Analysis
-
max time kernel
138s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
02/11/2023, 15:23
Behavioral task
behavioral1
Sample
NEAS.f3bfb0f163d3b88387df447485410f50_JC.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.f3bfb0f163d3b88387df447485410f50_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.f3bfb0f163d3b88387df447485410f50_JC.exe
-
Size
107KB
-
MD5
f3bfb0f163d3b88387df447485410f50
-
SHA1
178b85a3ed48b7397006eb732de3c6f757c3f5e8
-
SHA256
0d275d0f1822f9c89ab83eb77172c3155052dd20dc42fac95a7995c70f31fd9d
-
SHA512
eb87347cac92fbed38b7abc72ca41fcc75fdc045a7d7fb61ed41c64d44fecb6a3de234cddc4239b35a9729bc93897fb92857389d597ac6b0c250619fe177af52
-
SSDEEP
1536:6c0VVemPpL/KGzTJYrthLtzc0vIrrg12LLaIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:0WWNCeJY5hLtzZgomLaMU7uihJ5233y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhkgnkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aohfdnil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjahchpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agnkck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hohcmjic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfdaigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehkcgkdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkboeobh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaoihfoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljglnmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnmjomlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhcmbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipihpkkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdlflki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjipmoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kakmna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eliecc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnohnffc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibgmaqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clijablo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgijkgeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keghocao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bndblcdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobhqdec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkedonpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eleimp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcila32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhffijdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcffnbee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icklhnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdipag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocbfjmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpcdjho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dngobghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieagmcmq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijngkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkodak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaemilci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egknji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glqkefff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nomlek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpqap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpnpqakp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Donecfao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebeapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqmlccdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edcgnmml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onakco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" NEAS.f3bfb0f163d3b88387df447485410f50_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afqifo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akenij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fepmgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qajlje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmgmhgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mledmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfbgiij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcqgahoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhpajlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Janghmia.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2692-0-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/2692-1-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/2692-2-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0007000000022cdc-8.dat family_berbew behavioral2/memory/316-9-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0007000000022cdc-10.dat family_berbew behavioral2/files/0x0008000000022cde-16.dat family_berbew behavioral2/memory/3292-17-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0008000000022cde-18.dat family_berbew behavioral2/files/0x0008000000022cd3-24.dat family_berbew behavioral2/files/0x0008000000022cd3-26.dat family_berbew behavioral2/memory/1620-25-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0009000000022ce1-32.dat family_berbew behavioral2/files/0x0009000000022ce1-34.dat family_berbew behavioral2/memory/4808-33-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0007000000022ce2-40.dat family_berbew behavioral2/files/0x0007000000022ce2-42.dat family_berbew behavioral2/memory/1924-41-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce5-48.dat family_berbew behavioral2/memory/264-49-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce5-50.dat family_berbew behavioral2/files/0x0006000000022ce7-56.dat family_berbew behavioral2/memory/4288-57-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce7-58.dat family_berbew behavioral2/memory/4784-65-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce9-66.dat family_berbew behavioral2/files/0x0006000000022ce9-64.dat family_berbew behavioral2/files/0x0006000000022ceb-72.dat family_berbew behavioral2/memory/2692-73-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022ceb-75.dat family_berbew behavioral2/memory/3816-74-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/984-82-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022ced-81.dat family_berbew behavioral2/files/0x0006000000022ced-83.dat family_berbew behavioral2/files/0x0006000000022cef-84.dat family_berbew behavioral2/files/0x0006000000022cef-89.dat family_berbew behavioral2/memory/316-90-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cef-91.dat family_berbew behavioral2/memory/2316-96-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf1-98.dat family_berbew behavioral2/memory/3292-99-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf1-100.dat family_berbew behavioral2/memory/5104-101-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf3-107.dat family_berbew behavioral2/memory/1620-108-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/4772-109-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf3-110.dat family_berbew behavioral2/files/0x0006000000022cf5-116.dat family_berbew behavioral2/files/0x0006000000022cf5-118.dat family_berbew behavioral2/memory/4808-117-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/224-122-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf7-125.dat family_berbew behavioral2/memory/1924-126-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/3844-127-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf7-128.dat family_berbew behavioral2/files/0x0006000000022cf9-134.dat family_berbew behavioral2/memory/264-135-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf9-136.dat family_berbew behavioral2/memory/1064-137-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cfb-143.dat family_berbew behavioral2/memory/4288-144-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cfb-146.dat family_berbew behavioral2/memory/4532-145-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022cfe-152.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 316 Gejhef32.exe 3292 Ieagmcmq.exe 1620 Ipihpkkd.exe 4808 Ilphdlqh.exe 1924 Jbagbebm.exe 264 Jeapcq32.exe 4288 Khbiello.exe 4784 Kakmna32.exe 3816 Kpqggh32.exe 984 Lhnhajba.exe 2316 Lhqefjpo.exe 5104 Lhcali32.exe 4772 Lfiokmkc.exe 224 Mledmg32.exe 3844 Mablfnne.exe 1064 Mlljnf32.exe 4532 Nhegig32.exe 5076 Nfldgk32.exe 4392 Nimmifgo.exe 2668 Niojoeel.exe 4708 Ookoaokf.exe 772 Ojcpdg32.exe 536 Oflmnh32.exe 2068 Pbekii32.exe 1716 Pfccogfc.exe 876 Pfhmjf32.exe 4492 Qapnmopa.exe 3968 Abcgjg32.exe 396 Apggckbf.exe 1200 Bbdpad32.exe 4888 Dcffnbee.exe 5084 Dkedonpo.exe 4936 Dcphdqmj.exe 4376 Enhifi32.exe 4224 Edaaccbj.exe 4336 Eqmlccdi.exe 4712 Famhmfkl.exe 3560 Fqbeoc32.exe 3224 Fnffhgon.exe 5072 Gnohnffc.exe 3488 Gclafmej.exe 1564 Gdknpp32.exe 3880 Gjhfif32.exe 2804 Gbbkocid.exe 668 Hgocgjgk.exe 4688 Hbfdjc32.exe 968 Hjaioe32.exe 3380 Hjdedepg.exe 4908 Hghfnioq.exe 1860 Iabglnco.exe 4836 Ibbcfa32.exe 5100 Ibgmaqfl.exe 2080 Jaljbmkd.exe 1328 Janghmia.exe 892 Jdalog32.exe 448 Jaemilci.exe 5012 Koimbpbc.exe 3456 Klmnkdal.exe 5092 Kdkoef32.exe 4764 Kdmlkfjb.exe 2912 Lhmafcnf.exe 2360 Logicn32.exe 2764 Lhpnlclc.exe 2716 Llpchaqg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Anhcpeon.exe Agnkck32.exe File created C:\Windows\SysWOW64\Hlibnkcm.dll Kbgafqla.exe File opened for modification C:\Windows\SysWOW64\Odbpij32.exe Noehac32.exe File created C:\Windows\SysWOW64\Iakllgni.dll Fgffka32.exe File created C:\Windows\SysWOW64\Bkadoo32.exe Bichcc32.exe File created C:\Windows\SysWOW64\Deagoa32.exe Dngobghg.exe File created C:\Windows\SysWOW64\Kalmid32.dll Flghognq.exe File created C:\Windows\SysWOW64\Fncjigbo.dll Gohapb32.exe File opened for modification C:\Windows\SysWOW64\Imhjlb32.exe Icpecm32.exe File created C:\Windows\SysWOW64\Igpkok32.exe Ijlkfg32.exe File created C:\Windows\SysWOW64\Jjfdfl32.exe Jclljaei.exe File created C:\Windows\SysWOW64\Noehac32.exe Ndpcdjho.exe File created C:\Windows\SysWOW64\Iaehfp32.dll Limpiomm.exe File opened for modification C:\Windows\SysWOW64\Lagepl32.exe Lccdghmc.exe File created C:\Windows\SysWOW64\Dbfabk32.dll Fgpplf32.exe File created C:\Windows\SysWOW64\Hhobjf32.exe Hpcmfchg.exe File created C:\Windows\SysWOW64\Okiefn32.exe Niihlkdm.exe File created C:\Windows\SysWOW64\Alihodif.dll Ghmbib32.exe File opened for modification C:\Windows\SysWOW64\Mledmg32.exe Lfiokmkc.exe File created C:\Windows\SysWOW64\Dkakfgoq.dll Clijablo.exe File created C:\Windows\SysWOW64\Fnkcdoia.dll Dijgjpip.exe File created C:\Windows\SysWOW64\Gjqgfmbl.dll Mphamg32.exe File created C:\Windows\SysWOW64\Bhcbdkfh.dll Eaenkj32.exe File opened for modification C:\Windows\SysWOW64\Mkocol32.exe Mohbjkgp.exe File opened for modification C:\Windows\SysWOW64\Pcdqhecd.exe Pmjhlklg.exe File created C:\Windows\SysWOW64\Gjfnca32.dll Elilmi32.exe File opened for modification C:\Windows\SysWOW64\Ihjafd32.exe Igieoleg.exe File opened for modification C:\Windows\SysWOW64\Mmdlflki.exe Mfkcibdl.exe File created C:\Windows\SysWOW64\Hepoddcc.exe Hkjjfkcm.exe File created C:\Windows\SysWOW64\Idhdlmdd.dll Logicn32.exe File opened for modification C:\Windows\SysWOW64\Ndpcdjho.exe Nnfkgp32.exe File opened for modification C:\Windows\SysWOW64\Gpjjpe32.exe Gojnfb32.exe File created C:\Windows\SysWOW64\Dqhckhgq.dll Jcpojk32.exe File created C:\Windows\SysWOW64\Dekibcga.dll Lcqgahoe.exe File created C:\Windows\SysWOW64\Hiinoc32.exe Hleneo32.exe File opened for modification C:\Windows\SysWOW64\Logicn32.exe Lhmafcnf.exe File created C:\Windows\SysWOW64\Debaqh32.dll Okfbgiij.exe File opened for modification C:\Windows\SysWOW64\Khonkogj.exe Jglaepim.exe File created C:\Windows\SysWOW64\Fpkpgaob.dll Jcnbekok.exe File created C:\Windows\SysWOW64\Jhkane32.dll Jmccnk32.exe File created C:\Windows\SysWOW64\Jdalog32.exe Janghmia.exe File created C:\Windows\SysWOW64\Ifcben32.exe Inhmqlmj.exe File created C:\Windows\SysWOW64\Dndlba32.exe Cgjcfgoa.exe File created C:\Windows\SysWOW64\Oleojm32.dll Fbggkl32.exe File opened for modification C:\Windows\SysWOW64\Mpkkgbmi.exe Lcdjba32.exe File created C:\Windows\SysWOW64\Aiqkmd32.exe Aohfdnil.exe File created C:\Windows\SysWOW64\Bkcjjhgp.exe Bhennm32.exe File created C:\Windows\SysWOW64\Gkcjcf32.dll Jelhcd32.exe File created C:\Windows\SysWOW64\Cehdib32.exe Cnnllhpa.exe File created C:\Windows\SysWOW64\Eoekde32.exe Ehkcgkdj.exe File opened for modification C:\Windows\SysWOW64\Lhmafcnf.exe Kdmlkfjb.exe File created C:\Windows\SysWOW64\Bboplo32.exe Bejobk32.exe File opened for modification C:\Windows\SysWOW64\Kffhakjp.exe Khonkogj.exe File opened for modification C:\Windows\SysWOW64\Dijgjpip.exe Cfjnhe32.exe File opened for modification C:\Windows\SysWOW64\Dmifkecb.exe Dbcbnlcl.exe File opened for modification C:\Windows\SysWOW64\Hfefdpfe.exe Hqimlihn.exe File opened for modification C:\Windows\SysWOW64\Ikhghi32.exe Iapbodql.exe File opened for modification C:\Windows\SysWOW64\Kbgafqla.exe Kfpqap32.exe File created C:\Windows\SysWOW64\Ipihpkkd.exe Ieagmcmq.exe File created C:\Windows\SysWOW64\Cjfclcpg.exe Cnkilbni.exe File opened for modification C:\Windows\SysWOW64\Jdalog32.exe Janghmia.exe File created C:\Windows\SysWOW64\Dcmedk32.exe Dlcmgqdd.exe File created C:\Windows\SysWOW64\Opedqiad.dll Jglaepim.exe File opened for modification C:\Windows\SysWOW64\Icklhnop.exe Hcipcnac.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5012 2208 WerFault.exe 523 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkhkced.dll" Fpmeimpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjahchpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkfdino.dll" Pdgckg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eainbfne.dll" Lkkekdhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhmeii32.dll" Odbgdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmqgd32.dll" Fpandm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkdccim.dll" Nmlhaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndlba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpkkgbmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgnho32.dll" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdagbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeackh32.dll" Agjhbbob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijedehgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijbhpbc.dll" Ajodef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboleq32.dll" Klmnkdal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcmedk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laeoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndpcdjho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gojnfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqhphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npadcfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnqqq32.dll" Bkjpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhqefjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apggckbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfabk32.dll" Fgpplf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifcben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchkpa32.dll" Hebkid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bboplo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnfkgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogcike32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqgoo32.dll" Qkfkng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amfhgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnmjomlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfpqap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khbiello.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kakmna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilcjbag.dll" Apggckbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlnlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkpgaob.dll" Jcnbekok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deenhilj.dll" Dehgejep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhaop32.dll" Eblgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmgd32.dll" Gnohnffc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmccbngq.dll" Amfhgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjnlha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfddci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maommm32.dll" Gaoihfoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmccnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffcpnjo.dll" Hnokjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhkmnne.dll" Gbhpajlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkjjfkcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbcabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpodkdll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpbfhhi.dll" Hpcmfchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dehgejep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcphdqmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iabglnco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iejecf32.dll" Cnnllhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfikaqme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfmpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkpigmd.dll" Ajjjjghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbecljnl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2692 wrote to memory of 316 2692 NEAS.f3bfb0f163d3b88387df447485410f50_JC.exe 91 PID 2692 wrote to memory of 316 2692 NEAS.f3bfb0f163d3b88387df447485410f50_JC.exe 91 PID 2692 wrote to memory of 316 2692 NEAS.f3bfb0f163d3b88387df447485410f50_JC.exe 91 PID 316 wrote to memory of 3292 316 Gejhef32.exe 92 PID 316 wrote to memory of 3292 316 Gejhef32.exe 92 PID 316 wrote to memory of 3292 316 Gejhef32.exe 92 PID 3292 wrote to memory of 1620 3292 Ieagmcmq.exe 93 PID 3292 wrote to memory of 1620 3292 Ieagmcmq.exe 93 PID 3292 wrote to memory of 1620 3292 Ieagmcmq.exe 93 PID 1620 wrote to memory of 4808 1620 Ipihpkkd.exe 94 PID 1620 wrote to memory of 4808 1620 Ipihpkkd.exe 94 PID 1620 wrote to memory of 4808 1620 Ipihpkkd.exe 94 PID 4808 wrote to memory of 1924 4808 Ilphdlqh.exe 95 PID 4808 wrote to memory of 1924 4808 Ilphdlqh.exe 95 PID 4808 wrote to memory of 1924 4808 Ilphdlqh.exe 95 PID 1924 wrote to memory of 264 1924 Jbagbebm.exe 96 PID 1924 wrote to memory of 264 1924 Jbagbebm.exe 96 PID 1924 wrote to memory of 264 1924 Jbagbebm.exe 96 PID 264 wrote to memory of 4288 264 Jeapcq32.exe 97 PID 264 wrote to memory of 4288 264 Jeapcq32.exe 97 PID 264 wrote to memory of 4288 264 Jeapcq32.exe 97 PID 4288 wrote to memory of 4784 4288 Khbiello.exe 98 PID 4288 wrote to memory of 4784 4288 Khbiello.exe 98 PID 4288 wrote to memory of 4784 4288 Khbiello.exe 98 PID 4784 wrote to memory of 3816 4784 Kakmna32.exe 99 PID 4784 wrote to memory of 3816 4784 Kakmna32.exe 99 PID 4784 wrote to memory of 3816 4784 Kakmna32.exe 99 PID 3816 wrote to memory of 984 3816 Kpqggh32.exe 100 PID 3816 wrote to memory of 984 3816 Kpqggh32.exe 100 PID 3816 wrote to memory of 984 3816 Kpqggh32.exe 100 PID 984 wrote to memory of 2316 984 Lhnhajba.exe 101 PID 984 wrote to memory of 2316 984 Lhnhajba.exe 101 PID 984 wrote to memory of 2316 984 Lhnhajba.exe 101 PID 2316 wrote to memory of 5104 2316 Lhqefjpo.exe 102 PID 2316 wrote to memory of 5104 2316 Lhqefjpo.exe 102 PID 2316 wrote to memory of 5104 2316 Lhqefjpo.exe 102 PID 5104 wrote to memory of 4772 5104 Lhcali32.exe 103 PID 5104 wrote to memory of 4772 5104 Lhcali32.exe 103 PID 5104 wrote to memory of 4772 5104 Lhcali32.exe 103 PID 4772 wrote to memory of 224 4772 Lfiokmkc.exe 104 PID 4772 wrote to memory of 224 4772 Lfiokmkc.exe 104 PID 4772 wrote to memory of 224 4772 Lfiokmkc.exe 104 PID 224 wrote to memory of 3844 224 Mledmg32.exe 105 PID 224 wrote to memory of 3844 224 Mledmg32.exe 105 PID 224 wrote to memory of 3844 224 Mledmg32.exe 105 PID 3844 wrote to memory of 1064 3844 Mablfnne.exe 106 PID 3844 wrote to memory of 1064 3844 Mablfnne.exe 106 PID 3844 wrote to memory of 1064 3844 Mablfnne.exe 106 PID 1064 wrote to memory of 4532 1064 Mlljnf32.exe 107 PID 1064 wrote to memory of 4532 1064 Mlljnf32.exe 107 PID 1064 wrote to memory of 4532 1064 Mlljnf32.exe 107 PID 4532 wrote to memory of 5076 4532 Nhegig32.exe 108 PID 4532 wrote to memory of 5076 4532 Nhegig32.exe 108 PID 4532 wrote to memory of 5076 4532 Nhegig32.exe 108 PID 5076 wrote to memory of 4392 5076 Nfldgk32.exe 109 PID 5076 wrote to memory of 4392 5076 Nfldgk32.exe 109 PID 5076 wrote to memory of 4392 5076 Nfldgk32.exe 109 PID 4392 wrote to memory of 2668 4392 Nimmifgo.exe 110 PID 4392 wrote to memory of 2668 4392 Nimmifgo.exe 110 PID 4392 wrote to memory of 2668 4392 Nimmifgo.exe 110 PID 2668 wrote to memory of 4708 2668 Niojoeel.exe 111 PID 2668 wrote to memory of 4708 2668 Niojoeel.exe 111 PID 2668 wrote to memory of 4708 2668 Niojoeel.exe 111 PID 4708 wrote to memory of 772 4708 Ookoaokf.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f3bfb0f163d3b88387df447485410f50_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f3bfb0f163d3b88387df447485410f50_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Ieagmcmq.exeC:\Windows\system32\Ieagmcmq.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Ipihpkkd.exeC:\Windows\system32\Ipihpkkd.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Jbagbebm.exeC:\Windows\system32\Jbagbebm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Jeapcq32.exeC:\Windows\system32\Jeapcq32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Khbiello.exeC:\Windows\system32\Khbiello.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Lhnhajba.exeC:\Windows\system32\Lhnhajba.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Lhqefjpo.exeC:\Windows\system32\Lhqefjpo.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Lhcali32.exeC:\Windows\system32\Lhcali32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Mablfnne.exeC:\Windows\system32\Mablfnne.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Mlljnf32.exeC:\Windows\system32\Mlljnf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Nhegig32.exeC:\Windows\system32\Nhegig32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Nfldgk32.exeC:\Windows\system32\Nfldgk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\SysWOW64\Niojoeel.exeC:\Windows\system32\Niojoeel.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ookoaokf.exeC:\Windows\system32\Ookoaokf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Ojcpdg32.exeC:\Windows\system32\Ojcpdg32.exe23⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Pbekii32.exeC:\Windows\system32\Pbekii32.exe25⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Pfhmjf32.exeC:\Windows\system32\Pfhmjf32.exe27⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Qapnmopa.exeC:\Windows\system32\Qapnmopa.exe28⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe29⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Apggckbf.exeC:\Windows\system32\Apggckbf.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Bbdpad32.exeC:\Windows\system32\Bbdpad32.exe31⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Dcffnbee.exeC:\Windows\system32\Dcffnbee.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Dkedonpo.exeC:\Windows\system32\Dkedonpo.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Dcphdqmj.exeC:\Windows\system32\Dcphdqmj.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Enhifi32.exeC:\Windows\system32\Enhifi32.exe35⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Edaaccbj.exeC:\Windows\system32\Edaaccbj.exe36⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Eqmlccdi.exeC:\Windows\system32\Eqmlccdi.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Famhmfkl.exeC:\Windows\system32\Famhmfkl.exe38⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Fqbeoc32.exeC:\Windows\system32\Fqbeoc32.exe39⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Fnffhgon.exeC:\Windows\system32\Fnffhgon.exe40⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Gnohnffc.exeC:\Windows\system32\Gnohnffc.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5072 -
C:\Windows\SysWOW64\Gclafmej.exeC:\Windows\system32\Gclafmej.exe42⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Gdknpp32.exeC:\Windows\system32\Gdknpp32.exe43⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe44⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Gbbkocid.exeC:\Windows\system32\Gbbkocid.exe45⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Hgocgjgk.exeC:\Windows\system32\Hgocgjgk.exe46⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Hbfdjc32.exeC:\Windows\system32\Hbfdjc32.exe47⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Hjaioe32.exeC:\Windows\system32\Hjaioe32.exe48⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Hjdedepg.exeC:\Windows\system32\Hjdedepg.exe49⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe50⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe52⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Ibgmaqfl.exeC:\Windows\system32\Ibgmaqfl.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Jaljbmkd.exeC:\Windows\system32\Jaljbmkd.exe54⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Janghmia.exeC:\Windows\system32\Janghmia.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Jdalog32.exeC:\Windows\system32\Jdalog32.exe56⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Jaemilci.exeC:\Windows\system32\Jaemilci.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe58⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Klmnkdal.exeC:\Windows\system32\Klmnkdal.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3456 -
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe60⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4764 -
C:\Windows\SysWOW64\Lhmafcnf.exeC:\Windows\system32\Lhmafcnf.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Lhpnlclc.exeC:\Windows\system32\Lhpnlclc.exe64⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Llpchaqg.exeC:\Windows\system32\Llpchaqg.exe65⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Mlbpma32.exeC:\Windows\system32\Mlbpma32.exe66⤵PID:408
-
C:\Windows\SysWOW64\Mlemcq32.exeC:\Windows\system32\Mlemcq32.exe67⤵PID:2512
-
C:\Windows\SysWOW64\Mhknhabf.exeC:\Windows\system32\Mhknhabf.exe68⤵PID:2708
-
C:\Windows\SysWOW64\Mohbjkgp.exeC:\Windows\system32\Mohbjkgp.exe69⤵
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe70⤵PID:3412
-
C:\Windows\SysWOW64\Nomlek32.exeC:\Windows\system32\Nomlek32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:228 -
C:\Windows\SysWOW64\Nefdbekh.exeC:\Windows\system32\Nefdbekh.exe72⤵PID:4396
-
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe73⤵PID:2580
-
C:\Windows\SysWOW64\Nocbfjmc.exeC:\Windows\system32\Nocbfjmc.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1540 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe75⤵PID:1936
-
C:\Windows\SysWOW64\Odbgdp32.exeC:\Windows\system32\Odbgdp32.exe76⤵
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Oohkai32.exeC:\Windows\system32\Oohkai32.exe77⤵PID:3996
-
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe78⤵PID:2172
-
C:\Windows\SysWOW64\Omaeem32.exeC:\Windows\system32\Omaeem32.exe79⤵PID:4208
-
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe80⤵PID:2024
-
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe81⤵PID:3580
-
C:\Windows\SysWOW64\Okfbgiij.exeC:\Windows\system32\Okfbgiij.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe83⤵PID:5168
-
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe84⤵PID:5224
-
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe85⤵PID:5316
-
C:\Windows\SysWOW64\Pmjhlklg.exeC:\Windows\system32\Pmjhlklg.exe86⤵
- Drops file in System32 directory
PID:5380 -
C:\Windows\SysWOW64\Pcdqhecd.exeC:\Windows\system32\Pcdqhecd.exe87⤵PID:5432
-
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe88⤵PID:5480
-
C:\Windows\SysWOW64\Pbimjb32.exeC:\Windows\system32\Pbimjb32.exe89⤵PID:5520
-
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe90⤵PID:5564
-
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe91⤵PID:5604
-
C:\Windows\SysWOW64\Qejfkmem.exeC:\Windows\system32\Qejfkmem.exe92⤵PID:5652
-
C:\Windows\SysWOW64\Qelcamcj.exeC:\Windows\system32\Qelcamcj.exe93⤵PID:5700
-
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe94⤵
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Abpcja32.exeC:\Windows\system32\Abpcja32.exe95⤵PID:5772
-
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe96⤵
- Modifies registry class
PID:5836 -
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe97⤵PID:5876
-
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5916 -
C:\Windows\SysWOW64\Almanf32.exeC:\Windows\system32\Almanf32.exe99⤵PID:5972
-
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe100⤵PID:6016
-
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe101⤵PID:6064
-
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe102⤵PID:6116
-
C:\Windows\SysWOW64\Bejobk32.exeC:\Windows\system32\Bejobk32.exe103⤵
- Drops file in System32 directory
PID:5152 -
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe104⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Bemlhj32.exeC:\Windows\system32\Bemlhj32.exe105⤵PID:5324
-
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe106⤵PID:5464
-
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe107⤵PID:5500
-
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe108⤵PID:5556
-
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe109⤵PID:5640
-
C:\Windows\SysWOW64\Cbhbbn32.exeC:\Windows\system32\Cbhbbn32.exe110⤵PID:5692
-
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe111⤵PID:5768
-
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe112⤵PID:5844
-
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5908 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe114⤵PID:5992
-
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6104 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Dbcbnlcl.exeC:\Windows\system32\Dbcbnlcl.exe117⤵
- Drops file in System32 directory
PID:5368 -
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe118⤵PID:5532
-
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe119⤵PID:5636
-
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe120⤵PID:5744
-
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe121⤵PID:5892
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-