Analysis
-
max time kernel
141s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 19:58
Behavioral task
behavioral1
Sample
NEAS.a08965908ab265e12d53f2a665cc4430.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.a08965908ab265e12d53f2a665cc4430.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.a08965908ab265e12d53f2a665cc4430.exe
-
Size
80KB
-
MD5
a08965908ab265e12d53f2a665cc4430
-
SHA1
5ff1009c473bc57e00118a861065caab7605912f
-
SHA256
2c995521269a85f1b9a9693b109e6b18ef125549020ebc413d6096aa3f545878
-
SHA512
c87738fd788eec0465d7b681050de6aefef9bc734683c392b60ef0f22b3b6b7ce2cc3c7dc5fca9b650646b693c82735e44630734107d3f91f3bf44c65227bf51
-
SSDEEP
1536:VbHrciUnJuvAlopWG9lcPOsS7EZudtKp2Lt85wfi+TjRC/6i:VbLctukPOsK5P8wf1TjYL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glengm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbfldf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndnnianm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofgmib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhldbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omopjcjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjblf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcneeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbbkocid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caageq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhbbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khfkfedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khfkfedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdohp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coegoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Babcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egegjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhiii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggpfkjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcehdod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkndie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmomo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iafkld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiagde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjeplijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hepgkohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mojopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgqopeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cboibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jblflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aijlgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajkaii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goglcahb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkiaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhgiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Memalfcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndidna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcjop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koonge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhegig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmeha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcffnbee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddhomdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblpcndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noaeqjpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glfmgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geanfelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mepnaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omopjcjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhgdmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilmedf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndnnianm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmgof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eefaomcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejalcgkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdcag32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2384-0-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/2384-1-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-7.dat family_berbew behavioral2/memory/1800-8-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-9.dat family_berbew behavioral2/memory/4108-16-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0008000000022df0-15.dat family_berbew behavioral2/files/0x0008000000022df0-17.dat family_berbew behavioral2/files/0x0007000000022e01-23.dat family_berbew behavioral2/files/0x0007000000022e01-25.dat family_berbew behavioral2/memory/3920-24-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0c-31.dat family_berbew behavioral2/files/0x0006000000022e0c-33.dat family_berbew behavioral2/memory/4104-32-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0e-40.dat family_berbew behavioral2/memory/5064-41-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0e-39.dat family_berbew behavioral2/files/0x0006000000022e10-47.dat family_berbew behavioral2/files/0x0006000000022e10-48.dat family_berbew behavioral2/memory/1848-49-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e12-55.dat family_berbew behavioral2/files/0x0006000000022e12-56.dat family_berbew behavioral2/memory/2804-57-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e15-64.dat family_berbew behavioral2/memory/4884-65-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e15-63.dat family_berbew behavioral2/files/0x0006000000022e18-72.dat family_berbew behavioral2/files/0x0006000000022e18-71.dat family_berbew behavioral2/memory/3568-73-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1c-79.dat family_berbew behavioral2/memory/2384-80-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1c-82.dat family_berbew behavioral2/memory/3272-81-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1d-88.dat family_berbew behavioral2/files/0x0006000000022e1d-90.dat family_berbew behavioral2/memory/4864-89-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1f-96.dat family_berbew behavioral2/memory/892-98-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1f-97.dat family_berbew behavioral2/files/0x0006000000022e21-104.dat family_berbew behavioral2/files/0x0006000000022e21-106.dat family_berbew behavioral2/memory/3932-105-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e24-112.dat family_berbew behavioral2/memory/2436-113-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e24-114.dat family_berbew behavioral2/files/0x0006000000022e27-115.dat family_berbew behavioral2/files/0x0006000000022e27-120.dat family_berbew behavioral2/memory/3800-121-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e27-122.dat family_berbew behavioral2/files/0x0006000000022e2f-128.dat family_berbew behavioral2/memory/868-130-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2f-129.dat family_berbew behavioral2/files/0x0006000000022e31-136.dat family_berbew behavioral2/memory/1516-138-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e31-137.dat family_berbew behavioral2/files/0x0006000000022e33-146.dat family_berbew behavioral2/memory/2560-145-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e33-144.dat family_berbew behavioral2/files/0x0006000000022e35-152.dat family_berbew behavioral2/files/0x0006000000022e35-154.dat family_berbew behavioral2/memory/3964-153-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e37-160.dat family_berbew behavioral2/memory/2280-161-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e37-162.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1800 Aqncedbp.exe 4108 Ajfhnjhq.exe 3920 Acnlgp32.exe 4104 Andqdh32.exe 5064 Ajkaii32.exe 1848 Aadifclh.exe 2804 Bjmnoi32.exe 4884 Bebblb32.exe 3568 Bnkgeg32.exe 3272 Bchomn32.exe 4864 Bnpppgdj.exe 892 Bhhdil32.exe 3932 Bnbmefbg.exe 2436 Cfmajipb.exe 3800 Cabfga32.exe 868 Cnffqf32.exe 1516 Ceqnmpfo.exe 2560 Cmlcbbcj.exe 3964 Cfdhkhjj.exe 2280 Cdhhdlid.exe 3356 Ddjejl32.exe 4772 Dopigd32.exe 1436 Dhhnpjmh.exe 1304 Delnin32.exe 1540 Dfnjafap.exe 3640 Dmgbnq32.exe 644 Dhmgki32.exe 4388 Dknpmdfc.exe 1044 Edfdej32.exe 2056 Eefaomcg.exe 1564 Ealadnik.exe 4984 Egijmegb.exe 5012 Ehiffh32.exe 4116 Eemgplno.exe 1556 Egnchd32.exe 4620 Iohjlmeg.exe 3968 Inkjhi32.exe 3000 Ikokan32.exe 3196 Ifdonfka.exe 4968 Inpccihl.exe 1580 Ikcdlmgf.exe 4500 Ibnligoc.exe 1536 Iigdfa32.exe 512 Pomgjn32.exe 2344 Pjbkgfej.exe 4020 Plagcbdn.exe 2808 Pckppl32.exe 2864 Fgdbnmji.exe 2268 Fajgkfio.exe 3944 Fhdohp32.exe 1748 Fielph32.exe 800 Fdkpma32.exe 3804 Gigheh32.exe 2432 Gdmmbq32.exe 1836 Ggpbjkpl.exe 1320 Gphgbafl.exe 3184 Gknkpjfb.exe 4656 Gahcmd32.exe 3448 Hgelek32.exe 1592 Hdilnojp.exe 3532 Hammhcij.exe 2204 Hgiepjga.exe 4988 Hncmmd32.exe 4088 Hglaej32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Egnchd32.exe Eemgplno.exe File created C:\Windows\SysWOW64\Debcil32.dll Noppeaed.exe File opened for modification C:\Windows\SysWOW64\Qcnjijoe.exe Qapnmopa.exe File opened for modification C:\Windows\SysWOW64\Nfiagd32.exe Ncjdki32.exe File created C:\Windows\SysWOW64\Cieonn32.dll Pmhkflnj.exe File opened for modification C:\Windows\SysWOW64\Gnepna32.exe Gemkelcd.exe File created C:\Windows\SysWOW64\Bphgeo32.exe Bpfkpp32.exe File created C:\Windows\SysWOW64\Hbnckkha.dll Edeeci32.exe File created C:\Windows\SysWOW64\Cbkfbcpb.exe Cpljehpo.exe File created C:\Windows\SysWOW64\Pomgjn32.exe Iigdfa32.exe File created C:\Windows\SysWOW64\Fbdnne32.exe Fkjfakng.exe File created C:\Windows\SysWOW64\Igmoih32.exe Iabglnco.exe File created C:\Windows\SysWOW64\Ffclcgfn.exe Fdepgkgj.exe File created C:\Windows\SysWOW64\Fdglmkeg.exe Ffclcgfn.exe File opened for modification C:\Windows\SysWOW64\Eoideh32.exe Eecphp32.exe File created C:\Windows\SysWOW64\Kbblcj32.dll Enpmld32.exe File opened for modification C:\Windows\SysWOW64\Gdknpp32.exe Gnaecedp.exe File opened for modification C:\Windows\SysWOW64\Hchqbkkm.exe Haidfpki.exe File created C:\Windows\SysWOW64\Fjjjgh32.exe Fcpakn32.exe File created C:\Windows\SysWOW64\Kblpcndd.exe Khfkfedn.exe File opened for modification C:\Windows\SysWOW64\Abgjkpll.exe Apimodmh.exe File opened for modification C:\Windows\SysWOW64\Iklgah32.exe Idbodn32.exe File opened for modification C:\Windows\SysWOW64\Cacckp32.exe Coegoe32.exe File opened for modification C:\Windows\SysWOW64\Kekbjo32.exe Kcmfnd32.exe File opened for modification C:\Windows\SysWOW64\Oiagde32.exe Ooibkpmi.exe File created C:\Windows\SysWOW64\Lckggdbo.dll Iiopca32.exe File created C:\Windows\SysWOW64\Naagioah.dll Nbnlaldg.exe File opened for modification C:\Windows\SysWOW64\Nciopppp.exe Mlofcf32.exe File created C:\Windows\SysWOW64\Iocmhlca.dll Bmdkcnie.exe File created C:\Windows\SysWOW64\Epaaihpg.dll Iecmhlhb.exe File opened for modification C:\Windows\SysWOW64\Iajmmm32.exe Inkaqb32.exe File created C:\Windows\SysWOW64\Fpgpgfmh.exe Fimhjl32.exe File created C:\Windows\SysWOW64\Iomoenej.exe Iedjmioj.exe File created C:\Windows\SysWOW64\Bcoaln32.dll Eklajcmc.exe File created C:\Windows\SysWOW64\Gbbajjlp.exe Gpdennml.exe File created C:\Windows\SysWOW64\Fnbcgn32.exe Eghkjdoa.exe File created C:\Windows\SysWOW64\Eibmbgdm.dll Gndick32.exe File created C:\Windows\SysWOW64\Fhcbhh32.dll Qcnjijoe.exe File created C:\Windows\SysWOW64\Dmncdk32.dll Bphgeo32.exe File created C:\Windows\SysWOW64\Fkaokcqj.dll Mfnhfm32.exe File opened for modification C:\Windows\SysWOW64\Cdjblf32.exe Cienon32.exe File created C:\Windows\SysWOW64\Moqkim32.dll Hdpbon32.exe File created C:\Windows\SysWOW64\Cohddjgl.dll Pcegclgp.exe File opened for modification C:\Windows\SysWOW64\Gdgdeppb.exe Gnmlhf32.exe File created C:\Windows\SysWOW64\Dpchag32.dll Inkaqb32.exe File created C:\Windows\SysWOW64\Pkholi32.exe Pdngpo32.exe File created C:\Windows\SysWOW64\Gqnejaff.exe Gjcmngnj.exe File created C:\Windows\SysWOW64\Mhegobpi.dll Iomoenej.exe File created C:\Windows\SysWOW64\Hikemehi.dll Cdimqm32.exe File opened for modification C:\Windows\SysWOW64\Dqnjgl32.exe Ddgibkpc.exe File created C:\Windows\SysWOW64\Icbcjhfb.dll Opbean32.exe File created C:\Windows\SysWOW64\Bhcmal32.dll Modpib32.exe File created C:\Windows\SysWOW64\Anijgd32.dll Edoencdm.exe File created C:\Windows\SysWOW64\Pffgom32.exe Pjpfjl32.exe File opened for modification C:\Windows\SysWOW64\Caojpaij.exe Cgifbhid.exe File created C:\Windows\SysWOW64\Aobmce32.dll Feqeog32.exe File opened for modification C:\Windows\SysWOW64\Ledoegkm.exe Lbebilli.exe File created C:\Windows\SysWOW64\Haaggn32.dll Bfoegm32.exe File created C:\Windows\SysWOW64\Ghdief32.dll Lgjijmin.exe File created C:\Windows\SysWOW64\Goniok32.dll Iialhaad.exe File created C:\Windows\SysWOW64\Hnhkdd32.exe Hkjohi32.exe File created C:\Windows\SysWOW64\Omaeem32.exe Ofgmib32.exe File created C:\Windows\SysWOW64\Dmoohe32.exe Ahcajk32.exe File opened for modification C:\Windows\SysWOW64\Jhoeef32.exe Jogqlpde.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11624 11488 WerFault.exe 719 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgiepjga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll" Apodoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mapppn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll" Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgihop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacdhhjj.dll" Fggdpnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofobm32.dll" Fcbnpnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll" Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcoaln32.dll" Eklajcmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhehh32.dll" Abcgjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpopbepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfodpbqp.dll" Hgapmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnbgaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgnoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll" Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koonge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obnnnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijlgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blnjecfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbfldf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hioflcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmenm32.dll" Ibegfglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpijjbj.dll" Odbgdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpemkcck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdjlcnk.dll" Gcghkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfppoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bemlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coppbe32.dll" Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khgbqkhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlofcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kminigbj.dll" Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfamlaff.dll" Ilkhog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncmhko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niojoeel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gggmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnfbijk.dll" Kdmlkfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkenjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amcehdod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iimcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealadnik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll" Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjhmbihg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggepalof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbijgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll" Ncmaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomjicei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjhbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddhomdje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kedlip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnqcfjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mafofggd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcncodki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll" Pmjhlklg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iohjlmeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejalcgkg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2384 wrote to memory of 1800 2384 NEAS.a08965908ab265e12d53f2a665cc4430.exe 85 PID 2384 wrote to memory of 1800 2384 NEAS.a08965908ab265e12d53f2a665cc4430.exe 85 PID 2384 wrote to memory of 1800 2384 NEAS.a08965908ab265e12d53f2a665cc4430.exe 85 PID 1800 wrote to memory of 4108 1800 Aqncedbp.exe 86 PID 1800 wrote to memory of 4108 1800 Aqncedbp.exe 86 PID 1800 wrote to memory of 4108 1800 Aqncedbp.exe 86 PID 4108 wrote to memory of 3920 4108 Ajfhnjhq.exe 87 PID 4108 wrote to memory of 3920 4108 Ajfhnjhq.exe 87 PID 4108 wrote to memory of 3920 4108 Ajfhnjhq.exe 87 PID 3920 wrote to memory of 4104 3920 Acnlgp32.exe 88 PID 3920 wrote to memory of 4104 3920 Acnlgp32.exe 88 PID 3920 wrote to memory of 4104 3920 Acnlgp32.exe 88 PID 4104 wrote to memory of 5064 4104 Andqdh32.exe 89 PID 4104 wrote to memory of 5064 4104 Andqdh32.exe 89 PID 4104 wrote to memory of 5064 4104 Andqdh32.exe 89 PID 5064 wrote to memory of 1848 5064 Ajkaii32.exe 90 PID 5064 wrote to memory of 1848 5064 Ajkaii32.exe 90 PID 5064 wrote to memory of 1848 5064 Ajkaii32.exe 90 PID 1848 wrote to memory of 2804 1848 Aadifclh.exe 91 PID 1848 wrote to memory of 2804 1848 Aadifclh.exe 91 PID 1848 wrote to memory of 2804 1848 Aadifclh.exe 91 PID 2804 wrote to memory of 4884 2804 Bjmnoi32.exe 92 PID 2804 wrote to memory of 4884 2804 Bjmnoi32.exe 92 PID 2804 wrote to memory of 4884 2804 Bjmnoi32.exe 92 PID 4884 wrote to memory of 3568 4884 Bebblb32.exe 94 PID 4884 wrote to memory of 3568 4884 Bebblb32.exe 94 PID 4884 wrote to memory of 3568 4884 Bebblb32.exe 94 PID 3568 wrote to memory of 3272 3568 Bnkgeg32.exe 95 PID 3568 wrote to memory of 3272 3568 Bnkgeg32.exe 95 PID 3568 wrote to memory of 3272 3568 Bnkgeg32.exe 95 PID 3272 wrote to memory of 4864 3272 Bchomn32.exe 96 PID 3272 wrote to memory of 4864 3272 Bchomn32.exe 96 PID 3272 wrote to memory of 4864 3272 Bchomn32.exe 96 PID 4864 wrote to memory of 892 4864 Bnpppgdj.exe 98 PID 4864 wrote to memory of 892 4864 Bnpppgdj.exe 98 PID 4864 wrote to memory of 892 4864 Bnpppgdj.exe 98 PID 892 wrote to memory of 3932 892 Bhhdil32.exe 99 PID 892 wrote to memory of 3932 892 Bhhdil32.exe 99 PID 892 wrote to memory of 3932 892 Bhhdil32.exe 99 PID 3932 wrote to memory of 2436 3932 Bnbmefbg.exe 100 PID 3932 wrote to memory of 2436 3932 Bnbmefbg.exe 100 PID 3932 wrote to memory of 2436 3932 Bnbmefbg.exe 100 PID 2436 wrote to memory of 3800 2436 Cfmajipb.exe 101 PID 2436 wrote to memory of 3800 2436 Cfmajipb.exe 101 PID 2436 wrote to memory of 3800 2436 Cfmajipb.exe 101 PID 3800 wrote to memory of 868 3800 Cabfga32.exe 102 PID 3800 wrote to memory of 868 3800 Cabfga32.exe 102 PID 3800 wrote to memory of 868 3800 Cabfga32.exe 102 PID 868 wrote to memory of 1516 868 Cnffqf32.exe 103 PID 868 wrote to memory of 1516 868 Cnffqf32.exe 103 PID 868 wrote to memory of 1516 868 Cnffqf32.exe 103 PID 1516 wrote to memory of 2560 1516 Ceqnmpfo.exe 104 PID 1516 wrote to memory of 2560 1516 Ceqnmpfo.exe 104 PID 1516 wrote to memory of 2560 1516 Ceqnmpfo.exe 104 PID 2560 wrote to memory of 3964 2560 Cmlcbbcj.exe 105 PID 2560 wrote to memory of 3964 2560 Cmlcbbcj.exe 105 PID 2560 wrote to memory of 3964 2560 Cmlcbbcj.exe 105 PID 3964 wrote to memory of 2280 3964 Cfdhkhjj.exe 106 PID 3964 wrote to memory of 2280 3964 Cfdhkhjj.exe 106 PID 3964 wrote to memory of 2280 3964 Cfdhkhjj.exe 106 PID 2280 wrote to memory of 3356 2280 Cdhhdlid.exe 108 PID 2280 wrote to memory of 3356 2280 Cdhhdlid.exe 108 PID 2280 wrote to memory of 3356 2280 Cdhhdlid.exe 108 PID 3356 wrote to memory of 4772 3356 Ddjejl32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.a08965908ab265e12d53f2a665cc4430.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.a08965908ab265e12d53f2a665cc4430.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe23⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe24⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe25⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe26⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe27⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe28⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe30⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe33⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe34⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4116 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe36⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4620 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe38⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe39⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe40⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe41⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe42⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe43⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe45⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe46⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe47⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe48⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe49⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe50⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe52⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe53⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe55⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe56⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe57⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe58⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe59⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe60⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe61⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe62⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe64⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe65⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe66⤵PID:4756
-
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe67⤵
- Drops file in System32 directory
PID:4308 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe68⤵
- Modifies registry class
PID:3620 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe69⤵
- Drops file in System32 directory
PID:3736 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe70⤵PID:212
-
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe71⤵PID:5004
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe72⤵
- Modifies registry class
PID:4932 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe74⤵PID:960
-
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe75⤵PID:4876
-
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe76⤵PID:1324
-
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe77⤵PID:4520
-
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe78⤵PID:4432
-
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe79⤵PID:1976
-
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe80⤵PID:3080
-
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe81⤵PID:1920
-
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe82⤵PID:4484
-
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe83⤵PID:3848
-
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe84⤵PID:2776
-
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4616 -
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe86⤵PID:4916
-
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe87⤵PID:2872
-
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe88⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe89⤵
- Drops file in System32 directory
PID:4220 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe90⤵PID:208
-
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe91⤵PID:3240
-
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe92⤵PID:1812
-
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe93⤵PID:4708
-
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe95⤵PID:380
-
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe96⤵PID:1560
-
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe97⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe98⤵PID:4872
-
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe99⤵PID:4436
-
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe100⤵PID:5132
-
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Lgjijmin.exeC:\Windows\system32\Lgjijmin.exe102⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe103⤵PID:5268
-
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe104⤵PID:5312
-
C:\Windows\SysWOW64\Mglfplgk.exeC:\Windows\system32\Mglfplgk.exe105⤵PID:5436
-
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe106⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe107⤵PID:5532
-
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe108⤵PID:5580
-
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe109⤵PID:5620
-
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe110⤵PID:5680
-
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe111⤵PID:5732
-
C:\Windows\SysWOW64\Eicedn32.exeC:\Windows\system32\Eicedn32.exe112⤵PID:5796
-
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe113⤵PID:5840
-
C:\Windows\SysWOW64\Enpmld32.exeC:\Windows\system32\Enpmld32.exe114⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe115⤵PID:5948
-
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe116⤵PID:5996
-
C:\Windows\SysWOW64\Fmcjpl32.exeC:\Windows\system32\Fmcjpl32.exe117⤵PID:6036
-
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe118⤵PID:6080
-
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe119⤵PID:6124
-
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe120⤵PID:5124
-
C:\Windows\SysWOW64\Fpdcag32.exeC:\Windows\system32\Fpdcag32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-