Analysis
-
max time kernel
138s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
21/10/2023, 21:31
Behavioral task
behavioral1
Sample
NEAS.c97f4b852e52dd287b523360eef5ffa0.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c97f4b852e52dd287b523360eef5ffa0.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.c97f4b852e52dd287b523360eef5ffa0.exe
-
Size
366KB
-
MD5
c97f4b852e52dd287b523360eef5ffa0
-
SHA1
5d595ae8d4644149bbe1b78280bcc7ef2475db60
-
SHA256
65b4a52796cf4bbfd6309020c32bc43d10378b374f4fce742e3c7579349038d6
-
SHA512
dd23e8a800a1683fc5bfe91e8ac9a3f381779c3f5be5bcba6dbe4ef45a8b7e298586ea047a3a6d2cd8da053bea68ce3f57ce1e3845f586f78a5a05946dff80f5
-
SSDEEP
6144:anT9icxWURhhz5LRlUivKvUmKyIxLDXXoq9FJZCUmKyIxLpmAqkCcoMOk:MTQqfZoivKv32XXf9Do3+IviD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqhoeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhofnpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knmpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onjebpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjpmfpid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaodkmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmlla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eieplhlf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplobcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmkeekag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioicnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgngqico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfakcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbbblhnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcihjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbmohmoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhfaddk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Canocm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclhjkfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Memalfcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhghge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bghddp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggocbke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnoknihb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebngial.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jphkkpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kodnmkap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hffken32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieojgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iafkld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koajmepf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lllagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icnphd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnoiqdq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljglnmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnapgjdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jomeoggk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckjlf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahokfag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdofpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noaeqjpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gddqejni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpqklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckmmpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhafffk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnfmqng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mofmobmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbaehl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpgbgpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cegnol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpqap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mepnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epeohn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibmlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oddmoj32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2820-0-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0008000000022e4d-6.dat family_berbew behavioral2/memory/3620-7-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0008000000022e4d-8.dat family_berbew behavioral2/files/0x0006000000022e69-14.dat family_berbew behavioral2/memory/852-15-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e69-16.dat family_berbew behavioral2/files/0x0006000000022e6b-17.dat family_berbew behavioral2/files/0x0006000000022e6b-22.dat family_berbew behavioral2/memory/3512-23-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e6b-24.dat family_berbew behavioral2/files/0x0006000000022e6d-30.dat family_berbew behavioral2/memory/2152-31-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e6d-32.dat family_berbew behavioral2/memory/1488-39-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e6f-38.dat family_berbew behavioral2/files/0x0006000000022e6f-40.dat family_berbew behavioral2/files/0x0006000000022e72-47.dat family_berbew behavioral2/memory/1120-48-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e72-46.dat family_berbew behavioral2/files/0x0008000000022e5b-54.dat family_berbew behavioral2/memory/2316-55-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0008000000022e5b-56.dat family_berbew behavioral2/files/0x0006000000022e77-62.dat family_berbew behavioral2/files/0x0006000000022e77-63.dat family_berbew behavioral2/memory/4884-64-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e79-70.dat family_berbew behavioral2/files/0x0006000000022e79-72.dat family_berbew behavioral2/memory/3720-71-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e7b-78.dat family_berbew behavioral2/files/0x0006000000022e7b-79.dat family_berbew behavioral2/memory/4916-80-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e7d-86.dat family_berbew behavioral2/memory/1984-88-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e7d-87.dat family_berbew behavioral2/files/0x0006000000022e7f-94.dat family_berbew behavioral2/memory/5100-95-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e7f-96.dat family_berbew behavioral2/files/0x0006000000022e81-102.dat family_berbew behavioral2/memory/4880-103-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e81-104.dat family_berbew behavioral2/files/0x0006000000022e83-110.dat family_berbew behavioral2/files/0x0006000000022e83-112.dat family_berbew behavioral2/memory/4968-111-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e85-118.dat family_berbew behavioral2/memory/1884-119-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e85-120.dat family_berbew behavioral2/files/0x0006000000022e87-126.dat family_berbew behavioral2/memory/4028-127-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e87-128.dat family_berbew behavioral2/files/0x0006000000022e89-134.dat family_berbew behavioral2/files/0x0006000000022e89-136.dat family_berbew behavioral2/memory/4812-135-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e8b-142.dat family_berbew behavioral2/files/0x0006000000022e8b-144.dat family_berbew behavioral2/memory/4560-143-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e8d-150.dat family_berbew behavioral2/files/0x0006000000022e8d-152.dat family_berbew behavioral2/memory/1260-151-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e8f-158.dat family_berbew behavioral2/memory/3104-159-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral2/files/0x0006000000022e8f-160.dat family_berbew behavioral2/files/0x0006000000022e91-167.dat family_berbew behavioral2/files/0x0006000000022e91-166.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3620 Obafpg32.exe 852 Oeaoab32.exe 3512 Phbhcmjl.exe 2152 Pcjiff32.exe 1488 Papfgbmg.exe 1120 Pocfpf32.exe 2316 Blhpqhlh.exe 4884 Ffmfchle.exe 3720 Fjjnifbl.exe 4916 Fbhpch32.exe 1984 Fffhifdk.exe 5100 Gbmingjo.exe 4880 Gfkbde32.exe 4968 Gfmojenc.exe 1884 Hkbmqb32.exe 4028 Hdjbiheb.exe 4812 Hkfglb32.exe 4560 Hpcodihc.exe 1260 Iinqbn32.exe 3104 Idcepgmg.exe 1536 Iciaqc32.exe 2764 Idhnkf32.exe 4588 Jncoikmp.exe 1460 Jcphab32.exe 4440 Jgnqgqan.exe 3404 Jqhafffk.exe 2224 Jnlbojee.exe 2372 Kmaopfjm.exe 232 Kgipcogp.exe 4848 Kjjiej32.exe 2424 Kcbnnpka.exe 5084 Kqfngd32.exe 880 Lcggio32.exe 400 Lcjcnoej.exe 3964 Lnohlgep.exe 1820 Lkchelci.exe 1400 Mnpabe32.exe 2188 Nnbnhedj.exe 1064 Nelfeo32.exe 5092 Nenbjo32.exe 1220 Naecop32.exe 4964 Nlkgmh32.exe 2180 Ndflak32.exe 2972 Najmjokc.exe 1824 Onnmdcjm.exe 1520 Odjeljhd.exe 4564 Ojdnid32.exe 564 Odmbaj32.exe 3812 Ojgjndno.exe 1392 Odoogi32.exe 4956 Omgcpokp.exe 3068 Olicnfco.exe 1164 Peahgl32.exe 752 Pdfehh32.exe 2296 Poliea32.exe 3360 Phdnngdn.exe 3836 Pdkoch32.exe 3128 Pmcclm32.exe 4056 Phigif32.exe 5012 Qdphngfl.exe 3944 Qmhlgmmm.exe 2936 Qlimed32.exe 1908 Addaif32.exe 4684 Anmfbl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Anhaoj32.dll Fgjhpcmo.exe File opened for modification C:\Windows\SysWOW64\Ieccbbkn.exe Iojkeh32.exe File created C:\Windows\SysWOW64\Dojpmiij.dll Jllhpkfk.exe File created C:\Windows\SysWOW64\Aalmimfd.exe Affikdfn.exe File opened for modification C:\Windows\SysWOW64\Kaqejcep.exe Kfkamk32.exe File created C:\Windows\SysWOW64\Mnailf32.dll Opjgidfa.exe File created C:\Windows\SysWOW64\Oajccgmd.exe Ogdofo32.exe File opened for modification C:\Windows\SysWOW64\Filapfbo.exe Fijdjfdb.exe File created C:\Windows\SysWOW64\Hmcipf32.dll Ifphkbep.exe File created C:\Windows\SysWOW64\Pkoemhao.exe Pbgqdb32.exe File opened for modification C:\Windows\SysWOW64\Ellicihn.exe Eeaqfo32.exe File created C:\Windows\SysWOW64\Fhllni32.exe Fgjpfqpi.exe File created C:\Windows\SysWOW64\Nhjmnaoj.dll Hladlc32.exe File created C:\Windows\SysWOW64\Foenplji.exe Fhkecb32.exe File opened for modification C:\Windows\SysWOW64\Hafpiehg.exe Hhnkppbf.exe File created C:\Windows\SysWOW64\Ppgomnai.exe Qnopjfgi.exe File created C:\Windows\SysWOW64\Nfmcle32.dll Dpgbgpbe.exe File created C:\Windows\SysWOW64\Fiodpl32.exe Fnipbc32.exe File created C:\Windows\SysWOW64\Lpiaimfg.dll Inebjihf.exe File opened for modification C:\Windows\SysWOW64\Caqpkjcl.exe Cgklmacf.exe File opened for modification C:\Windows\SysWOW64\Kmpido32.exe Kfeagefd.exe File created C:\Windows\SysWOW64\Kmpcpigl.dll Kmobii32.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe Cammjakm.exe File created C:\Windows\SysWOW64\Eaecci32.dll Edaaccbj.exe File created C:\Windows\SysWOW64\Piffmfnj.dll Pkhhbbck.exe File opened for modification C:\Windows\SysWOW64\Becknc32.exe Biljib32.exe File opened for modification C:\Windows\SysWOW64\Dfngcdhi.exe Dlicflic.exe File created C:\Windows\SysWOW64\Nhhldc32.exe Nmbhgjoi.exe File created C:\Windows\SysWOW64\Fhgccijm.exe Feifgnki.exe File created C:\Windows\SysWOW64\Jmmcgbnf.exe Ijngkf32.exe File opened for modification C:\Windows\SysWOW64\Gmdcfidg.exe Gbnoiqdq.exe File created C:\Windows\SysWOW64\Giidol32.dll Pnifekmd.exe File created C:\Windows\SysWOW64\Cnidqf32.dll Fgiaemic.exe File opened for modification C:\Windows\SysWOW64\Icgbob32.exe Inkjfk32.exe File created C:\Windows\SysWOW64\Hnlnbkcc.dll Okeklcen.exe File opened for modification C:\Windows\SysWOW64\Pdbiphhi.exe Pnhacn32.exe File created C:\Windows\SysWOW64\Ihlgan32.exe Ikhghi32.exe File created C:\Windows\SysWOW64\Gjgmjh32.dll Bmddihfj.exe File opened for modification C:\Windows\SysWOW64\Iooimi32.exe Iibaeb32.exe File opened for modification C:\Windows\SysWOW64\Gflhoo32.exe Gmdcfidg.exe File created C:\Windows\SysWOW64\Kfnfjehl.exe Kodnmkap.exe File created C:\Windows\SysWOW64\Mcelpggq.exe Mnhdgpii.exe File created C:\Windows\SysWOW64\Lllagh32.exe Lcclncbh.exe File opened for modification C:\Windows\SysWOW64\Qfmfefni.exe Qapnmopa.exe File created C:\Windows\SysWOW64\Lcgagm32.dll Gnfooe32.exe File created C:\Windows\SysWOW64\Dcknnglh.dll Jjpmfpid.exe File created C:\Windows\SysWOW64\Jofill32.dll Fffhifdk.exe File created C:\Windows\SysWOW64\Hpqkcc32.dll Pnknim32.exe File created C:\Windows\SysWOW64\Qpdhhmkg.dll Gqokekph.exe File created C:\Windows\SysWOW64\Qejfcl32.dll Kaqejcep.exe File created C:\Windows\SysWOW64\Iinqbn32.exe Hpcodihc.exe File opened for modification C:\Windows\SysWOW64\Pplobcpp.exe Pjpfjl32.exe File created C:\Windows\SysWOW64\Mjggal32.exe Nhafcd32.exe File created C:\Windows\SysWOW64\Gbhhqamj.dll Nfldgk32.exe File created C:\Windows\SysWOW64\Ncapfeoc.dll Hkohchko.exe File created C:\Windows\SysWOW64\Piifjomf.dll Bpgjpb32.exe File created C:\Windows\SysWOW64\Bihhkm32.dll Namnmp32.exe File created C:\Windows\SysWOW64\Mpkkgbmi.exe Ljoboloa.exe File opened for modification C:\Windows\SysWOW64\Bclppboi.exe Bldgoeog.exe File created C:\Windows\SysWOW64\Glpdjpbj.exe Gajpmg32.exe File created C:\Windows\SysWOW64\Eephln32.dll Idhnkf32.exe File opened for modification C:\Windows\SysWOW64\Hefnkkkj.exe Holfoqcm.exe File created C:\Windows\SysWOW64\Pnmopk32.exe Pplobcpp.exe File opened for modification C:\Windows\SysWOW64\Oihmedma.exe Pjoknhbe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9920 4660 WerFault.exe 1024 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdffah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbdnipf.dll" Felbnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fongpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geoapenf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfeagefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhelp32.dll" Lihpdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bldgoeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noqofdlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll" Mqafhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgekdq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohdbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdofh32.dll" Pdbiphhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancoda32.dll" Chddpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbblob32.dll" Filapfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffpcbchm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afboah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbnbhfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgfeb32.dll" Bldgoeog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnhacn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll" Cancekeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqdmghnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maoakaip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjghqbi.dll" Jcihjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jopiom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnfaohbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kibeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjnfknb.dll" Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll" Ppgegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpnfc32.dll" Fgijkgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biadee32.dll" Lennpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojncj32.dll" Ekdnei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieknpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiqomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll" Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdoljdi.dll" Mofmobmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgklmacf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Albkieqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Loiong32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpgnjebd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmknd32.dll" Kfeagefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll" Pnifekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddifgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhlfoodc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbcignbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehpidjlh.dll" Hlnqln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gimqajgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lckboblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbldmmh.dll" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll" Mohidbkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkcpql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clpgkcdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlicflic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgkelj32.dll" Gaoihfoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qlimed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdannb32.dll" Hqddqj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2820 wrote to memory of 3620 2820 NEAS.c97f4b852e52dd287b523360eef5ffa0.exe 83 PID 2820 wrote to memory of 3620 2820 NEAS.c97f4b852e52dd287b523360eef5ffa0.exe 83 PID 2820 wrote to memory of 3620 2820 NEAS.c97f4b852e52dd287b523360eef5ffa0.exe 83 PID 3620 wrote to memory of 852 3620 Obafpg32.exe 84 PID 3620 wrote to memory of 852 3620 Obafpg32.exe 84 PID 3620 wrote to memory of 852 3620 Obafpg32.exe 84 PID 852 wrote to memory of 3512 852 Oeaoab32.exe 85 PID 852 wrote to memory of 3512 852 Oeaoab32.exe 85 PID 852 wrote to memory of 3512 852 Oeaoab32.exe 85 PID 3512 wrote to memory of 2152 3512 Phbhcmjl.exe 86 PID 3512 wrote to memory of 2152 3512 Phbhcmjl.exe 86 PID 3512 wrote to memory of 2152 3512 Phbhcmjl.exe 86 PID 2152 wrote to memory of 1488 2152 Pcjiff32.exe 87 PID 2152 wrote to memory of 1488 2152 Pcjiff32.exe 87 PID 2152 wrote to memory of 1488 2152 Pcjiff32.exe 87 PID 1488 wrote to memory of 1120 1488 Papfgbmg.exe 88 PID 1488 wrote to memory of 1120 1488 Papfgbmg.exe 88 PID 1488 wrote to memory of 1120 1488 Papfgbmg.exe 88 PID 1120 wrote to memory of 2316 1120 Pocfpf32.exe 90 PID 1120 wrote to memory of 2316 1120 Pocfpf32.exe 90 PID 1120 wrote to memory of 2316 1120 Pocfpf32.exe 90 PID 2316 wrote to memory of 4884 2316 Blhpqhlh.exe 91 PID 2316 wrote to memory of 4884 2316 Blhpqhlh.exe 91 PID 2316 wrote to memory of 4884 2316 Blhpqhlh.exe 91 PID 4884 wrote to memory of 3720 4884 Ffmfchle.exe 92 PID 4884 wrote to memory of 3720 4884 Ffmfchle.exe 92 PID 4884 wrote to memory of 3720 4884 Ffmfchle.exe 92 PID 3720 wrote to memory of 4916 3720 Fjjnifbl.exe 94 PID 3720 wrote to memory of 4916 3720 Fjjnifbl.exe 94 PID 3720 wrote to memory of 4916 3720 Fjjnifbl.exe 94 PID 4916 wrote to memory of 1984 4916 Fbhpch32.exe 95 PID 4916 wrote to memory of 1984 4916 Fbhpch32.exe 95 PID 4916 wrote to memory of 1984 4916 Fbhpch32.exe 95 PID 1984 wrote to memory of 5100 1984 Fffhifdk.exe 96 PID 1984 wrote to memory of 5100 1984 Fffhifdk.exe 96 PID 1984 wrote to memory of 5100 1984 Fffhifdk.exe 96 PID 5100 wrote to memory of 4880 5100 Gbmingjo.exe 97 PID 5100 wrote to memory of 4880 5100 Gbmingjo.exe 97 PID 5100 wrote to memory of 4880 5100 Gbmingjo.exe 97 PID 4880 wrote to memory of 4968 4880 Gfkbde32.exe 98 PID 4880 wrote to memory of 4968 4880 Gfkbde32.exe 98 PID 4880 wrote to memory of 4968 4880 Gfkbde32.exe 98 PID 4968 wrote to memory of 1884 4968 Gfmojenc.exe 100 PID 4968 wrote to memory of 1884 4968 Gfmojenc.exe 100 PID 4968 wrote to memory of 1884 4968 Gfmojenc.exe 100 PID 1884 wrote to memory of 4028 1884 Hkbmqb32.exe 101 PID 1884 wrote to memory of 4028 1884 Hkbmqb32.exe 101 PID 1884 wrote to memory of 4028 1884 Hkbmqb32.exe 101 PID 4028 wrote to memory of 4812 4028 Hdjbiheb.exe 102 PID 4028 wrote to memory of 4812 4028 Hdjbiheb.exe 102 PID 4028 wrote to memory of 4812 4028 Hdjbiheb.exe 102 PID 4812 wrote to memory of 4560 4812 Hkfglb32.exe 103 PID 4812 wrote to memory of 4560 4812 Hkfglb32.exe 103 PID 4812 wrote to memory of 4560 4812 Hkfglb32.exe 103 PID 4560 wrote to memory of 1260 4560 Hpcodihc.exe 104 PID 4560 wrote to memory of 1260 4560 Hpcodihc.exe 104 PID 4560 wrote to memory of 1260 4560 Hpcodihc.exe 104 PID 1260 wrote to memory of 3104 1260 Iinqbn32.exe 105 PID 1260 wrote to memory of 3104 1260 Iinqbn32.exe 105 PID 1260 wrote to memory of 3104 1260 Iinqbn32.exe 105 PID 3104 wrote to memory of 1536 3104 Idcepgmg.exe 106 PID 3104 wrote to memory of 1536 3104 Idcepgmg.exe 106 PID 3104 wrote to memory of 1536 3104 Idcepgmg.exe 106 PID 1536 wrote to memory of 2764 1536 Iciaqc32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c97f4b852e52dd287b523360eef5ffa0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c97f4b852e52dd287b523360eef5ffa0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe24⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe25⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe26⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe28⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe29⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe30⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Kjjiej32.exeC:\Windows\system32\Kjjiej32.exe31⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe32⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Kqfngd32.exeC:\Windows\system32\Kqfngd32.exe33⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe34⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe35⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe36⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe37⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe39⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe40⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe41⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe42⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe43⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe44⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe45⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe46⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Odjeljhd.exeC:\Windows\system32\Odjeljhd.exe47⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe48⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Odmbaj32.exeC:\Windows\system32\Odmbaj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe50⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe51⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Omgcpokp.exeC:\Windows\system32\Omgcpokp.exe52⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe53⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe54⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe55⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe56⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Phdnngdn.exeC:\Windows\system32\Phdnngdn.exe57⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe58⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe59⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe60⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe61⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe62⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe65⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe66⤵PID:4172
-
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe67⤵PID:3932
-
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe68⤵PID:4272
-
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe69⤵PID:3448
-
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe70⤵PID:4076
-
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe71⤵PID:3328
-
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe72⤵PID:4416
-
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe73⤵PID:2592
-
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe74⤵PID:1212
-
C:\Windows\SysWOW64\Bddjpd32.exeC:\Windows\system32\Bddjpd32.exe75⤵PID:4648
-
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:816 -
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe77⤵PID:844
-
C:\Windows\SysWOW64\Cdlqqcnl.exeC:\Windows\system32\Cdlqqcnl.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe79⤵PID:3444
-
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe80⤵PID:2948
-
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe81⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe82⤵PID:1404
-
C:\Windows\SysWOW64\Ddnfmqng.exeC:\Windows\system32\Ddnfmqng.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4168 -
C:\Windows\SysWOW64\Eofgpikj.exeC:\Windows\system32\Eofgpikj.exe84⤵PID:3704
-
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe85⤵PID:1492
-
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe86⤵PID:4336
-
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe87⤵PID:4480
-
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe88⤵PID:5004
-
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe89⤵PID:1532
-
C:\Windows\SysWOW64\Ekdnei32.exeC:\Windows\system32\Ekdnei32.exe90⤵
- Modifies registry class
PID:3672 -
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe91⤵
- Modifies registry class
PID:4428 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe92⤵PID:4160
-
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe93⤵PID:4620
-
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe94⤵PID:3156
-
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe95⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Fmhdkknd.exeC:\Windows\system32\Fmhdkknd.exe96⤵PID:3372
-
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe97⤵
- Drops file in System32 directory
PID:3604 -
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe98⤵PID:3148
-
C:\Windows\SysWOW64\Fefedmil.exeC:\Windows\system32\Fefedmil.exe99⤵PID:1880
-
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe100⤵PID:4952
-
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe101⤵PID:4392
-
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe102⤵PID:3920
-
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe104⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe105⤵PID:392
-
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe106⤵PID:4104
-
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe107⤵
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe108⤵PID:2412
-
C:\Windows\SysWOW64\Hipmfjee.exeC:\Windows\system32\Hipmfjee.exe109⤵PID:4068
-
C:\Windows\SysWOW64\Holfoqcm.exeC:\Windows\system32\Holfoqcm.exe110⤵
- Drops file in System32 directory
PID:4920 -
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe111⤵PID:708
-
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe112⤵PID:5128
-
C:\Windows\SysWOW64\Hffken32.exeC:\Windows\system32\Hffken32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176 -
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe114⤵PID:5220
-
C:\Windows\SysWOW64\Hekgfj32.exeC:\Windows\system32\Hekgfj32.exe115⤵PID:5268
-
C:\Windows\SysWOW64\Hbohpn32.exeC:\Windows\system32\Hbohpn32.exe116⤵PID:5308
-
C:\Windows\SysWOW64\Hpchib32.exeC:\Windows\system32\Hpchib32.exe117⤵PID:5356
-
C:\Windows\SysWOW64\Iepaaico.exeC:\Windows\system32\Iepaaico.exe118⤵PID:5400
-
C:\Windows\SysWOW64\Iohejo32.exeC:\Windows\system32\Iohejo32.exe119⤵PID:5440
-
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5488 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe121⤵PID:5532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-