Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2023 17:31
Behavioral task
behavioral1
Sample
NEAS.ebfef184f70ff826d96c741c3f5a2bb0.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.ebfef184f70ff826d96c741c3f5a2bb0.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.ebfef184f70ff826d96c741c3f5a2bb0.exe
-
Size
329KB
-
MD5
ebfef184f70ff826d96c741c3f5a2bb0
-
SHA1
d44874a16c5397481396d3481dd7fbab9e29c1dd
-
SHA256
959331b39fcb921d2903fa8e1b96ac4da7e106fb4a065c880e67fabb02ae3cae
-
SHA512
e7605cb20729317c7670ad619e08fadc2e1082abeceabeb983aa3faa3384a627061156fcb1f6bf9efa32b42ee992a6b71740c3fea46730517bdbf297fc236e4e
-
SSDEEP
6144:AmFCPdqsws+H3Lb+Qw/WYgFIgsh0KXoQr8jTQjewInBIE1+J3RzAHV+EueR2F:1FCPdC7LKQweY0sam38vZwIBIE1+J3pf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdcjlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnmjjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppqqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchppmij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbekii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdlop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjkpoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjnnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmndpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpofii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfandnla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiknlagg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akoqpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcigeooj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogkmgba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnnljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmoen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmoag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pllgnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahdpjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqilgmdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhgmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnmjjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmabggdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejalcgkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halhfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihaoqlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnmijq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjimhnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmggfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdokdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mccfdmmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boipmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgoakc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfiokmkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbdiknlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnenlka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlmgopjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpeafcfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaajed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcigeooj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embddb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qepkbpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbmfn32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000022e3b-7.dat family_berbew behavioral2/files/0x0007000000022e3b-9.dat family_berbew behavioral2/files/0x0006000000022e43-15.dat family_berbew behavioral2/files/0x0006000000022e43-16.dat family_berbew behavioral2/files/0x0006000000022e45-23.dat family_berbew behavioral2/files/0x0006000000022e45-25.dat family_berbew behavioral2/files/0x0006000000022e47-32.dat family_berbew behavioral2/files/0x0006000000022e47-31.dat family_berbew behavioral2/files/0x0006000000022e49-41.dat family_berbew behavioral2/files/0x0006000000022e4b-47.dat family_berbew behavioral2/files/0x0006000000022e4b-49.dat family_berbew behavioral2/files/0x0006000000022e49-39.dat family_berbew behavioral2/files/0x0006000000022e4d-55.dat family_berbew behavioral2/files/0x0006000000022e4d-57.dat family_berbew behavioral2/files/0x0006000000022e4f-63.dat family_berbew behavioral2/files/0x0006000000022e4f-65.dat family_berbew behavioral2/files/0x0006000000022e51-71.dat family_berbew behavioral2/files/0x0006000000022e51-73.dat family_berbew behavioral2/files/0x0006000000022e53-79.dat family_berbew behavioral2/files/0x0006000000022e53-81.dat family_berbew behavioral2/files/0x0006000000022e55-88.dat family_berbew behavioral2/files/0x0006000000022e55-89.dat family_berbew behavioral2/files/0x0006000000022e57-96.dat family_berbew behavioral2/files/0x0006000000022e57-98.dat family_berbew behavioral2/files/0x0006000000022e5a-104.dat family_berbew behavioral2/files/0x0006000000022e5a-105.dat family_berbew behavioral2/files/0x0006000000022e5d-112.dat family_berbew behavioral2/files/0x0006000000022e5d-114.dat family_berbew behavioral2/files/0x0006000000022e65-120.dat family_berbew behavioral2/files/0x0006000000022e65-122.dat family_berbew behavioral2/files/0x0006000000022e67-128.dat family_berbew behavioral2/files/0x0006000000022e67-129.dat family_berbew behavioral2/files/0x0006000000022e69-136.dat family_berbew behavioral2/files/0x0006000000022e69-137.dat family_berbew behavioral2/files/0x0006000000022e6b-144.dat family_berbew behavioral2/files/0x0006000000022e6b-145.dat family_berbew behavioral2/files/0x0006000000022e6d-152.dat family_berbew behavioral2/files/0x0006000000022e6d-154.dat family_berbew behavioral2/files/0x0006000000022e6f-160.dat family_berbew behavioral2/files/0x0006000000022e6f-162.dat family_berbew behavioral2/files/0x0006000000022e71-168.dat family_berbew behavioral2/files/0x0006000000022e71-170.dat family_berbew behavioral2/files/0x0006000000022e73-176.dat family_berbew behavioral2/files/0x0006000000022e73-178.dat family_berbew behavioral2/files/0x0006000000022e75-184.dat family_berbew behavioral2/files/0x0006000000022e75-186.dat family_berbew behavioral2/files/0x0006000000022e77-192.dat family_berbew behavioral2/files/0x0006000000022e77-194.dat family_berbew behavioral2/files/0x0006000000022e79-200.dat family_berbew behavioral2/files/0x0006000000022e79-202.dat family_berbew behavioral2/files/0x0006000000022e7b-208.dat family_berbew behavioral2/files/0x0006000000022e7b-210.dat family_berbew behavioral2/files/0x0006000000022e7d-216.dat family_berbew behavioral2/files/0x0006000000022e7d-218.dat family_berbew behavioral2/files/0x0006000000022e7f-224.dat family_berbew behavioral2/files/0x0006000000022e7f-225.dat family_berbew behavioral2/files/0x0006000000022e81-232.dat family_berbew behavioral2/files/0x0006000000022e81-234.dat family_berbew behavioral2/files/0x0006000000022e83-240.dat family_berbew behavioral2/files/0x0006000000022e83-242.dat family_berbew behavioral2/files/0x0007000000022e86-248.dat family_berbew behavioral2/files/0x0007000000022e86-250.dat family_berbew behavioral2/files/0x0006000000022e8b-256.dat family_berbew behavioral2/files/0x0006000000022e8b-258.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3620 Pckppl32.exe 4424 Poaqemao.exe 2256 Pjgebf32.exe 4116 Plhnda32.exe 2016 Qhonib32.exe 1836 Qgpogili.exe 2420 Qlmgopjq.exe 4960 Agbkmijg.exe 3748 Aihaoqlp.exe 5012 Acnemi32.exe 4996 Amfjeobf.exe 3640 Ajjjocap.exe 4968 Bcbohigp.exe 4416 Boipmj32.exe 3736 Bqilgmdg.exe 440 Bidqko32.exe 3172 Bciehh32.exe 4140 Bmbiamhi.exe 2140 Bfjnjcni.exe 4336 Cgjjdf32.exe 3372 Cpeohh32.exe 3064 Cmipblaq.exe 3392 Cippgm32.exe 2508 Caienjfd.exe 1088 Dpnbog32.exe 2768 Dpqodfij.exe 3380 Diicml32.exe 4944 Dikpbl32.exe 4344 Dhlpqc32.exe 1832 Epcdqd32.exe 4904 Fpeafcfa.exe 4604 Ffpicn32.exe 3632 Fdcjlb32.exe 1284 Fmlneg32.exe 4708 Fhabbp32.exe 2692 Fkpool32.exe 3964 Fajgkfio.exe 3996 Fhdohp32.exe 4660 Gkdhjknm.exe 2020 Ghhhcomg.exe 2988 Ghkeio32.exe 2268 Gnhnaf32.exe 568 Gklnjj32.exe 484 Gddbcp32.exe 2876 Hgghjjid.exe 1260 Hpomcp32.exe 2748 Hkeaqi32.exe 1616 Hpbiip32.exe 3324 Hkgnfhnh.exe 2252 Hdpbon32.exe 2612 Hpfcdojl.exe 4236 Iklgah32.exe 1692 Iddljmpc.exe 2396 Iahlcaol.exe 3616 Iqmidndd.exe 1248 Ikcmbfcj.exe 4052 Ihgnkkbd.exe 3856 Indfca32.exe 2112 Jkhgmf32.exe 640 Jdpkflfe.exe 4160 Jbdlop32.exe 1524 Jjopcb32.exe 1720 Jdedak32.exe 4756 Jnmijq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bcbohigp.exe Ajjjocap.exe File created C:\Windows\SysWOW64\Gpaoobkd.dll Cofecami.exe File created C:\Windows\SysWOW64\Iinqbn32.exe Idahjg32.exe File created C:\Windows\SysWOW64\Feqeog32.exe Fnfmbmbi.exe File created C:\Windows\SysWOW64\Cippgm32.exe Cmipblaq.exe File created C:\Windows\SysWOW64\Fmndpq32.exe Fpjcgm32.exe File created C:\Windows\SysWOW64\Idhnkf32.exe Igdnabjh.exe File opened for modification C:\Windows\SysWOW64\Nmnqjp32.exe Ndflak32.exe File opened for modification C:\Windows\SysWOW64\Lihpif32.exe Lldopb32.exe File created C:\Windows\SysWOW64\Nlkngo32.exe Nklbmllg.exe File opened for modification C:\Windows\SysWOW64\Igbalblk.exe Iphioh32.exe File created C:\Windows\SysWOW64\Hgagmm32.dll Qgpogili.exe File created C:\Windows\SysWOW64\Abbkcpma.exe Ahjgjj32.exe File opened for modification C:\Windows\SysWOW64\Ejoomhmi.exe Ebejfk32.exe File opened for modification C:\Windows\SysWOW64\Jdedak32.exe Jjopcb32.exe File created C:\Windows\SysWOW64\Oklkdi32.exe Oiknlagg.exe File opened for modification C:\Windows\SysWOW64\Bhamkipi.exe Bohibc32.exe File opened for modification C:\Windows\SysWOW64\Ccpdoqgd.exe Cmflbf32.exe File created C:\Windows\SysWOW64\Bciehh32.exe Bidqko32.exe File opened for modification C:\Windows\SysWOW64\Epcdqd32.exe Dhlpqc32.exe File created C:\Windows\SysWOW64\Piomhofd.dll Iklgah32.exe File created C:\Windows\SysWOW64\Pioelhgj.dll Idfaefkd.exe File created C:\Windows\SysWOW64\Qcjdoc32.dll Kdbjhbbd.exe File created C:\Windows\SysWOW64\Ejnocehc.dll Lenicahg.exe File created C:\Windows\SysWOW64\Pfepdg32.exe Pplhhm32.exe File created C:\Windows\SysWOW64\Oblmdhdo.exe Ohghgodi.exe File created C:\Windows\SysWOW64\Oiknlagg.exe Okjnnj32.exe File created C:\Windows\SysWOW64\Abponp32.exe Alcfei32.exe File created C:\Windows\SysWOW64\Fdqfll32.exe Fikbocki.exe File created C:\Windows\SysWOW64\Mdafpj32.dll Kgninn32.exe File opened for modification C:\Windows\SysWOW64\Ohkkhhmh.exe Oaqbkn32.exe File created C:\Windows\SysWOW64\Hnphoj32.exe Halhfe32.exe File opened for modification C:\Windows\SysWOW64\Ghhhcomg.exe Gkdhjknm.exe File opened for modification C:\Windows\SysWOW64\Kghjhemo.exe Jnpfop32.exe File opened for modification C:\Windows\SysWOW64\Pllgnl32.exe Oklkdi32.exe File opened for modification C:\Windows\SysWOW64\Bombmcec.exe Bmofagfp.exe File created C:\Windows\SysWOW64\Pfccogfc.exe Pafkgphl.exe File created C:\Windows\SysWOW64\Chjjqebm.dll Pafkgphl.exe File created C:\Windows\SysWOW64\Dcnfjkma.dll Inqbclob.exe File opened for modification C:\Windows\SysWOW64\Ndflak32.exe Nlkgmh32.exe File created C:\Windows\SysWOW64\Jggocdgo.dll Halhfe32.exe File opened for modification C:\Windows\SysWOW64\Oflmnh32.exe Mlljnf32.exe File opened for modification C:\Windows\SysWOW64\Pfccogfc.exe Pafkgphl.exe File created C:\Windows\SysWOW64\Heolpdjf.dll Ikcmbfcj.exe File opened for modification C:\Windows\SysWOW64\Abbkcpma.exe Ahjgjj32.exe File created C:\Windows\SysWOW64\Bhamkipi.exe Bohibc32.exe File created C:\Windows\SysWOW64\Micoommd.dll Ccmgiaig.exe File created C:\Windows\SysWOW64\Pahilmoc.exe Poimpapp.exe File created C:\Windows\SysWOW64\Dgeaknci.dll Amnlme32.exe File created C:\Windows\SysWOW64\Hlkfbocp.exe Gbbajjlp.exe File opened for modification C:\Windows\SysWOW64\Fajgkfio.exe Fkpool32.exe File created C:\Windows\SysWOW64\Lhmmjbkf.exe Lacdmh32.exe File created C:\Windows\SysWOW64\Aqdjon32.dll Bombmcec.exe File opened for modification C:\Windows\SysWOW64\Hlppno32.exe Heegad32.exe File created C:\Windows\SysWOW64\Jadelk32.dll Lldopb32.exe File created C:\Windows\SysWOW64\Ocjggbdl.dll Gdlfhj32.exe File created C:\Windows\SysWOW64\Hpabni32.exe Hpofii32.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe Cponen32.exe File created C:\Windows\SysWOW64\Ilnjmilq.dll Mcdeeq32.exe File created C:\Windows\SysWOW64\Achgjc32.dll Kiggbhda.exe File created C:\Windows\SysWOW64\Cpdndomn.dll Majjng32.exe File created C:\Windows\SysWOW64\Lmdemd32.exe Lkchelci.exe File opened for modification C:\Windows\SysWOW64\Kdbjhbbd.exe Kjmfjj32.exe File created C:\Windows\SysWOW64\Bomfgoah.dll Mkadfj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4864 5168 WerFault.exe 425 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpf32.dll" Jdgafjpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjqjajoe.dll" Mhdckaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejechjg.dll" Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfdlg32.dll" Agbkmijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggebqoki.dll" Ffpicn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmell32.dll" Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbqla32.dll" Dhlpqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Panhbfep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfekbdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhonib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhmmjbkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akblfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqjcbao.dll" Lihpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gologg32.dll" Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbiipkjk.dll" Mjmoag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idkkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpomcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhblne32.dll" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ephccnmj.dll" Bhamkipi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggdhe32.dll" Heegad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbbpbop.dll" Dikpbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oldamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oklkdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlkfbocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oflmnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lihpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaqbelh.dll" Ccpdoqgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iklgah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mefiblfk.dll" Cmipblaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mahnhhod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflpld32.dll" Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefioe32.dll" Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnofdl32.dll" Dbqqkkbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdagpnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkgnfhnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbbagk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbqmiinl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigmlgok.dll" Iddljmpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahqoq32.dll" Abponp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbeapmll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoffg32.dll" Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpnbog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiknlagg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccmgiaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhikb32.dll" Fmndpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfccogfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 NEAS.ebfef184f70ff826d96c741c3f5a2bb0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achgjc32.dll" Kiggbhda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebqacjl.dll" Mnnkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmfjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modpib32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3916 wrote to memory of 3620 3916 NEAS.ebfef184f70ff826d96c741c3f5a2bb0.exe 87 PID 3916 wrote to memory of 3620 3916 NEAS.ebfef184f70ff826d96c741c3f5a2bb0.exe 87 PID 3916 wrote to memory of 3620 3916 NEAS.ebfef184f70ff826d96c741c3f5a2bb0.exe 87 PID 3620 wrote to memory of 4424 3620 Pckppl32.exe 88 PID 3620 wrote to memory of 4424 3620 Pckppl32.exe 88 PID 3620 wrote to memory of 4424 3620 Pckppl32.exe 88 PID 4424 wrote to memory of 2256 4424 Poaqemao.exe 89 PID 4424 wrote to memory of 2256 4424 Poaqemao.exe 89 PID 4424 wrote to memory of 2256 4424 Poaqemao.exe 89 PID 2256 wrote to memory of 4116 2256 Pjgebf32.exe 90 PID 2256 wrote to memory of 4116 2256 Pjgebf32.exe 90 PID 2256 wrote to memory of 4116 2256 Pjgebf32.exe 90 PID 4116 wrote to memory of 2016 4116 Plhnda32.exe 91 PID 4116 wrote to memory of 2016 4116 Plhnda32.exe 91 PID 4116 wrote to memory of 2016 4116 Plhnda32.exe 91 PID 2016 wrote to memory of 1836 2016 Qhonib32.exe 92 PID 2016 wrote to memory of 1836 2016 Qhonib32.exe 92 PID 2016 wrote to memory of 1836 2016 Qhonib32.exe 92 PID 1836 wrote to memory of 2420 1836 Qgpogili.exe 93 PID 1836 wrote to memory of 2420 1836 Qgpogili.exe 93 PID 1836 wrote to memory of 2420 1836 Qgpogili.exe 93 PID 2420 wrote to memory of 4960 2420 Qlmgopjq.exe 95 PID 2420 wrote to memory of 4960 2420 Qlmgopjq.exe 95 PID 2420 wrote to memory of 4960 2420 Qlmgopjq.exe 95 PID 4960 wrote to memory of 3748 4960 Agbkmijg.exe 96 PID 4960 wrote to memory of 3748 4960 Agbkmijg.exe 96 PID 4960 wrote to memory of 3748 4960 Agbkmijg.exe 96 PID 3748 wrote to memory of 5012 3748 Aihaoqlp.exe 97 PID 3748 wrote to memory of 5012 3748 Aihaoqlp.exe 97 PID 3748 wrote to memory of 5012 3748 Aihaoqlp.exe 97 PID 5012 wrote to memory of 4996 5012 Acnemi32.exe 98 PID 5012 wrote to memory of 4996 5012 Acnemi32.exe 98 PID 5012 wrote to memory of 4996 5012 Acnemi32.exe 98 PID 4996 wrote to memory of 3640 4996 Amfjeobf.exe 99 PID 4996 wrote to memory of 3640 4996 Amfjeobf.exe 99 PID 4996 wrote to memory of 3640 4996 Amfjeobf.exe 99 PID 3640 wrote to memory of 4968 3640 Ajjjocap.exe 100 PID 3640 wrote to memory of 4968 3640 Ajjjocap.exe 100 PID 3640 wrote to memory of 4968 3640 Ajjjocap.exe 100 PID 4968 wrote to memory of 4416 4968 Bcbohigp.exe 101 PID 4968 wrote to memory of 4416 4968 Bcbohigp.exe 101 PID 4968 wrote to memory of 4416 4968 Bcbohigp.exe 101 PID 4416 wrote to memory of 3736 4416 Boipmj32.exe 102 PID 4416 wrote to memory of 3736 4416 Boipmj32.exe 102 PID 4416 wrote to memory of 3736 4416 Boipmj32.exe 102 PID 3736 wrote to memory of 440 3736 Bqilgmdg.exe 103 PID 3736 wrote to memory of 440 3736 Bqilgmdg.exe 103 PID 3736 wrote to memory of 440 3736 Bqilgmdg.exe 103 PID 440 wrote to memory of 3172 440 Bidqko32.exe 104 PID 440 wrote to memory of 3172 440 Bidqko32.exe 104 PID 440 wrote to memory of 3172 440 Bidqko32.exe 104 PID 3172 wrote to memory of 4140 3172 Bciehh32.exe 105 PID 3172 wrote to memory of 4140 3172 Bciehh32.exe 105 PID 3172 wrote to memory of 4140 3172 Bciehh32.exe 105 PID 4140 wrote to memory of 2140 4140 Bmbiamhi.exe 106 PID 4140 wrote to memory of 2140 4140 Bmbiamhi.exe 106 PID 4140 wrote to memory of 2140 4140 Bmbiamhi.exe 106 PID 2140 wrote to memory of 4336 2140 Bfjnjcni.exe 107 PID 2140 wrote to memory of 4336 2140 Bfjnjcni.exe 107 PID 2140 wrote to memory of 4336 2140 Bfjnjcni.exe 107 PID 4336 wrote to memory of 3372 4336 Cgjjdf32.exe 108 PID 4336 wrote to memory of 3372 4336 Cgjjdf32.exe 108 PID 4336 wrote to memory of 3372 4336 Cgjjdf32.exe 108 PID 3372 wrote to memory of 3064 3372 Cpeohh32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ebfef184f70ff826d96c741c3f5a2bb0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ebfef184f70ff826d96c741c3f5a2bb0.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe24⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe25⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe27⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe28⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4944 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4344 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe31⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe35⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe36⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe38⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe39⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4660 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe41⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe42⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe43⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe44⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe45⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe46⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe48⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe49⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe51⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe52⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4236 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe55⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe56⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe58⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe59⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe61⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe64⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe66⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe67⤵
- Drops file in System32 directory
PID:4948 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe68⤵PID:1488
-
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4016 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe71⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4920 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe73⤵PID:928
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe74⤵PID:456
-
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe75⤵PID:2516
-
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe76⤵PID:824
-
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe77⤵PID:3196
-
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:260 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe79⤵PID:5080
-
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:3840 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe81⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe82⤵PID:4012
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe83⤵
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe84⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3300 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe86⤵PID:4504
-
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe87⤵
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe88⤵PID:2188
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe89⤵
- Drops file in System32 directory
PID:5152 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe90⤵
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe91⤵
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe92⤵
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe93⤵PID:5328
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5372 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe95⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe96⤵PID:5460
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe97⤵PID:5504
-
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe98⤵PID:5548
-
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe99⤵PID:5588
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe100⤵PID:5632
-
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe101⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe102⤵PID:5724
-
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe103⤵
- Modifies registry class
PID:5772 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe104⤵
- Modifies registry class
PID:5816 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5860 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe106⤵PID:5904
-
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5948 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5992 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6084 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe111⤵
- Modifies registry class
PID:6128 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe112⤵PID:5160
-
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe113⤵PID:2604
-
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe114⤵PID:4404
-
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe115⤵PID:5204
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5252 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3452 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe118⤵PID:5380
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe119⤵PID:5448
-
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-