family_berbew behavioral2/files/0x0006000000022ce3-111.dat family_berbew behavioral2/files/0x0006000000022ce5-118.dat family_berbew behavioral2/files/0x0006000000022ce5-120.dat family_berbew behavioral2/files/0x0006000000022ce7-127.dat family_berbew behavioral2/files/0x0006000000022ce7-126.dat family_berbew behavioral2/files/0x0006000000022cea-134.dat family_berbew behavioral2/files/0x0006000000022cea-135.dat family_berbew behavioral2/files/0x0006000000022cef-142.dat family_berbew behavioral2/files/0x0006000000022cef-144.dat family_berbew behavioral2/files/0x0006000000022cf2-150.dat family_berbew behavioral2/files/0x0006000000022cf2-152.dat family_berbew behavioral2/files/0x0006000000022cf9-166.dat family_berbew behavioral2/files/0x0006000000022cf9-167.dat family_berbew behavioral2/files/0x0006000000022cf5-158.dat family_berbew behavioral2/files/0x0006000000022cfb-176.dat family_berbew behavioral2/files/0x0006000000022cfb-174.dat family_berbew behavioral2/files/0x0006000000022cf5-159.dat family_berbew behavioral2/files/0x0007000000022ce9-182.dat family_berbew behavioral2/files/0x0007000000022ce9-184.dat family_berbew behavioral2/files/0x0007000000022cec-190.dat family_berbew behavioral2/files/0x0007000000022cec-191.dat family_berbew behavioral2/files/0x0008000000022cf1-198.dat family_berbew behavioral2/files/0x0008000000022cf1-200.dat family_berbew behavioral2/files/0x0008000000022cfd-206.dat family_berbew behavioral2/files/0x0008000000022cfd-208.dat family_berbew behavioral2/files/0x0006000000022cff-214.dat family_berbew behavioral2/files/0x0006000000022cff-216.dat family_berbew behavioral2/files/0x0006000000022d01-222.dat family_berbew behavioral2/files/0x0006000000022d01-224.dat family_berbew behavioral2/files/0x0006000000022d03-230.dat family_berbew behavioral2/files/0x0006000000022d03-232.dat family_berbew behavioral2/files/0x0006000000022d05-238.dat family_berbew behavioral2/files/0x0006000000022d05-240.dat family_berbew behavioral2/files/0x0006000000022d07-247.dat family_berbew behavioral2/files/0x0006000000022d0e-254.dat family_berbew behavioral2/files/0x0006000000022d0e-256.dat family_berbew behavioral2/files/0x0006000000022d07-246.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3808 Dbnmke32.exe 3664 Dijbno32.exe 4388 Eiloco32.exe 4856 Ebdcld32.exe 4580 Eiahnnph.exe 3796 Emoadlfo.exe 4676 Emanjldl.exe 1356 Flfkkhid.exe 4136 Feoodn32.exe 328 Fngcmcfe.exe 3844 Flkdfh32.exe 4528 Ffqhcq32.exe 5024 Fpimlfke.exe 1392 Fmmmfj32.exe 3332 Gidnkkpc.exe 676 Gejopl32.exe 4008 Gfjkjo32.exe 1288 Gnepna32.exe 2448 Glipgf32.exe 3012 Gmimai32.exe 3484 Hfaajnfb.exe 1084 Holfoqcm.exe 2392 Hbjoeojc.exe 2444 Hifcgion.exe 2324 Hoclopne.exe 3740 Iepaaico.exe 3952 Illfdc32.exe 832 Iipfmggc.exe 3912 Ilqoobdd.exe 4908 Impliekg.exe 2532 Jiglnf32.exe 4408 Jpcapp32.exe 1696 Johnamkm.exe 1924 Jniood32.exe 3212 Jjpode32.exe 4656 Kcidmkpq.exe 1440 Knnhjcog.exe 1572 Knqepc32.exe 3632 Kcmmhj32.exe 2296 Kodnmkap.exe 3680 Klhnfo32.exe 1660 Kjlopc32.exe 1092 Lgbloglj.exe 4952 Lqkqhm32.exe 4792 Lgdidgjg.exe 4308 Lmaamn32.exe 3672 Lnangaoa.exe 556 Lobjni32.exe 4804 Ljhnlb32.exe 2104 Mmfkhmdi.exe 3452 Mnegbp32.exe 1100 Mcbpjg32.exe 4064 Mfhbga32.exe 4516 Nggnadib.exe 5040 Npbceggm.exe 3272 Nncccnol.exe 472 Ncqlkemc.exe 5104 Nmipdk32.exe 4692 Nnhmnn32.exe 3024 Npiiffqe.exe 2840 Onkidm32.exe 4020 Ogcnmc32.exe 3260 Oclkgccf.exe 1324 Omdppiif.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eqlfhjig.exe Ehpadhll.exe File opened for modification C:\Windows\SysWOW64\Ekcgkb32.exe Ebkbbmqj.exe File created C:\Windows\SysWOW64\Lancko32.exe Llqjbhdc.exe File opened for modification C:\Windows\SysWOW64\Lancko32.exe Llqjbhdc.exe File opened for modification C:\Windows\SysWOW64\Ieccbbkn.exe Ipgkjlmg.exe File created C:\Windows\SysWOW64\Nfenigce.dll Mfpell32.exe File opened for modification C:\Windows\SysWOW64\Pcpnhl32.exe Oikjkc32.exe File opened for modification C:\Windows\SysWOW64\Nncccnol.exe Npbceggm.exe File opened for modification C:\Windows\SysWOW64\Omgmeigd.exe Ocohmc32.exe File created C:\Windows\SysWOW64\Bdojjo32.exe Bobabg32.exe File opened for modification C:\Windows\SysWOW64\Hecjke32.exe Hnibokbd.exe File created C:\Windows\SysWOW64\Inmdohhp.dll Khgbqkhj.exe File created C:\Windows\SysWOW64\Mlofcf32.exe Mbibfm32.exe File created C:\Windows\SysWOW64\Hknkchkd.dll Gfjkjo32.exe File created C:\Windows\SysWOW64\Haclqq32.dll Geldkfpi.exe File created C:\Windows\SysWOW64\Jikoopij.exe Jlgoek32.exe File opened for modification C:\Windows\SysWOW64\Klndfj32.exe Jpgdai32.exe File created C:\Windows\SysWOW64\Dggbcf32.exe Dolmodpi.exe File created C:\Windows\SysWOW64\Baampdgc.dll Fofilp32.exe File opened for modification C:\Windows\SysWOW64\Ljpaqmgb.exe Lcfidb32.exe File created C:\Windows\SysWOW64\Fegbnohh.dll Lancko32.exe File created C:\Windows\SysWOW64\Npbceggm.exe Nggnadib.exe File created C:\Windows\SysWOW64\Qedegh32.dll Oclkgccf.exe File created C:\Windows\SysWOW64\Ahdpjn32.exe Aajhndkb.exe File created C:\Windows\SysWOW64\Coegoe32.exe Cnfkdb32.exe File created C:\Windows\SysWOW64\Mlhqcgnk.exe Mablfnne.exe File opened for modification C:\Windows\SysWOW64\Foclgq32.exe Fbplml32.exe File created C:\Windows\SysWOW64\Fjoiip32.dll Mlljnf32.exe File opened for modification C:\Windows\SysWOW64\Impliekg.exe Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Jpcapp32.exe Jiglnf32.exe File opened for modification C:\Windows\SysWOW64\Oclkgccf.exe Ogcnmc32.exe File created C:\Windows\SysWOW64\Hiebgmkm.dll Qdoacabq.exe File opened for modification C:\Windows\SysWOW64\Ekajec32.exe Eqlfhjig.exe File created C:\Windows\SysWOW64\Hiplgm32.dll Hpioin32.exe File opened for modification C:\Windows\SysWOW64\Pbhgoh32.exe Pjlcjf32.exe File created C:\Windows\SysWOW64\Nqfbpb32.exe Nbebbk32.exe File opened for modification C:\Windows\SysWOW64\Jjpode32.exe Jniood32.exe File created C:\Windows\SysWOW64\Kcmmhj32.exe Knqepc32.exe File created C:\Windows\SysWOW64\Ldjcfk32.dll Knqepc32.exe File opened for modification C:\Windows\SysWOW64\Qdaniq32.exe Qmgelf32.exe File opened for modification C:\Windows\SysWOW64\Pcbkml32.exe Pimfpc32.exe File opened for modification C:\Windows\SysWOW64\Gpmomo32.exe Gicgpelg.exe File created C:\Windows\SysWOW64\Fpbdco32.dll Hhfpbpdo.exe File opened for modification C:\Windows\SysWOW64\Haaaaeim.exe Hldiinke.exe File created C:\Windows\SysWOW64\Agolng32.dll Ofgdcipq.exe File opened for modification C:\Windows\SysWOW64\Fngcmcfe.exe Feoodn32.exe File created C:\Windows\SysWOW64\Gfjkjo32.exe Gejopl32.exe File opened for modification C:\Windows\SysWOW64\Fkmjaa32.exe Fofilp32.exe File created C:\Windows\SysWOW64\Cgpfqchb.dll Jlgoek32.exe File created C:\Windows\SysWOW64\Minqeaad.dll Kjlopc32.exe File created C:\Windows\SysWOW64\Gpmomo32.exe Gicgpelg.exe File created C:\Windows\SysWOW64\Ieccbbkn.exe Ipgkjlmg.exe File created C:\Windows\SysWOW64\Bpemfc32.dll Lcfidb32.exe File created C:\Windows\SysWOW64\Fnadil32.dll Ebdcld32.exe File created C:\Windows\SysWOW64\Ggpcfd32.dll Eiahnnph.exe File opened for modification C:\Windows\SysWOW64\Kodnmkap.exe Kcmmhj32.exe File created C:\Windows\SysWOW64\Jbhfhgch.dll Kodnmkap.exe File created C:\Windows\SysWOW64\Oqoefand.exe Ojemig32.exe File opened for modification C:\Windows\SysWOW64\Pimfpc32.exe Pcpnhl32.exe File created C:\Windows\SysWOW64\Gaebef32.exe Gijmad32.exe File created C:\Windows\SysWOW64\Chbfoaba.dll Hnibokbd.exe File opened for modification C:\Windows\SysWOW64\Jlgoek32.exe Jaajhb32.exe File created C:\Windows\SysWOW64\Lphdhn32.dll Jikoopij.exe File created C:\Windows\SysWOW64\Hohahelb.dll Hbjoeojc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1796 8124 WerFault.exe 310 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll" Hfaajnfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobfelii.dll" Jpcapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfgdpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll" Nblolm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqklkbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbolagk.dll" Gaebef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghojbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilpobpd.dll" Mcbpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocohmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll" Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkbpmep.dll" Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njgqhicg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Illfdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljhnlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll" Mablfnne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phcgcqab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhfpbpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khgbqkhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll" NEAS.191dba3e226b4ebbeffc726c7ee02ec0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpenlneh.dll" Ncmhko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefeek32.dll" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqoll32.dll" Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geldkfpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haaaaeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqcejcha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obgohklm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nggnadib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll" Bmjkic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkphhgfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekbjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbibfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll" Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdmpmdpj.dll" Knnhjcog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nggnadib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgamhc32.dll" Doagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll" Pbhgoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipihpkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmmmfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedegh32.dll" Oclkgccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekcgkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll" Pimfpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnepna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnfkdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjccmbf.dll" Edplhjhi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3860 wrote to memory of 3808 3860 NEAS.191dba3e226b4ebbeffc726c7ee02ec0.exe 88 PID 3860 wrote to memory of 3808 3860 NEAS.191dba3e226b4ebbeffc726c7ee02ec0.exe 88 PID 3860 wrote to memory of 3808 3860 NEAS.191dba3e226b4ebbeffc726c7ee02ec0.exe 88 PID 3808 wrote to memory of 3664 3808 Dbnmke32.exe 89 PID 3808 wrote to memory of 3664 3808 Dbnmke32.exe 89 PID 3808 wrote to memory of 3664 3808 Dbnmke32.exe 89 PID 3664 wrote to memory of 4388 3664 Dijbno32.exe 90 PID 3664 wrote to memory of 4388 3664 Dijbno32.exe 90 PID 3664 wrote to memory of 4388 3664 Dijbno32.exe 90 PID 4388 wrote to memory of 4856 4388 Eiloco32.exe 91 PID 4388 wrote to memory of 4856 4388 Eiloco32.exe 91 PID 4388 wrote to memory of 4856 4388 Eiloco32.exe 91 PID 4856 wrote to memory of 4580 4856 Ebdcld32.exe 93 PID 4856 wrote to memory of 4580 4856 Ebdcld32.exe 93 PID 4856 wrote to memory of 4580 4856 Ebdcld32.exe 93 PID 4580 wrote to memory of 3796 4580 Eiahnnph.exe 94 PID 4580 wrote to memory of 3796 4580 Eiahnnph.exe 94 PID 4580 wrote to memory of 3796 4580 Eiahnnph.exe 94 PID 3796 wrote to memory of 4676 3796 Emoadlfo.exe 95 PID 3796 wrote to memory of 4676 3796 Emoadlfo.exe 95 PID 3796 wrote to memory of 4676 3796 Emoadlfo.exe 95 PID 4676 wrote to memory of 1356 4676 Emanjldl.exe 97 PID 4676 wrote to memory of 1356 4676 Emanjldl.exe 97 PID 4676 wrote to memory of 1356 4676 Emanjldl.exe 97 PID 1356 wrote to memory of 4136 1356 Flfkkhid.exe 98 PID 1356 wrote to memory of 4136 1356 Flfkkhid.exe 98 PID 1356 wrote to memory of 4136 1356 Flfkkhid.exe 98 PID 4136 wrote to memory of 328 4136 Feoodn32.exe 99 PID 4136 wrote to memory of 328 4136 Feoodn32.exe 99 PID 4136 wrote to memory of 328 4136 Feoodn32.exe 99 PID 328 wrote to memory of 3844 328 Fngcmcfe.exe 100 PID 328 wrote to memory of 3844 328 Fngcmcfe.exe 100 PID 328 wrote to memory of 3844 328 Fngcmcfe.exe 100 PID 3844 wrote to memory of 4528 3844 Flkdfh32.exe 101 PID 3844 wrote to memory of 4528 3844 Flkdfh32.exe 101 PID 3844 wrote to memory of 4528 3844 Flkdfh32.exe 101 PID 4528 wrote to memory of 5024 4528 Ffqhcq32.exe 102 PID 4528 wrote to memory of 5024 4528 Ffqhcq32.exe 102 PID 4528 wrote to memory of 5024 4528 Ffqhcq32.exe 102 PID 5024 wrote to memory of 1392 5024 Fpimlfke.exe 103 PID 5024 wrote to memory of 1392 5024 Fpimlfke.exe 103 PID 5024 wrote to memory of 1392 5024 Fpimlfke.exe 103 PID 1392 wrote to memory of 3332 1392 Fmmmfj32.exe 104 PID 1392 wrote to memory of 3332 1392 Fmmmfj32.exe 104 PID 1392 wrote to memory of 3332 1392 Fmmmfj32.exe 104 PID 3332 wrote to memory of 676 3332 Gidnkkpc.exe 105 PID 3332 wrote to memory of 676 3332 Gidnkkpc.exe 105 PID 3332 wrote to memory of 676 3332 Gidnkkpc.exe 105 PID 676 wrote to memory of 4008 676 Gejopl32.exe 106 PID 676 wrote to memory of 4008 676 Gejopl32.exe 106 PID 676 wrote to memory of 4008 676 Gejopl32.exe 106 PID 4008 wrote to memory of 1288 4008 Gfjkjo32.exe 107 PID 4008 wrote to memory of 1288 4008 Gfjkjo32.exe 107 PID 4008 wrote to memory of 1288 4008 Gfjkjo32.exe 107 PID 1288 wrote to memory of 2448 1288 Gnepna32.exe 109 PID 1288 wrote to memory of 2448 1288 Gnepna32.exe 109 PID 1288 wrote to memory of 2448 1288 Gnepna32.exe 109 PID 2448 wrote to memory of 3012 2448 Glipgf32.exe 110 PID 2448 wrote to memory of 3012 2448 Glipgf32.exe 110 PID 2448 wrote to memory of 3012 2448 Glipgf32.exe 110 PID 3012 wrote to memory of 3484 3012 Gmimai32.exe 111 PID 3012 wrote to memory of 3484 3012 Gmimai32.exe 111 PID 3012 wrote to memory of 3484 3012 Gmimai32.exe 111 PID 3484 wrote to memory of 1084 3484 Hfaajnfb.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.191dba3e226b4ebbeffc726c7ee02ec0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.191dba3e226b4ebbeffc726c7ee02ec0.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Feoodn32.exeC:\Windows\system32\Feoodn32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Hfaajnfb.exeC:\Windows\system32\Hfaajnfb.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Holfoqcm.exeC:\Windows\system32\Holfoqcm.exe23⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Hbjoeojc.exeC:\Windows\system32\Hbjoeojc.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Hifcgion.exeC:\Windows\system32\Hifcgion.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe26⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Iepaaico.exeC:\Windows\system32\Iepaaico.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Ilqoobdd.exeC:\Windows\system32\Ilqoobdd.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe31⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4408 -
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe34⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Jjpode32.exeC:\Windows\system32\Jjpode32.exe36⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe37⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Kcmmhj32.exeC:\Windows\system32\Kcmmhj32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3632 -
C:\Windows\SysWOW64\Kodnmkap.exeC:\Windows\system32\Kodnmkap.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Lgbloglj.exeC:\Windows\system32\Lgbloglj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Lqkqhm32.exeC:\Windows\system32\Lqkqhm32.exe45⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Lgdidgjg.exeC:\Windows\system32\Lgdidgjg.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Lmaamn32.exeC:\Windows\system32\Lmaamn32.exe47⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe48⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Ljhnlb32.exeC:\Windows\system32\Ljhnlb32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4804 -
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe51⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Mnegbp32.exeC:\Windows\system32\Mnegbp32.exe52⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Mcbpjg32.exeC:\Windows\system32\Mcbpjg32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe54⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Nggnadib.exeC:\Windows\system32\Nggnadib.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4516 -
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Nncccnol.exeC:\Windows\system32\Nncccnol.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Ncqlkemc.exeC:\Windows\system32\Ncqlkemc.exe58⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe60⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Npiiffqe.exeC:\Windows\system32\Npiiffqe.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Onkidm32.exeC:\Windows\system32\Onkidm32.exe62⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4020 -
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Omdppiif.exeC:\Windows\system32\Omdppiif.exe65⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Ocohmc32.exeC:\Windows\system32\Ocohmc32.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:5080 -
C:\Windows\SysWOW64\Omgmeigd.exeC:\Windows\system32\Omgmeigd.exe67⤵PID:1060
-
C:\Windows\SysWOW64\Pnfiplog.exeC:\Windows\system32\Pnfiplog.exe68⤵PID:2028
-
C:\Windows\SysWOW64\Pfandnla.exeC:\Windows\system32\Pfandnla.exe69⤵PID:2736
-
C:\Windows\SysWOW64\Pagbaglh.exeC:\Windows\system32\Pagbaglh.exe70⤵
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe71⤵
- Modifies registry class
PID:3132 -
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Phcgcqab.exeC:\Windows\system32\Phcgcqab.exe73⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Ppolhcnm.exeC:\Windows\system32\Ppolhcnm.exe74⤵PID:1112
-
C:\Windows\SysWOW64\Panhbfep.exeC:\Windows\system32\Panhbfep.exe75⤵PID:2608
-
C:\Windows\SysWOW64\Qjfmkk32.exeC:\Windows\system32\Qjfmkk32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3880 -
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe77⤵
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Qmgelf32.exeC:\Windows\system32\Qmgelf32.exe78⤵
- Drops file in System32 directory
PID:3628 -
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe79⤵PID:1168
-
C:\Windows\SysWOW64\Amjbbfgo.exeC:\Windows\system32\Amjbbfgo.exe80⤵PID:2520
-
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe81⤵PID:856
-
C:\Windows\SysWOW64\Aoioli32.exeC:\Windows\system32\Aoioli32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4392 -
C:\Windows\SysWOW64\Adfgdpmi.exeC:\Windows\system32\Adfgdpmi.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Akpoaj32.exeC:\Windows\system32\Akpoaj32.exe84⤵PID:5216
-
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Ahdpjn32.exeC:\Windows\system32\Ahdpjn32.exe86⤵PID:5308
-
C:\Windows\SysWOW64\Apodoq32.exeC:\Windows\system32\Apodoq32.exe87⤵PID:5348
-
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Bdmmeo32.exeC:\Windows\system32\Bdmmeo32.exe89⤵PID:5444
-
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe91⤵PID:5524
-
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe92⤵PID:5576
-
C:\Windows\SysWOW64\Bmjkic32.exeC:\Windows\system32\Bmjkic32.exe93⤵
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe94⤵PID:5680
-
C:\Windows\SysWOW64\Bpkdjofm.exeC:\Windows\system32\Bpkdjofm.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5724 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5768 -
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe97⤵PID:5832
-
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5872 -
C:\Windows\SysWOW64\Cgifbhid.exeC:\Windows\system32\Cgifbhid.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5920 -
C:\Windows\SysWOW64\Cnfkdb32.exeC:\Windows\system32\Cnfkdb32.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:5968 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe101⤵PID:6008
-
C:\Windows\SysWOW64\Cdbpgl32.exeC:\Windows\system32\Cdbpgl32.exe102⤵PID:6064
-
C:\Windows\SysWOW64\Cnjdpaki.exeC:\Windows\system32\Cnjdpaki.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6116 -
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe104⤵PID:5152
-
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240 -
C:\Windows\SysWOW64\Ddgibkpc.exeC:\Windows\system32\Ddgibkpc.exe106⤵PID:5288
-
C:\Windows\SysWOW64\Dolmodpi.exeC:\Windows\system32\Dolmodpi.exe107⤵
- Drops file in System32 directory
PID:5384 -
C:\Windows\SysWOW64\Dggbcf32.exeC:\Windows\system32\Dggbcf32.exe108⤵PID:5476
-
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe109⤵PID:5552
-
C:\Windows\SysWOW64\Doagjc32.exeC:\Windows\system32\Doagjc32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5604 -
C:\Windows\SysWOW64\Ddnobj32.exeC:\Windows\system32\Ddnobj32.exe111⤵PID:5732
-
C:\Windows\SysWOW64\Doccpcja.exeC:\Windows\system32\Doccpcja.exe112⤵PID:5852
-
C:\Windows\SysWOW64\Edplhjhi.exeC:\Windows\system32\Edplhjhi.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5928 -
C:\Windows\SysWOW64\Eqgmmk32.exeC:\Windows\system32\Eqgmmk32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6028 -
C:\Windows\SysWOW64\Eohmkb32.exeC:\Windows\system32\Eohmkb32.exe115⤵PID:6124
-
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe116⤵
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5284 -
C:\Windows\SysWOW64\Ekajec32.exeC:\Windows\system32\Ekajec32.exe118⤵PID:5452
-
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe119⤵
- Drops file in System32 directory
PID:5560 -
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Fqppci32.exeC:\Windows\system32\Fqppci32.exe121⤵PID:5956
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-