Analysis
max time kernel
169s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted
28/10/2023, 20:19
Behavioral task
behavioral1
Sample
NEAS.f8c54a57457f0cb7d888d048f2fbb760.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.f8c54a57457f0cb7d888d048f2fbb760.exe
Resource
win10v2004-20231023-en
General
Target
NEAS.f8c54a57457f0cb7d888d048f2fbb760.exe
Size
141KB
MD5
f8c54a57457f0cb7d888d048f2fbb760
SHA1
4c1feb9c4e9b465881526ed8309435a5a660896e
SHA256
a628a3d28bea0a6295fed9fb2a62d38e0c3b631942e8293dc2c9af24a46306fb
SHA512
bbce4cea7bb16a9a65f7084926333226d2bc3e0abe5e3acb616c4f3d183ac8e6d870005ff2be6e8afadd35a0e8217549b90493bdeceb60618fb841ecbae22a83
SSDEEP
3072:em2KdL4YlaFbuwQ9bGCmBJFWpoPSkGFj/p7sW0l:T2KdL4YlaF6N9bGCKJFtE/JK
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfemkdbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmhhnmao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqfdgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjggkqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekeacmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejfjocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmoehojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ammnclcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoadecal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipqkopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgopbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlhkqngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neclpamg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpaanfce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhkqngo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amgefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apbngn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjkacoji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdncfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aklddmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjmkhkff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhpje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjinjnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidgko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqopj32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcmgphma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapjeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkaijl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abngccbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npbhqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjagapbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmlckhig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqlph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhmbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgeegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjknljl.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlnpdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdjqienq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaodkmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfnig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lklbnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjfoidl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpjob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjnnmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmgjbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehdcij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicemccc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcfocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfffcf32.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbqqeahl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkqknci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijmobhdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcjne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmjnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amibklml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkbka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfdhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olangmod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjlnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kabpan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abfqbdhd.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdlnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhgneqha.exe
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/1536-0-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/memory/1536-1-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cfe-7.dat family_berbew behavioral2/files/0x0006000000022cfe-9.dat family_berbew behavioral2/memory/4148-8-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0007000000022cf6-15.dat family_berbew behavioral2/files/0x0007000000022cf6-17.dat family_berbew behavioral2/memory/3340-16-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x000a000000022cf9-18.dat family_berbew behavioral2/files/0x000a000000022cf9-23.dat family_berbew behavioral2/files/0x000a000000022cf9-25.dat family_berbew behavioral2/memory/4628-24-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0007000000022cfd-31.dat family_berbew behavioral2/memory/3136-32-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0007000000022cfd-33.dat family_berbew behavioral2/files/0x0007000000022d00-34.dat family_berbew behavioral2/files/0x0007000000022d00-39.dat family_berbew behavioral2/files/0x0007000000022d00-41.dat family_berbew behavioral2/memory/2940-40-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0008000000022d02-47.dat family_berbew behavioral2/memory/2692-48-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0008000000022d02-49.dat family_berbew behavioral2/files/0x0006000000022d05-55.dat family_berbew behavioral2/memory/1900-56-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d05-57.dat family_berbew behavioral2/files/0x0006000000022d07-63.dat family_berbew behavioral2/memory/1536-64-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d07-65.dat family_berbew 
behavioral2/memory/1396-66-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d09-72.dat family_berbew behavioral2/memory/3436-73-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d09-74.dat family_berbew behavioral2/files/0x0006000000022d0b-75.dat family_berbew behavioral2/memory/3956-81-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d0b-80.dat family_berbew behavioral2/files/0x0006000000022d0b-82.dat family_berbew behavioral2/files/0x0006000000022d0d-88.dat family_berbew behavioral2/files/0x0006000000022d0d-90.dat family_berbew behavioral2/memory/5008-89-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d0f-96.dat family_berbew behavioral2/memory/812-97-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d0f-98.dat family_berbew behavioral2/files/0x0006000000022d11-104.dat family_berbew behavioral2/memory/3776-105-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d11-106.dat family_berbew behavioral2/files/0x0006000000022d13-112.dat family_berbew behavioral2/files/0x0006000000022d13-114.dat family_berbew behavioral2/memory/3760-113-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d15-120.dat family_berbew behavioral2/memory/3632-121-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d15-122.dat family_berbew behavioral2/memory/4428-129-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d17-128.dat family_berbew behavioral2/files/0x0006000000022d17-130.dat family_berbew behavioral2/files/0x0006000000022d19-131.dat family_berbew behavioral2/files/0x0006000000022d19-136.dat family_berbew 
behavioral2/memory/1008-137-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d19-138.dat family_berbew behavioral2/files/0x0006000000022d1b-144.dat family_berbew behavioral2/files/0x0006000000022d1b-146.dat family_berbew behavioral2/memory/4172-145-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d1d-152.dat family_berbew behavioral2/memory/4788-154-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022d1d-153.dat family_berbew
Executes dropped EXE 64 IoCs
pid Process
4148 Cemndbci.exe
3340 Gheodg32.exe
4628 Hgmebnpd.exe
3136 Hfbbdj32.exe
2940 Imcqacfq.exe
2692 Icbbimih.exe
1900 Jjemle32.exe
1396 Kiaqnagj.exe
3436 Kjamhd32.exe
3956 Liifnp32.exe
5008 Lmfodn32.exe
812 Ndjcne32.exe
3776 Opmcod32.exe
3760 Pjlnhi32.exe
3632 Pafcofcg.exe
4428 Ahgamo32.exe
1008 Ababkdij.exe
4172 Bnaffdfc.exe
4788 Cbfema32.exe
4756 Dnghhqdk.exe
3180 Engaon32.exe
912 Fhiinbdo.exe
4296 Hcflch32.exe
4764 Ileflmpb.exe
2496 Iohlcg32.exe
3980 Jomeoggk.exe
4476 Jcknee32.exe
3924 Kmjinjnj.exe
3812 Kkofofbb.exe
2256 Lfjchn32.exe
1824 Lmheph32.exe
4292 Mjaodkmo.exe
2176 Niblafgi.exe
1952 Oljkcpnb.exe
2536 Ofdhlh32.exe
4052 Piikhc32.exe
1464 Qpjifl32.exe
4840 Qibmoa32.exe
2560 Qdhalj32.exe
1712 Ajjcoqdl.exe
4400 Bpmobi32.exe
1300 Ccendc32.exe
3220 Dgjmkqke.exe
544 Eghimo32.exe
1116 Eelifc32.exe
3020 Ekeacmel.exe
1792 Emgnje32.exe
2932 Elhnhm32.exe
4760 Fnmqegle.exe
3328 Gechnpid.exe
4320 Haobnpkc.exe
2732 Idmhqi32.exe
2104 Ikgpmc32.exe
5048 Idpdfija.exe
4576 Ieoapl32.exe
4908 Jhpjbgne.exe
4584 Jahnkl32.exe
380 Jlnbhe32.exe
4912 Jnoopm32.exe
3064 Jkcpia32.exe
2060 Jlblcdpf.exe
4012 Kkaljpmd.exe
2288 Lkchpoka.exe
4304 Lbpmbipk.exe
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oegejc32.exe Ompmie32.exe File created C:\Windows\SysWOW64\Pmgcidqm.exe Olfgbl32.exe File opened for modification C:\Windows\SysWOW64\Phfjmlhh.exe Palbpb32.exe File created C:\Windows\SysWOW64\Kjclmbhq.dll Amhlpb32.exe File opened for modification C:\Windows\SysWOW64\Fdlcehhn.exe Embkhn32.exe File opened for modification C:\Windows\SysWOW64\Oobfhh32.exe Oldjlm32.exe File created C:\Windows\SysWOW64\Qmmekboo.dll Jpnhof32.exe File opened for modification C:\Windows\SysWOW64\Phmjdbpo.exe Plocob32.exe File created C:\Windows\SysWOW64\Ejlban32.exe Ecbjdcml.exe File created C:\Windows\SysWOW64\Bjmjinog.dll Ncjmob32.exe File created C:\Windows\SysWOW64\Cicipa32.dll Chpangnk.exe File created C:\Windows\SysWOW64\Analdh32.dll Aclpkffa.exe File opened for modification C:\Windows\SysWOW64\Efhlan32.exe Emphhhoh.exe File created C:\Windows\SysWOW64\Kglmbd32.exe Kdmqfi32.exe File opened for modification C:\Windows\SysWOW64\Pagbklae.exe Pjmjnb32.exe File created C:\Windows\SysWOW64\Iabbeiag.dll Liifnp32.exe File created C:\Windows\SysWOW64\Ifefggbd.dll Caeiam32.exe File created C:\Windows\SysWOW64\Hodogb32.dll Coohbbeb.exe File created C:\Windows\SysWOW64\Opmcod32.exe Ndjcne32.exe File created C:\Windows\SysWOW64\Ekbage32.dll Dgjmkqke.exe File created C:\Windows\SysWOW64\Majoikof.exe Mkpglqgj.exe File created C:\Windows\SysWOW64\Oednclpf.dll Fdccka32.exe File created C:\Windows\SysWOW64\Onicbi32.exe Nhokeolc.exe File created C:\Windows\SysWOW64\Pdhbgn32.exe Poliog32.exe File created C:\Windows\SysWOW64\Ejgcpn32.dll Fdpnpe32.exe File created C:\Windows\SysWOW64\Nknjak32.dll Nlhkqngo.exe File created C:\Windows\SysWOW64\Clohhbli.exe Cphgca32.exe File created C:\Windows\SysWOW64\Dnjdncio.exe Doidql32.exe File opened for modification C:\Windows\SysWOW64\Lhijcohe.exe Lblakh32.exe File created C:\Windows\SysWOW64\Cbfema32.exe Bnaffdfc.exe File created C:\Windows\SysWOW64\Qlkbka32.exe Pbbnbkpe.exe File opened for 
modification C:\Windows\SysWOW64\Allpnplb.exe Acclejeb.exe File created C:\Windows\SysWOW64\Hhglhi32.exe Goediekj.exe File created C:\Windows\SysWOW64\Aggdaq32.dll Hphpap32.exe File created C:\Windows\SysWOW64\Bdmdhmch.dll Aojepe32.exe File created C:\Windows\SysWOW64\Apeiij32.dll Emoaopnf.exe File created C:\Windows\SysWOW64\Gjagapbn.exe Fpbpmhjb.exe File created C:\Windows\SysWOW64\Nkddhdgk.dll Pmangnmg.exe File created C:\Windows\SysWOW64\Ffqgddjj.dll Kpccgk32.exe File created C:\Windows\SysWOW64\Mlohjpoi.exe Meepne32.exe File opened for modification C:\Windows\SysWOW64\Oljkcpnb.exe Niblafgi.exe File created C:\Windows\SysWOW64\Dahogoog.dll Fnacfp32.exe File created C:\Windows\SysWOW64\Dhjknljl.exe Dcmcfeke.exe File created C:\Windows\SysWOW64\Blakhgoo.exe Beefenie.exe File opened for modification C:\Windows\SysWOW64\Pgaboa32.exe Pphjbgfj.exe File created C:\Windows\SysWOW64\Gkckcj32.dll Olfgbl32.exe File created C:\Windows\SysWOW64\Ognginic.exe Obanqgkl.exe File opened for modification C:\Windows\SysWOW64\Bjkacoji.exe Amfqikko.exe File created C:\Windows\SysWOW64\Eoadmoig.dll Dnhgcgbi.exe File created C:\Windows\SysWOW64\Jaddpppa.exe Iapjeq32.exe File opened for modification C:\Windows\SysWOW64\Ckpjob32.exe Cbefkp32.exe File opened for modification C:\Windows\SysWOW64\Mlpeol32.exe Mefmbbod.exe File opened for modification C:\Windows\SysWOW64\Ackbfioj.exe Ahenip32.exe File created C:\Windows\SysWOW64\Enhpje32.exe Ehlhbn32.exe File opened for modification C:\Windows\SysWOW64\Enhpje32.exe Ehlhbn32.exe File created C:\Windows\SysWOW64\Okbccg32.dll Hfklamii.exe File created C:\Windows\SysWOW64\Dfmcpf32.exe Djfckenm.exe File created C:\Windows\SysWOW64\Fmlnomif.exe Fkmbbajb.exe File created C:\Windows\SysWOW64\Djjmpi32.dll Dbnmek32.exe File opened for modification C:\Windows\SysWOW64\Gjagapbn.exe Fpbpmhjb.exe File opened for modification C:\Windows\SysWOW64\Mjnnmn32.exe Mcdepd32.exe File created C:\Windows\SysWOW64\Opqhhqdh.dll Cbefkp32.exe File created 
C:\Windows\SysWOW64\Hfemkdbm.exe Gkoinlbg.exe File created C:\Windows\SysWOW64\Acclejeb.exe Aklddmep.exe
Program crash 2 IoCs
pid pid_target Process procid_target
4652 5124 WerFault.exe 729
5212 5124 WerFault.exe 729
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbpmbipk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clohhbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlihek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgcej32.dll" Cdicdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbhhkoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibeqgdpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moobkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ognginic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iejcco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faeihogj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qofjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aolbedeh.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jebfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eboieeff.dll" Ppclej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcknee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idpdfija.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clolpq32.dll" Mmnlnfcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfdhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipdoedg.dll" Milinkgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Engaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oegejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlpkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddecpgko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakofc32.dll" Pjlnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Ghgfnlcj.dll" Gechnpid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emdjjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggnlhgkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imkbglei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caachqjp.dll" Gmmome32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdicdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnhgcgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knjcjjfj.dll" Pkoldl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbnomjg.dll" Fgppgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbddnj32.dll" Hfcnicjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaobe32.dll" Bmqhlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabjjipm.dll" Dmqdmd32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haobnpkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nombnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkgjekai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lblakh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmjpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmioicek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppclej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adhdcepc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeqqnmg.dll" Pphjbgfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooejhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elienf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkibqnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncpnljf.dll" Alcfoo32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpflql32.dll" Pmiidnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flplcjpa.dll" Fpbpmhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcfocb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imieblgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdglka32.dll" Hppedpkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lanpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqpjhepn.dll" Lblakh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmiidnko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neclpamg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafmjb32.dll" Nccqbeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anpnmele.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mefmbbod.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpmobi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knofif32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.f8c54a57457f0cb7d888d048f2fbb760.exe, command line "C:\Users\Admin\AppData\Local\Temp\NEAS.f8c54a57457f0cb7d888d048f2fbb760.exe", PID 1536: Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Cemndbci.exe, command line C:\Windows\system32\Cemndbci.exe, PID 4148: Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Gheodg32.exe, command line C:\Windows\system32\Gheodg32.exe, PID 3340: Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Hgmebnpd.exe, command line C:\Windows\system32\Hgmebnpd.exe, PID 4628: Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Hfbbdj32.exe, command line C:\Windows\system32\Hfbbdj32.exe, PID 3136: Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Imcqacfq.exe, command line C:\Windows\system32\Imcqacfq.exe, PID 2940: Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Icbbimih.exe, command line C:\Windows\system32\Icbbimih.exe, PID 2692: Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Jjemle32.exe, command line C:\Windows\system32\Jjemle32.exe, PID 1900: Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Kiaqnagj.exe, command line C:\Windows\system32\Kiaqnagj.exe, PID 1396: Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Kjamhd32.exe, command line C:\Windows\system32\Kjamhd32.exe, PID 3436: Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Liifnp32.exe, command line C:\Windows\system32\Liifnp32.exe, PID 3956: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Lmfodn32.exe, command line C:\Windows\system32\Lmfodn32.exe, PID 5008: Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ndjcne32.exe, command line C:\Windows\system32\Ndjcne32.exe, PID 812: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Opmcod32.exe, command line C:\Windows\system32\Opmcod32.exe, PID 3776: Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Pjlnhi32.exe, command line C:\Windows\system32\Pjlnhi32.exe, PID 3760: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Pafcofcg.exe, command line C:\Windows\system32\Pafcofcg.exe, PID 3632: Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ahgamo32.exe, command line C:\Windows\system32\Ahgamo32.exe, PID 4428: Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Ababkdij.exe, command line C:\Windows\system32\Ababkdij.exe, PID 1008: Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Bnaffdfc.exe, command line C:\Windows\system32\Bnaffdfc.exe, PID 4172: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Cbfema32.exe, command line C:\Windows\system32\Cbfema32.exe, PID 4788: Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Dnghhqdk.exe, command line C:\Windows\system32\Dnghhqdk.exe, PID 4756: Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Engaon32.exe, command line C:\Windows\system32\Engaon32.exe, PID 3180: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Fhiinbdo.exe, command line C:\Windows\system32\Fhiinbdo.exe, PID 912: Executes dropped EXE
24. C:\Windows\SysWOW64\Hcflch32.exe, command line C:\Windows\system32\Hcflch32.exe, PID 4296: Executes dropped EXE
25. C:\Windows\SysWOW64\Ileflmpb.exe, command line C:\Windows\system32\Ileflmpb.exe, PID 4764: Executes dropped EXE
26. C:\Windows\SysWOW64\Iohlcg32.exe, command line C:\Windows\system32\Iohlcg32.exe, PID 2496: Executes dropped EXE
27. C:\Windows\SysWOW64\Jomeoggk.exe, command line C:\Windows\system32\Jomeoggk.exe, PID 3980: Executes dropped EXE
28. C:\Windows\SysWOW64\Jcknee32.exe, command line C:\Windows\system32\Jcknee32.exe, PID 4476: Executes dropped EXE; Modifies registry class
29. C:\Windows\SysWOW64\Kmjinjnj.exe, command line C:\Windows\system32\Kmjinjnj.exe, PID 3924: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
30. C:\Windows\SysWOW64\Kkofofbb.exe, command line C:\Windows\system32\Kkofofbb.exe, PID 3812: Executes dropped EXE
31. C:\Windows\SysWOW64\Lfjchn32.exe, command line C:\Windows\system32\Lfjchn32.exe, PID 2256: Executes dropped EXE
32. C:\Windows\SysWOW64\Lmheph32.exe, command line C:\Windows\system32\Lmheph32.exe, PID 1824: Executes dropped EXE
33. C:\Windows\SysWOW64\Mjaodkmo.exe, command line C:\Windows\system32\Mjaodkmo.exe, PID 4292: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
34. C:\Windows\SysWOW64\Niblafgi.exe, command line C:\Windows\system32\Niblafgi.exe, PID 2176: Executes dropped EXE; Drops file in System32 directory
35. C:\Windows\SysWOW64\Oljkcpnb.exe, command line C:\Windows\system32\Oljkcpnb.exe, PID 1952: Executes dropped EXE
36. C:\Windows\SysWOW64\Ofdhlh32.exe, command line C:\Windows\system32\Ofdhlh32.exe, PID 2536: Executes dropped EXE
37. C:\Windows\SysWOW64\Piikhc32.exe, command line C:\Windows\system32\Piikhc32.exe, PID 4052: Executes dropped EXE
38. C:\Windows\SysWOW64\Qpjifl32.exe, command line C:\Windows\system32\Qpjifl32.exe, PID 1464: Executes dropped EXE
39. C:\Windows\SysWOW64\Qibmoa32.exe, command line C:\Windows\system32\Qibmoa32.exe, PID 4840: Executes dropped EXE
40. C:\Windows\SysWOW64\Qdhalj32.exe, command line C:\Windows\system32\Qdhalj32.exe, PID 2560: Executes dropped EXE
41. C:\Windows\SysWOW64\Ajjcoqdl.exe, command line C:\Windows\system32\Ajjcoqdl.exe, PID 1712: Executes dropped EXE
42. C:\Windows\SysWOW64\Bpmobi32.exe, command line C:\Windows\system32\Bpmobi32.exe, PID 4400: Executes dropped EXE; Modifies registry class
43. C:\Windows\SysWOW64\Ccendc32.exe, command line C:\Windows\system32\Ccendc32.exe, PID 1300: Executes dropped EXE
44. C:\Windows\SysWOW64\Dgjmkqke.exe, command line C:\Windows\system32\Dgjmkqke.exe, PID 3220: Executes dropped EXE; Drops file in System32 directory
45. C:\Windows\SysWOW64\Eghimo32.exe, command line C:\Windows\system32\Eghimo32.exe, PID 544: Executes dropped EXE
46. C:\Windows\SysWOW64\Eelifc32.exe, command line C:\Windows\system32\Eelifc32.exe, PID 1116: Executes dropped EXE
47. C:\Windows\SysWOW64\Ekeacmel.exe, command line C:\Windows\system32\Ekeacmel.exe, PID 3020: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
48. C:\Windows\SysWOW64\Emgnje32.exe, command line C:\Windows\system32\Emgnje32.exe, PID 1792: Executes dropped EXE
49. C:\Windows\SysWOW64\Elhnhm32.exe, command line C:\Windows\system32\Elhnhm32.exe, PID 2932: Executes dropped EXE
50. C:\Windows\SysWOW64\Fnmqegle.exe, command line C:\Windows\system32\Fnmqegle.exe, PID 4760: Executes dropped EXE
51. C:\Windows\SysWOW64\Gechnpid.exe, command line C:\Windows\system32\Gechnpid.exe, PID 3328: Executes dropped EXE; Modifies registry class
52. C:\Windows\SysWOW64\Haobnpkc.exe, command line C:\Windows\system32\Haobnpkc.exe, PID 4320: Executes dropped EXE; Modifies registry class
53. C:\Windows\SysWOW64\Idmhqi32.exe, command line C:\Windows\system32\Idmhqi32.exe, PID 2732: Executes dropped EXE
54. C:\Windows\SysWOW64\Ikgpmc32.exe, command line C:\Windows\system32\Ikgpmc32.exe, PID 2104: Executes dropped EXE
55. C:\Windows\SysWOW64\Idpdfija.exe, command line C:\Windows\system32\Idpdfija.exe, PID 5048: Executes dropped EXE; Modifies registry class
56. C:\Windows\SysWOW64\Ieoapl32.exe, command line C:\Windows\system32\Ieoapl32.exe, PID 4576: Executes dropped EXE
57. C:\Windows\SysWOW64\Jhpjbgne.exe, command line C:\Windows\system32\Jhpjbgne.exe, PID 4908: Executes dropped EXE
58. C:\Windows\SysWOW64\Jahnkl32.exe, command line C:\Windows\system32\Jahnkl32.exe, PID 4584: Executes dropped EXE
59. C:\Windows\SysWOW64\Jlnbhe32.exe, command line C:\Windows\system32\Jlnbhe32.exe, PID 380: Executes dropped EXE
60. C:\Windows\SysWOW64\Jnoopm32.exe, command line C:\Windows\system32\Jnoopm32.exe, PID 4912: Executes dropped EXE
61. C:\Windows\SysWOW64\Jkcpia32.exe, command line C:\Windows\system32\Jkcpia32.exe, PID 3064: Executes dropped EXE
62. C:\Windows\SysWOW64\Jlblcdpf.exe, command line C:\Windows\system32\Jlblcdpf.exe, PID 2060: Executes dropped EXE
63. C:\Windows\SysWOW64\Kkaljpmd.exe, command line C:\Windows\system32\Kkaljpmd.exe, PID 4012: Executes dropped EXE
64. C:\Windows\SysWOW64\Lkchpoka.exe, command line C:\Windows\system32\Lkchpoka.exe, PID 2288: Executes dropped EXE
65. C:\Windows\SysWOW64\Lbpmbipk.exe, command line C:\Windows\system32\Lbpmbipk.exe, PID 4304: Executes dropped EXE; Modifies registry class
66. C:\Windows\SysWOW64\Lhjeoc32.exe, command line C:\Windows\system32\Lhjeoc32.exe, PID 3304
67. C:\Windows\SysWOW64\Meepoc32.exe, command line C:\Windows\system32\Meepoc32.exe, PID 5052
68. C:\Windows\SysWOW64\Neaokboj.exe, command line C:\Windows\system32\Neaokboj.exe, PID 740
69. C:\Windows\SysWOW64\Nnidcg32.exe, command line C:\Windows\system32\Nnidcg32.exe, PID 2728
70. C:\Windows\SysWOW64\Neclpamg.exe, command line C:\Windows\system32\Neclpamg.exe, PID 3748: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
71. C:\Windows\SysWOW64\Nbiioe32.exe, command line C:\Windows\system32\Nbiioe32.exe, PID 2716
72. C:\Windows\SysWOW64\Oijgmokc.exe, command line C:\Windows\system32\Oijgmokc.exe, PID 3948
73. C:\Windows\SysWOW64\Opiidhoj.exe, command line C:\Windows\system32\Opiidhoj.exe, PID 936
74. C:\Windows\SysWOW64\Bipcei32.exe, command line C:\Windows\system32\Bipcei32.exe, PID 2520
75. C:\Windows\SysWOW64\Cphgca32.exe, command line C:\Windows\system32\Cphgca32.exe, PID 4904: Drops file in System32 directory
76. C:\Windows\SysWOW64\Clohhbli.exe, command line C:\Windows\system32\Clohhbli.exe, PID 4596: Modifies registry class
77. C:\Windows\SysWOW64\Cggikk32.exe, command line C:\Windows\system32\Cggikk32.exe, PID 3280
78. C:\Windows\SysWOW64\Doidql32.exe, command line C:\Windows\system32\Doidql32.exe, PID 4004: Drops file in System32 directory
79. C:\Windows\SysWOW64\Dnjdncio.exe, command line C:\Windows\system32\Dnjdncio.exe, PID 3672
80. C:\Windows\SysWOW64\Dokqfl32.exe, command line C:\Windows\system32\Dokqfl32.exe, PID 2816
81. C:\Windows\SysWOW64\Dfeibf32.exe, command line C:\Windows\system32\Dfeibf32.exe, PID 4548
82. C:\Windows\SysWOW64\Emoaopnf.exe, command line C:\Windows\system32\Emoaopnf.exe, PID 5060: Drops file in System32 directory
83. C:\Windows\SysWOW64\Emdjjo32.exe, command line C:\Windows\system32\Emdjjo32.exe, PID 2984: Modifies registry class
84. C:\Windows\SysWOW64\Eqdpfm32.exe, command line C:\Windows\system32\Eqdpfm32.exe, PID 1588
85. C:\Windows\SysWOW64\Ffahnd32.exe, command line C:\Windows\system32\Ffahnd32.exe, PID 3644
86. C:\Windows\SysWOW64\Fmkqknci.exe, command line C:\Windows\system32\Fmkqknci.exe, PID 3788: Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Ffcedd32.exe, command line C:\Windows\system32\Ffcedd32.exe, PID 3196
88. C:\Windows\SysWOW64\Fnacfp32.exe, command line C:\Windows\system32\Fnacfp32.exe, PID 244: Drops file in System32 directory
89. C:\Windows\SysWOW64\Fpbpmhjb.exe, command line C:\Windows\system32\Fpbpmhjb.exe, PID 216: Drops file in System32 directory; Modifies registry class
90. C:\Windows\SysWOW64\Gjagapbn.exe, command line C:\Windows\system32\Gjagapbn.exe, PID 3332: Adds autorun key to be loaded by Explorer.exe on startup
91. C:\Windows\SysWOW64\Gpnoigpe.exe, command line C:\Windows\system32\Gpnoigpe.exe, PID 2832
92. C:\Windows\SysWOW64\Hhhdpd32.exe, command line C:\Windows\system32\Hhhdpd32.exe, PID 836
93. C:\Windows\SysWOW64\Hpchdf32.exe, command line C:\Windows\system32\Hpchdf32.exe, PID 1656
94. C:\Windows\SysWOW64\Hfmqapcl.exe, command line C:\Windows\system32\Hfmqapcl.exe, PID 3380
95. C:\Windows\SysWOW64\Habeni32.exe, command line C:\Windows\system32\Habeni32.exe, PID 2920
96. C:\Windows\SysWOW64\Hjkigojc.exe, command line C:\Windows\system32\Hjkigojc.exe, PID 3712
97. C:\Windows\SysWOW64\Ionlhlld.exe, command line C:\Windows\system32\Ionlhlld.exe, PID 536
98. C:\Windows\SysWOW64\Idonlbff.exe, command line C:\Windows\system32\Idonlbff.exe, PID 1076
99. C:\Windows\SysWOW64\Jdajabdc.exe, command line C:\Windows\system32\Jdajabdc.exe, PID 1732
100. C:\Windows\SysWOW64\Jognokdi.exe, command line C:\Windows\system32\Jognokdi.exe, PID 5128
101. C:\Windows\SysWOW64\Kobnji32.exe, command line C:\Windows\system32\Kobnji32.exe, PID 5160
102. C:\Windows\SysWOW64\Kpdjbapj.exe, command line C:\Windows\system32\Kpdjbapj.exe, PID 5204
103. C:\Windows\SysWOW64\Kgnbol32.exe, command line C:\Windows\system32\Kgnbol32.exe, PID 5240
104. C:\Windows\SysWOW64\Knhkkfod.exe, command line C:\Windows\system32\Knhkkfod.exe, PID 5300
105. C:\Windows\SysWOW64\Kpkqbq32.exe, command line C:\Windows\system32\Kpkqbq32.exe, PID 5344
106. C:\Windows\SysWOW64\Kgeiokao.exe, command line C:\Windows\system32\Kgeiokao.exe, PID 5388
107. C:\Windows\SysWOW64\Lajmmc32.exe, command line C:\Windows\system32\Lajmmc32.exe, PID 5432
108. C:\Windows\SysWOW64\Lppjnpem.exe, command line C:\Windows\system32\Lppjnpem.exe, PID 5504
109. C:\Windows\SysWOW64\Mkoaagmh.exe, command line C:\Windows\system32\Mkoaagmh.exe, PID 5540
110. C:\Windows\SysWOW64\Mbhina32.exe, command line C:\Windows\system32\Mbhina32.exe, PID 5592
111. C:\Windows\SysWOW64\Nombnc32.exe, command line C:\Windows\system32\Nombnc32.exe, PID 5640: Modifies registry class
112. C:\Windows\SysWOW64\Oecnmi32.exe, command line C:\Windows\system32\Oecnmi32.exe, PID 5680
113. C:\Windows\SysWOW64\Onkbenbi.exe, command line C:\Windows\system32\Onkbenbi.exe, PID 5724
114. C:\Windows\SysWOW64\Oeekbhif.exe, command line C:\Windows\system32\Oeekbhif.exe, PID 5764
115. C:\Windows\SysWOW64\Plocob32.exe, command line C:\Windows\system32\Plocob32.exe, PID 5816: Drops file in System32 directory
116. C:\Windows\SysWOW64\Phmjdbpo.exe, command line C:\Windows\system32\Phmjdbpo.exe, PID 5852
117. C:\Windows\SysWOW64\Pbbnbkpe.exe, command line C:\Windows\system32\Pbbnbkpe.exe, PID 5900: Drops file in System32 directory
118. C:\Windows\SysWOW64\Qlkbka32.exe, command line C:\Windows\system32\Qlkbka32.exe, PID 5956: Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Aocamk32.exe, command line C:\Windows\system32\Aocamk32.exe, PID 5996
120. C:\Windows\SysWOW64\Aihfjd32.exe, command line C:\Windows\system32\Aihfjd32.exe, PID 6044
121. C:\Windows\SysWOW64\Apbngn32.exe, command line C:\Windows\system32\Apbngn32.exe, PID 6088: Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Apdkmn32.exe, command line C:\Windows\system32\Apdkmn32.exe, PID 6136