Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2023 20:18
Behavioral task: behavioral1
Sample: NEAS.f60085d8df53a9e043f6476f9d78a5c0.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.f60085d8df53a9e043f6476f9d78a5c0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.f60085d8df53a9e043f6476f9d78a5c0.exe
Size: 106KB
MD5: f60085d8df53a9e043f6476f9d78a5c0
SHA1: 1cc6705bd3deaea726a00fdee54ba64b87336390
SHA256: 0d440ee9f2a71d519c1e8761713bdb45598cfaa1d5abedb06a7a0118b1c3bdbd
SHA512: 815d0c23b70f11cc7ddc0e5955aa1a353cca469229c1c43cc39ca10f137770deaa09a8feb280a7f8673b2ba6afa9df5699849c1ede40803e9089d2c6f7a02c30
SSDEEP: 3072:NAcCWV84GIQl3aS1NOFnrXW1WdTCn93OGey/ZhC:NA3WV84SRaS1N4rXNTCndOGeKY
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppgeff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jpdhdl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ojdnbj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jclljaei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Adpogp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqdlmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cqinng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dhmgdo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhbbmjne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Neppiagi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fppjpmim.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djgbmffn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dobffj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oiihkncb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnklnfpq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfieagka.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkncno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hkbmjhdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hiackied.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hnphio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cbnpja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nigjifgc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjjlep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aamkgpbi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bddcocff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jnapgjdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ioffhn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odaiodbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkkggl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fqfeag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olgnlb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jifabb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghanoeel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldmlih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ldmlih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Meefhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Emmkci32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcnhfb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cglgck32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nljgfn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hifcqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ppclej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gbjhelnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjoeoedo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adapqk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knoonphp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnpice32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lbnnphhk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mecjbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dqmjqb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Foghhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifglmlol.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aihaifam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcpcnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddfikaeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oinkmdml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kgkfil32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdpicj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Leipbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gghdkg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckoifgmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dnienqbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Onekeb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcmolimg.exe
Malware Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan whose primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers. In this run the chain is visible directly in the sections that follow: each dropped executable writes the next one into C:\Windows\SysWOW64 and runs it, and the chain members repeatedly re-register the same CLSID so that Explorer loads the companion DLL through ShellServiceObjectDelayLoad at startup.
resource | yara_rule
behavioral2/memory/3656-0-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x000a000000022cc5-6.dat | family_berbew
behavioral2/files/0x000a000000022cc5-8.dat | family_berbew
behavioral2/memory/1588-7-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cf1-14.dat | family_berbew
behavioral2/files/0x0007000000022cf1-16.dat | family_berbew
behavioral2/memory/2016-15-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cf3-22.dat | family_berbew
behavioral2/memory/2460-23-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cf3-24.dat | family_berbew
behavioral2/files/0x0008000000022cf5-29.dat | family_berbew
behavioral2/memory/1344-31-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cf5-32.dat | family_berbew
behavioral2/files/0x0006000000022cf7-33.dat | family_berbew
behavioral2/files/0x0006000000022cf7-38.dat | family_berbew
behavioral2/memory/4912-40-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf7-39.dat | family_berbew
behavioral2/files/0x0006000000022cf9-46.dat | family_berbew
behavioral2/files/0x0006000000022cf9-48.dat | family_berbew
behavioral2/memory/3372-47-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfb-54.dat | family_berbew
behavioral2/memory/4916-55-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfb-56.dat | family_berbew
behavioral2/files/0x0006000000022cfd-62.dat | family_berbew
behavioral2/files/0x0006000000022cfd-64.dat | family_berbew
behavioral2/memory/2536-63-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cff-70.dat | family_berbew
behavioral2/memory/4052-71-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cff-72.dat | family_berbew
behavioral2/files/0x0006000000022d01-73.dat | family_berbew
behavioral2/memory/1464-79-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d01-78.dat | family_berbew
behavioral2/files/0x0006000000022d01-80.dat | family_berbew
behavioral2/files/0x0006000000022d03-82.dat | family_berbew
behavioral2/files/0x0006000000022d03-86.dat | family_berbew
behavioral2/files/0x0006000000022d03-88.dat | family_berbew
behavioral2/memory/1460-87-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d07-94.dat | family_berbew
behavioral2/memory/3788-96-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d0a-97.dat | family_berbew
behavioral2/files/0x0006000000022d07-95.dat | family_berbew
behavioral2/memory/1508-104-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d0a-103.dat | family_berbew
behavioral2/files/0x0006000000022d0a-102.dat | family_berbew
behavioral2/files/0x0006000000022d0c-106.dat | family_berbew
behavioral2/files/0x0006000000022d0c-110.dat | family_berbew
behavioral2/memory/1432-111-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d0c-112.dat | family_berbew
behavioral2/memory/2696-119-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022d0f-118.dat | family_berbew
behavioral2/files/0x0007000000022d0f-120.dat | family_berbew
behavioral2/files/0x0006000000022d11-121.dat | family_berbew
behavioral2/files/0x0006000000022d11-126.dat | family_berbew
behavioral2/files/0x0006000000022d11-128.dat | family_berbew
behavioral2/memory/4792-127-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d13-134.dat | family_berbew
behavioral2/memory/3244-135-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d13-136.dat | family_berbew
behavioral2/files/0x0006000000022d15-142.dat | family_berbew
behavioral2/memory/916-143-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d15-144.dat | family_berbew
behavioral2/files/0x0006000000022d17-150.dat | family_berbew
behavioral2/memory/2164-151-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d17-152.dat | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
1588 | Cleqfb32.exe
2016 | Fljlom32.exe
2460 | Gcimfg32.exe
1344 | Hgnlmdcp.exe
4912 | Hmbkfjko.exe
3372 | Jclljaei.exe
4916 | Jnapgjdo.exe
2536 | Jglaepim.exe
4052 | Logbigbg.exe
1464 | Mhmcck32.exe
1460 | Naokbokn.exe
3788 | Ogcike32.exe
1508 | Okeklcen.exe
1432 | Pnhacn32.exe
2696 | Aijeme32.exe
4792 | Anijjkbj.exe
3244 | Bfieagka.exe
916 | Bfpkbfdi.exe
2164 | Cnlpgibd.exe
4948 | Cfgace32.exe
4836 | Dbjade32.exe
4756 | Eeodqocd.exe
4180 | Ehpmbj32.exe
4576 | Fhiphi32.exe
2092 | Gccmaack.exe
2076 | Gheodg32.exe
3172 | Ggfobofl.exe
2744 | Ghjhofjg.exe
3536 | Hcdfho32.exe
4600 | Ifleji32.exe
2960 | Ioffhn32.exe
3572 | Jokpcmmj.exe
2940 | Jifabb32.exe
2652 | Kcehejic.exe
1244 | Kiaqnagj.exe
2796 | Kggjghkd.exe
4024 | Liifnp32.exe
4644 | Libido32.exe
3760 | Lhcjbfag.exe
3428 | Midfjnge.exe
4828 | Mmbopm32.exe
3204 | Mmiealgc.exe
5016 | Odaiodbp.exe
2456 | Opopdd32.exe
4364 | Qhbhapha.exe
244 | Adpogp32.exe
4944 | Bhennm32.exe
3332 | Bglgdi32.exe
2304 | Bqdlmo32.exe
4308 | Ckoifgmb.exe
4060 | Dgmpkg32.exe
1920 | Dnienqbi.exe
3320 | Enpknplq.exe
3380 | Gimoce32.exe
2832 | Golcak32.exe
3832 | Hohcmjic.exe
4460 | Ilgcblnp.exe
1948 | Jfikaqme.exe
2520 | Kcikfcab.exe
3588 | Ljoboloa.exe
3524 | Nlbdba32.exe
1700 | Niiaae32.exe
3708 | Obafjk32.exe
1556 | Oinkmdml.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Neiiibnn.dll | NEAS.f60085d8df53a9e043f6476f9d78a5c0.exe
File opened for modification | C:\Windows\SysWOW64\Dmhkoaco.exe | Dodjemee.exe
File opened for modification | C:\Windows\SysWOW64\Qimfoe32.exe | Mnjqhcno.exe
File opened for modification | C:\Windows\SysWOW64\Mallojmd.exe | Mcklac32.exe
File opened for modification | C:\Windows\SysWOW64\Lmaafcml.exe | Lcbfmomc.exe
File created | C:\Windows\SysWOW64\Ifkfgiph.dll | Lmkfah32.exe
File opened for modification | C:\Windows\SysWOW64\Bddcocff.exe | Akmbepke.exe
File opened for modification | C:\Windows\SysWOW64\Pnhacn32.exe | Okeklcen.exe
File created | C:\Windows\SysWOW64\Cimckcoe.exe | Cglgck32.exe
File created | C:\Windows\SysWOW64\Pjofcb32.exe | Pmkfjn32.exe
File created | C:\Windows\SysWOW64\Amegnd32.dll | Doojni32.exe
File created | C:\Windows\SysWOW64\Hkdgdjib.dll | Jnapgjdo.exe
File created | C:\Windows\SysWOW64\Fghhpq32.dll | Gmmome32.exe
File created | C:\Windows\SysWOW64\Oenldl32.dll | Aqkgikip.exe
File opened for modification | C:\Windows\SysWOW64\Inbpbnlg.exe | Ifglmlol.exe
File created | C:\Windows\SysWOW64\Pjehflie.exe | Phqbaj32.exe
File opened for modification | C:\Windows\SysWOW64\Ofaeffpa.exe | Npgmjl32.exe
File created | C:\Windows\SysWOW64\Dklomnmf.exe | Ckclfp32.exe
File created | C:\Windows\SysWOW64\Bpcbjg32.dll | Olqofjhn.exe
File opened for modification | C:\Windows\SysWOW64\Nlbnhkqo.exe | Nkkggl32.exe
File opened for modification | C:\Windows\SysWOW64\Leihlj32.exe | Lplpcc32.exe
File opened for modification | C:\Windows\SysWOW64\Pjehflie.exe | Phqbaj32.exe
File opened for modification | C:\Windows\SysWOW64\Ghdoae32.exe | Fajgekol.exe
File created | C:\Windows\SysWOW64\Pihggn32.dll | Pjofcb32.exe
File created | C:\Windows\SysWOW64\Ckoifgmb.exe | Bqdlmo32.exe
File created | C:\Windows\SysWOW64\Pjngbdgb.dll | Bgafin32.exe
File created | C:\Windows\SysWOW64\Annbli32.dll | Llbphdfl.exe
File opened for modification | C:\Windows\SysWOW64\Oobfhh32.exe | Odmbkolo.exe
File created | C:\Windows\SysWOW64\Oaifin32.exe | Onkimc32.exe
File created | C:\Windows\SysWOW64\Jdjfmjhm.exe | Jmpnppap.exe
File created | C:\Windows\SysWOW64\Ccpdhfmb.exe | Cmflkl32.exe
File created | C:\Windows\SysWOW64\Mnfnfl32.exe | Mcqjhc32.exe
File created | C:\Windows\SysWOW64\Knoonphp.exe | Jqhaolli.exe
File created | C:\Windows\SysWOW64\Iifmfh32.exe | Hnphio32.exe
File created | C:\Windows\SysWOW64\Icncngca.dll | Hgnlmdcp.exe
File created | C:\Windows\SysWOW64\Ngpekcgb.dll | Nkncno32.exe
File created | C:\Windows\SysWOW64\Knboee32.dll | Goabhl32.exe
File created | C:\Windows\SysWOW64\Pacfdila.exe | Olgnlb32.exe
File created | C:\Windows\SysWOW64\Kjhlipla.exe | Kcndlf32.exe
File created | C:\Windows\SysWOW64\Mefmbbod.exe | Mpiejkql.exe
File opened for modification | C:\Windows\SysWOW64\Mceccbpj.exe | Mgoboake.exe
File created | C:\Windows\SysWOW64\Lmaafcml.exe | Lcbfmomc.exe
File opened for modification | C:\Windows\SysWOW64\Qfkqcb32.exe | Qmblkmcd.exe
File opened for modification | C:\Windows\SysWOW64\Hgnlmdcp.exe | Gcimfg32.exe
File opened for modification | C:\Windows\SysWOW64\Ogcike32.exe | Naokbokn.exe
File opened for modification | C:\Windows\SysWOW64\Gccmaack.exe | Fhiphi32.exe
File opened for modification | C:\Windows\SysWOW64\Idfaolpb.exe | Inlibb32.exe
File created | C:\Windows\SysWOW64\Ibgkdmmh.dll | Mceccbpj.exe
File opened for modification | C:\Windows\SysWOW64\Ghgjlaln.exe | Fckacknf.exe
File opened for modification | C:\Windows\SysWOW64\Hdlphjaf.exe | Hkckoe32.exe
File created | C:\Windows\SysWOW64\Ofcbkf32.dll | Nockfgao.exe
File created | C:\Windows\SysWOW64\Jiciqh32.dll | Mnochl32.exe
File opened for modification | C:\Windows\SysWOW64\Nljgfn32.exe | Naecieef.exe
File opened for modification | C:\Windows\SysWOW64\Jefpahoi.exe | Ihbphcpo.exe
File created | C:\Windows\SysWOW64\Dncmld32.dll | Dklomnmf.exe
File created | C:\Windows\SysWOW64\Hmghka32.dll | Aichng32.exe
File created | C:\Windows\SysWOW64\Gofnqfah.dll | Ehndhn32.exe
File opened for modification | C:\Windows\SysWOW64\Qibmoa32.exe | Ppafpm32.exe
File created | C:\Windows\SysWOW64\Pcgdcome.exe | Ojopki32.exe
File created | C:\Windows\SysWOW64\Hlkhpned.dll | Cbnpja32.exe
File created | C:\Windows\SysWOW64\Jhaicomh.dll | Hlcjaq32.exe
File created | C:\Windows\SysWOW64\Gmmome32.exe | Gfcgpkhk.exe
File opened for modification | C:\Windows\SysWOW64\Eaklcj32.exe | Eddodfhp.exe
File created | C:\Windows\SysWOW64\Ljoboloa.exe | Kcikfcab.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
6148 | 7084 | WerFault.exe | 705
5672 | 7084 | WerFault.exe | 705
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnoimajg.dll" | Gaqmej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lmpkkjcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pjhpccnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kbpkdd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ibadoc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lnendhol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabmnd32.dll" | Bqdlmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdji32.dll" | Opbcdieb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Efhcld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eaklcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojfbfmbf.dll" | Emhahiep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ogqaqigd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | NEAS.f60085d8df53a9e043f6476f9d78a5c0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fckacknf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnigkcd.dll" | Kcndlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nackep32.dll" | Qfkqcb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fibncmpg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajikhfpg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hnmnpano.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jhlgpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Polpim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cjjlep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnaacjha.dll" | Hmbflc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bddcocff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ekladi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablgll32.dll" | Kcehejic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dpqcoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ljcldo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nanmhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmkfjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dgbhbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icenpi32.dll" | Lhdeinhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leppfinp.dll" | Keoeel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnppim32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jnhphg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efnolmmb.dll" | Fealcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojegojfc.dll" | Inlibb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohfmn32.dll" | Mgoboake.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngkibk32.dll" | Fibncmpg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hiackied.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpjffh.dll" | Ijadljdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Idahcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gocofijd.dll" | Oeehdcij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hefneq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndanne32.dll" | Cqinng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poackh32.dll" | Jkmgladi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnfoa32.dll" | Amibklml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddndonph.dll" | Ilgcblnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lmkfah32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qfkqcb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iijfagmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Klgend32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkqpcnig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklimgbb.dll" | Iddlccfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkcchff.dll" | Piphaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pibdff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnebbgl.dll" | Mflbdibj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cihjpd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pcepdl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpedl32.dll" | Pdalfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ofaeffpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lhcjbfag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqghbd32.dll" | Flkdpnjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ojcghc32.exe
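The two registry signatures above ("Adds autorun key" and "Modifies registry class") only make sense together: the SSODL value names a CLSID, and the CLSID's InProcServer32 default value names the DLL Explorer will load. The parser below joins the two so that the persistence DLL can be read off the report. It is an added example, not part of the sandbox output; the event strings are constructed from rows of this report in its own "description ioc Process" layout, and the final row is a hypothetical benign CLSID registration added only to show that an unreferenced CLSID is not reported.

```python
"""Resolve the report's ShellServiceObjectDelayLoad (SSODL) autorun to the DLL
Explorer will load, by joining the SSODL value with the CLSID's InProcServer32
registration. Added example; the sample rows are constructed from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample rows (layout copied from the report's signature tables).
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgeff32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpdhdl32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} NEAS.f60085d8df53a9e043f6476f9d78a5c0.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnoimajg.dll" Gaqmej32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbpkdd32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabmnd32.dll" Bqdlmo32.exe',
    # Hypothetical row, NOT in the report: a CLSID that is registered but never
    # referenced from SSODL. It must not be reported as an autorun.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32\ = "C:\\Windows\\SysWow64\\benign.dll" regsvr32.exe',
]

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r"^Key created (?P<key>\S+) (?P<proc>\S+)$")
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad$", re.IGNORECASE)
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-F-]{36}\}$", re.IGNORECASE)


@dataclass(frozen=True)
class RegEvent:
    op: str        # "set" or "create"
    key: str       # registry key path without trailing backslash
    name: str      # value name; "" is the key's default value (or n/a for create)
    value: str     # value data, with the report's escaped backslashes collapsed
    process: str   # process that performed the write


def parse_event(line: str) -> Optional[RegEvent]:
    """Parse one 'description ioc Process' row; returns None for anything else."""
    m = SET_RE.match(line)
    if m:
        key, _, name = m.group("path").rpartition("\\")
        return RegEvent("set", key, name, m.group("value").replace("\\\\", "\\"), m.group("proc"))
    m = KEY_RE.match(line)
    if m:
        return RegEvent("create", m.group("key"), "", "", m.group("proc"))
    return None


def resolve_ssodl_persistence(lines):
    """Return {clsid: finding} for every CLSID that SSODL points at.

    A finding lists the SSODL value name(s), the InProcServer32 DLL path(s)
    registered for that CLSID (empty set: SSODL points at an unregistered
    CLSID), the ThreadingModel, and every process that wrote any piece of it.
    CLSIDs that are registered but never referenced from SSODL are ignored.
    """
    ssodl = defaultdict(lambda: {"value_names": set(), "writers": set()})
    inproc = defaultdict(lambda: {"dlls": set(), "threading_model": None, "writers": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.op != "set":
            continue
        if SSODL_RE.search(ev.key) and GUID_RE.match(ev.value):
            entry = ssodl[ev.value.upper()]
            entry["value_names"].add(ev.name)
            entry["writers"].add(ev.process)
            continue
        m = INPROC_RE.search(ev.key)
        if m:
            entry = inproc[m.group(1).upper()]
            if ev.name == "":                       # default value = server DLL path
                entry["dlls"].add(ev.value)
            elif ev.name.lower() == "threadingmodel":
                entry["threading_model"] = ev.value
            entry["writers"].add(ev.process)
    findings = {}
    for clsid, ref in ssodl.items():
        server = inproc.get(clsid, {"dlls": set(), "threading_model": None, "writers": set()})
        findings[clsid] = {
            "value_names": ref["value_names"],
            "dlls": server["dlls"],
            "threading_model": server["threading_model"],
            "writers": ref["writers"] | server["writers"],
        }
    return findings


if __name__ == "__main__":
    for clsid, f in resolve_ssodl_persistence(SAMPLE_EVENTS).items():
        print(f"SSODL {sorted(f['value_names'])} -> {clsid}")
        print(f"  InProcServer32: {sorted(f['dlls']) or 'UNREGISTERED'} ({f['threading_model']})")
        print(f"  written by: {sorted(f['writers'])}")
```

Run against the full tables, the join shows what the flattened rows hide: one SSODL entry ("Web Event Logger") re-pointed at the same CLSID by dozens of chain members, with the InProcServer32 default value rewritten to a fresh C:\Windows\SysWow64\*.dll each time, so the DLL to collect from disk is the last one written, not the first.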
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f60085d8df53a9e043f6476f9d78a5c0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f60085d8df53a9e043f6476f9d78a5c0.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Fljlom32.exeC:\Windows\system32\Fljlom32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Gcimfg32.exeC:\Windows\system32\Gcimfg32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Jglaepim.exeC:\Windows\system32\Jglaepim.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Logbigbg.exeC:\Windows\system32\Logbigbg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Mhmcck32.exeC:\Windows\system32\Mhmcck32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Ogcike32.exeC:\Windows\system32\Ogcike32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\Okeklcen.exeC:\Windows\system32\Okeklcen.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Pnhacn32.exeC:\Windows\system32\Pnhacn32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Aijeme32.exeC:\Windows\system32\Aijeme32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Anijjkbj.exeC:\Windows\system32\Anijjkbj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Bfieagka.exeC:\Windows\system32\Bfieagka.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Bfpkbfdi.exeC:\Windows\system32\Bfpkbfdi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Cnlpgibd.exeC:\Windows\system32\Cnlpgibd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Cfgace32.exeC:\Windows\system32\Cfgace32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Dbjade32.exeC:\Windows\system32\Dbjade32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Eeodqocd.exeC:\Windows\system32\Eeodqocd.exe23⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Ehpmbj32.exeC:\Windows\system32\Ehpmbj32.exe24⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Fhiphi32.exeC:\Windows\system32\Fhiphi32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Gccmaack.exeC:\Windows\system32\Gccmaack.exe26⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Gheodg32.exeC:\Windows\system32\Gheodg32.exe27⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ggfobofl.exeC:\Windows\system32\Ggfobofl.exe28⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Ghjhofjg.exeC:\Windows\system32\Ghjhofjg.exe29⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Hcdfho32.exeC:\Windows\system32\Hcdfho32.exe30⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Ifleji32.exeC:\Windows\system32\Ifleji32.exe31⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Ioffhn32.exeC:\Windows\system32\Ioffhn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Jokpcmmj.exeC:\Windows\system32\Jokpcmmj.exe33⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Jifabb32.exeC:\Windows\system32\Jifabb32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Kcehejic.exeC:\Windows\system32\Kcehejic.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Kiaqnagj.exeC:\Windows\system32\Kiaqnagj.exe36⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Kggjghkd.exeC:\Windows\system32\Kggjghkd.exe37⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Liifnp32.exeC:\Windows\system32\Liifnp32.exe38⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Libido32.exeC:\Windows\system32\Libido32.exe39⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Lhcjbfag.exeC:\Windows\system32\Lhcjbfag.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Midfjnge.exeC:\Windows\system32\Midfjnge.exe41⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Mmbopm32.exeC:\Windows\system32\Mmbopm32.exe42⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Mmiealgc.exeC:\Windows\system32\Mmiealgc.exe43⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Odaiodbp.exeC:\Windows\system32\Odaiodbp.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe45⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Qhbhapha.exeC:\Windows\system32\Qhbhapha.exe46⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Adpogp32.exeC:\Windows\system32\Adpogp32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:244 -
C:\Windows\SysWOW64\Bhennm32.exeC:\Windows\system32\Bhennm32.exe48⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Bglgdi32.exeC:\Windows\system32\Bglgdi32.exe49⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Bqdlmo32.exeC:\Windows\system32\Bqdlmo32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Ckoifgmb.exeC:\Windows\system32\Ckoifgmb.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Dgmpkg32.exeC:\Windows\system32\Dgmpkg32.exe52⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Dnienqbi.exeC:\Windows\system32\Dnienqbi.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Enpknplq.exeC:\Windows\system32\Enpknplq.exe54⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Gimoce32.exeC:\Windows\system32\Gimoce32.exe55⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Golcak32.exeC:\Windows\system32\Golcak32.exe56⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Hohcmjic.exeC:\Windows\system32\Hohcmjic.exe57⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Ilgcblnp.exeC:\Windows\system32\Ilgcblnp.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Jfikaqme.exeC:\Windows\system32\Jfikaqme.exe59⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Kcikfcab.exeC:\Windows\system32\Kcikfcab.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Ljoboloa.exeC:\Windows\system32\Ljoboloa.exe61⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Nlbdba32.exeC:\Windows\system32\Nlbdba32.exe62⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Niiaae32.exeC:\Windows\system32\Niiaae32.exe63⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Obafjk32.exeC:\Windows\system32\Obafjk32.exe64⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Oinkmdml.exeC:\Windows\system32\Oinkmdml.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Opgciodi.exeC:\Windows\system32\Opgciodi.exe66⤵PID:1848
-
C:\Windows\SysWOW64\Ppafpm32.exeC:\Windows\system32\Ppafpm32.exe67⤵
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Qibmoa32.exeC:\Windows\system32\Qibmoa32.exe68⤵PID:1720
-
C:\Windows\SysWOW64\Addahh32.exeC:\Windows\system32\Addahh32.exe69⤵PID:2664
-
C:\Windows\SysWOW64\Bdkghg32.exeC:\Windows\system32\Bdkghg32.exe70⤵PID:3436
-
C:\Windows\SysWOW64\Cqinng32.exeC:\Windows\system32\Cqinng32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3576 -
C:\Windows\SysWOW64\Cknbkpif.exeC:\Windows\system32\Cknbkpif.exe72⤵PID:3136
-
C:\Windows\SysWOW64\Cdfgdf32.exeC:\Windows\system32\Cdfgdf32.exe73⤵PID:2172
-
C:\Windows\SysWOW64\Ckclfp32.exeC:\Windows\system32\Ckclfp32.exe74⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Dklomnmf.exeC:\Windows\system32\Dklomnmf.exe75⤵
- Drops file in System32 directory
PID:4548 -
C:\Windows\SysWOW64\Dcgcaq32.exeC:\Windows\system32\Dcgcaq32.exe76⤵PID:1808
-
C:\Windows\SysWOW64\Enaaiifb.exeC:\Windows\system32\Enaaiifb.exe77⤵PID:756
-
C:\Windows\SysWOW64\Fjphoi32.exeC:\Windows\system32\Fjphoi32.exe78⤵PID:1928
-
C:\Windows\SysWOW64\Haeino32.exeC:\Windows\system32\Haeino32.exe79⤵PID:4996
-
C:\Windows\SysWOW64\Hknmgd32.exeC:\Windows\system32\Hknmgd32.exe80⤵PID:552
-
C:\Windows\SysWOW64\Ionbcb32.exeC:\Windows\system32\Ionbcb32.exe81⤵PID:3580
-
C:\Windows\SysWOW64\Iamoon32.exeC:\Windows\system32\Iamoon32.exe82⤵PID:4860
-
C:\Windows\SysWOW64\Jliimf32.exeC:\Windows\system32\Jliimf32.exe83⤵PID:872
-
C:\Windows\SysWOW64\Klgend32.exeC:\Windows\system32\Klgend32.exe84⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Kkooep32.exeC:\Windows\system32\Kkooep32.exe85⤵PID:4928
-
C:\Windows\SysWOW64\Klnkoc32.exeC:\Windows\system32\Klnkoc32.exe86⤵PID:4480
-
C:\Windows\SysWOW64\Lbbjhini.exeC:\Windows\system32\Lbbjhini.exe87⤵PID:3356
-
C:\Windows\SysWOW64\Lkmkfncf.exeC:\Windows\system32\Lkmkfncf.exe88⤵PID:1728
-
C:\Windows\SysWOW64\Lfbpcgbl.exeC:\Windows\system32\Lfbpcgbl.exe89⤵PID:3892
-
C:\Windows\SysWOW64\Nkkggl32.exeC:\Windows\system32\Nkkggl32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Nlbnhkqo.exeC:\Windows\system32\Nlbnhkqo.exe91⤵PID:3372
-
C:\Windows\SysWOW64\Opbcdieb.exeC:\Windows\system32\Opbcdieb.exe92⤵
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Olidijjf.exeC:\Windows\system32\Olidijjf.exe93⤵PID:3656
-
C:\Windows\SysWOW64\Ofnhfbjl.exeC:\Windows\system32\Ofnhfbjl.exe94⤵PID:4968
-
C:\Windows\SysWOW64\Pidjcm32.exeC:\Windows\system32\Pidjcm32.exe95⤵PID:2440
-
C:\Windows\SysWOW64\Pfhklabb.exeC:\Windows\system32\Pfhklabb.exe96⤵PID:1188
-
C:\Windows\SysWOW64\Plimpg32.exeC:\Windows\system32\Plimpg32.exe97⤵PID:2548
-
C:\Windows\SysWOW64\Peaahmcd.exeC:\Windows\system32\Peaahmcd.exe98⤵PID:3004
-
C:\Windows\SysWOW64\Ppgeff32.exeC:\Windows\system32\Ppgeff32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1420 -
C:\Windows\SysWOW64\Qednnm32.exeC:\Windows\system32\Qednnm32.exe100⤵PID:4920
-
C:\Windows\SysWOW64\Qpibke32.exeC:\Windows\system32\Qpibke32.exe101⤵PID:3552
-
C:\Windows\SysWOW64\Ampojimo.exeC:\Windows\system32\Ampojimo.exe102⤵PID:4508
-
C:\Windows\SysWOW64\Aebjokda.exeC:\Windows\system32\Aebjokda.exe103⤵PID:5136
-
C:\Windows\SysWOW64\Bgafin32.exeC:\Windows\system32\Bgafin32.exe104⤵
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Cgmfel32.exeC:\Windows\system32\Cgmfel32.exe105⤵PID:5224
-
C:\Windows\SysWOW64\Cjbhbf32.exeC:\Windows\system32\Cjbhbf32.exe106⤵PID:5268
-
C:\Windows\SysWOW64\Copajm32.exeC:\Windows\system32\Copajm32.exe107⤵PID:5308
-
C:\Windows\SysWOW64\Dlcaca32.exeC:\Windows\system32\Dlcaca32.exe108⤵PID:5356
-
C:\Windows\SysWOW64\Dcmjpl32.exeC:\Windows\system32\Dcmjpl32.exe109⤵PID:5392
-
C:\Windows\SysWOW64\Djgbmffn.exeC:\Windows\system32\Djgbmffn.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436 -
C:\Windows\SysWOW64\Dodjemee.exeC:\Windows\system32\Dodjemee.exe111⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Dmhkoaco.exeC:\Windows\system32\Dmhkoaco.exe112⤵PID:5540
-
C:\Windows\SysWOW64\Ghanoeel.exeC:\Windows\system32\Ghanoeel.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5576 -
C:\Windows\SysWOW64\Gnkflo32.exeC:\Windows\system32\Gnkflo32.exe114⤵PID:5620
-
C:\Windows\SysWOW64\Ghcjedcj.exeC:\Windows\system32\Ghcjedcj.exe115⤵PID:5668
-
C:\Windows\SysWOW64\Hanlcjgh.exeC:\Windows\system32\Hanlcjgh.exe116⤵PID:5712
-
C:\Windows\SysWOW64\Hjfplo32.exeC:\Windows\system32\Hjfplo32.exe117⤵PID:5752
-
C:\Windows\SysWOW64\Hdodeedi.exeC:\Windows\system32\Hdodeedi.exe118⤵PID:5800
-
C:\Windows\SysWOW64\Hnfehm32.exeC:\Windows\system32\Hnfehm32.exe119⤵PID:5844
-
C:\Windows\SysWOW64\Hdcnpd32.exeC:\Windows\system32\Hdcnpd32.exe120⤵PID:5888
-
C:\Windows\SysWOW64\Iophnl32.exeC:\Windows\system32\Iophnl32.exe121⤵PID:5932
-
C:\Windows\SysWOW64\Jacnegep.exeC:\Windows\system32\Jacnegep.exe122⤵PID:5972
-