Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 19:57
Behavioral task
behavioral1
Sample
NEAS.8c4439aa079a2879352d63360ab9c510.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.8c4439aa079a2879352d63360ab9c510.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.8c4439aa079a2879352d63360ab9c510.exe
-
Size
143KB
-
MD5
8c4439aa079a2879352d63360ab9c510
-
SHA1
d90d10a0790538911a703feb942f4a6633bf3d37
-
SHA256
d7131a70dcfb9f70a8058e07b54ef8c98b6f2615d4cb47cd70c601c79e6d8bcd
-
SHA512
e8f02d3e9475c5674337307f480784dc1e7e407f6d2864bc29458ce309bb7051d71ee1f4e27f328f4eb79dbd50c444d7384384c6c6b5c0f6886330215b3821da
-
SSDEEP
1536:M028myC3Zdw1f7t22SSfUQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:MH8U3TwG2df3N93bsGfhv0vt3y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaoaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioolkncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkdjofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boflmdkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njjdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbanbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmfbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoeieolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfkbde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomoenej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfkbde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adkgje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhgjaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffclcgfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chiigadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmlkhofd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmaea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbcplpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdemd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdnid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodjjimm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fneggdhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmggfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeheqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeelnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpofl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odoogi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfcfmlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfjcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfeaopqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johnamkm.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/5068-0-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/3640-7-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0008000000022df8-8.dat family_berbew behavioral2/files/0x0008000000022df8-6.dat family_berbew behavioral2/files/0x0007000000022e0c-15.dat family_berbew behavioral2/memory/4364-17-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022e0c-14.dat family_berbew behavioral2/files/0x0006000000022e17-22.dat family_berbew behavioral2/memory/416-24-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e17-23.dat family_berbew behavioral2/files/0x0006000000022e19-25.dat family_berbew behavioral2/files/0x0006000000022e19-30.dat family_berbew behavioral2/memory/4572-31-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e19-32.dat family_berbew behavioral2/files/0x0006000000022e1b-38.dat family_berbew behavioral2/memory/3856-39-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1b-40.dat family_berbew behavioral2/files/0x0006000000022e1d-46.dat family_berbew behavioral2/files/0x0006000000022e1d-48.dat family_berbew behavioral2/memory/2524-47-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1f-54.dat family_berbew behavioral2/memory/1692-56-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1f-55.dat family_berbew behavioral2/files/0x0006000000022e22-63.dat family_berbew behavioral2/files/0x0006000000022e22-62.dat family_berbew behavioral2/memory/400-64-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e25-70.dat family_berbew behavioral2/files/0x0006000000022e25-72.dat family_berbew behavioral2/memory/4952-71-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e28-73.dat family_berbew behavioral2/files/0x0006000000022e28-78.dat family_berbew behavioral2/memory/5100-79-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e28-80.dat family_berbew behavioral2/files/0x0008000000022dfe-86.dat family_berbew behavioral2/files/0x0008000000022dfe-87.dat family_berbew behavioral2/memory/4928-88-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2c-94.dat family_berbew behavioral2/memory/904-96-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2c-95.dat family_berbew behavioral2/files/0x0006000000022e2e-102.dat family_berbew behavioral2/memory/4620-104-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2e-103.dat family_berbew behavioral2/files/0x0006000000022e31-110.dat family_berbew behavioral2/files/0x0006000000022e31-112.dat family_berbew behavioral2/memory/2804-111-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e33-118.dat family_berbew behavioral2/memory/1300-119-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e33-120.dat family_berbew behavioral2/files/0x0006000000022e35-127.dat family_berbew behavioral2/files/0x0006000000022e35-126.dat family_berbew behavioral2/memory/3780-128-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e37-134.dat family_berbew behavioral2/memory/4660-135-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e37-136.dat family_berbew behavioral2/files/0x0006000000022e39-143.dat family_berbew behavioral2/memory/2676-148-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e39-142.dat family_berbew behavioral2/files/0x0006000000022e3b-150.dat family_berbew behavioral2/memory/2580-151-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3b-152.dat family_berbew behavioral2/files/0x0006000000022e3d-158.dat family_berbew behavioral2/memory/2552-159-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3d-160.dat family_berbew behavioral2/files/0x0006000000022e3f-168.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3640 Nefped32.exe 4364 Okchnk32.exe 416 Oehlkc32.exe 4572 Okedcjcm.exe 3856 Okgaijaj.exe 2524 Oemefcap.exe 1692 Okjnnj32.exe 400 Oadfkdgd.exe 4952 Oafcqcea.exe 5100 Pcepkfld.exe 4928 Pakllc32.exe 904 Plpqil32.exe 4620 Pamiaboj.exe 2804 Plbmokop.exe 1300 Phincl32.exe 3780 Pabblb32.exe 4660 Qlggjk32.exe 2676 Qepkbpak.exe 2580 Qljcoj32.exe 2552 Ahqddk32.exe 3944 Aojlaeei.exe 1132 Afgacokc.exe 3352 Ackbmcjl.exe 4484 Ajdjin32.exe 936 Aoabad32.exe 2204 Akhcfe32.exe 3928 Bfngdn32.exe 1380 Boflmdkk.exe 5056 Bfpdin32.exe 2252 Bohibc32.exe 3832 Bfbaonae.exe 836 Bhcjqinf.exe 1980 Bombmcec.exe 1824 Bjbfklei.exe 4020 Bkdcbd32.exe 3196 Cjecpkcg.exe 3120 Ccmgiaig.exe 4208 Cmflbf32.exe 2844 Cbbdjm32.exe 4412 Ckkiccep.exe 3772 Cbeapmll.exe 3080 Cioilg32.exe 1964 Coiaiakf.exe 2620 Ckpbnb32.exe 3056 Dbjkkl32.exe 2004 Dmoohe32.exe 3784 Difpmfna.exe 3540 Dkdliame.exe 3484 Dmfeidbe.exe 1312 Dcpmen32.exe 740 Djjebh32.exe 404 Dlkbjqgm.exe 2904 Ebejfk32.exe 5032 Emkndc32.exe 4468 Ecefqnel.exe 5092 Emmkiclm.exe 1008 Ebjcajjd.exe 4828 Epndknin.exe 2840 Eblpgjha.exe 2276 Eleepoob.exe 216 Ejfeng32.exe 4564 Fcniglmb.exe 4344 Fikbocki.exe 3172 Fpejlmcf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iibjhgbi.dll Bahkih32.exe File created C:\Windows\SysWOW64\Njhgbp32.exe Npbceggm.exe File created C:\Windows\SysWOW64\Jcleff32.dll Npbceggm.exe File opened for modification C:\Windows\SysWOW64\Boihcf32.exe Bhpofl32.exe File created C:\Windows\SysWOW64\Jppadk32.dll Okchnk32.exe File created C:\Windows\SysWOW64\Fnnhjlpl.dll Oadfkdgd.exe File created C:\Windows\SysWOW64\Qhkdof32.exe Pocpfphe.exe File created C:\Windows\SysWOW64\Cfpffeaj.exe Cofnik32.exe File created C:\Windows\SysWOW64\Ncqlkemc.exe Njhgbp32.exe File opened for modification C:\Windows\SysWOW64\Knfeeimj.exe Kglmio32.exe File opened for modification C:\Windows\SysWOW64\Omegjomb.exe Ojgjndno.exe File created C:\Windows\SysWOW64\Bkjiao32.exe Bdpaeehj.exe File opened for modification C:\Windows\SysWOW64\Ddligq32.exe Dooaoj32.exe File created C:\Windows\SysWOW64\Ekkkoj32.exe Eiloco32.exe File opened for modification C:\Windows\SysWOW64\Fefedmil.exe Flmqlg32.exe File opened for modification C:\Windows\SysWOW64\Cnfkdb32.exe Cglbhhga.exe File created C:\Windows\SysWOW64\Fppcajgd.dll Cmflbf32.exe File opened for modification C:\Windows\SysWOW64\Nnicid32.exe Nhokljge.exe File created C:\Windows\SysWOW64\Ibknda32.dll Bklfgo32.exe File created C:\Windows\SysWOW64\Omnjojpo.exe Nfcabp32.exe File opened for modification C:\Windows\SysWOW64\Chnlgjlb.exe Cpfcfmlp.exe File opened for modification C:\Windows\SysWOW64\Dkdliame.exe Difpmfna.exe File created C:\Windows\SysWOW64\Mmkkmc32.exe Mkjnfkma.exe File opened for modification C:\Windows\SysWOW64\Gfeaopqo.exe Fpkibf32.exe File created C:\Windows\SysWOW64\Onlche32.dll Nenbjo32.exe File created C:\Windows\SysWOW64\Adkgje32.exe Anaomkdb.exe File created C:\Windows\SysWOW64\Baadiiif.exe Akglloai.exe File opened for modification C:\Windows\SysWOW64\Lfbped32.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Jlobem32.dll Cdimqm32.exe File created C:\Windows\SysWOW64\Pakllc32.exe Pcepkfld.exe File created C:\Windows\SysWOW64\Piiqdm32.dll Dkdliame.exe File created C:\Windows\SysWOW64\Hmlpaoaj.exe Gkmdecbg.exe File opened for modification C:\Windows\SysWOW64\Okchnk32.exe Nefped32.exe File created C:\Windows\SysWOW64\Kcndbp32.exe Kqphfe32.exe File opened for modification C:\Windows\SysWOW64\Oloahhki.exe Oeehkn32.exe File opened for modification C:\Windows\SysWOW64\Meepdp32.exe Mebcop32.exe File created C:\Windows\SysWOW64\Miongake.dll Neclenfo.exe File opened for modification C:\Windows\SysWOW64\Lflbkcll.exe Lcnfohmi.exe File created C:\Windows\SysWOW64\Ekbmje32.dll Apmhiq32.exe File opened for modification C:\Windows\SysWOW64\Hgmgqc32.exe Hmechmip.exe File opened for modification C:\Windows\SysWOW64\Pmaffnce.exe Pkbjjbda.exe File created C:\Windows\SysWOW64\Lcnfohmi.exe Lmdnbn32.exe File opened for modification C:\Windows\SysWOW64\Jnelok32.exe Jgkdbacp.exe File created C:\Windows\SysWOW64\Oeheqm32.exe Onnmdcjm.exe File opened for modification C:\Windows\SysWOW64\Pjmjdm32.exe Phonha32.exe File created C:\Windows\SysWOW64\Afbgkl32.exe Adcjop32.exe File created C:\Windows\SysWOW64\Kolfbd32.dll Bpkdjofm.exe File created C:\Windows\SysWOW64\Gpaoobkd.dll Ckkiccep.exe File created C:\Windows\SysWOW64\Cioilg32.exe Cbeapmll.exe File opened for modification C:\Windows\SysWOW64\Fbfcmhpg.exe Fllkqn32.exe File opened for modification C:\Windows\SysWOW64\Lcimdh32.exe Llodgnja.exe File opened for modification C:\Windows\SysWOW64\Bjbfklei.exe Bombmcec.exe File opened for modification C:\Windows\SysWOW64\Mkjnfkma.exe Mepfiq32.exe File created C:\Windows\SysWOW64\Hffpdd32.dll Phfjcf32.exe File created C:\Windows\SysWOW64\Hfhgkmpj.exe Hpnoncim.exe File opened for modification C:\Windows\SysWOW64\Iepaaico.exe Hoeieolb.exe File created C:\Windows\SysWOW64\Jbofpe32.dll Njmqnobn.exe File created C:\Windows\SysWOW64\Lcnmin32.exe Lmdemd32.exe File opened for modification C:\Windows\SysWOW64\Bafndi32.exe Bklfgo32.exe File created C:\Windows\SysWOW64\Fefedmil.exe Flmqlg32.exe File opened for modification C:\Windows\SysWOW64\Aajohjon.exe Akqfkp32.exe File opened for modification C:\Windows\SysWOW64\Hifcgion.exe Hfhgkmpj.exe File opened for modification C:\Windows\SysWOW64\Dgcihgaj.exe Dpiplm32.exe File created C:\Windows\SysWOW64\Eleeje32.dll Lcjcnoej.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10504 10388 WerFault.exe 525 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgaiiq32.dll" Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oafcqcea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlkbjqgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omjpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll" Cnhgjaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdliee32.dll" Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpejlmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inqbclob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odmbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeaanjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckeimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kggcnoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmddqemj.dll" Odoogi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqqpck32.dll" Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofbdcmb.dll" Pcepkfld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmpbqoqg.dll" Coiaiakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll" Qhkdof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojhpimhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmbanbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll" Cogddd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faikapbo.dll" Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mociom32.dll" Iknmla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilmjcon.dll" Lggldm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeelnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoeieolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faimhjhp.dll" Eleepoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkldkg32.dll" Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeifngp.dll" Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmbmpbk.dll" Oloahhki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll" Mnjqmpgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahaceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijnmaj32.dll" Pamiaboj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbfcmhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcbhah32.dll" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpiplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoabad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdbplg32.dll" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhpfqcln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjooo32.dll" Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdpoaed.dll" Okgaijaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfqknfm.dll" Lfjfecno.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5068 wrote to memory of 3640 5068 NEAS.8c4439aa079a2879352d63360ab9c510.exe 86 PID 5068 wrote to memory of 3640 5068 NEAS.8c4439aa079a2879352d63360ab9c510.exe 86 PID 5068 wrote to memory of 3640 5068 NEAS.8c4439aa079a2879352d63360ab9c510.exe 86 PID 3640 wrote to memory of 4364 3640 Nefped32.exe 87 PID 3640 wrote to memory of 4364 3640 Nefped32.exe 87 PID 3640 wrote to memory of 4364 3640 Nefped32.exe 87 PID 4364 wrote to memory of 416 4364 Okchnk32.exe 88 PID 4364 wrote to memory of 416 4364 Okchnk32.exe 88 PID 4364 wrote to memory of 416 4364 Okchnk32.exe 88 PID 416 wrote to memory of 4572 416 Oehlkc32.exe 90 PID 416 wrote to memory of 4572 416 Oehlkc32.exe 90 PID 416 wrote to memory of 4572 416 Oehlkc32.exe 90 PID 4572 wrote to memory of 3856 4572 Okedcjcm.exe 91 PID 4572 wrote to memory of 3856 4572 Okedcjcm.exe 91 PID 4572 wrote to memory of 3856 4572 Okedcjcm.exe 91 PID 3856 wrote to memory of 2524 3856 Okgaijaj.exe 92 PID 3856 wrote to memory of 2524 3856 Okgaijaj.exe 92 PID 3856 wrote to memory of 2524 3856 Okgaijaj.exe 92 PID 2524 wrote to memory of 1692 2524 Oemefcap.exe 93 PID 2524 wrote to memory of 1692 2524 Oemefcap.exe 93 PID 2524 wrote to memory of 1692 2524 Oemefcap.exe 93 PID 1692 wrote to memory of 400 1692 Okjnnj32.exe 94 PID 1692 wrote to memory of 400 1692 Okjnnj32.exe 94 PID 1692 wrote to memory of 400 1692 Okjnnj32.exe 94 PID 400 wrote to memory of 4952 400 Oadfkdgd.exe 95 PID 400 wrote to memory of 4952 400 Oadfkdgd.exe 95 PID 400 wrote to memory of 4952 400 Oadfkdgd.exe 95 PID 4952 wrote to memory of 5100 4952 Oafcqcea.exe 96 PID 4952 wrote to memory of 5100 4952 Oafcqcea.exe 96 PID 4952 wrote to memory of 5100 4952 Oafcqcea.exe 96 PID 5100 wrote to memory of 4928 5100 Pcepkfld.exe 97 PID 5100 wrote to memory of 4928 5100 Pcepkfld.exe 97 PID 5100 wrote to memory of 4928 5100 Pcepkfld.exe 97 PID 4928 wrote to memory of 904 4928 Pakllc32.exe 99 PID 4928 wrote to memory of 904 4928 Pakllc32.exe 99 PID 4928 wrote to memory of 904 4928 Pakllc32.exe 99 PID 904 wrote to memory of 4620 904 Plpqil32.exe 100 PID 904 wrote to memory of 4620 904 Plpqil32.exe 100 PID 904 wrote to memory of 4620 904 Plpqil32.exe 100 PID 4620 wrote to memory of 2804 4620 Pamiaboj.exe 101 PID 4620 wrote to memory of 2804 4620 Pamiaboj.exe 101 PID 4620 wrote to memory of 2804 4620 Pamiaboj.exe 101 PID 2804 wrote to memory of 1300 2804 Plbmokop.exe 102 PID 2804 wrote to memory of 1300 2804 Plbmokop.exe 102 PID 2804 wrote to memory of 1300 2804 Plbmokop.exe 102 PID 1300 wrote to memory of 3780 1300 Phincl32.exe 103 PID 1300 wrote to memory of 3780 1300 Phincl32.exe 103 PID 1300 wrote to memory of 3780 1300 Phincl32.exe 103 PID 3780 wrote to memory of 4660 3780 Pabblb32.exe 104 PID 3780 wrote to memory of 4660 3780 Pabblb32.exe 104 PID 3780 wrote to memory of 4660 3780 Pabblb32.exe 104 PID 4660 wrote to memory of 2676 4660 Qlggjk32.exe 105 PID 4660 wrote to memory of 2676 4660 Qlggjk32.exe 105 PID 4660 wrote to memory of 2676 4660 Qlggjk32.exe 105 PID 2676 wrote to memory of 2580 2676 Qepkbpak.exe 106 PID 2676 wrote to memory of 2580 2676 Qepkbpak.exe 106 PID 2676 wrote to memory of 2580 2676 Qepkbpak.exe 106 PID 2580 wrote to memory of 2552 2580 Qljcoj32.exe 107 PID 2580 wrote to memory of 2552 2580 Qljcoj32.exe 107 PID 2580 wrote to memory of 2552 2580 Qljcoj32.exe 107 PID 2552 wrote to memory of 3944 2552 Ahqddk32.exe 108 PID 2552 wrote to memory of 3944 2552 Ahqddk32.exe 108 PID 2552 wrote to memory of 3944 2552 Ahqddk32.exe 108 PID 3944 wrote to memory of 1132 3944 Aojlaeei.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.8c4439aa079a2879352d63360ab9c510.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.8c4439aa079a2879352d63360ab9c510.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3352 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe27⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe28⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe30⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe31⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe32⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe33⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe35⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe36⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe37⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe38⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4208 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe40⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4412 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3772 -
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe43⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe45⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe46⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe47⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3784 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3540 -
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe50⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe51⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe54⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe55⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe56⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe57⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe58⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe59⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe62⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe63⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:3172 -
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe66⤵PID:3644
-
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe67⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe68⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe69⤵PID:4080
-
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe70⤵PID:2496
-
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1152 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe72⤵PID:1212
-
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe73⤵PID:1248
-
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe74⤵PID:2864
-
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1240 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe76⤵PID:5132
-
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe77⤵PID:5172
-
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe78⤵PID:5216
-
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5256 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe80⤵PID:5296
-
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe81⤵PID:5364
-
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe82⤵PID:5424
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe83⤵
- Drops file in System32 directory
PID:5480 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe84⤵PID:5528
-
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe85⤵PID:5580
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe86⤵PID:5636
-
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe87⤵PID:5684
-
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe88⤵PID:5744
-
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe89⤵PID:5792
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe90⤵PID:5840
-
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe91⤵
- Modifies registry class
PID:5892 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe92⤵
- Drops file in System32 directory
PID:5944 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe93⤵PID:5988
-
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe94⤵
- Modifies registry class
PID:6032 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe95⤵PID:6076
-
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe96⤵PID:6120
-
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe97⤵PID:5140
-
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe98⤵PID:5196
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe99⤵
- Modifies registry class
PID:5288 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe100⤵PID:5408
-
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe101⤵PID:5488
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5572 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe103⤵PID:5660
-
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe104⤵PID:5736
-
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe105⤵PID:5772
-
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe106⤵
- Modifies registry class
PID:5872 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe107⤵PID:5984
-
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe108⤵PID:6020
-
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe109⤵PID:6100
-
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe110⤵PID:5148
-
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5264 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe112⤵PID:5432
-
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe113⤵PID:5536
-
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5700 -
C:\Windows\SysWOW64\Jkimho32.exeC:\Windows\system32\Jkimho32.exe115⤵PID:5804
-
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe116⤵PID:5940
-
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe117⤵PID:6044
-
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4228 -
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe119⤵PID:5124
-
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe120⤵PID:5516
-
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe121⤵PID:5696
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-