Analysis
max time kernel: 148s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2023 18:07
Behavioral task: behavioral1
Sample: NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
Size: 235KB
MD5: c0ebe06faaf07fee4a6f20b7d4cef691
SHA1: 76e1f1bfe0dbe96b1e1909ade8be7be7c98bbfdf
SHA256: da813ca37b224e8ab8f3cf4c9d69bc3b2c8a477b38b09f9bb14f22ec012d76f4
SHA512: 060bf8ad666183bec96b315c2a21eb0fa0a810d8824eeee820a2aa7d8ac9690c6658b3deaafebb0d6e9232dc18d56d45b9f9ff0ea4b0c39b2532bb052a0e12e9
SSDEEP: 3072:+V0woZeAnFYDKvAzHOVMgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ4vnZy7L5AuJaW4q:GJWFYDhzulrtMsQB+vn87L5A5
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (2 IoCs)
pid   pid_target  Process       procid_target
4368  1128        WerFault.exe  444
4068  1128        WerFault.exe  444
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Bjjmfn32.exeC:\Windows\system32\Bjjmfn32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Gaccbaeq.exeC:\Windows\system32\Gaccbaeq.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Gehbio32.exeC:\Windows\system32\Gehbio32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Haclio32.exeC:\Windows\system32\Haclio32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Ihkpgg32.exeC:\Windows\system32\Ihkpgg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Jookjpam.exeC:\Windows\system32\Jookjpam.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Kbfjljhf.exeC:\Windows\system32\Kbfjljhf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\Lnfngj32.exeC:\Windows\system32\Lnfngj32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Miqlpbap.exeC:\Windows\system32\Miqlpbap.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Mbpfig32.exeC:\Windows\system32\Mbpfig32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Nlmdml32.exeC:\Windows\system32\Nlmdml32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Nbiioe32.exeC:\Windows\system32\Nbiioe32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Obnbjdfi.exeC:\Windows\system32\Obnbjdfi.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Opbcdieb.exeC:\Windows\system32\Opbcdieb.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Windows\SysWOW64\Ofnhfbjl.exeC:\Windows\system32\Ofnhfbjl.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Olnmdi32.exeC:\Windows\system32\Olnmdi32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Pfenga32.exeC:\Windows\system32\Pfenga32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Pbahgbfc.exeC:\Windows\system32\Pbahgbfc.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Amibqhed.exeC:\Windows\system32\Amibqhed.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Cofndo32.exeC:\Windows\system32\Cofndo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Ccdgjm32.exeC:\Windows\system32\Ccdgjm32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Djgbmffn.exeC:\Windows\system32\Djgbmffn.exe23⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Dmhkoaco.exeC:\Windows\system32\Dmhkoaco.exe24⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Eqmjen32.exeC:\Windows\system32\Eqmjen32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Eqdpfm32.exeC:\Windows\system32\Eqdpfm32.exe26⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Fnacfp32.exeC:\Windows\system32\Fnacfp32.exe27⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Hnfehm32.exeC:\Windows\system32\Hnfehm32.exe28⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Jdkmgali.exeC:\Windows\system32\Jdkmgali.exe29⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Kaonaekb.exeC:\Windows\system32\Kaonaekb.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4864 -
C:\Windows\SysWOW64\Knenffqf.exeC:\Windows\system32\Knenffqf.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Lhdeinhb.exeC:\Windows\system32\Lhdeinhb.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Lncjgddf.exeC:\Windows\system32\Lncjgddf.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Lglopjkg.exeC:\Windows\system32\Lglopjkg.exe34⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Mbfmha32.exeC:\Windows\system32\Mbfmha32.exe35⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Oghgbe32.exeC:\Windows\system32\Oghgbe32.exe36⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Ongijo32.exeC:\Windows\system32\Ongijo32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Obdbqm32.exeC:\Windows\system32\Obdbqm32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Olmficce.exeC:\Windows\system32\Olmficce.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Phfcdcfg.exeC:\Windows\system32\Phfcdcfg.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4112 -
C:\Windows\SysWOW64\Panhmi32.exeC:\Windows\system32\Panhmi32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Pbndgl32.exeC:\Windows\system32\Pbndgl32.exe42⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Aoqegk32.exeC:\Windows\system32\Aoqegk32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4548 -
C:\Windows\SysWOW64\Bafgdfim.exeC:\Windows\system32\Bafgdfim.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Blnhgn32.exeC:\Windows\system32\Blnhgn32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Bplammmf.exeC:\Windows\system32\Bplammmf.exe46⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Bhgeao32.exeC:\Windows\system32\Bhgeao32.exe47⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Cikkga32.exeC:\Windows\system32\Cikkga32.exe48⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Clqncl32.exeC:\Windows\system32\Clqncl32.exe49⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Dlckik32.exeC:\Windows\system32\Dlckik32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:64 -
C:\Windows\SysWOW64\Dhjknljl.exeC:\Windows\system32\Dhjknljl.exe51⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Dadlmanj.exeC:\Windows\system32\Dadlmanj.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Ebifha32.exeC:\Windows\system32\Ebifha32.exe53⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ffbnin32.exeC:\Windows\system32\Ffbnin32.exe54⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Fmmffhnk.exeC:\Windows\system32\Fmmffhnk.exe55⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Fqmlbfbo.exeC:\Windows\system32\Fqmlbfbo.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Fihqfh32.exeC:\Windows\system32\Fihqfh32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Himche32.exeC:\Windows\system32\Himche32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\Hcbgen32.exeC:\Windows\system32\Hcbgen32.exe59⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Iapjeq32.exeC:\Windows\system32\Iapjeq32.exe60⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Lkpnec32.exeC:\Windows\system32\Lkpnec32.exe61⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Lgfojd32.exeC:\Windows\system32\Lgfojd32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Lcmopeae.exeC:\Windows\system32\Lcmopeae.exe63⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Lijdbofo.exeC:\Windows\system32\Lijdbofo.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Lkiqla32.exeC:\Windows\system32\Lkiqla32.exe65⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Mjnnmn32.exeC:\Windows\system32\Mjnnmn32.exe66⤵
- Drops file in System32 directory
PID:4056 -
C:\Windows\SysWOW64\Mknjgajl.exeC:\Windows\system32\Mknjgajl.exe67⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Mgidgakk.exeC:\Windows\system32\Mgidgakk.exe68⤵PID:1228
-
C:\Windows\SysWOW64\Nqaipgal.exeC:\Windows\system32\Nqaipgal.exe69⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Ngnnbq32.exeC:\Windows\system32\Ngnnbq32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:3844 -
C:\Windows\SysWOW64\Njacikbd.exeC:\Windows\system32\Njacikbd.exe71⤵PID:4724
-
C:\Windows\SysWOW64\Ngedbp32.exeC:\Windows\system32\Ngedbp32.exe72⤵PID:1276
-
C:\Windows\SysWOW64\Okcmingd.exeC:\Windows\system32\Okcmingd.exe73⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Ogjmnomi.exeC:\Windows\system32\Ogjmnomi.exe74⤵PID:3464
-
C:\Windows\SysWOW64\Oboakhmo.exeC:\Windows\system32\Oboakhmo.exe75⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Ogljcokf.exeC:\Windows\system32\Ogljcokf.exe76⤵PID:1288
-
C:\Windows\SysWOW64\Onhoehpp.exeC:\Windows\system32\Onhoehpp.exe77⤵PID:3884
-
C:\Windows\SysWOW64\Pqihgcma.exeC:\Windows\system32\Pqihgcma.exe78⤵PID:4700
-
C:\Windows\SysWOW64\Pkoldl32.exeC:\Windows\system32\Pkoldl32.exe79⤵
- Drops file in System32 directory
PID:932 -
C:\Windows\SysWOW64\Pcjaio32.exeC:\Windows\system32\Pcjaio32.exe80⤵PID:2384
-
C:\Windows\SysWOW64\Pgjfdm32.exeC:\Windows\system32\Pgjfdm32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Pbpjbe32.exeC:\Windows\system32\Pbpjbe32.exe82⤵PID:4640
-
C:\Windows\SysWOW64\Qlmhfj32.exeC:\Windows\system32\Qlmhfj32.exe83⤵
- Drops file in System32 directory
PID:5040 -
C:\Windows\SysWOW64\Aaianaoo.exeC:\Windows\system32\Aaianaoo.exe84⤵PID:4240
-
C:\Windows\SysWOW64\Aanjiqki.exeC:\Windows\system32\Aanjiqki.exe85⤵PID:468
-
C:\Windows\SysWOW64\Anbkbe32.exeC:\Windows\system32\Anbkbe32.exe86⤵
- Drops file in System32 directory
PID:3880 -
C:\Windows\SysWOW64\Adockl32.exeC:\Windows\system32\Adockl32.exe87⤵PID:1836
-
C:\Windows\SysWOW64\Bjkhme32.exeC:\Windows\system32\Bjkhme32.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Bjnece32.exeC:\Windows\system32\Bjnece32.exe89⤵
- Modifies registry class
PID:3612 -
C:\Windows\SysWOW64\Bjbnndgl.exeC:\Windows\system32\Bjbnndgl.exe90⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Bdkbgj32.exeC:\Windows\system32\Bdkbgj32.exe91⤵PID:2484
-
C:\Windows\SysWOW64\Chhkmh32.exeC:\Windows\system32\Chhkmh32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:4032 -
C:\Windows\SysWOW64\Cbnpja32.exeC:\Windows\system32\Cbnpja32.exe93⤵PID:2596
-
C:\Windows\SysWOW64\Cogmdb32.exeC:\Windows\system32\Cogmdb32.exe94⤵
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\Coijja32.exeC:\Windows\system32\Coijja32.exe95⤵PID:4228
-
C:\Windows\SysWOW64\Chbncg32.exeC:\Windows\system32\Chbncg32.exe96⤵
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Cbgbpp32.exeC:\Windows\system32\Cbgbpp32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Daaiml32.exeC:\Windows\system32\Daaiml32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5172 -
C:\Windows\SysWOW64\Dhnnoe32.exeC:\Windows\system32\Dhnnoe32.exe99⤵PID:5220
-
C:\Windows\SysWOW64\Dafbhkhl.exeC:\Windows\system32\Dafbhkhl.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264 -
C:\Windows\SysWOW64\Eojcao32.exeC:\Windows\system32\Eojcao32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Eedkniob.exeC:\Windows\system32\Eedkniob.exe102⤵PID:5344
-
C:\Windows\SysWOW64\Eefhcimp.exeC:\Windows\system32\Eefhcimp.exe103⤵PID:5404
-
C:\Windows\SysWOW64\Ekemap32.exeC:\Windows\system32\Ekemap32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\Ehimkd32.exeC:\Windows\system32\Ehimkd32.exe105⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Femndhgh.exeC:\Windows\system32\Femndhgh.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5580 -
C:\Windows\SysWOW64\Fcfhhk32.exeC:\Windows\system32\Fcfhhk32.exe107⤵PID:5684
-
C:\Windows\SysWOW64\Gbmaog32.exeC:\Windows\system32\Gbmaog32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732 -
C:\Windows\SysWOW64\Gkffhmka.exeC:\Windows\system32\Gkffhmka.exe109⤵
- Drops file in System32 directory
PID:5776 -
C:\Windows\SysWOW64\Gdnjabab.exeC:\Windows\system32\Gdnjabab.exe110⤵PID:5844
-
C:\Windows\SysWOW64\Hbknqeha.exeC:\Windows\system32\Hbknqeha.exe111⤵PID:5992
-
C:\Windows\SysWOW64\Hkhkdjkl.exeC:\Windows\system32\Hkhkdjkl.exe112⤵
- Drops file in System32 directory
PID:6096 -
C:\Windows\SysWOW64\Jlpklg32.exeC:\Windows\system32\Jlpklg32.exe113⤵
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Kpgfhddn.exeC:\Windows\system32\Kpgfhddn.exe114⤵PID:5152
-
C:\Windows\SysWOW64\Kedoqkbe.exeC:\Windows\system32\Kedoqkbe.exe115⤵PID:5240
-
C:\Windows\SysWOW64\Llngmeja.exeC:\Windows\system32\Llngmeja.exe116⤵PID:5324
-
C:\Windows\SysWOW64\Lifqbi32.exeC:\Windows\system32\Lifqbi32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5388 -
C:\Windows\SysWOW64\Mchhamcl.exeC:\Windows\system32\Mchhamcl.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5496 -
C:\Windows\SysWOW64\Nconal32.exeC:\Windows\system32\Nconal32.exe119⤵PID:5720
-
C:\Windows\SysWOW64\Olaeqp32.exeC:\Windows\system32\Olaeqp32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5948 -
C:\Windows\SysWOW64\Acgfpf32.exeC:\Windows\system32\Acgfpf32.exe121⤵PID:6036
-
C:\Windows\SysWOW64\Anmjmojl.exeC:\Windows\system32\Anmjmojl.exe122⤵PID:6056