Analysis
max time kernel: 172s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 01-11-2023 14:17
Behavioral task behavioral1
Sample: NEAS.b0befb0b92aa85a1726d08ceaae8f9c0.exe
Resource: win7-20231020-en

Behavioral task behavioral2
Sample: NEAS.b0befb0b92aa85a1726d08ceaae8f9c0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.b0befb0b92aa85a1726d08ceaae8f9c0.exe
Size: 100KB
MD5: b0befb0b92aa85a1726d08ceaae8f9c0
SHA1: 1c7e02b8f577dec691c5d3b963b8ab31b8ab3e5d
SHA256: 20cdaba3b5e36019e66643776de835a51573ff5d8ce5727f6e0a56c0ff873162
SHA512: cf4a372beebad5219061ff006eafddd4c29fe07ee50bd6e448d52955016339af205e749b641b957aab88a1d2cde4ae4e7e823dc2bd77e0832a4f2a65666f5271
SSDEEP: 1536:Mft7Gle8qVB8eDMUJbD8/ObXEUauavoU88kOkQ3KifYb+VHtR/6WOREN7DVrF8nD:MKehNo/ObYgbUHtR/bOMFR8n5j8YD
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 2 IoCs
pid   pid_target  Process       procid_target
4212  6128        WerFault.exe  484
7968  6128        WerFault.exe  484
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.b0befb0b92aa85a1726d08ceaae8f9c0.exe (PID 1284), command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b0befb0b92aa85a1726d08ceaae8f9c0.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\Fkiapn32.exe (PID 928), command line: C:\Windows\system32\Fkiapn32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\Ioafchai.exe (PID 780), command line: C:\Windows\system32\Ioafchai.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\Jflgfpkc.exe (PID 2028), command line: C:\Windows\system32\Jflgfpkc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\Lcndab32.exe (PID 3484), command line: C:\Windows\system32\Lcndab32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 6: C:\Windows\SysWOW64\Mmokpglb.exe (PID 4944), command line: C:\Windows\system32\Mmokpglb.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\Nipokfil.exe (PID 3960), command line: C:\Windows\system32\Nipokfil.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 8: C:\Windows\SysWOW64\Olgnnqpe.exe (PID 4524), command line: C:\Windows\system32\Olgnnqpe.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 9: C:\Windows\SysWOW64\Obafjk32.exe (PID 1008), command line: C:\Windows\system32\Obafjk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 10: C:\Windows\SysWOW64\Oibdhd32.exe (PID 1916), command line: C:\Windows\system32\Oibdhd32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 11: C:\Windows\SysWOW64\Ppepkmhi.exe (PID 4348), command line: C:\Windows\system32\Ppepkmhi.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 12: C:\Windows\SysWOW64\Qciebg32.exe (PID 3496), command line: C:\Windows\system32\Qciebg32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 13: C:\Windows\SysWOW64\Bdfnmhnj.exe (PID 3076), command line: C:\Windows\system32\Bdfnmhnj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 14: C:\Windows\SysWOW64\Bkepeaaa.exe (PID 2324), command line: C:\Windows\system32\Bkepeaaa.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 15: C:\Windows\SysWOW64\Ccigpbga.exe (PID 4480), command line: C:\Windows\system32\Ccigpbga.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 16: C:\Windows\SysWOW64\Cggpfa32.exe (PID 3128), command line: C:\Windows\system32\Cggpfa32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Level 17: C:\Windows\SysWOW64\Debfpd32.exe (PID 1892), command line: C:\Windows\system32\Debfpd32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Level 18: C:\Windows\SysWOW64\Ecjpfp32.exe (PID 4560), command line: C:\Windows\system32\Ecjpfp32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 19: C:\Windows\SysWOW64\Ecafgo32.exe (PID 3924), command line: C:\Windows\system32\Ecafgo32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 20: C:\Windows\SysWOW64\Fhfenmbe.exe (PID 4188), command line: C:\Windows\system32\Fhfenmbe.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 21: C:\Windows\SysWOW64\Gmnmbbgp.exe (PID 1612), command line: C:\Windows\system32\Gmnmbbgp.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 22: C:\Windows\SysWOW64\Hobcgdjm.exe (PID 772), command line: C:\Windows\system32\Hobcgdjm.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 23: C:\Windows\SysWOW64\Haeino32.exe (PID 1396), command line: C:\Windows\system32\Haeino32.exe
  - Executes dropped EXE
Level 24: C:\Windows\SysWOW64\Jlkfbe32.exe (PID 4068), command line: C:\Windows\system32\Jlkfbe32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Level 25: C:\Windows\SysWOW64\Jaodkk32.exe (PID 3576), command line: C:\Windows\system32\Jaodkk32.exe
  - Executes dropped EXE
Level 26: C:\Windows\SysWOW64\Kklbop32.exe (PID 4264), command line: C:\Windows\system32\Kklbop32.exe
  - Executes dropped EXE
Level 27: C:\Windows\SysWOW64\Lhgiic32.exe (PID 768), command line: C:\Windows\system32\Lhgiic32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
Level 28: C:\Windows\SysWOW64\Omkmhlpf.exe (PID 3396), command line: C:\Windows\system32\Omkmhlpf.exe
  - Executes dropped EXE
  - Modifies registry class
Level 29: C:\Windows\SysWOW64\Abmhbplf.exe (PID 1100), command line: C:\Windows\system32\Abmhbplf.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Level 30: C:\Windows\SysWOW64\Aljefena.exe (PID 1736), command line: C:\Windows\system32\Aljefena.exe
  - Executes dropped EXE
Level 31: C:\Windows\SysWOW64\Dokqfl32.exe (PID 468), command line: C:\Windows\system32\Dokqfl32.exe
  - Executes dropped EXE
Level 32: C:\Windows\SysWOW64\Fplimi32.exe (PID 2472), command line: C:\Windows\system32\Fplimi32.exe
  - Executes dropped EXE
  - Modifies registry class
Level 33: C:\Windows\SysWOW64\Gnhifonl.exe (PID 5084), command line: C:\Windows\system32\Gnhifonl.exe
  - Executes dropped EXE
Level 34: C:\Windows\SysWOW64\Galonj32.exe (PID 1760), command line: C:\Windows\system32\Galonj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
Level 35: C:\Windows\SysWOW64\Hhhdpd32.exe (PID 464), command line: C:\Windows\system32\Hhhdpd32.exe
  - Executes dropped EXE
Level 36: C:\Windows\SysWOW64\Hmlbij32.exe (PID 4412), command line: C:\Windows\system32\Hmlbij32.exe
  - Executes dropped EXE
Level 37: C:\Windows\SysWOW64\Ipcakd32.exe (PID 956), command line: C:\Windows\system32\Ipcakd32.exe
  - Executes dropped EXE
Level 38: C:\Windows\SysWOW64\Khkbcopl.exe (PID 3788), command line: C:\Windows\system32\Khkbcopl.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Level 39: C:\Windows\SysWOW64\Lnoalehl.exe (PID 3712), command line: C:\Windows\system32\Lnoalehl.exe
  - Executes dropped EXE
Level 40: C:\Windows\SysWOW64\Ldpoinjq.exe (PID 4328), command line: C:\Windows\system32\Ldpoinjq.exe
  - Executes dropped EXE
  - Modifies registry class
Level 41: C:\Windows\SysWOW64\Mojmbf32.exe (PID 3132), command line: C:\Windows\system32\Mojmbf32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Level 42: C:\Windows\SysWOW64\Mbpoop32.exe (PID 2288), command line: C:\Windows\system32\Mbpoop32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Level 43: C:\Windows\SysWOW64\Nbibeo32.exe (PID 1792), command line: C:\Windows\system32\Nbibeo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
Level 44: C:\Windows\SysWOW64\Ogajid32.exe (PID 1820), command line: C:\Windows\system32\Ogajid32.exe
  - Executes dropped EXE
  - Modifies registry class
Level 45: C:\Windows\SysWOW64\Onkbenbi.exe (PID 964), command line: C:\Windows\system32\Onkbenbi.exe
  - Executes dropped EXE
Level 46: C:\Windows\SysWOW64\Pelacg32.exe (PID 3624), command line: C:\Windows\system32\Pelacg32.exe
  - Executes dropped EXE
Level 47: C:\Windows\SysWOW64\Pneelmjo.exe (PID 3988), command line: C:\Windows\system32\Pneelmjo.exe
  - Executes dropped EXE
  - Modifies registry class
Level 48: C:\Windows\SysWOW64\Pbbnbkpe.exe (PID 1164), command line: C:\Windows\system32\Pbbnbkpe.exe
  - Executes dropped EXE
Level 49: C:\Windows\SysWOW64\Aiapjecl.exe (PID 4312), command line: C:\Windows\system32\Aiapjecl.exe
  - Executes dropped EXE
Level 50: C:\Windows\SysWOW64\Appaangd.exe (PID 1104), command line: C:\Windows\system32\Appaangd.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Level 51: C:\Windows\SysWOW64\Abcgii32.exe (PID 1884), command line: C:\Windows\system32\Abcgii32.exe
  - Executes dropped EXE
Level 52: C:\Windows\SysWOW64\Blpemn32.exe (PID 4512), command line: C:\Windows\system32\Blpemn32.exe
  - Executes dropped EXE
  - Modifies registry class
Level 53: C:\Windows\SysWOW64\Bocjdiol.exe (PID 4876), command line: C:\Windows\system32\Bocjdiol.exe
  - Executes dropped EXE
Level 54: C:\Windows\SysWOW64\Caimachg.exe (PID 2280), command line: C:\Windows\system32\Caimachg.exe
  - Executes dropped EXE
Level 55: C:\Windows\SysWOW64\Clnanlhn.exe (PID 3404), command line: C:\Windows\system32\Clnanlhn.exe
  - Executes dropped EXE
Level 56: C:\Windows\SysWOW64\Dpcpei32.exe (PID 1116), command line: C:\Windows\system32\Dpcpei32.exe
  - Executes dropped EXE
Level 57: C:\Windows\SysWOW64\Dljqjjnp.exe (PID 3092), command line: C:\Windows\system32\Dljqjjnp.exe
  - Executes dropped EXE
Level 58: C:\Windows\SysWOW64\Ehhgpj32.exe (PID 4880), command line: C:\Windows\system32\Ehhgpj32.exe
  - Executes dropped EXE
Level 59: C:\Windows\SysWOW64\Fqcilgji.exe (PID 1776), command line: C:\Windows\system32\Fqcilgji.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Level 60: C:\Windows\SysWOW64\Gqfohdjd.exe (PID 4268), command line: C:\Windows\system32\Gqfohdjd.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Level 61: C:\Windows\SysWOW64\Hfjmajbc.exe (PID 232), command line: C:\Windows\system32\Hfjmajbc.exe
  - Executes dropped EXE
  - Modifies registry class
Level 62: C:\Windows\SysWOW64\Ipqnknld.exe (PID 2888), command line: C:\Windows\system32\Ipqnknld.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Level 63: C:\Windows\SysWOW64\Jjklcf32.exe (PID 4712), command line: C:\Windows\system32\Jjklcf32.exe
  - Executes dropped EXE
Level 64: C:\Windows\SysWOW64\Kpagbk32.exe (PID 1604), command line: C:\Windows\system32\Kpagbk32.exe
  - Executes dropped EXE
Level 65: C:\Windows\SysWOW64\Kapclned.exe (PID 4416), command line: C:\Windows\system32\Kapclned.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Level 66: C:\Windows\SysWOW64\Lpmfnj32.exe (PID 4676), command line: C:\Windows\system32\Lpmfnj32.exe
Level 67: C:\Windows\SysWOW64\Lgnekcei.exe (PID 5048), command line: C:\Windows\system32\Lgnekcei.exe
Level 68: C:\Windows\SysWOW64\Nddkaddm.exe (PID 644), command line: C:\Windows\system32\Nddkaddm.exe
  - Drops file in System32 directory
Level 69: C:\Windows\SysWOW64\Ogqcon32.exe (PID 2928), command line: C:\Windows\system32\Ogqcon32.exe
Level 70: C:\Windows\SysWOW64\Pgemimck.exe (PID 2452), command line: C:\Windows\system32\Pgemimck.exe
  - Drops file in System32 directory
  - Modifies registry class
Level 71: C:\Windows\SysWOW64\Pjffkhpl.exe (PID 4868), command line: C:\Windows\system32\Pjffkhpl.exe
Level 72: C:\Windows\SysWOW64\Ajphagha.exe (PID 4080), command line: C:\Windows\system32\Ajphagha.exe
Level 73: C:\Windows\SysWOW64\Bjpaheio.exe (PID 448), command line: C:\Windows\system32\Bjpaheio.exe
Level 74: C:\Windows\SysWOW64\Coepob32.exe (PID 4204), command line: C:\Windows\system32\Coepob32.exe
Level 75: C:\Windows\SysWOW64\Ckpjob32.exe (PID 1680), command line: C:\Windows\system32\Ckpjob32.exe
  - Modifies registry class
Level 76: C:\Windows\SysWOW64\Dlgmjdlg.exe (PID 4032), command line: C:\Windows\system32\Dlgmjdlg.exe
  - Drops file in System32 directory
Level 77: C:\Windows\SysWOW64\Ehddpdlc.exe (PID 3692), command line: C:\Windows\system32\Ehddpdlc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 78: C:\Windows\SysWOW64\Eoollocp.exe (PID 4944), command line: C:\Windows\system32\Eoollocp.exe
Level 79: C:\Windows\SysWOW64\Edkddeag.exe (PID 2816), command line: C:\Windows\system32\Edkddeag.exe
Level 80: C:\Windows\SysWOW64\Eoaianan.exe (PID 5012), command line: C:\Windows\system32\Eoaianan.exe
  - Drops file in System32 directory
Level 81: C:\Windows\SysWOW64\Fcanmlea.exe (PID 4736), command line: C:\Windows\system32\Fcanmlea.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 82: C:\Windows\SysWOW64\Fhngfcdi.exe (PID 2248), command line: C:\Windows\system32\Fhngfcdi.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 83: C:\Windows\SysWOW64\Fcckcl32.exe (PID 1916), command line: C:\Windows\system32\Fcckcl32.exe
Level 84: C:\Windows\SysWOW64\Ffdddg32.exe (PID 1384), command line: C:\Windows\system32\Ffdddg32.exe
Level 85: C:\Windows\SysWOW64\Fffqjfom.exe (PID 452), command line: C:\Windows\system32\Fffqjfom.exe
  - Modifies registry class
Level 86: C:\Windows\SysWOW64\Gbpnegbo.exe (PID 3516), command line: C:\Windows\system32\Gbpnegbo.exe
Level 87: C:\Windows\SysWOW64\Ghjfaa32.exe (PID 2660), command line: C:\Windows\system32\Ghjfaa32.exe
  - Modifies registry class
Level 88: C:\Windows\SysWOW64\Gbbkjgpl.exe (PID 4600), command line: C:\Windows\system32\Gbbkjgpl.exe
Level 89: C:\Windows\SysWOW64\Hejjmage.exe (PID 3564), command line: C:\Windows\system32\Hejjmage.exe
Level 90: C:\Windows\SysWOW64\Kimnlj32.exe (PID 4292), command line: C:\Windows\system32\Kimnlj32.exe
Level 91: C:\Windows\SysWOW64\Olhlaoea.exe (PID 4524), command line: C:\Windows\system32\Olhlaoea.exe
Level 92: C:\Windows\SysWOW64\Pfeiedhm.exe (PID 4180), command line: C:\Windows\system32\Pfeiedhm.exe
  - Modifies registry class
Level 93: C:\Windows\SysWOW64\Qfaiabnp.exe (PID 1888), command line: C:\Windows\system32\Qfaiabnp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 94: C:\Windows\SysWOW64\Cabfagee.exe (PID 2216), command line: C:\Windows\system32\Cabfagee.exe
Level 95: C:\Windows\SysWOW64\Chmnnamb.exe (PID 4000), command line: C:\Windows\system32\Chmnnamb.exe
  - Modifies registry class
Level 96: C:\Windows\SysWOW64\Cnffjl32.exe (PID 1056), command line: C:\Windows\system32\Cnffjl32.exe
Level 97: C:\Windows\SysWOW64\Ealanc32.exe (PID 2104), command line: C:\Windows\system32\Ealanc32.exe
  - Modifies registry class
Level 98: C:\Windows\SysWOW64\Eopbghnb.exe (PID 3592), command line: C:\Windows\system32\Eopbghnb.exe
  - Modifies registry class
Level 99: C:\Windows\SysWOW64\Fafddb32.exe (PID 1572), command line: C:\Windows\system32\Fafddb32.exe
Level 100: C:\Windows\SysWOW64\Fhpmql32.exe (PID 3480), command line: C:\Windows\system32\Fhpmql32.exe
Level 101: C:\Windows\SysWOW64\Fojenfeg.exe (PID 184), command line: C:\Windows\system32\Fojenfeg.exe
Level 102: C:\Windows\SysWOW64\Gamjea32.exe (PID 3384), command line: C:\Windows\system32\Gamjea32.exe
  - Drops file in System32 directory
Level 103: C:\Windows\SysWOW64\Ggicmh32.exe (PID 2140), command line: C:\Windows\system32\Ggicmh32.exe
Level 104: C:\Windows\SysWOW64\Gaogja32.exe (PID 1240), command line: C:\Windows\system32\Gaogja32.exe
Level 105: C:\Windows\SysWOW64\Gdbmalja.exe (PID 772), command line: C:\Windows\system32\Gdbmalja.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 106: C:\Windows\SysWOW64\Gklenf32.exe (PID 820), command line: C:\Windows\system32\Gklenf32.exe
Level 107: C:\Windows\SysWOW64\Gafmkp32.exe (PID 5152), command line: C:\Windows\system32\Gafmkp32.exe
  - Drops file in System32 directory
Level 108: C:\Windows\SysWOW64\Gddigk32.exe (PID 5196), command line: C:\Windows\system32\Gddigk32.exe
Level 109: C:\Windows\SysWOW64\Hnmnpano.exe (PID 5236), command line: C:\Windows\system32\Hnmnpano.exe
Level 110: C:\Windows\SysWOW64\Hhbbmjne.exe (PID 5272), command line: C:\Windows\system32\Hhbbmjne.exe
  - Drops file in System32 directory
Level 111: C:\Windows\SysWOW64\Hnokeqll.exe (PID 5324), command line: C:\Windows\system32\Hnokeqll.exe
Level 112: C:\Windows\SysWOW64\Hggonfbm.exe (PID 5372), command line: C:\Windows\system32\Hggonfbm.exe
Level 113: C:\Windows\SysWOW64\Hnagkp32.exe (PID 5444), command line: C:\Windows\system32\Hnagkp32.exe
Level 114: C:\Windows\SysWOW64\Idgocigi.exe (PID 5484), command line: C:\Windows\system32\Idgocigi.exe
Level 115: C:\Windows\SysWOW64\Igfkpd32.exe (PID 5524), command line: C:\Windows\system32\Igfkpd32.exe
  - Drops file in System32 directory
Level 116: C:\Windows\SysWOW64\Ibkpmm32.exe (PID 5568), command line: C:\Windows\system32\Ibkpmm32.exe
Level 117: C:\Windows\SysWOW64\Inbpbnlg.exe (PID 5628), command line: C:\Windows\system32\Inbpbnlg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
Level 118: C:\Windows\SysWOW64\Jpffgp32.exe (PID 5672), command line: C:\Windows\system32\Jpffgp32.exe
Level 119: C:\Windows\SysWOW64\Jecoog32.exe (PID 5716), command line: C:\Windows\system32\Jecoog32.exe
  - Drops file in System32 directory
Level 120: C:\Windows\SysWOW64\Jnnpnl32.exe (PID 5752), command line: C:\Windows\system32\Jnnpnl32.exe
Level 121: C:\Windows\SysWOW64\Kehhjfif.exe (PID 5800), command line: C:\Windows\system32\Kehhjfif.exe
Level 122: C:\Windows\SysWOW64\Kpmlhoil.exe (PID 5840), command line: C:\Windows\system32\Kpmlhoil.exe
  - Drops file in System32 directory