Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2023 22:36
Behavioral task
behavioral1
Sample
NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe
-
Size
143KB
-
MD5
f8dca8f94af44bc9be469b5e21efd450
-
SHA1
b5a74642c68db3ee0c83e16c2b68561daec53656
-
SHA256
316d18e0be3d968056f38728dcc34c31b94a593cae05731e1ab1e39b0df9c477
-
SHA512
5a570274ce0706ddbf1e267b750842b8d1951dd025722405c84e59ce2c4e05ac6ab613ccfba3fd65e56b0797b1769e48979032978867aec0e9e33a5e993fefdd
-
SSDEEP
1536:8PsT0ct7sCaEjEzAKzi7yLLUQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:msT0esCjs4Ov3N93bsGfhv0vt3y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbicpfdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddjpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddcqedkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkicaahi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhecmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbanbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geaepk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcbohigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbohigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeheqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibgdlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkeekk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phdnngdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefphb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcjhkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnohlgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdheded.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naecop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdldn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaong32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phaahggp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injmcmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlhljhbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekmnajj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhenj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foclgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijegcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhkbfme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnlbojee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbfab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doaneiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidinqpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koajmepf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaajhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jahqiaeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niakfbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clchbqoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njciko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkgkapm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdoof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knooej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popbpqjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohkokgj.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2152-0-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-7.dat family_berbew behavioral2/files/0x00090000000222f4-6.dat family_berbew behavioral2/memory/2436-12-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0008000000022d21-14.dat family_berbew behavioral2/memory/4064-15-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0008000000022d21-16.dat family_berbew behavioral2/files/0x0007000000022d28-22.dat family_berbew behavioral2/memory/1572-23-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022d28-24.dat family_berbew behavioral2/files/0x0007000000022d2b-30.dat family_berbew behavioral2/memory/3512-31-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022d2b-32.dat family_berbew behavioral2/files/0x0007000000022d33-38.dat family_berbew behavioral2/memory/4100-39-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022d33-40.dat family_berbew behavioral2/files/0x0008000000022d3e-46.dat family_berbew behavioral2/memory/2416-47-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0008000000022d3e-48.dat family_berbew behavioral2/files/0x0007000000022e0e-54.dat family_berbew behavioral2/memory/2860-56-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022e0e-55.dat family_berbew behavioral2/files/0x0007000000022e10-63.dat family_berbew behavioral2/memory/4376-64-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022e10-62.dat family_berbew behavioral2/files/0x0007000000022e14-70.dat family_berbew behavioral2/files/0x0007000000022e14-71.dat family_berbew behavioral2/memory/4616-72-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022e17-77.dat family_berbew behavioral2/files/0x0007000000022e17-80.dat family_berbew behavioral2/memory/3224-79-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022e19-86.dat family_berbew behavioral2/memory/4000-88-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022e19-87.dat family_berbew behavioral2/files/0x0007000000022e1b-94.dat family_berbew behavioral2/memory/1452-95-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022e1b-96.dat family_berbew behavioral2/files/0x0006000000022e23-102.dat family_berbew behavioral2/memory/1088-104-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e23-103.dat family_berbew behavioral2/files/0x0006000000022e25-110.dat family_berbew behavioral2/files/0x0006000000022e25-112.dat family_berbew behavioral2/memory/4612-111-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e27-120.dat family_berbew behavioral2/memory/3272-119-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e27-118.dat family_berbew behavioral2/files/0x0008000000022e1f-126.dat family_berbew behavioral2/memory/4912-127-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0008000000022e1f-128.dat family_berbew behavioral2/files/0x0006000000022e2c-134.dat family_berbew behavioral2/memory/2960-135-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2c-136.dat family_berbew behavioral2/memory/4476-144-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022e29-143.dat family_berbew behavioral2/files/0x0007000000022e29-142.dat family_berbew behavioral2/files/0x0007000000022d48-150.dat family_berbew behavioral2/memory/4660-151-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000022d48-152.dat family_berbew behavioral2/files/0x0006000000022e2f-153.dat family_berbew behavioral2/files/0x0006000000022e2f-158.dat family_berbew behavioral2/files/0x0006000000022e2f-159.dat family_berbew behavioral2/memory/2948-160-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/940-172-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0006000000022e31-167.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2436 Menjdbgj.exe 4064 Npcoakfp.exe 1572 Npfkgjdn.exe 3512 Njnpppkn.exe 4100 Ncfdie32.exe 2416 Npjebj32.exe 2860 Njciko32.exe 4376 Ocnjidkf.exe 4616 Nipekiep.exe 3224 Bcbohigp.exe 4000 Ddcqedkk.exe 1452 Jjdjoane.exe 1088 Nbefdijg.exe 4612 Nkqkhk32.exe 3272 Niakfbpa.exe 4912 Oehlkc32.exe 2960 Oaompd32.exe 4476 Oklkdi32.exe 4660 Oafcqcea.exe 2948 Pojcjh32.exe 940 Pkadoiip.exe 4900 Phedhmhi.exe 1920 Pamiaboj.exe 1768 Pekbga32.exe 3496 Pocfpf32.exe 4004 Qlggjk32.exe 2868 Qadoba32.exe 3384 Qaflgago.exe 1668 Ajndioga.exe 4736 Aojlaeei.exe 2200 Alnmjjdb.exe 5100 Aoofle32.exe 4856 Abponp32.exe 1940 Abbkcpma.exe 2844 Bkkple32.exe 4572 Bljlfh32.exe 3584 Bbgeno32.exe 2124 Bbiado32.exe 1952 Bblnindg.exe 4444 Bmabggdm.exe 4768 Cfigpm32.exe 4880 Cobkhb32.exe 4652 Cjgpfk32.exe 4772 Ckilmcgb.exe 736 Dpbdopck.exe 1700 Dflmlj32.exe 1844 Eciplm32.exe 4012 Flinkojm.exe 3456 Fimodc32.exe 4172 Ffaong32.exe 1856 Fmkgkapm.exe 4828 Ffclcgfn.exe 5016 Fdglmkeg.exe 796 Fmpqfq32.exe 4180 Gfheof32.exe 452 Gmbmkpie.exe 2296 Gbdoof32.exe 1428 Gkkgpc32.exe 1552 Gbfldf32.exe 4916 Gipdap32.exe 2740 Hgdejd32.exe 1868 Hlambk32.exe 388 Hkbmqb32.exe 932 Hlcjhkdp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bcodim32.dll Jjdjoane.exe File opened for modification C:\Windows\SysWOW64\Qlggjk32.exe Pocfpf32.exe File created C:\Windows\SysWOW64\Mhaimehd.dll Bmabggdm.exe File opened for modification C:\Windows\SysWOW64\Aeaanjkl.exe Aogiap32.exe File opened for modification C:\Windows\SysWOW64\Bljlfh32.exe Bkkple32.exe File created C:\Windows\SysWOW64\Klbnajqc.exe Kidben32.exe File opened for modification C:\Windows\SysWOW64\Ohcegi32.exe Najmjokc.exe File created C:\Windows\SysWOW64\Pddhbipj.exe Paelfmaf.exe File opened for modification C:\Windows\SysWOW64\Cjgpfk32.exe Cobkhb32.exe File created C:\Windows\SysWOW64\Gdgiklme.dll Hlcjhkdp.exe File opened for modification C:\Windows\SysWOW64\Mkjnfkma.exe Madjhb32.exe File opened for modification C:\Windows\SysWOW64\Odoogi32.exe Omegjomb.exe File created C:\Windows\SysWOW64\Iphioh32.exe Injmcmej.exe File created C:\Windows\SysWOW64\Qmepam32.exe Pldcjeia.exe File opened for modification C:\Windows\SysWOW64\Jlhljhbg.exe Jjjpnlbd.exe File created C:\Windows\SysWOW64\Pcleml32.dll Jqknkedi.exe File created C:\Windows\SysWOW64\Omegjomb.exe Oldjcg32.exe File opened for modification C:\Windows\SysWOW64\Dfglfdkb.exe Domdjj32.exe File created C:\Windows\SysWOW64\Biepfnpi.dll Ipihpkkd.exe File opened for modification C:\Windows\SysWOW64\Ajndioga.exe Qaflgago.exe File created C:\Windows\SysWOW64\Lnohlgep.exe Lqkgbcff.exe File created C:\Windows\SysWOW64\Njkkbehl.exe Nhmofj32.exe File created C:\Windows\SysWOW64\Fkpiopih.dll Qmepam32.exe File opened for modification C:\Windows\SysWOW64\Ipihpkkd.exe Iiopca32.exe File created C:\Windows\SysWOW64\Pocfpf32.exe Pekbga32.exe File created C:\Windows\SysWOW64\Fimodc32.exe Flinkojm.exe File created C:\Windows\SysWOW64\Idfaefkd.exe Iknmla32.exe File created C:\Windows\SysWOW64\Bfdhdp32.dll Cjgpfk32.exe File created C:\Windows\SysWOW64\Bnfihkqm.exe Akglloai.exe File opened for modification C:\Windows\SysWOW64\Cdbfab32.exe Cnindhpg.exe File created C:\Windows\SysWOW64\Nbefdijg.exe Jjdjoane.exe File created C:\Windows\SysWOW64\Aeaanjkl.exe Aogiap32.exe File opened for modification C:\Windows\SysWOW64\Bdpaeehj.exe Bnfihkqm.exe File created C:\Windows\SysWOW64\Bhpfqcln.exe Bddjpd32.exe File created C:\Windows\SysWOW64\Gmfplibd.exe Geohklaa.exe File opened for modification C:\Windows\SysWOW64\Bnhenj32.exe Bkjiao32.exe File created C:\Windows\SysWOW64\Mfbhmo32.dll Bkjiao32.exe File created C:\Windows\SysWOW64\Lndagg32.exe Lkeekk32.exe File created C:\Windows\SysWOW64\Mjkblhfo.exe Mcqjon32.exe File opened for modification C:\Windows\SysWOW64\Bddjpd32.exe Bhnikc32.exe File opened for modification C:\Windows\SysWOW64\Ihdldn32.exe Iefphb32.exe File created C:\Windows\SysWOW64\Kckefh32.dll Pojcjh32.exe File created C:\Windows\SysWOW64\Kodoah32.dll Njkkbehl.exe File created C:\Windows\SysWOW64\Angdnk32.dll Ddgplado.exe File created C:\Windows\SysWOW64\Iiopca32.exe Iahgad32.exe File created C:\Windows\SysWOW64\Iahici32.dll Bdpaeehj.exe File opened for modification C:\Windows\SysWOW64\Bhpfqcln.exe Bddjpd32.exe File created C:\Windows\SysWOW64\Cihmlb32.dll Njnpppkn.exe File created C:\Windows\SysWOW64\Kqmfklog.dll Alkijdci.exe File created C:\Windows\SysWOW64\Nbalhp32.dll Bkobmnka.exe File opened for modification C:\Windows\SysWOW64\Clchbqoo.exe Cdlqqcnl.exe File created C:\Windows\SysWOW64\Iahgad32.exe Iojkeh32.exe File created C:\Windows\SysWOW64\Jppadk32.dll Niakfbpa.exe File created C:\Windows\SysWOW64\Ffclcgfn.exe Fmkgkapm.exe File created C:\Windows\SysWOW64\Gmimai32.exe Geaepk32.exe File created C:\Windows\SysWOW64\Gefchq32.dll Hlambk32.exe File opened for modification C:\Windows\SysWOW64\Hkbmqb32.exe Hlambk32.exe File created C:\Windows\SysWOW64\Njmhhefi.exe Nhokljge.exe File opened for modification C:\Windows\SysWOW64\Dmennnni.exe Dflfac32.exe File opened for modification C:\Windows\SysWOW64\Fmcjpl32.exe Felbnn32.exe File opened for modification C:\Windows\SysWOW64\Menjdbgj.exe NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe File created C:\Windows\SysWOW64\Hleoiomo.dll Kdigadjo.exe File opened for modification C:\Windows\SysWOW64\Bnfihkqm.exe Akglloai.exe File created C:\Windows\SysWOW64\Ncfdie32.exe Njnpppkn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 556 7480 WerFault.exe 364 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlijb32.dll" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdmqmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibepke32.dll" Kidben32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klbnajqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcelk32.dll" Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdief32.dll" Lkeekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbjebjh.dll" Pejkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eicedn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaajhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoofle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flinkojm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iphioh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkhkgplb.dll" Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eciplm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamamcop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddcqedkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckefh32.dll" Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpdhboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfcalbj.dll" Qhmqdemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbalopbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geaepk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjcohke.dll" Jahqiaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecqieiii.dll" Aojlaeei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmfplibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbbpmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfjkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjepjkhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Madjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkddhpn.dll" Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnhejgh.dll" Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbplml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jidinqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkfjo32.dll" Maiccajf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jahqiaeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll" Ilkoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhgac32.dll" Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikdcmpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Palbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefchq32.dll" Hlambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpiqfima.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll" Npfkgjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpcodihc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njkkbehl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojncj32.dll" Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enalem32.dll" Ibgdlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoiaikp.dll" Jidinqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflahpe.dll" Bbgeno32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2152 wrote to memory of 2436 2152 NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe 91 PID 2152 wrote to memory of 2436 2152 NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe 91 PID 2152 wrote to memory of 2436 2152 NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe 91 PID 2436 wrote to memory of 4064 2436 Menjdbgj.exe 92 PID 2436 wrote to memory of 4064 2436 Menjdbgj.exe 92 PID 2436 wrote to memory of 4064 2436 Menjdbgj.exe 92 PID 4064 wrote to memory of 1572 4064 Npcoakfp.exe 93 PID 4064 wrote to memory of 1572 4064 Npcoakfp.exe 93 PID 4064 wrote to memory of 1572 4064 Npcoakfp.exe 93 PID 1572 wrote to memory of 3512 1572 Npfkgjdn.exe 94 PID 1572 wrote to memory of 3512 1572 Npfkgjdn.exe 94 PID 1572 wrote to memory of 3512 1572 Npfkgjdn.exe 94 PID 3512 wrote to memory of 4100 3512 Njnpppkn.exe 95 PID 3512 wrote to memory of 4100 3512 Njnpppkn.exe 95 PID 3512 wrote to memory of 4100 3512 Njnpppkn.exe 95 PID 4100 wrote to memory of 2416 4100 Ncfdie32.exe 96 PID 4100 wrote to memory of 2416 4100 Ncfdie32.exe 96 PID 4100 wrote to memory of 2416 4100 Ncfdie32.exe 96 PID 2416 wrote to memory of 2860 2416 Npjebj32.exe 97 PID 2416 wrote to memory of 2860 2416 Npjebj32.exe 97 PID 2416 wrote to memory of 2860 2416 Npjebj32.exe 97 PID 2860 wrote to memory of 4376 2860 Njciko32.exe 98 PID 2860 wrote to memory of 4376 2860 Njciko32.exe 98 PID 2860 wrote to memory of 4376 2860 Njciko32.exe 98 PID 4376 wrote to memory of 4616 4376 Ocnjidkf.exe 99 PID 4376 wrote to memory of 4616 4376 Ocnjidkf.exe 99 PID 4376 wrote to memory of 4616 4376 Ocnjidkf.exe 99 PID 4616 wrote to memory of 3224 4616 Nipekiep.exe 100 PID 4616 wrote to memory of 3224 4616 Nipekiep.exe 100 PID 4616 wrote to memory of 3224 4616 Nipekiep.exe 100 PID 3224 wrote to memory of 4000 3224 Bcbohigp.exe 101 PID 3224 wrote to memory of 4000 3224 Bcbohigp.exe 101 PID 3224 wrote to memory of 4000 3224 Bcbohigp.exe 101 PID 4000 wrote to memory of 1452 4000 Ddcqedkk.exe 102 PID 4000 wrote to memory of 1452 4000 Ddcqedkk.exe 102 PID 4000 wrote to memory of 1452 4000 Ddcqedkk.exe 102 PID 1452 wrote to memory of 1088 1452 Jjdjoane.exe 103 PID 1452 wrote to memory of 1088 1452 Jjdjoane.exe 103 PID 1452 wrote to memory of 1088 1452 Jjdjoane.exe 103 PID 1088 wrote to memory of 4612 1088 Nbefdijg.exe 104 PID 1088 wrote to memory of 4612 1088 Nbefdijg.exe 104 PID 1088 wrote to memory of 4612 1088 Nbefdijg.exe 104 PID 4612 wrote to memory of 3272 4612 Nkqkhk32.exe 105 PID 4612 wrote to memory of 3272 4612 Nkqkhk32.exe 105 PID 4612 wrote to memory of 3272 4612 Nkqkhk32.exe 105 PID 3272 wrote to memory of 4912 3272 Niakfbpa.exe 106 PID 3272 wrote to memory of 4912 3272 Niakfbpa.exe 106 PID 3272 wrote to memory of 4912 3272 Niakfbpa.exe 106 PID 4912 wrote to memory of 2960 4912 Oehlkc32.exe 107 PID 4912 wrote to memory of 2960 4912 Oehlkc32.exe 107 PID 4912 wrote to memory of 2960 4912 Oehlkc32.exe 107 PID 2960 wrote to memory of 4476 2960 Oaompd32.exe 108 PID 2960 wrote to memory of 4476 2960 Oaompd32.exe 108 PID 2960 wrote to memory of 4476 2960 Oaompd32.exe 108 PID 4476 wrote to memory of 4660 4476 Oklkdi32.exe 109 PID 4476 wrote to memory of 4660 4476 Oklkdi32.exe 109 PID 4476 wrote to memory of 4660 4476 Oklkdi32.exe 109 PID 4660 wrote to memory of 2948 4660 Oafcqcea.exe 110 PID 4660 wrote to memory of 2948 4660 Oafcqcea.exe 110 PID 4660 wrote to memory of 2948 4660 Oafcqcea.exe 110 PID 2948 wrote to memory of 940 2948 Pojcjh32.exe 111 PID 2948 wrote to memory of 940 2948 Pojcjh32.exe 111 PID 2948 wrote to memory of 940 2948 Pojcjh32.exe 111 PID 940 wrote to memory of 4900 940 Pkadoiip.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe23⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe24⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4004 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe28⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3384 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe30⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe32⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe35⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe37⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3584 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe39⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe40⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4444 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4880 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4652 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe45⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe46⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe47⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe50⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe53⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe55⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe57⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe59⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe60⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe61⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe62⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe64⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:932 -
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe66⤵PID:2312
-
C:\Windows\SysWOW64\Hlegnjbm.exeC:\Windows\system32\Hlegnjbm.exe67⤵PID:2644
-
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe68⤵PID:4744
-
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe69⤵PID:5032
-
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe70⤵
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Hkicaahi.exeC:\Windows\system32\Hkicaahi.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe72⤵
- Modifies registry class
PID:5156 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5204 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe75⤵
- Modifies registry class
PID:5320 -
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe76⤵
- Drops file in System32 directory
PID:5364 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe77⤵PID:5400
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe78⤵PID:5456
-
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe79⤵PID:5496
-
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5536 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe81⤵PID:5580
-
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe82⤵
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe83⤵PID:5676
-
C:\Windows\SysWOW64\Jdmgfedl.exeC:\Windows\system32\Jdmgfedl.exe84⤵PID:5724
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe85⤵
- Drops file in System32 directory
PID:5764 -
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5808 -
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe87⤵PID:5852
-
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe88⤵PID:5892
-
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe89⤵PID:5932
-
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5972 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe91⤵
- Drops file in System32 directory
PID:6016 -
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe92⤵PID:6056
-
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6096 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe94⤵
- Drops file in System32 directory
PID:6140 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe95⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe96⤵PID:5308
-
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe97⤵PID:5440
-
C:\Windows\SysWOW64\Kdmqmc32.exeC:\Windows\system32\Kdmqmc32.exe98⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe99⤵PID:5596
-
C:\Windows\SysWOW64\Kgninn32.exeC:\Windows\system32\Kgninn32.exe100⤵PID:5684
-
C:\Windows\SysWOW64\Lqkgbcff.exeC:\Windows\system32\Lqkgbcff.exe101⤵
- Drops file in System32 directory
PID:5756 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5844 -
C:\Windows\SysWOW64\Ldipha32.exeC:\Windows\system32\Ldipha32.exe103⤵
- Modifies registry class
PID:5880 -
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe104⤵PID:5948
-
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe105⤵PID:6000
-
C:\Windows\SysWOW64\Lekmnajj.exeC:\Windows\system32\Lekmnajj.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6080 -
C:\Windows\SysWOW64\Lkeekk32.exeC:\Windows\system32\Lkeekk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe108⤵PID:5300
-
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe109⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe110⤵PID:5520
-
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe112⤵
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5572 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe114⤵PID:5748
-
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe115⤵PID:4788
-
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe116⤵
- Modifies registry class
PID:5996 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe117⤵PID:6120
-
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe118⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe119⤵PID:5524
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe120⤵PID:2664
-
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:888
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-