Analysis
max time kernel: 155s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2023 17:53

Behavioral task: behavioral1
Sample: NEAS.fc1d9a3142f192451fed0f526e6a1b68.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.fc1d9a3142f192451fed0f526e6a1b68.exe
Resource: win10v2004-20231023-en

General
Target: NEAS.fc1d9a3142f192451fed0f526e6a1b68.exe
Size: 198KB
MD5: fc1d9a3142f192451fed0f526e6a1b68
SHA1: c8e5c3d825db0eb29d17824edcb6f016c0ef2057
SHA256: 8a5fa68d7f20479f068fb83aeff9610f8f62c875943bc336df29f311bb0a9f85
SHA512: b7e3b91537e8204add73b586341f9b882a3245e4d5c19c5f3a2d14bfb38b3c892453d0cda76a013f774059daed66720f20491c4746c121b9daf2d38db6f0c7c5
SSDEEP: 3072:S3vVgvuQlbKKdDEBli74Sp+7H7wWkqrifbdB7dYk1Bx8DpsV6OzrCIwfE:Sdgvnm1i7BOHhkym/89bKws
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 2 IoCs
pid   pid_target  Process       procid_target
4736  3812        WerFault.exe  749
6216  3812        WerFault.exe  749
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
(Each entry is the image path, its command line and PID; the leading number is the depth in the process tree, each process having spawned the next.)
1. C:\Users\Admin\AppData\Local\Temp\NEAS.fc1d9a3142f192451fed0f526e6a1b68.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.fc1d9a3142f192451fed0f526e6a1b68.exe"; PID 4204)
- Modifies registry class
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Pkonbamc.exe (command line: C:\Windows\system32\Pkonbamc.exe; PID 4884)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Aijeme32.exe (command line: C:\Windows\system32\Aijeme32.exe; PID 224)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Afboah32.exe (command line: C:\Windows\system32\Afboah32.exe; PID 1832)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bgokdomj.exe (command line: C:\Windows\system32\Bgokdomj.exe; PID 1504)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Cpmifkgd.exe (command line: C:\Windows\system32\Cpmifkgd.exe; PID 4412)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Cpbbak32.exe (command line: C:\Windows\system32\Cpbbak32.exe; PID 3504)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Dojlhg32.exe (command line: C:\Windows\system32\Dojlhg32.exe; PID 4056)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Elilmi32.exe (command line: C:\Windows\system32\Elilmi32.exe; PID 4732)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Foakpc32.exe (command line: C:\Windows\system32\Foakpc32.exe; PID 2072)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Gcfjfqah.exe (command line: C:\Windows\system32\Gcfjfqah.exe; PID 3808)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Gpodkdll.exe (command line: C:\Windows\system32\Gpodkdll.exe; PID 2404)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Hjieii32.exe (command line: C:\Windows\system32\Hjieii32.exe; PID 5096)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Igkadlcd.exe (command line: C:\Windows\system32\Igkadlcd.exe; PID 3188)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Jfokff32.exe (command line: C:\Windows\system32\Jfokff32.exe; PID 4560)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kcgekjgp.exe (command line: C:\Windows\system32\Kcgekjgp.exe; PID 4832)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lcnkli32.exe (command line: C:\Windows\system32\Lcnkli32.exe; PID 2008)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Mdlgmgdh.exe (command line: C:\Windows\system32\Mdlgmgdh.exe; PID 4860)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Nmlafk32.exe (command line: C:\Windows\system32\Nmlafk32.exe; PID 4348)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Nplkhf32.exe (command line: C:\Windows\system32\Nplkhf32.exe; PID 3924)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Nhfoocaa.exe (command line: C:\Windows\system32\Nhfoocaa.exe; PID 2508)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Ngklppei.exe (command line: C:\Windows\system32\Ngklppei.exe; PID 2360)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Pdklebje.exe (command line: C:\Windows\system32\Pdklebje.exe; PID 4436)
- Executes dropped EXE
24. C:\Windows\SysWOW64\Pjlnhi32.exe (command line: C:\Windows\system32\Pjlnhi32.exe; PID 4528)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
25. C:\Windows\SysWOW64\Pafcofcg.exe (command line: C:\Windows\system32\Pafcofcg.exe; PID 1136)
- Executes dropped EXE
26. C:\Windows\SysWOW64\Qkcackeb.exe (command line: C:\Windows\system32\Qkcackeb.exe; PID 5036)
- Executes dropped EXE
27. C:\Windows\SysWOW64\Ajjjjghg.exe (command line: C:\Windows\system32\Ajjjjghg.exe; PID 5048)
- Executes dropped EXE
- Drops file in System32 directory
28. C:\Windows\SysWOW64\Adbkmo32.exe (command line: C:\Windows\system32\Adbkmo32.exe; PID 3432)
- Executes dropped EXE
29. C:\Windows\SysWOW64\Bnaffdfc.exe (command line: C:\Windows\system32\Bnaffdfc.exe; PID 3176)
- Executes dropped EXE
30. C:\Windows\SysWOW64\Bilcol32.exe (command line: C:\Windows\system32\Bilcol32.exe; PID 2656)
- Executes dropped EXE
- Modifies registry class
31. C:\Windows\SysWOW64\Cnmebblf.exe (command line: C:\Windows\system32\Cnmebblf.exe; PID 3956)
- Executes dropped EXE
32. C:\Windows\SysWOW64\Cghgpgqd.exe (command line: C:\Windows\system32\Cghgpgqd.exe; PID 3952)
- Executes dropped EXE
33. C:\Windows\SysWOW64\Dalkek32.exe (command line: C:\Windows\system32\Dalkek32.exe; PID 3496)
- Executes dropped EXE
34. C:\Windows\SysWOW64\Enbhdojn.exe (command line: C:\Windows\system32\Enbhdojn.exe; PID 2892)
- Executes dropped EXE
- Modifies registry class
35. C:\Windows\SysWOW64\Ejiiippb.exe (command line: C:\Windows\system32\Ejiiippb.exe; PID 4492)
- Executes dropped EXE
36. C:\Windows\SysWOW64\Ejnbdp32.exe (command line: C:\Windows\system32\Ejnbdp32.exe; PID 1896)
- Executes dropped EXE
37. C:\Windows\SysWOW64\Fefcgh32.exe (command line: C:\Windows\system32\Fefcgh32.exe; PID 4628)
- Executes dropped EXE
38. C:\Windows\SysWOW64\Fbnmkk32.exe (command line: C:\Windows\system32\Fbnmkk32.exe; PID 4532)
- Executes dropped EXE
39. C:\Windows\SysWOW64\Gikbneio.exe (command line: C:\Windows\system32\Gikbneio.exe; PID 4432)
- Executes dropped EXE
40. C:\Windows\SysWOW64\Gajpmg32.exe (command line: C:\Windows\system32\Gajpmg32.exe; PID 4580)
- Executes dropped EXE
- Modifies registry class
41. C:\Windows\SysWOW64\Gkcdfl32.exe (command line: C:\Windows\system32\Gkcdfl32.exe; PID 2092)
- Executes dropped EXE
42. C:\Windows\SysWOW64\Hlgjko32.exe (command line: C:\Windows\system32\Hlgjko32.exe; PID 3940)
- Executes dropped EXE
43. C:\Windows\SysWOW64\Hebkid32.exe (command line: C:\Windows\system32\Hebkid32.exe; PID 2148)
- Executes dropped EXE
44. C:\Windows\SysWOW64\Hlnqln32.exe (command line: C:\Windows\system32\Hlnqln32.exe; PID 1200)
- Executes dropped EXE
45. C:\Windows\SysWOW64\Ikejbjip.exe (command line: C:\Windows\system32\Ikejbjip.exe; PID 3640)
- Executes dropped EXE
46. C:\Windows\SysWOW64\Ifnkeb32.exe (command line: C:\Windows\system32\Ifnkeb32.exe; PID 4864)
- Executes dropped EXE
47. C:\Windows\SysWOW64\Ijkdkq32.exe (command line: C:\Windows\system32\Ijkdkq32.exe; PID 4308)
- Executes dropped EXE
48. C:\Windows\SysWOW64\Jchaoe32.exe (command line: C:\Windows\system32\Jchaoe32.exe; PID 3388)
- Executes dropped EXE
49. C:\Windows\SysWOW64\Jlafhkfe.exe (command line: C:\Windows\system32\Jlafhkfe.exe; PID 768)
- Executes dropped EXE
50. C:\Windows\SysWOW64\Jjefao32.exe (command line: C:\Windows\system32\Jjefao32.exe; PID 3852)
- Executes dropped EXE
51. C:\Windows\SysWOW64\Jkhpogij.exe (command line: C:\Windows\system32\Jkhpogij.exe; PID 5032)
- Executes dropped EXE
52. C:\Windows\SysWOW64\Kjipmoai.exe (command line: C:\Windows\system32\Kjipmoai.exe; PID 4936)
- Executes dropped EXE
53. C:\Windows\SysWOW64\Kjlmbnof.exe (command line: C:\Windows\system32\Kjlmbnof.exe; PID 4484)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
54. C:\Windows\SysWOW64\Kokbpe32.exe (command line: C:\Windows\system32\Kokbpe32.exe; PID 4180)
- Executes dropped EXE
55. C:\Windows\SysWOW64\Kjcccm32.exe (command line: C:\Windows\system32\Kjcccm32.exe; PID 2096)
- Executes dropped EXE
56. C:\Windows\SysWOW64\Lfjchn32.exe (command line: C:\Windows\system32\Lfjchn32.exe; PID 3156)
- Executes dropped EXE
57. C:\Windows\SysWOW64\Lbcabo32.exe (command line: C:\Windows\system32\Lbcabo32.exe; PID 4420)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
58. C:\Windows\SysWOW64\Llpofd32.exe (command line: C:\Windows\system32\Llpofd32.exe; PID 1324)
- Executes dropped EXE
59. C:\Windows\SysWOW64\Mlbllc32.exe (command line: C:\Windows\system32\Mlbllc32.exe; PID 4304)
- Executes dropped EXE
60. C:\Windows\SysWOW64\Mldhacpj.exe (command line: C:\Windows\system32\Mldhacpj.exe; PID 2240)
- Executes dropped EXE
- Modifies registry class
61. C:\Windows\SysWOW64\Mjheejff.exe (command line: C:\Windows\system32\Mjheejff.exe; PID 1184)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
62. C:\Windows\SysWOW64\Mjjbjjdd.exe (command line: C:\Windows\system32\Mjjbjjdd.exe; PID 4952)
- Executes dropped EXE
63. C:\Windows\SysWOW64\Nfabok32.exe (command line: C:\Windows\system32\Nfabok32.exe; PID 4836)
- Executes dropped EXE
64. C:\Windows\SysWOW64\Nbhcdl32.exe (command line: C:\Windows\system32\Nbhcdl32.exe; PID 2920)
- Executes dropped EXE
65. C:\Windows\SysWOW64\Njahki32.exe (command line: C:\Windows\system32\Njahki32.exe; PID 4324)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
66. C:\Windows\SysWOW64\Ndjldo32.exe (command line: C:\Windows\system32\Ndjldo32.exe; PID 3528)
67. C:\Windows\SysWOW64\Oiphbd32.exe (command line: C:\Windows\system32\Oiphbd32.exe; PID 4396)
68. C:\Windows\SysWOW64\Plejoode.exe (command line: C:\Windows\system32\Plejoode.exe; PID 4988)
69. C:\Windows\SysWOW64\Pdoofl32.exe (command line: C:\Windows\system32\Pdoofl32.exe; PID 452)
- Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Pcdlghgl.exe (command line: C:\Windows\system32\Pcdlghgl.exe; PID 724)
71. C:\Windows\SysWOW64\Pllppnnm.exe (command line: C:\Windows\system32\Pllppnnm.exe; PID 4520)
72. C:\Windows\SysWOW64\Qlomemlj.exe (command line: C:\Windows\system32\Qlomemlj.exe; PID 4240)
- Modifies registry class
73. C:\Windows\SysWOW64\Qkpmcddi.exe (command line: C:\Windows\system32\Qkpmcddi.exe; PID 4340)
74. C:\Windows\SysWOW64\Ajnmjp32.exe (command line: C:\Windows\system32\Ajnmjp32.exe; PID 4620)
75. C:\Windows\SysWOW64\Bqokhi32.exe (command line: C:\Windows\system32\Bqokhi32.exe; PID 3536)
- Drops file in System32 directory
76. C:\Windows\SysWOW64\Cgpjebcp.exe (command line: C:\Windows\system32\Cgpjebcp.exe; PID 4184)
- Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Cgbfka32.exe (command line: C:\Windows\system32\Cgbfka32.exe; PID 1640)
78. C:\Windows\SysWOW64\Cmpoch32.exe (command line: C:\Windows\system32\Cmpoch32.exe; PID 3160)
- Drops file in System32 directory
79. C:\Windows\SysWOW64\Ckqoapgd.exe (command line: C:\Windows\system32\Ckqoapgd.exe; PID 2408)
80. C:\Windows\SysWOW64\Cqmgigfk.exe (command line: C:\Windows\system32\Cqmgigfk.exe; PID 4424)
81. C:\Windows\SysWOW64\Cqpdof32.exe (command line: C:\Windows\system32\Cqpdof32.exe; PID 4576)
82. C:\Windows\SysWOW64\Ddpjjd32.exe (command line: C:\Windows\system32\Ddpjjd32.exe; PID 3860)
83. C:\Windows\SysWOW64\Dqigee32.exe (command line: C:\Windows\system32\Dqigee32.exe; PID 5092)
- Drops file in System32 directory
84. C:\Windows\SysWOW64\Ekahhn32.exe (command line: C:\Windows\system32\Ekahhn32.exe; PID 3408)
85. C:\Windows\SysWOW64\Eapmedef.exe (command line: C:\Windows\system32\Eapmedef.exe; PID 3088)
86. C:\Windows\SysWOW64\Endnohdp.exe (command line: C:\Windows\system32\Endnohdp.exe; PID 2352)
- Drops file in System32 directory
87. C:\Windows\SysWOW64\Ecafgo32.exe (command line: C:\Windows\system32\Ecafgo32.exe; PID 5020)
88. C:\Windows\SysWOW64\Enfjdh32.exe (command line: C:\Windows\system32\Enfjdh32.exe; PID 3920)
89. C:\Windows\SysWOW64\Ecccmo32.exe (command line: C:\Windows\system32\Ecccmo32.exe; PID 228)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
90. C:\Windows\SysWOW64\Fhalcm32.exe (command line: C:\Windows\system32\Fhalcm32.exe; PID 4284)
91. C:\Windows\SysWOW64\Fdmfcn32.exe (command line: C:\Windows\system32\Fdmfcn32.exe; PID 1364)
92. C:\Windows\SysWOW64\Gjkgkg32.exe (command line: C:\Windows\system32\Gjkgkg32.exe; PID 4144)
93. C:\Windows\SysWOW64\Hmjmnpmb.exe (command line: C:\Windows\system32\Hmjmnpmb.exe; PID 2384)
94. C:\Windows\SysWOW64\Imofip32.exe (command line: C:\Windows\system32\Imofip32.exe; PID 5152)
95. C:\Windows\SysWOW64\Iaokdn32.exe (command line: C:\Windows\system32\Iaokdn32.exe; PID 5196)
96. C:\Windows\SysWOW64\Ioclnblj.exe (command line: C:\Windows\system32\Ioclnblj.exe; PID 5240)
97. C:\Windows\SysWOW64\Idpdfija.exe (command line: C:\Windows\system32\Idpdfija.exe; PID 5276)
98. C:\Windows\SysWOW64\Inhion32.exe (command line: C:\Windows\system32\Inhion32.exe; PID 5328)
99. C:\Windows\SysWOW64\Jhbfgflc.exe (command line: C:\Windows\system32\Jhbfgflc.exe; PID 5372)
100. C:\Windows\SysWOW64\Jakkplbc.exe (command line: C:\Windows\system32\Jakkplbc.exe; PID 5416)
- Modifies registry class
101. C:\Windows\SysWOW64\Jnalem32.exe (command line: C:\Windows\system32\Jnalem32.exe; PID 5464)
- Modifies registry class
102. C:\Windows\SysWOW64\Kadnfkji.exe (command line: C:\Windows\system32\Kadnfkji.exe; PID 5508)
103. C:\Windows\SysWOW64\Kohnpoib.exe (command line: C:\Windows\system32\Kohnpoib.exe; PID 5552)
104. C:\Windows\SysWOW64\Kkooep32.exe (command line: C:\Windows\system32\Kkooep32.exe; PID 5596)
105. C:\Windows\SysWOW64\Kfdcbiol.exe (command line: C:\Windows\system32\Kfdcbiol.exe; PID 5640)
- Drops file in System32 directory
- Modifies registry class
106. C:\Windows\SysWOW64\Komhkn32.exe (command line: C:\Windows\system32\Komhkn32.exe; PID 5684)
107. C:\Windows\SysWOW64\Kffphhmj.exe (command line: C:\Windows\system32\Kffphhmj.exe; PID 5720)
108. C:\Windows\SysWOW64\Loodqn32.exe (command line: C:\Windows\system32\Loodqn32.exe; PID 5768)
109. C:\Windows\SysWOW64\Ldlmieaa.exe (command line: C:\Windows\system32\Ldlmieaa.exe; PID 5812)
110. C:\Windows\SysWOW64\Lbpmbipk.exe (command line: C:\Windows\system32\Lbpmbipk.exe; PID 5860)
111. C:\Windows\SysWOW64\Lkhbko32.exe (command line: C:\Windows\system32\Lkhbko32.exe; PID 5904)
112. C:\Windows\SysWOW64\Lbdgmh32.exe (command line: C:\Windows\system32\Lbdgmh32.exe; PID 5948)
113. C:\Windows\SysWOW64\Lkmkfncf.exe (command line: C:\Windows\system32\Lkmkfncf.exe; PID 5992)
114. C:\Windows\SysWOW64\Miqlpbap.exe (command line: C:\Windows\system32\Miqlpbap.exe; PID 6040)
- Modifies registry class
115. C:\Windows\SysWOW64\Mkdagm32.exe (command line: C:\Windows\system32\Mkdagm32.exe; PID 6080)
116. C:\Windows\SysWOW64\Mbnjcg32.exe (command line: C:\Windows\system32\Mbnjcg32.exe; PID 6124)
- Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Mbpfig32.exe (command line: C:\Windows\system32\Mbpfig32.exe; PID 5132)
118. C:\Windows\SysWOW64\Mmfjfp32.exe (command line: C:\Windows\system32\Mmfjfp32.exe; PID 5212)
- Modifies registry class
119. C:\Windows\SysWOW64\Neaokboj.exe (command line: C:\Windows\system32\Neaokboj.exe; PID 5296)
120. C:\Windows\SysWOW64\Nbgljf32.exe (command line: C:\Windows\system32\Nbgljf32.exe; PID 5360)
121. C:\Windows\SysWOW64\Nlpabkba.exe (command line: C:\Windows\system32\Nlpabkba.exe; PID 5472)
122. C:\Windows\SysWOW64\Nfgbec32.exe (command line: C:\Windows\system32\Nfgbec32.exe; PID 5548)