Analysis
- max time kernel: 177s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2023, 08:29
Behavioral tasks
- behavioral1: Sample NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe, Resource win7-20231023-en
- behavioral2: Sample NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe, Resource win10v2004-20231023-en (the run whose signatures are reported below)
General
- Target: NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe
- Size: 79KB
- MD5: f755066bde3d7a3a3aca800595ea0e6e
- SHA1: 1b93dde2f7d5cbf823fa85f14bf053e7856ef375
- SHA256: 1d4229c66eba6a55389e478ab9f8ef8a7650097bbb3504e4b869507ef5364008
- SHA512: e923f0f92b268d69c09ec1c9bc0329872e4901473829e4251a3fca88e5f08af66bfb81f839ca13de46e2b1742e76b4c2c4aeb2af19867e1eeaafb9f58652e9ef
- SSDEEP: 768:UEHPR8OGPPmT2kt/7OblkBOw+uRwwNusCBNEryihDkJLAvd2a/1H5UMXdnhgdwQV:YOw5bIOw+uREsCvquLQ/NZrI1jHJZrR
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes in the dropper chain write the 32-bit ShellServiceObjectDelayLoad (SSODL) key, which Explorer reads at logon and from which it loads every listed CLSID as an in-process COM server. The value name written is "Web Event Logger"; the CLSID it names is the one registered under "Modifies registry class" below. Rows are grouped by operation; the Process column lists every process that performed it.

description: Key created
ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (34): Baegibae.exe, Okodlgbl.exe, Nacmnlkd.exe, Halhfe32.exe, Hdlhoefk.exe, Qhigbl32.exe, Ddifaqcn.exe, Kmlgcf32.exe, Fdccka32.exe, Mhbakk32.exe, Olnkfd32.exe, Feenjgfq.exe, Mfjlolpp.exe, Piknfgmd.exe, Efoiko32.exe, Gloejmld.exe, Hdjbcnjo.exe, Lmjcdd32.exe, Ljdboe32.exe, Jdaajkfd.exe, Ofkgcobj.exe, Jemfhacc.exe, Plhcglil.exe, Boflfiai.exe, Cfldob32.exe, Djhifnho.exe, Fpbmpc32.exe, Iefphb32.exe, Gjhonp32.exe, Jjmhie32.exe, Alcfoo32.exe, Mljmhflh.exe, Acdioc32.exe, NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (30): Nmgjbg32.exe, Lqkgli32.exe, Lkkekdhe.exe, Egnhcgeb.exe, Cjjlep32.exe, Ilhcmpeg.exe, Icgbob32.exe, Kgopbj32.exe, Mppdbb32.exe, Ponfdf32.exe, Phfjmlhh.exe, Jjhalkjc.exe, Kknhjj32.exe, Kbiede32.exe, Lankloml.exe, Hlnqfanb.exe, Pfmdgq32.exe, Oiakpheo.exe, Hkbddo32.exe, Llofnh32.exe, Mnnkaa32.exe, Cmflkl32.exe, Ejchbmna.exe, Pcfhlh32.exe, Jpfnqc32.exe, Cfldob32.exe, Dbndoa32.exe, Hmbkfjko.exe, Mhdbdgjl.exe, Lkenkhec.exe
-
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers.
yara_rule: family_berbew, matched in the following behavioral2 resources (memory dumps of the processes in the dropper chain and the dropped .dat files):
behavioral2/memory/4876-0-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/memory/4876-4-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x00090000000222f4-7.dat
behavioral2/files/0x00090000000222f4-9.dat
behavioral2/memory/1204-8-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022d20-15.dat
behavioral2/files/0x0007000000022d20-17.dat
behavioral2/memory/2200-16-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022d39-23.dat
behavioral2/memory/1796-25-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/memory/2104-32-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022d3b-31.dat
behavioral2/files/0x0007000000022d39-24.dat
behavioral2/files/0x0007000000022d3b-33.dat
behavioral2/files/0x0008000000022d45-39.dat
behavioral2/files/0x0008000000022d45-41.dat
behavioral2/memory/2576-40-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/memory/836-48-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022e08-49.dat
behavioral2/files/0x0007000000022e08-47.dat
behavioral2/files/0x0007000000022e0a-55.dat
behavioral2/files/0x0007000000022e0a-56.dat
behavioral2/memory/1556-57-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0008000000022d1a-63.dat
behavioral2/files/0x0008000000022d1a-65.dat
behavioral2/memory/4880-64-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022e0e-71.dat
behavioral2/files/0x0007000000022e0e-73.dat
behavioral2/memory/4356-72-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/memory/4876-80-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022e10-81.dat
behavioral2/memory/220-82-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022e10-79.dat
behavioral2/files/0x0007000000022e12-88.dat
behavioral2/memory/468-89-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022e12-90.dat
behavioral2/files/0x0007000000022e14-96.dat
behavioral2/files/0x0007000000022e14-98.dat
behavioral2/memory/2752-97-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022e16-104.dat
behavioral2/memory/4156-105-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022e16-106.dat
behavioral2/files/0x0007000000022e18-114.dat
behavioral2/files/0x0007000000022e18-112.dat
behavioral2/memory/4896-113-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022e1a-120.dat
behavioral2/memory/4696-121-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022e1a-122.dat
behavioral2/files/0x0007000000022e1f-123.dat
behavioral2/files/0x0007000000022e1f-128.dat
behavioral2/files/0x0007000000022e1f-130.dat
behavioral2/memory/2864-129-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/memory/4580-137-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0007000000022e21-138.dat
behavioral2/files/0x0007000000022e21-136.dat
behavioral2/files/0x0006000000022e24-144.dat
behavioral2/memory/2916-146-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0006000000022e24-145.dat
behavioral2/files/0x0006000000022e26-152.dat
behavioral2/memory/1396-153-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral2/files/0x0006000000022e26-154.dat
behavioral2/files/0x0006000000022e28-155.dat
behavioral2/files/0x0006000000022e28-160.dat
behavioral2/files/0x0006000000022e28-162.dat
-
Executes dropped EXE (64 IoCs)
pid | Process
1204 | Njmqnobn.exe
2200 | Omnjojpo.exe
1796 | Ompfej32.exe
2104 | Ofkgcobj.exe
2576 | Ocohmc32.exe
836 | Ondljl32.exe
1556 | Ohlqcagj.exe
4880 | Pccahbmn.exe
4356 | Pagbaglh.exe
220 | Pjpfjl32.exe
468 | Phcgcqab.exe
2752 | Pdjgha32.exe
4156 | Qjfmkk32.exe
4896 | Qdoacabq.exe
4696 | Qodeajbg.exe
2864 | Afbgkl32.exe
4580 | Apjkcadp.exe
2916 | Aokkahlo.exe
1396 | Apmhiq32.exe
1040 | Aonhghjl.exe
3652 | Agimkk32.exe
1440 | Aaoaic32.exe
4240 | Bgkiaj32.exe
4264 | Bkibgh32.exe
3512 | Bgpcliao.exe
4988 | Baegibae.exe
5060 | Bknlbhhe.exe
2420 | Bhblllfo.exe
3016 | Cpmapodj.exe
2424 | Cammjakm.exe
232 | Cgifbhid.exe
2984 | Cpbjkn32.exe
1192 | Caageq32.exe
4740 | Coegoe32.exe
4032 | Chnlgjlb.exe
1344 | Dhphmj32.exe
3956 | Ddgibkpc.exe
4656 | Dakikoom.exe
4804 | Dhdbhifj.exe
4660 | Dnajppda.exe
2260 | Dkekjdck.exe
2788 | Dkhgod32.exe
2256 | Ehlhih32.exe
464 | Enhpao32.exe
3136 | Ehndnh32.exe
1132 | Fdlkdhnk.exe
1588 | Fbplml32.exe
1636 | Fkhpfbce.exe
4392 | Fqeioiam.exe
2972 | Fkjmlaac.exe
4340 | Finnef32.exe
1476 | Feenjgfq.exe
3616 | Galoohke.exe
772 | Gnpphljo.exe
2032 | Ggmmlamj.exe
3984 | Geanfelc.exe
1232 | Hpfbcn32.exe
4720 | Hioflcbj.exe
3868 | Hnlodjpa.exe
3700 | Hhdcmp32.exe
4452 | Halhfe32.exe
1984 | Hpmhdmea.exe
4432 | Hifmmb32.exe
2320 | Hnbeeiji.exe
-
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Kkdoje32.exe | Kjcccm32.exe
File created | C:\Windows\SysWOW64\Ldnbdnlc.exe | Lkenkhec.exe
File created | C:\Windows\SysWOW64\Obphenpj.exe | Nnmfdpni.exe
File opened for modification | C:\Windows\SysWOW64\Ljephmgl.exe | Lckglc32.exe
File created | C:\Windows\SysWOW64\Mcicma32.exe | Mmokpglb.exe
File opened for modification | C:\Windows\SysWOW64\Mefmbbod.exe | Mojhphij.exe
File created | C:\Windows\SysWOW64\Hknnckao.dll | Dpmknf32.exe
File created | C:\Windows\SysWOW64\Hlfolq32.dll | Djhifnho.exe
File created | C:\Windows\SysWOW64\Coppbe32.dll | Hpfbcn32.exe
File created | C:\Windows\SysWOW64\Gjebiq32.exe | Gdhjpjjd.exe
File opened for modification | C:\Windows\SysWOW64\Jmbdmg32.exe | Jgekdq32.exe
File created | C:\Windows\SysWOW64\Fmikoggm.exe | Fbcfan32.exe
File created | C:\Windows\SysWOW64\Pohcgj32.dll | Halmaiog.exe
File created | C:\Windows\SysWOW64\Bdglhadi.dll | Hdehho32.exe
File created | C:\Windows\SysWOW64\Mceccbpj.exe | Mmkkgh32.exe
File opened for modification | C:\Windows\SysWOW64\Odqbdnod.exe | Oljkcpnb.exe
File created | C:\Windows\SysWOW64\Kiadbknf.dll | Gjkqpa32.exe
File created | C:\Windows\SysWOW64\Jgbccm32.exe | Jphkfc32.exe
File created | C:\Windows\SysWOW64\Abjfqpji.exe | Aiabhj32.exe
File opened for modification | C:\Windows\SysWOW64\Gjebiq32.exe | Gdhjpjjd.exe
File created | C:\Windows\SysWOW64\Kengqo32.exe | Kndodehf.exe
File created | C:\Windows\SysWOW64\Dmehffhc.dll | Nflkkf32.exe
File created | C:\Windows\SysWOW64\Bhblllfo.exe | Bknlbhhe.exe
File opened for modification | C:\Windows\SysWOW64\Lkenkhec.exe | Ldiiio32.exe
File created | C:\Windows\SysWOW64\Kgjggkqi.exe | Kqpoja32.exe
File created | C:\Windows\SysWOW64\Hpbaccfe.dll | Mjhepnno.exe
File created | C:\Windows\SysWOW64\Flhkeljp.dll | Nhheepbk.exe
File created | C:\Windows\SysWOW64\Jefbcdik.dll | Alnmdojp.exe
File opened for modification | C:\Windows\SysWOW64\Hibape32.exe | Hdehho32.exe
File opened for modification | C:\Windows\SysWOW64\Iafkld32.exe | Ilibdmgp.exe
File opened for modification | C:\Windows\SysWOW64\Lcbmlbig.exe | Lkkekdhe.exe
File created | C:\Windows\SysWOW64\Haajpgna.dll | Egnhcgeb.exe
File opened for modification | C:\Windows\SysWOW64\Ojmqgd32.exe | Nnfpbcbf.exe
File created | C:\Windows\SysWOW64\Pmdgahkj.dll | Dggbmlba.exe
File opened for modification | C:\Windows\SysWOW64\Jmpgghoo.exe | Icgbob32.exe
File opened for modification | C:\Windows\SysWOW64\Onneeceo.exe | Ngdmhimb.exe
File created | C:\Windows\SysWOW64\Kjnjip32.dll | Mggecl32.exe
File created | C:\Windows\SysWOW64\Onneeceo.exe | Ngdmhimb.exe
File opened for modification | C:\Windows\SysWOW64\Cdabmcdi.exe | Onneeceo.exe
File created | C:\Windows\SysWOW64\Menpgmap.exe | Mndhkc32.exe
File created | C:\Windows\SysWOW64\Ggpenegb.dll | Pagbaglh.exe
File opened for modification | C:\Windows\SysWOW64\Geanfelc.exe | Ggmmlamj.exe
File created | C:\Windows\SysWOW64\Jjfdfl32.exe | Jghhjq32.exe
File opened for modification | C:\Windows\SysWOW64\Lhcali32.exe | Lcfidb32.exe
File created | C:\Windows\SysWOW64\Pghiomqi.exe | Jjmhie32.exe
File opened for modification | C:\Windows\SysWOW64\Pkdngf32.exe | Ppoijn32.exe
File created | C:\Windows\SysWOW64\Kahpgcch.exe | Kknhjj32.exe
File opened for modification | C:\Windows\SysWOW64\Chnlgjlb.exe | Coegoe32.exe
File opened for modification | C:\Windows\SysWOW64\Dhphmj32.exe | Chnlgjlb.exe
File created | C:\Windows\SysWOW64\Kaadhg32.dll | Ponfdf32.exe
File created | C:\Windows\SysWOW64\Knofif32.exe | Kgenlldo.exe
File opened for modification | C:\Windows\SysWOW64\Peahpa32.exe | Pmjpod32.exe
File created | C:\Windows\SysWOW64\Eoeoqoni.dll | Gkqhpmkg.exe
File opened for modification | C:\Windows\SysWOW64\Mjjbjjdd.exe | Mcpjnp32.exe
File created | C:\Windows\SysWOW64\Jnaighhk.exe | Iggakn32.exe
File opened for modification | C:\Windows\SysWOW64\Ipjenn32.exe | Igbaeh32.exe
File opened for modification | C:\Windows\SysWOW64\Knabne32.exe | Kiejfo32.exe
File created | C:\Windows\SysWOW64\Kegboa32.dll | Gmdjjemp.exe
File opened for modification | C:\Windows\SysWOW64\Hnlodjpa.exe | Hioflcbj.exe
File created | C:\Windows\SysWOW64\Icncngca.dll | Hfhbipdb.exe
File opened for modification | C:\Windows\SysWOW64\Mhdjonng.exe | Mefmbbod.exe
File opened for modification | C:\Windows\SysWOW64\Ikqqfm32.exe | Ibhlmgdj.exe
File opened for modification | C:\Windows\SysWOW64\Mndhkc32.exe | Mhjpnibf.exe
File opened for modification | C:\Windows\SysWOW64\Oaajoj32.exe | Okgabpgg.exe
-
Program crash (1 IoC)
pid | pid_target | Process | procid_target
5580 | 3460 | WerFault.exe | 761
-
Modifies registry class (64 IoCs)
These writes register the in-process COM server for CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, the same CLSID the "Web Event Logger" SSODL value above points at, so that Explorer loads the named DLL from SysWow64 at logon. The default value is rewritten repeatedly, each time to a different randomly named DLL. Rows are grouped by operation; the Process column lists every process that performed it.

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Process (27): Pdfeandd.exe, Pccahbmn.exe, Hpmhdmea.exe, Liofdigo.exe, Mhdjonng.exe, Cmflkl32.exe, Ldiiio32.exe, Keifdpif.exe, Bmjlpnpb.exe, Apmhbf32.exe, Ieccbbkn.exe, Ndliin32.exe, Pehekgmp.exe, Mnanpfdo.exe, Gkffhmka.exe, Halmaiog.exe, Majjgmco.exe, Qkjgomgb.exe, Nifcnpch.exe, Ocohmc32.exe, Mfoclflo.exe, Mehcnlie.exe, Fnmjkahi.exe, Doiabgqc.exe, Icgbob32.exe, Lcdjba32.exe, Mcnmccfa.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Process (18): Nqmfnp32.exe, Haoighmd.exe, Pcaoahio.exe, Iphihnjk.exe, Mmkkgh32.exe, Cjjlep32.exe, Gmdjjemp.exe, Llofnh32.exe, Oifekg32.exe, Nhhlog32.exe, Kkomgkoj.exe, Bjnmib32.exe, Idahcm32.exe, Nifele32.exe, Oiakpheo.exe, Gifadggi.exe, Ipohpdbb.exe, Aaoaic32.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default value) = DLL path below (19 rows)
DLL path | Process
C:\\Windows\\SysWow64\\Hhlpkkmk.dll | Phddbbnf.exe
C:\\Windows\\SysWow64\\Jdbklkdg.dll | Lkflpe32.exe
C:\\Windows\\SysWow64\\Famhhb32.dll | Offeahhp.exe
C:\\Windows\\SysWow64\\Khnhkdjh.dll | Mceccbpj.exe
C:\\Windows\\SysWow64\\Dmnmdboi.dll | Bkoiqjdj.exe
C:\\Windows\\SysWow64\\Fmggpd32.dll | Mhdbdgjl.exe
C:\\Windows\\SysWow64\\Bkkgddkp.dll | Gmggpekm.exe
C:\\Windows\\SysWow64\\Egcpch32.dll | Pkpmnh32.exe
C:\\Windows\\SysWow64\\Qnglia32.dll | Bglgdi32.exe
C:\\Windows\\SysWow64\\Bkmaja32.dll | Pedlpgqe.exe
C:\\Windows\\SysWow64\\Eoadmoig.dll | Bhfmic32.exe
C:\\Windows\\SysWow64\\Ogkcmh32.dll | Kkomgkoj.exe
C:\\Windows\\SysWow64\\Ddegdohc.dll | Keekjc32.exe
C:\\Windows\\SysWow64\\Adbijq32.dll | Ljglnmdi.exe
C:\\Windows\\SysWow64\\Aobmce32.dll | Fqeioiam.exe
C:\\Windows\\SysWow64\\Dkadnj32.dll | Nifcnpch.exe
C:\\Windows\\SysWow64\\Ampfba32.dll | Hhiacb32.exe
C:\\Windows\\SysWow64\\Cakegg32.dll | Ahnghafl.exe
C:\\Windows\\SysWow64\\Hladecfn.dll | Dbndoa32.exe
-
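The two registry signatures above ("Adds autorun key" and "Modifies registry class") only make sense together: the SSODL value names a CLSID, and the CLSID's InProcServer32 names the DLL Explorer will load. The following is an added example, not part of the sandbox report or of the sample, that correlates the two from rows in the report's "description ioc Process" format. The sample rows are copied from the tables above (a handful, not all 64); the final "WebCheck" row and its CLSID are constructed as a control for an SSODL value whose COM server is never registered during the trace. The rule that a CLSID whose InProcServer32 default value is written by the same trace is suspicious is this example's own heuristic.

```python
"""Correlate ShellServiceObjectDelayLoad (SSODL) persistence with the CLSID it points at.

Input rows use the sandbox report's "description ioc Process" layout. The rows
below copy a few entries from the two registry tables in the report; the last
"WebCheck" row is constructed (made-up CLSID) to show a value whose COM server
is never registered in the trace.
"""
import re
from collections import defaultdict

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
SET_VALUE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
SSODL_VALUE = re.compile(r"\\ShellServiceObjectDelayLoad\\([^\\]+)$", re.IGNORECASE)
# a path ending in "InProcServer32\" is the key's default value, i.e. the DLL path
INPROC_DEFAULT = re.compile(r"\\CLSID\\(" + GUID + r")\\InProcServer32\\$", re.IGNORECASE)

SAMPLE_EVENTS = [
    # rows copied from the "Adds autorun key" table
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baegibae.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmgjbg32.exe',
    # rows copied from the "Modifies registry class" table
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhlpkkmk.dll" Phddbbnf.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmfnp32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbklkdg.dll" Lkflpe32.exe',
    # constructed control row (made-up CLSID): no InProcServer32 is written for it
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "{0A1B2C3D-1111-2222-3333-444455556666}" explorer.exe',
]


def parse_set_value(line):
    """Return the fields of a 'Set value (...)' row, or None for other row kinds."""
    m = SET_VALUE.match(line)
    if not m:
        return None
    vtype, path, data, proc = m.groups()
    # the report escapes backslashes inside string data ("C:\\Windows\\...")
    return {"type": vtype, "path": path, "data": data.replace("\\\\", "\\"), "process": proc}


def detect_ssodl_persistence(lines):
    """Flag SSODL values whose CLSID had its InProcServer32 written in the same trace."""
    ssodl = []                  # (value name, CLSID, process that wrote it)
    inproc = defaultdict(list)  # CLSID -> [(dll path, process that registered it)]
    for line in lines:
        ev = parse_set_value(line)
        if ev is None:
            continue  # "Key created" rows carry no data to correlate
        m = SSODL_VALUE.search(ev["path"])
        if m and re.fullmatch(GUID, ev["data"]):
            ssodl.append((m.group(1), ev["data"].upper(), ev["process"]))
            continue
        m = INPROC_DEFAULT.search(ev["path"])
        if m:
            inproc[m.group(1).upper()].append((ev["data"], ev["process"]))

    findings = []
    for name, clsid, proc in ssodl:
        servers = inproc.get(clsid, [])
        findings.append({
            "ssodl_value": name,
            "clsid": clsid,
            "set_by": proc,
            "inproc_dlls": sorted({dll for dll, _ in servers}),
            "registered_by": sorted({p for _, p in servers}),
            # Explorer loads this CLSID at logon; a server registered by the
            # traced processes themselves is the persistence, not a stock entry
            "suspicious": bool(servers),
        })
    return findings


if __name__ == "__main__":
    for hit in detect_ssodl_persistence(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if hit["suspicious"] else "no server registered"
        print(f'{flag}: SSODL "{hit["ssodl_value"]}" -> {hit["clsid"]} '
              f'(set by {hit["set_by"]}; DLLs {hit["inproc_dlls"]}; registered by {hit["registered_by"]})')
```

On the rows above the detector reports one suspicious entry, "Web Event Logger", with both DLL paths the sample rotated through and the two processes that registered them, and leaves the constructed WebCheck row unflagged. Against a live host the same correlation can be run over the two hives directly (HKLM\SOFTWARE\WOW6432Node\...\ShellServiceObjectDelayLoad and HKCR\WOW6432Node\CLSID), where any SSODL value that is not part of the stock image deserves the same scrutiny.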
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4876 wrote to memory of 1204 | 4876 | NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe | 89
PID 4876 wrote to memory of 1204 | 4876 | NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe | 89
PID 4876 wrote to memory of 1204 | 4876 | NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe | 89
PID 1204 wrote to memory of 2200 | 1204 | Njmqnobn.exe | 90
PID 1204 wrote to memory of 2200 | 1204 | Njmqnobn.exe | 90
PID 1204 wrote to memory of 2200 | 1204 | Njmqnobn.exe | 90
PID 2200 wrote to memory of 1796 | 2200 | Omnjojpo.exe | 91
PID 2200 wrote to memory of 1796 | 2200 | Omnjojpo.exe | 91
PID 2200 wrote to memory of 1796 | 2200 | Omnjojpo.exe | 91
PID 1796 wrote to memory of 2104 | 1796 | Ompfej32.exe | 92
PID 1796 wrote to memory of 2104 | 1796 | Ompfej32.exe | 92
PID 1796 wrote to memory of 2104 | 1796 | Ompfej32.exe | 92
PID 2104 wrote to memory of 2576 | 2104 | Ofkgcobj.exe | 93
PID 2104 wrote to memory of 2576 | 2104 | Ofkgcobj.exe | 93
PID 2104 wrote to memory of 2576 | 2104 | Ofkgcobj.exe | 93
PID 2576 wrote to memory of 836 | 2576 | Ocohmc32.exe | 94
PID 2576 wrote to memory of 836 | 2576 | Ocohmc32.exe | 94
PID 2576 wrote to memory of 836 | 2576 | Ocohmc32.exe | 94
PID 836 wrote to memory of 1556 | 836 | Ondljl32.exe | 95
PID 836 wrote to memory of 1556 | 836 | Ondljl32.exe | 95
PID 836 wrote to memory of 1556 | 836 | Ondljl32.exe | 95
PID 1556 wrote to memory of 4880 | 1556 | Ohlqcagj.exe | 96
PID 1556 wrote to memory of 4880 | 1556 | Ohlqcagj.exe | 96
PID 1556 wrote to memory of 4880 | 1556 | Ohlqcagj.exe | 96
PID 4880 wrote to memory of 4356 | 4880 | Pccahbmn.exe | 97
PID 4880 wrote to memory of 4356 | 4880 | Pccahbmn.exe | 97
PID 4880 wrote to memory of 4356 | 4880 | Pccahbmn.exe | 97
PID 4356 wrote to memory of 220 | 4356 | Pagbaglh.exe | 98
PID 4356 wrote to memory of 220 | 4356 | Pagbaglh.exe | 98
PID 4356 wrote to memory of 220 | 4356 | Pagbaglh.exe | 98
PID 220 wrote to memory of 468 | 220 | Pjpfjl32.exe | 99
PID 220 wrote to memory of 468 | 220 | Pjpfjl32.exe | 99
PID 220 wrote to memory of 468 | 220 | Pjpfjl32.exe | 99
PID 468 wrote to memory of 2752 | 468 | Phcgcqab.exe | 100
PID 468 wrote to memory of 2752 | 468 | Phcgcqab.exe | 100
PID 468 wrote to memory of 2752 | 468 | Phcgcqab.exe | 100
PID 2752 wrote to memory of 4156 | 2752 | Pdjgha32.exe | 101
PID 2752 wrote to memory of 4156 | 2752 | Pdjgha32.exe | 101
PID 2752 wrote to memory of 4156 | 2752 | Pdjgha32.exe | 101
PID 4156 wrote to memory of 4896 | 4156 | Qjfmkk32.exe | 102
PID 4156 wrote to memory of 4896 | 4156 | Qjfmkk32.exe | 102
PID 4156 wrote to memory of 4896 | 4156 | Qjfmkk32.exe | 102
PID 4896 wrote to memory of 4696 | 4896 | Qdoacabq.exe | 103
PID 4896 wrote to memory of 4696 | 4896 | Qdoacabq.exe | 103
PID 4896 wrote to memory of 4696 | 4896 | Qdoacabq.exe | 103
PID 4696 wrote to memory of 2864 | 4696 | Qodeajbg.exe | 104
PID 4696 wrote to memory of 2864 | 4696 | Qodeajbg.exe | 104
PID 4696 wrote to memory of 2864 | 4696 | Qodeajbg.exe | 104
PID 2864 wrote to memory of 4580 | 2864 | Afbgkl32.exe | 105
PID 2864 wrote to memory of 4580 | 2864 | Afbgkl32.exe | 105
PID 2864 wrote to memory of 4580 | 2864 | Afbgkl32.exe | 105
PID 4580 wrote to memory of 2916 | 4580 | Apjkcadp.exe | 106
PID 4580 wrote to memory of 2916 | 4580 | Apjkcadp.exe | 106
PID 4580 wrote to memory of 2916 | 4580 | Apjkcadp.exe | 106
PID 2916 wrote to memory of 1396 | 2916 | Aokkahlo.exe | 107
PID 2916 wrote to memory of 1396 | 2916 | Aokkahlo.exe | 107
PID 2916 wrote to memory of 1396 | 2916 | Aokkahlo.exe | 107
PID 1396 wrote to memory of 1040 | 1396 | Apmhiq32.exe | 108
PID 1396 wrote to memory of 1040 | 1396 | Apmhiq32.exe | 108
PID 1396 wrote to memory of 1040 | 1396 | Apmhiq32.exe | 108
PID 1040 wrote to memory of 3652 | 1040 | Aonhghjl.exe | 109
PID 1040 wrote to memory of 3652 | 1040 | Aonhghjl.exe | 109
PID 1040 wrote to memory of 3652 | 1040 | Aonhghjl.exe | 109
PID 3652 wrote to memory of 1440 | 3652 | Agimkk32.exe | 110
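Added example, not part of the sandbox report or its tooling: a Python script that parses rows of the "wrote to memory" table above (a constructed subset of the report's own rows is embedded), rebuilds the writer-to-target chain, counts the writes each child receives and flags image names that share the naming shape of the dropped binaries. The name heuristic, the `summarize` function and the acceptance of a pipe-delimited copy of the table are my own assumptions, not anything the sandbox provides.

```python
"""Rebuild the spawn chain from a sandbox 'wrote to memory' table.

Added example, not part of the sandbox report or its tooling. SAMPLE_ROWS
is a constructed subset copied from the report's WriteProcessMemory table;
row layout is the sandbox's own (description, pid, Process, procid_target).
"""
import re
from collections import Counter

# Constructed sample: the first twelve rows of the report's table.
SAMPLE_ROWS = """\
PID 4876 wrote to memory of 1204 4876 NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe 89
PID 4876 wrote to memory of 1204 4876 NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe 89
PID 4876 wrote to memory of 1204 4876 NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe 89
PID 1204 wrote to memory of 2200 1204 Njmqnobn.exe 90
PID 1204 wrote to memory of 2200 1204 Njmqnobn.exe 90
PID 1204 wrote to memory of 2200 1204 Njmqnobn.exe 90
PID 2200 wrote to memory of 1796 2200 Omnjojpo.exe 91
PID 2200 wrote to memory of 1796 2200 Omnjojpo.exe 91
PID 2200 wrote to memory of 1796 2200 Omnjojpo.exe 91
PID 1796 wrote to memory of 2104 1796 Ompfej32.exe 92
PID 1796 wrote to memory of 2104 1796 Ompfej32.exe 92
PID 1796 wrote to memory of 2104 1796 Ompfej32.exe 92
"""

# One row: "PID <src> wrote to memory of <dst> <src> <image name> <target index>".
# The second <src> is the table's pid column and must repeat the first.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P=src) (?P<proc>\S+) (?P<target>\d+)$"
)

# Name shape shared by every dropped binary in this report: a capitalised
# 8-letter name, or 6 letters followed by "32". Heuristic (assumption),
# derived from the report's names only.
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{7}\.exe$|^[A-Z][a-z]{5}32\.exe$")


def parse_rows(text):
    """Parse table rows; a pipe-delimited copy of the same table is accepted too."""
    rows = []
    for line in text.splitlines():
        line = line.strip().replace(" | ", " ")
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({"src": int(m["src"]), "dst": int(m["dst"]),
                     "proc": m["proc"], "target": int(m["target"])})
    return rows


def write_counts(rows):
    """Number of logged writes per (writer pid, target pid) pair."""
    return Counter((r["src"], r["dst"]) for r in rows)


def process_names(rows):
    """pid -> image name, for every pid that appears as a writer."""
    return {r["src"]: r["proc"] for r in rows}


def is_linear_chain(rows):
    """True when each writer has one distinct target and each target one
    writer, i.e. the write edges form a single parent -> child path."""
    targets, writers = {}, {}
    for r in rows:
        targets.setdefault(r["src"], set()).add(r["dst"])
        writers.setdefault(r["dst"], set()).add(r["src"])
    return (all(len(t) == 1 for t in targets.values())
            and all(len(w) == 1 for w in writers.values()))


def spawn_chain(rows, root):
    """Follow write edges from root; stops at a branch or a cycle."""
    children = {}
    for r in rows:
        children.setdefault(r["src"], set()).add(r["dst"])
    chain, seen, cur = [root], {root}, root
    while cur in children and len(children[cur]) == 1:
        (cur,) = children[cur]
        if cur in seen:
            break
        chain.append(cur)
        seen.add(cur)
    return chain


def looks_dropped_name(name):
    return DROPPED_NAME_RE.match(name) is not None


def summarize(text, root):
    """Chain depth, writes per child and dropped-looking names, from raw rows."""
    rows = parse_rows(text)
    names, counts = process_names(rows), write_counts(rows)
    chain = spawn_chain(rows, root)
    return {
        "chain": [(pid, names.get(pid, "?")) for pid in chain],
        "depth": len(chain),
        "linear": is_linear_chain(rows),
        "writes_per_child": {dst: counts[(src, dst)]
                             for src, dst in zip(chain, chain[1:])},
        "dropped_like": [names[p] for p in chain
                         if p in names and looks_dropped_name(names[p])],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS, 4876).items():
        print(f"{key}: {value}")
```

Run against the full table, the chain comes out as one straight path: every child receives exactly three writes, all from the process that launched it, and every write target is the next entry in the process tree. The "Suspicious use of WriteProcessMemory" flag on this report therefore describes the chain of process creations, not writes into an unrelated process; a target PID that never shows up as a child in the tree, or a writer with more than one target (`is_linear_chain` returning False), is the case that would merit pulling the sample apart further.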
Processes
-
Each process below is the child of the one above it: depth 1 is the submitted sample, and every entry at depth N spawns the entry at depth N+1, matching the writer-to-target chain in the WriteProcessMemory table. The image path of every dropped binary is under C:\Windows\SysWOW64 while its command line names C:\Windows\system32; the drops run as 32-bit processes, so their System32 reference is redirected to SysWOW64 by WoW64 file-system redirection.
depth 1  C:\Users\Admin\AppData\Local\Temp\NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.f755066bde3d7a3a3aca800595ea0e6e.exe")  PID:4876
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
depth 2  C:\Windows\SysWOW64\Njmqnobn.exe  (cmdline: C:\Windows\system32\Njmqnobn.exe)  PID:1204
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 3  C:\Windows\SysWOW64\Omnjojpo.exe  (cmdline: C:\Windows\system32\Omnjojpo.exe)  PID:2200
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 4  C:\Windows\SysWOW64\Ompfej32.exe  (cmdline: C:\Windows\system32\Ompfej32.exe)  PID:1796
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 5  C:\Windows\SysWOW64\Ofkgcobj.exe  (cmdline: C:\Windows\system32\Ofkgcobj.exe)  PID:2104
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 6  C:\Windows\SysWOW64\Ocohmc32.exe  (cmdline: C:\Windows\system32\Ocohmc32.exe)  PID:2576
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
depth 7  C:\Windows\SysWOW64\Ondljl32.exe  (cmdline: C:\Windows\system32\Ondljl32.exe)  PID:836
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 8  C:\Windows\SysWOW64\Ohlqcagj.exe  (cmdline: C:\Windows\system32\Ohlqcagj.exe)  PID:1556
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 9  C:\Windows\SysWOW64\Pccahbmn.exe  (cmdline: C:\Windows\system32\Pccahbmn.exe)  PID:4880
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
depth 10  C:\Windows\SysWOW64\Pagbaglh.exe  (cmdline: C:\Windows\system32\Pagbaglh.exe)  PID:4356
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
depth 11  C:\Windows\SysWOW64\Pjpfjl32.exe  (cmdline: C:\Windows\system32\Pjpfjl32.exe)  PID:220
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 12  C:\Windows\SysWOW64\Phcgcqab.exe  (cmdline: C:\Windows\system32\Phcgcqab.exe)  PID:468
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 13  C:\Windows\SysWOW64\Pdjgha32.exe  (cmdline: C:\Windows\system32\Pdjgha32.exe)  PID:2752
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 14  C:\Windows\SysWOW64\Qjfmkk32.exe  (cmdline: C:\Windows\system32\Qjfmkk32.exe)  PID:4156
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 15  C:\Windows\SysWOW64\Qdoacabq.exe  (cmdline: C:\Windows\system32\Qdoacabq.exe)  PID:4896
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 16  C:\Windows\SysWOW64\Qodeajbg.exe  (cmdline: C:\Windows\system32\Qodeajbg.exe)  PID:4696
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 17  C:\Windows\SysWOW64\Afbgkl32.exe  (cmdline: C:\Windows\system32\Afbgkl32.exe)  PID:2864
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 18  C:\Windows\SysWOW64\Apjkcadp.exe  (cmdline: C:\Windows\system32\Apjkcadp.exe)  PID:4580
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 19  C:\Windows\SysWOW64\Aokkahlo.exe  (cmdline: C:\Windows\system32\Aokkahlo.exe)  PID:2916
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 20  C:\Windows\SysWOW64\Apmhiq32.exe  (cmdline: C:\Windows\system32\Apmhiq32.exe)  PID:1396
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 21  C:\Windows\SysWOW64\Aonhghjl.exe  (cmdline: C:\Windows\system32\Aonhghjl.exe)  PID:1040
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 22  C:\Windows\SysWOW64\Agimkk32.exe  (cmdline: C:\Windows\system32\Agimkk32.exe)  PID:3652
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 23  C:\Windows\SysWOW64\Aaoaic32.exe  (cmdline: C:\Windows\system32\Aaoaic32.exe)  PID:1440
- Executes dropped EXE
- Modifies registry class
depth 24  C:\Windows\SysWOW64\Bgkiaj32.exe  (cmdline: C:\Windows\system32\Bgkiaj32.exe)  PID:4240
- Executes dropped EXE
depth 25  C:\Windows\SysWOW64\Bkibgh32.exe  (cmdline: C:\Windows\system32\Bkibgh32.exe)  PID:4264
- Executes dropped EXE
depth 26  C:\Windows\SysWOW64\Bgpcliao.exe  (cmdline: C:\Windows\system32\Bgpcliao.exe)  PID:3512
- Executes dropped EXE
depth 27  C:\Windows\SysWOW64\Baegibae.exe  (cmdline: C:\Windows\system32\Baegibae.exe)  PID:4988
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 28  C:\Windows\SysWOW64\Bknlbhhe.exe  (cmdline: C:\Windows\system32\Bknlbhhe.exe)  PID:5060
- Executes dropped EXE
- Drops file in System32 directory
depth 29  C:\Windows\SysWOW64\Bhblllfo.exe  (cmdline: C:\Windows\system32\Bhblllfo.exe)  PID:2420
- Executes dropped EXE
depth 30  C:\Windows\SysWOW64\Cpmapodj.exe  (cmdline: C:\Windows\system32\Cpmapodj.exe)  PID:3016
- Executes dropped EXE
depth 31  C:\Windows\SysWOW64\Cammjakm.exe  (cmdline: C:\Windows\system32\Cammjakm.exe)  PID:2424
- Executes dropped EXE
depth 32  C:\Windows\SysWOW64\Cgifbhid.exe  (cmdline: C:\Windows\system32\Cgifbhid.exe)  PID:232
- Executes dropped EXE
depth 33  C:\Windows\SysWOW64\Cpbjkn32.exe  (cmdline: C:\Windows\system32\Cpbjkn32.exe)  PID:2984
- Executes dropped EXE
depth 34  C:\Windows\SysWOW64\Caageq32.exe  (cmdline: C:\Windows\system32\Caageq32.exe)  PID:1192
- Executes dropped EXE
depth 35  C:\Windows\SysWOW64\Coegoe32.exe  (cmdline: C:\Windows\system32\Coegoe32.exe)  PID:4740
- Executes dropped EXE
- Drops file in System32 directory
depth 36  C:\Windows\SysWOW64\Chnlgjlb.exe  (cmdline: C:\Windows\system32\Chnlgjlb.exe)  PID:4032
- Executes dropped EXE
- Drops file in System32 directory
depth 37  C:\Windows\SysWOW64\Dhphmj32.exe  (cmdline: C:\Windows\system32\Dhphmj32.exe)  PID:1344
- Executes dropped EXE
depth 38  C:\Windows\SysWOW64\Ddgibkpc.exe  (cmdline: C:\Windows\system32\Ddgibkpc.exe)  PID:3956
- Executes dropped EXE
depth 39  C:\Windows\SysWOW64\Dakikoom.exe  (cmdline: C:\Windows\system32\Dakikoom.exe)  PID:4656
- Executes dropped EXE
depth 40  C:\Windows\SysWOW64\Dhdbhifj.exe  (cmdline: C:\Windows\system32\Dhdbhifj.exe)  PID:4804
- Executes dropped EXE
depth 41  C:\Windows\SysWOW64\Dnajppda.exe  (cmdline: C:\Windows\system32\Dnajppda.exe)  PID:4660
- Executes dropped EXE
depth 42  C:\Windows\SysWOW64\Dkekjdck.exe  (cmdline: C:\Windows\system32\Dkekjdck.exe)  PID:2260
- Executes dropped EXE
depth 43  C:\Windows\SysWOW64\Dkhgod32.exe  (cmdline: C:\Windows\system32\Dkhgod32.exe)  PID:2788
- Executes dropped EXE
depth 44  C:\Windows\SysWOW64\Ehlhih32.exe  (cmdline: C:\Windows\system32\Ehlhih32.exe)  PID:2256
- Executes dropped EXE
depth 45  C:\Windows\SysWOW64\Enhpao32.exe  (cmdline: C:\Windows\system32\Enhpao32.exe)  PID:464
- Executes dropped EXE
depth 46  C:\Windows\SysWOW64\Ehndnh32.exe  (cmdline: C:\Windows\system32\Ehndnh32.exe)  PID:3136
- Executes dropped EXE
depth 47  C:\Windows\SysWOW64\Fdlkdhnk.exe  (cmdline: C:\Windows\system32\Fdlkdhnk.exe)  PID:1132
- Executes dropped EXE
depth 48  C:\Windows\SysWOW64\Fbplml32.exe  (cmdline: C:\Windows\system32\Fbplml32.exe)  PID:1588
- Executes dropped EXE
depth 49  C:\Windows\SysWOW64\Fkhpfbce.exe  (cmdline: C:\Windows\system32\Fkhpfbce.exe)  PID:1636
- Executes dropped EXE
depth 50  C:\Windows\SysWOW64\Fqeioiam.exe  (cmdline: C:\Windows\system32\Fqeioiam.exe)  PID:4392
- Executes dropped EXE
- Modifies registry class
depth 51  C:\Windows\SysWOW64\Fkjmlaac.exe  (cmdline: C:\Windows\system32\Fkjmlaac.exe)  PID:2972
- Executes dropped EXE
depth 52  C:\Windows\SysWOW64\Finnef32.exe  (cmdline: C:\Windows\system32\Finnef32.exe)  PID:4340
- Executes dropped EXE
depth 53  C:\Windows\SysWOW64\Feenjgfq.exe  (cmdline: C:\Windows\system32\Feenjgfq.exe)  PID:1476
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 54  C:\Windows\SysWOW64\Galoohke.exe  (cmdline: C:\Windows\system32\Galoohke.exe)  PID:3616
- Executes dropped EXE
depth 55  C:\Windows\SysWOW64\Gnpphljo.exe  (cmdline: C:\Windows\system32\Gnpphljo.exe)  PID:772
- Executes dropped EXE
depth 56  C:\Windows\SysWOW64\Ggmmlamj.exe  (cmdline: C:\Windows\system32\Ggmmlamj.exe)  PID:2032
- Executes dropped EXE
- Drops file in System32 directory
depth 57  C:\Windows\SysWOW64\Geanfelc.exe  (cmdline: C:\Windows\system32\Geanfelc.exe)  PID:3984
- Executes dropped EXE
depth 58  C:\Windows\SysWOW64\Hpfbcn32.exe  (cmdline: C:\Windows\system32\Hpfbcn32.exe)  PID:1232
- Executes dropped EXE
- Drops file in System32 directory
depth 59  C:\Windows\SysWOW64\Hioflcbj.exe  (cmdline: C:\Windows\system32\Hioflcbj.exe)  PID:4720
- Executes dropped EXE
- Drops file in System32 directory
depth 60  C:\Windows\SysWOW64\Hnlodjpa.exe  (cmdline: C:\Windows\system32\Hnlodjpa.exe)  PID:3868
- Executes dropped EXE
depth 61  C:\Windows\SysWOW64\Hhdcmp32.exe  (cmdline: C:\Windows\system32\Hhdcmp32.exe)  PID:3700
- Executes dropped EXE
depth 62  C:\Windows\SysWOW64\Halhfe32.exe  (cmdline: C:\Windows\system32\Halhfe32.exe)  PID:4452
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 63  C:\Windows\SysWOW64\Hpmhdmea.exe  (cmdline: C:\Windows\system32\Hpmhdmea.exe)  PID:1984
- Executes dropped EXE
- Modifies registry class
depth 64  C:\Windows\SysWOW64\Hifmmb32.exe  (cmdline: C:\Windows\system32\Hifmmb32.exe)  PID:4432
- Executes dropped EXE
depth 65  C:\Windows\SysWOW64\Hnbeeiji.exe  (cmdline: C:\Windows\system32\Hnbeeiji.exe)  PID:2320
- Executes dropped EXE
depth 66  C:\Windows\SysWOW64\Ihkjno32.exe  (cmdline: C:\Windows\system32\Ihkjno32.exe)  PID:4280
depth 67  C:\Windows\SysWOW64\Ibqnkh32.exe  (cmdline: C:\Windows\system32\Ibqnkh32.exe)  PID:376
depth 68  C:\Windows\SysWOW64\Ilibdmgp.exe  (cmdline: C:\Windows\system32\Ilibdmgp.exe)  PID:4764
- Drops file in System32 directory
depth 69  C:\Windows\SysWOW64\Iafkld32.exe  (cmdline: C:\Windows\system32\Iafkld32.exe)  PID:4520
depth 70  C:\Windows\SysWOW64\Ieccbbkn.exe  (cmdline: C:\Windows\system32\Ieccbbkn.exe)  PID:3696
- Modifies registry class
depth 71  C:\Windows\SysWOW64\Ipihpkkd.exe  (cmdline: C:\Windows\system32\Ipihpkkd.exe)  PID:404
depth 72  C:\Windows\SysWOW64\Iefphb32.exe  (cmdline: C:\Windows\system32\Iefphb32.exe)  PID:4360
- Adds autorun key to be loaded by Explorer.exe on startup
depth 73  C:\Windows\SysWOW64\Ibjqaf32.exe  (cmdline: C:\Windows\system32\Ibjqaf32.exe)  PID:5132
depth 74  C:\Windows\SysWOW64\Jidinqpb.exe  (cmdline: C:\Windows\system32\Jidinqpb.exe)  PID:5172
depth 75  C:\Windows\SysWOW64\Jaonbc32.exe  (cmdline: C:\Windows\system32\Jaonbc32.exe)  PID:5212
depth 76  C:\Windows\SysWOW64\Jldbpl32.exe  (cmdline: C:\Windows\system32\Jldbpl32.exe)  PID:5252
depth 77  C:\Windows\SysWOW64\Jemfhacc.exe  (cmdline: C:\Windows\system32\Jemfhacc.exe)  PID:5284
- Adds autorun key to be loaded by Explorer.exe on startup
depth 78  C:\Windows\SysWOW64\Jbagbebm.exe  (cmdline: C:\Windows\system32\Jbagbebm.exe)  PID:5340
depth 79  C:\Windows\SysWOW64\Jhnojl32.exe  (cmdline: C:\Windows\system32\Jhnojl32.exe)  PID:5384
depth 80  C:\Windows\SysWOW64\Jafdcbge.exe  (cmdline: C:\Windows\system32\Jafdcbge.exe)  PID:5428
depth 81  C:\Windows\SysWOW64\Jojdlfeo.exe  (cmdline: C:\Windows\system32\Jojdlfeo.exe)  PID:5468
depth 82  C:\Windows\SysWOW64\Kiphjo32.exe  (cmdline: C:\Windows\system32\Kiphjo32.exe)  PID:5508
depth 83  C:\Windows\SysWOW64\Kbhmbdle.exe  (cmdline: C:\Windows\system32\Kbhmbdle.exe)  PID:5556
depth 84  C:\Windows\SysWOW64\Klpakj32.exe  (cmdline: C:\Windows\system32\Klpakj32.exe)  PID:5612
depth 85  C:\Windows\SysWOW64\Keifdpif.exe  (cmdline: C:\Windows\system32\Keifdpif.exe)  PID:5680
- Modifies registry class
depth 86  C:\Windows\SysWOW64\Klbnajqc.exe  (cmdline: C:\Windows\system32\Klbnajqc.exe)  PID:5724
depth 87  C:\Windows\SysWOW64\Kekbjo32.exe  (cmdline: C:\Windows\system32\Kekbjo32.exe)  PID:5792
depth 88  C:\Windows\SysWOW64\Kocgbend.exe  (cmdline: C:\Windows\system32\Kocgbend.exe)  PID:5836
depth 89  C:\Windows\SysWOW64\Klggli32.exe  (cmdline: C:\Windows\system32\Klggli32.exe)  PID:5888
depth 90  C:\Windows\SysWOW64\Lljdai32.exe  (cmdline: C:\Windows\system32\Lljdai32.exe)  PID:5936
depth 91  C:\Windows\SysWOW64\Lhqefjpo.exe  (cmdline: C:\Windows\system32\Lhqefjpo.exe)  PID:5980
depth 92  C:\Windows\SysWOW64\Lcfidb32.exe  (cmdline: C:\Windows\system32\Lcfidb32.exe)  PID:6028
- Drops file in System32 directory
depth 93  C:\Windows\SysWOW64\Lhcali32.exe  (cmdline: C:\Windows\system32\Lhcali32.exe)  PID:6068
depth 94  C:\Windows\SysWOW64\Lakfeodm.exe  (cmdline: C:\Windows\system32\Lakfeodm.exe)  PID:6116
depth 95  C:\Windows\SysWOW64\Lplfcf32.exe  (cmdline: C:\Windows\system32\Lplfcf32.exe)  PID:5124
depth 96  C:\Windows\SysWOW64\Lhgkgijg.exe  (cmdline: C:\Windows\system32\Lhgkgijg.exe)  PID:5204
depth 97  C:\Windows\SysWOW64\Loacdc32.exe  (cmdline: C:\Windows\system32\Loacdc32.exe)  PID:5276
depth 98  C:\Windows\SysWOW64\Mledmg32.exe  (cmdline: C:\Windows\system32\Mledmg32.exe)  PID:5368
depth 99  C:\Windows\SysWOW64\Mablfnne.exe  (cmdline: C:\Windows\system32\Mablfnne.exe)  PID:5436
depth 100  C:\Windows\SysWOW64\Mlhqcgnk.exe  (cmdline: C:\Windows\system32\Mlhqcgnk.exe)  PID:5496
depth 101  C:\Windows\SysWOW64\Mbdiknlb.exe  (cmdline: C:\Windows\system32\Mbdiknlb.exe)  PID:3196
depth 102  C:\Windows\SysWOW64\Mljmhflh.exe  (cmdline: C:\Windows\system32\Mljmhflh.exe)  PID:5592
- Adds autorun key to be loaded by Explorer.exe on startup
depth 103  C:\Windows\SysWOW64\Mfbaalbi.exe  (cmdline: C:\Windows\system32\Mfbaalbi.exe)  PID:5704
depth 104  C:\Windows\SysWOW64\Mqhfoebo.exe  (cmdline: C:\Windows\system32\Mqhfoebo.exe)  PID:5772
depth 105  C:\Windows\SysWOW64\Mjpjgj32.exe  (cmdline: C:\Windows\system32\Mjpjgj32.exe)  PID:5880
depth 106  C:\Windows\SysWOW64\Mqjbddpl.exe  (cmdline: C:\Windows\system32\Mqjbddpl.exe)  PID:5944
depth 107  C:\Windows\SysWOW64\Nhegig32.exe  (cmdline: C:\Windows\system32\Nhegig32.exe)  PID:6012
depth 108  C:\Windows\SysWOW64\Nckkfp32.exe  (cmdline: C:\Windows\system32\Nckkfp32.exe)  PID:4836
depth 109  C:\Windows\SysWOW64\Nhhdnf32.exe  (cmdline: C:\Windows\system32\Nhhdnf32.exe)  PID:5224
depth 110  C:\Windows\SysWOW64\Acdioc32.exe  (cmdline: C:\Windows\system32\Acdioc32.exe)  PID:5312
- Adds autorun key to be loaded by Explorer.exe on startup
depth 111  C:\Windows\SysWOW64\Aiabhj32.exe  (cmdline: C:\Windows\system32\Aiabhj32.exe)  PID:5524
- Drops file in System32 directory
depth 112  C:\Windows\SysWOW64\Abjfqpji.exe  (cmdline: C:\Windows\system32\Abjfqpji.exe)  PID:5720
depth 113  C:\Windows\SysWOW64\Gcgqag32.exe  (cmdline: C:\Windows\system32\Gcgqag32.exe)  PID:5816
depth 114  C:\Windows\SysWOW64\Gjqinamq.exe  (cmdline: C:\Windows\system32\Gjqinamq.exe)  PID:6020
depth 115  C:\Windows\SysWOW64\Gloejmld.exe  (cmdline: C:\Windows\system32\Gloejmld.exe)  PID:748
- Adds autorun key to be loaded by Explorer.exe on startup
depth 116  C:\Windows\SysWOW64\Gdfmkjlg.exe  (cmdline: C:\Windows\system32\Gdfmkjlg.exe)  PID:1172
depth 117  C:\Windows\SysWOW64\Gfgjbb32.exe  (cmdline: C:\Windows\system32\Gfgjbb32.exe)  PID:5268
depth 118  C:\Windows\SysWOW64\Glabolja.exe  (cmdline: C:\Windows\system32\Glabolja.exe)  PID:5504
depth 119  C:\Windows\SysWOW64\Gdhjpjjd.exe  (cmdline: C:\Windows\system32\Gdhjpjjd.exe)  PID:1332
- Drops file in System32 directory
depth 120  C:\Windows\SysWOW64\Gjebiq32.exe  (cmdline: C:\Windows\system32\Gjebiq32.exe)  PID:5864
depth 121  C:\Windows\SysWOW64\Gdkffi32.exe  (cmdline: C:\Windows\system32\Gdkffi32.exe)  PID:6076
depth 122  C:\Windows\SysWOW64\Gjhonp32.exe  (cmdline: C:\Windows\system32\Gjhonp32.exe)  PID:5180
- Adds autorun key to be loaded by Explorer.exe on startup