Analysis
- max time kernel: 141s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/10/2023, 18:02
Behavioral task behavioral1
- Sample: NEAS.0c3ed27671ab753d46b3a066d002cf80.exe
- Resource: win7-20231023-en
Behavioral task behavioral2
- Sample: NEAS.0c3ed27671ab753d46b3a066d002cf80.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.0c3ed27671ab753d46b3a066d002cf80.exe
- Size: 664KB
- MD5: 0c3ed27671ab753d46b3a066d002cf80
- SHA1: a755d6e94fdb285ccf21768d9f434ff2fc095b7a
- SHA256: d696feefc2d8bdd4f99e3e7da2c502e911ddf96e7b57d2b4de61a4938f2de8f0
- SHA512: 428378dde1183cff601bf1dd40b7dd246bc89782e160825c1624a757cae564615bbdcf9a6617841e6160421c3183e639d8382538bc8956d23de2b2b4abaa197c
- SSDEEP: 12288:5QHdECpV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjF:5QHbW4XWleKWNUir2MhNl6zX3w9As/xi
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  - pid: 9916, pid_target: 9856, Process: WerFault.exe, procid_target: 573
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the leading number is the nesting depth in the process tree; each entry was started by the entry above it)

1. C:\Users\Admin\AppData\Local\Temp\NEAS.0c3ed27671ab753d46b3a066d002cf80.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0c3ed27671ab753d46b3a066d002cf80.exe"
   - Suspicious use of WriteProcessMemory
   PID: 4964

2. C:\Windows\SysWOW64\Fligqhga.exe
   Command line: C:\Windows\system32\Fligqhga.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 916

3. C:\Windows\SysWOW64\Fmhdkknd.exe
   Command line: C:\Windows\system32\Fmhdkknd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3956

4. C:\Windows\SysWOW64\Fmkqpkla.exe
   Command line: C:\Windows\system32\Fmkqpkla.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3888

5. C:\Windows\SysWOW64\Fpkibf32.exe
   Command line: C:\Windows\system32\Fpkibf32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 4968

6. C:\Windows\SysWOW64\Glbjggof.exe
   Command line: C:\Windows\system32\Glbjggof.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 4908

7. C:\Windows\SysWOW64\Gldglf32.exe
   Command line: C:\Windows\system32\Gldglf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3492

8. C:\Windows\SysWOW64\Goglcahb.exe
   Command line: C:\Windows\system32\Goglcahb.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4532

9. C:\Windows\SysWOW64\Gimqajgh.exe
   Command line: C:\Windows\system32\Gimqajgh.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3260

10. C:\Windows\SysWOW64\Gbeejp32.exe
   Command line: C:\Windows\system32\Gbeejp32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4848

11. C:\Windows\SysWOW64\Hfcnpn32.exe
   Command line: C:\Windows\system32\Hfcnpn32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3784

12. C:\Windows\SysWOW64\Hlglidlo.exe
   Command line: C:\Windows\system32\Hlglidlo.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3132

13. C:\Windows\SysWOW64\Imgicgca.exe
   Command line: C:\Windows\system32\Imgicgca.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 4676

14. C:\Windows\SysWOW64\Iinjhh32.exe
   Command line: C:\Windows\system32\Iinjhh32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 3016

15. C:\Windows\SysWOW64\Imkbnf32.exe
   Command line: C:\Windows\system32\Imkbnf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 588

16. C:\Windows\SysWOW64\Iibccgep.exe
   Command line: C:\Windows\system32\Iibccgep.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4816

17. C:\Windows\SysWOW64\Ilcldb32.exe
   Command line: C:\Windows\system32\Ilcldb32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4004

18. C:\Windows\SysWOW64\Jgkmgk32.exe
   Command line: C:\Windows\system32\Jgkmgk32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2516

19. C:\Windows\SysWOW64\Jlgepanl.exe
   Command line: C:\Windows\system32\Jlgepanl.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 5072

20. C:\Windows\SysWOW64\Jinboekc.exe
   Command line: C:\Windows\system32\Jinboekc.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 372

21. C:\Windows\SysWOW64\Jjpode32.exe
   Command line: C:\Windows\system32\Jjpode32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1876

22. C:\Windows\SysWOW64\Kegpifod.exe
   Command line: C:\Windows\system32\Kegpifod.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4580

23. C:\Windows\SysWOW64\Knqepc32.exe
   Command line: C:\Windows\system32\Knqepc32.exe
   - Executes dropped EXE
   PID: 1540

24. C:\Windows\SysWOW64\Klfaapbl.exe
   Command line: C:\Windows\system32\Klfaapbl.exe
   - Executes dropped EXE
   PID: 3356

25. C:\Windows\SysWOW64\Kfnfjehl.exe
   Command line: C:\Windows\system32\Kfnfjehl.exe
   - Executes dropped EXE
   PID: 5032

26. C:\Windows\SysWOW64\Kpcjgnhb.exe
   Command line: C:\Windows\system32\Kpcjgnhb.exe
   - Executes dropped EXE
   PID: 392

27. C:\Windows\SysWOW64\Kjlopc32.exe
   Command line: C:\Windows\system32\Kjlopc32.exe
   - Executes dropped EXE
   PID: 3264

28. C:\Windows\SysWOW64\Lnjgfb32.exe
   Command line: C:\Windows\system32\Lnjgfb32.exe
   - Executes dropped EXE
   PID: 4912

29. C:\Windows\SysWOW64\Lckiihok.exe
   Command line: C:\Windows\system32\Lckiihok.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 5008

30. C:\Windows\SysWOW64\Ljhnlb32.exe
   Command line: C:\Windows\system32\Ljhnlb32.exe
   - Executes dropped EXE
   PID: 2156

31. C:\Windows\SysWOW64\Mgloefco.exe
   Command line: C:\Windows\system32\Mgloefco.exe
   - Executes dropped EXE
   PID: 3892

32. C:\Windows\SysWOW64\Moipoh32.exe
   Command line: C:\Windows\system32\Moipoh32.exe
   - Executes dropped EXE
   PID: 2244

33. C:\Windows\SysWOW64\Mjaabq32.exe
   Command line: C:\Windows\system32\Mjaabq32.exe
   - Executes dropped EXE
   PID: 4156

34. C:\Windows\SysWOW64\Mfhbga32.exe
   Command line: C:\Windows\system32\Mfhbga32.exe
   - Executes dropped EXE
   PID: 2652

35. C:\Windows\SysWOW64\Nggnadib.exe
   Command line: C:\Windows\system32\Nggnadib.exe
   - Executes dropped EXE
   PID: 4956

36. C:\Windows\SysWOW64\Nqpcjj32.exe
   Command line: C:\Windows\system32\Nqpcjj32.exe
   - Executes dropped EXE
   PID: 3592

37. C:\Windows\SysWOW64\Nflkbanj.exe
   Command line: C:\Windows\system32\Nflkbanj.exe
   - Executes dropped EXE
   PID: 884

38. C:\Windows\SysWOW64\Npepkf32.exe
   Command line: C:\Windows\system32\Npepkf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   PID: 1748

39. C:\Windows\SysWOW64\Nmipdk32.exe
   Command line: C:\Windows\system32\Nmipdk32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 2328

40. C:\Windows\SysWOW64\Nnhmnn32.exe
   Command line: C:\Windows\system32\Nnhmnn32.exe
   - Executes dropped EXE
   PID: 3540

41. C:\Windows\SysWOW64\Ogcnmc32.exe
   Command line: C:\Windows\system32\Ogcnmc32.exe
   - Executes dropped EXE
   PID: 3148

42. C:\Windows\SysWOW64\Oakbehfe.exe
   Command line: C:\Windows\system32\Oakbehfe.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   PID: 728

43. C:\Windows\SysWOW64\Ofhknodl.exe
   Command line: C:\Windows\system32\Ofhknodl.exe
   - Executes dropped EXE
   PID: 4592

44. C:\Windows\SysWOW64\Ofkgcobj.exe
   Command line: C:\Windows\system32\Ofkgcobj.exe
   - Executes dropped EXE
   PID: 4204

45. C:\Windows\SysWOW64\Omdppiif.exe
   Command line: C:\Windows\system32\Omdppiif.exe
   - Executes dropped EXE
   - Modifies registry class
   PID: 1436

46. C:\Windows\SysWOW64\Ofmdio32.exe
   Command line: C:\Windows\system32\Ofmdio32.exe
   - Executes dropped EXE
   PID: 812

47. C:\Windows\SysWOW64\Opeiadfg.exe
   Command line: C:\Windows\system32\Opeiadfg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   PID: 2648

48. C:\Windows\SysWOW64\Pnfiplog.exe
   Command line: C:\Windows\system32\Pnfiplog.exe
   - Executes dropped EXE
   - Modifies registry class
   PID: 1736

49. C:\Windows\SysWOW64\Pagbaglh.exe
   Command line: C:\Windows\system32\Pagbaglh.exe
   - Executes dropped EXE
   PID: 4152

50. C:\Windows\SysWOW64\Pfdjinjo.exe
   Command line: C:\Windows\system32\Pfdjinjo.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   PID: 3920

51. C:\Windows\SysWOW64\Paiogf32.exe
   Command line: C:\Windows\system32\Paiogf32.exe
   - Executes dropped EXE
   PID: 2848

52. C:\Windows\SysWOW64\Pffgom32.exe
   Command line: C:\Windows\system32\Pffgom32.exe
   - Executes dropped EXE
   PID: 2348

53. C:\Windows\SysWOW64\Ppolhcnm.exe
   Command line: C:\Windows\system32\Ppolhcnm.exe
   - Executes dropped EXE
   PID: 2812

54. C:\Windows\SysWOW64\Pdmdnadc.exe
   Command line: C:\Windows\system32\Pdmdnadc.exe
   - Executes dropped EXE
   PID: 832

55. C:\Windows\SysWOW64\Qmeigg32.exe
   Command line: C:\Windows\system32\Qmeigg32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   PID: 8

56. C:\Windows\SysWOW64\Qfmmplad.exe
   Command line: C:\Windows\system32\Qfmmplad.exe
   - Executes dropped EXE
   PID: 1816

57. C:\Windows\SysWOW64\Qacameaj.exe
   Command line: C:\Windows\system32\Qacameaj.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 3832

58. C:\Windows\SysWOW64\Aogbfi32.exe
   Command line: C:\Windows\system32\Aogbfi32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 980

59. C:\Windows\SysWOW64\Afbgkl32.exe
   Command line: C:\Windows\system32\Afbgkl32.exe
   - Executes dropped EXE
   PID: 4408

60. C:\Windows\SysWOW64\Ahaceo32.exe
   Command line: C:\Windows\system32\Ahaceo32.exe
   - Executes dropped EXE
   PID: 3252

61. C:\Windows\SysWOW64\Amcehdod.exe
   Command line: C:\Windows\system32\Amcehdod.exe
   - Executes dropped EXE
   PID: 4688

62. C:\Windows\SysWOW64\Bhkfkmmg.exe
   Command line: C:\Windows\system32\Bhkfkmmg.exe
   - Executes dropped EXE
   PID: 4452

63. C:\Windows\SysWOW64\Bmhocd32.exe
   Command line: C:\Windows\system32\Bmhocd32.exe
   - Executes dropped EXE
   - Modifies registry class
   PID: 2520

64. C:\Windows\SysWOW64\Bhmbqm32.exe
   Command line: C:\Windows\system32\Bhmbqm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   PID: 5088

65. C:\Windows\SysWOW64\Baegibae.exe
   Command line: C:\Windows\system32\Baegibae.exe
   - Executes dropped EXE
   PID: 3468

66. C:\Windows\SysWOW64\Bnlhncgi.exe
   Command line: C:\Windows\system32\Bnlhncgi.exe
   - Drops file in System32 directory
   PID: 2956

67. C:\Windows\SysWOW64\Bgelgi32.exe
   Command line: C:\Windows\system32\Bgelgi32.exe
   PID: 5004

68. C:\Windows\SysWOW64\Cponen32.exe
   Command line: C:\Windows\system32\Cponen32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 4352

69. C:\Windows\SysWOW64\Coqncejg.exe
   Command line: C:\Windows\system32\Coqncejg.exe
   PID: 3288

70. C:\Windows\SysWOW64\Cdmfllhn.exe
   Command line: C:\Windows\system32\Cdmfllhn.exe
   PID: 3624

71. C:\Windows\SysWOW64\Cocjiehd.exe
   Command line: C:\Windows\system32\Cocjiehd.exe
   PID: 4188

72. C:\Windows\SysWOW64\Chkobkod.exe
   Command line: C:\Windows\system32\Chkobkod.exe
   PID: 2588

73. C:\Windows\SysWOW64\Coegoe32.exe
   Command line: C:\Windows\system32\Coegoe32.exe
   PID: 5168

74. C:\Windows\SysWOW64\Cpfcfmlp.exe
   Command line: C:\Windows\system32\Cpfcfmlp.exe
   PID: 5224

75. C:\Windows\SysWOW64\Cklhcfle.exe
   Command line: C:\Windows\system32\Cklhcfle.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 5276

76. C:\Windows\SysWOW64\Dddllkbf.exe
   Command line: C:\Windows\system32\Dddllkbf.exe
   PID: 5316

77. C:\Windows\SysWOW64\Dojqjdbl.exe
   Command line: C:\Windows\system32\Dojqjdbl.exe
   PID: 5360

78. C:\Windows\SysWOW64\Dpkmal32.exe
   Command line: C:\Windows\system32\Dpkmal32.exe
   - Modifies registry class
   PID: 5404

79. C:\Windows\SysWOW64\Dolmodpi.exe
   Command line: C:\Windows\system32\Dolmodpi.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 5444

80. C:\Windows\SysWOW64\Ddifgk32.exe
   Command line: C:\Windows\system32\Ddifgk32.exe
   PID: 5484

81. C:\Windows\SysWOW64\Dnajppda.exe
   Command line: C:\Windows\system32\Dnajppda.exe
   PID: 5528

82. C:\Windows\SysWOW64\Dkekjdck.exe
   Command line: C:\Windows\system32\Dkekjdck.exe
   - Drops file in System32 directory
   - Modifies registry class
   PID: 5580

83. C:\Windows\SysWOW64\Dbocfo32.exe
   Command line: C:\Windows\system32\Dbocfo32.exe
   PID: 5624

84. C:\Windows\SysWOW64\Dhikci32.exe
   Command line: C:\Windows\system32\Dhikci32.exe
   PID: 5668

85. C:\Windows\SysWOW64\Enfckp32.exe
   Command line: C:\Windows\system32\Enfckp32.exe
   - Drops file in System32 directory
   PID: 5712

86. C:\Windows\SysWOW64\Egohdegl.exe
   Command line: C:\Windows\system32\Egohdegl.exe
   PID: 5756

87. C:\Windows\SysWOW64\Ebdlangb.exe
   Command line: C:\Windows\system32\Ebdlangb.exe
   - Modifies registry class
   PID: 5800

88. C:\Windows\SysWOW64\Egaejeej.exe
   Command line: C:\Windows\system32\Egaejeej.exe
   PID: 5844

89. C:\Windows\SysWOW64\Ebfign32.exe
   Command line: C:\Windows\system32\Ebfign32.exe
   - Modifies registry class
   PID: 5896

90. C:\Windows\SysWOW64\Fqppci32.exe
   Command line: C:\Windows\system32\Fqppci32.exe
   - Modifies registry class
   PID: 5940

91. C:\Windows\SysWOW64\Fgjhpcmo.exe
   Command line: C:\Windows\system32\Fgjhpcmo.exe
   PID: 5984

92. C:\Windows\SysWOW64\Fbplml32.exe
   Command line: C:\Windows\system32\Fbplml32.exe
   PID: 6036

93. C:\Windows\SysWOW64\Fkhpfbce.exe
   Command line: C:\Windows\system32\Fkhpfbce.exe
   PID: 6096

94. C:\Windows\SysWOW64\Filapfbo.exe
   Command line: C:\Windows\system32\Filapfbo.exe
   PID: 5136

95. C:\Windows\SysWOW64\Fniihmpf.exe
   Command line: C:\Windows\system32\Fniihmpf.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 5236

96. C:\Windows\SysWOW64\Finnef32.exe
   Command line: C:\Windows\system32\Finnef32.exe
   - Drops file in System32 directory
   - Modifies registry class
   PID: 5324

97. C:\Windows\SysWOW64\Fnkfmm32.exe
   Command line: C:\Windows\system32\Fnkfmm32.exe
   - Drops file in System32 directory
   PID: 5384

98. C:\Windows\SysWOW64\Feenjgfq.exe
   Command line: C:\Windows\system32\Feenjgfq.exe
   PID: 5476

99. C:\Windows\SysWOW64\Fkofga32.exe
   Command line: C:\Windows\system32\Fkofga32.exe
   PID: 5560

100. C:\Windows\SysWOW64\Gbiockdj.exe
   Command line: C:\Windows\system32\Gbiockdj.exe
   PID: 5636

101. C:\Windows\SysWOW64\Gkaclqkk.exe
   Command line: C:\Windows\system32\Gkaclqkk.exe
   PID: 5700

102. C:\Windows\SysWOW64\Gejhef32.exe
   Command line: C:\Windows\system32\Gejhef32.exe
   PID: 5788

103. C:\Windows\SysWOW64\Gnblnlhl.exe
   Command line: C:\Windows\system32\Gnblnlhl.exe
   PID: 5856

104. C:\Windows\SysWOW64\Ggkqgaol.exe
   Command line: C:\Windows\system32\Ggkqgaol.exe
   - Modifies registry class
   PID: 5952

105. C:\Windows\SysWOW64\Gndick32.exe
   Command line: C:\Windows\system32\Gndick32.exe
   PID: 2564

106. C:\Windows\SysWOW64\Geoapenf.exe
   Command line: C:\Windows\system32\Geoapenf.exe
   PID: 6076

107. C:\Windows\SysWOW64\Geanfelc.exe
   Command line: C:\Windows\system32\Geanfelc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
   PID: 5212

108. C:\Windows\SysWOW64\Hpfbcn32.exe
   Command line: C:\Windows\system32\Hpfbcn32.exe
   PID: 5296

109. C:\Windows\SysWOW64\Hahokfag.exe
   Command line: C:\Windows\system32\Hahokfag.exe
   PID: 5464

110. C:\Windows\SysWOW64\Hhaggp32.exe
   Command line: C:\Windows\system32\Hhaggp32.exe
   - Drops file in System32 directory
   PID: 5556

111. C:\Windows\SysWOW64\Hbgkei32.exe
   Command line: C:\Windows\system32\Hbgkei32.exe
   PID: 5692

112. C:\Windows\SysWOW64\Hhdcmp32.exe
   Command line: C:\Windows\system32\Hhdcmp32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   PID: 5776

113. C:\Windows\SysWOW64\Halhfe32.exe
   Command line: C:\Windows\system32\Halhfe32.exe
   - Drops file in System32 directory
   PID: 5932

114. C:\Windows\SysWOW64\Hhfpbpdo.exe
   Command line: C:\Windows\system32\Hhfpbpdo.exe
   - Drops file in System32 directory
   PID: 6020

115. C:\Windows\SysWOW64\Haodle32.exe
   Command line: C:\Windows\system32\Haodle32.exe
   PID: 6128

116. C:\Windows\SysWOW64\Hldiinke.exe
   Command line: C:\Windows\system32\Hldiinke.exe
   PID: 5352

117. C:\Windows\SysWOW64\Haaaaeim.exe
   Command line: C:\Windows\system32\Haaaaeim.exe
   PID: 5632

118. C:\Windows\SysWOW64\Ilfennic.exe
   Command line: C:\Windows\system32\Ilfennic.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 5740

119. C:\Windows\SysWOW64\Ibqnkh32.exe
   Command line: C:\Windows\system32\Ibqnkh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 6028

120. C:\Windows\SysWOW64\Iijfhbhl.exe
   Command line: C:\Windows\system32\Iijfhbhl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
   PID: 5216

121. C:\Windows\SysWOW64\Ipdndloi.exe
   Command line: C:\Windows\system32\Ipdndloi.exe
   PID: 5432

122. C:\Windows\SysWOW64\Ibcjqgnm.exe
   Command line: C:\Windows\system32\Ibcjqgnm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 5832