Analysis
max time kernel: 68s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 02-11-2023 20:58
Behavioral task: behavioral1
Sample: NEAS.ba125407b9c158c98938bc5da775a2d0_JC.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.ba125407b9c158c98938bc5da775a2d0_JC.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.ba125407b9c158c98938bc5da775a2d0_JC.exe
Size: 236KB
MD5: ba125407b9c158c98938bc5da775a2d0
SHA1: 675efc7bf25b31979e7544def8a74ef26ac1678e
SHA256: 3dc6935be7f03299294a11655e8ee1a92b5c93a01a8a650477fc0dfeb431b384
SHA512: 5423ef0194c8a71cd6368672dfb155fad05c3452a4c990ac90a1e7d6bbd967840ad883f9e68d8145773d8068544e76c4de88f4ebf898e0da8a6e0ad3e6a7eb80
SSDEEP: 3072:wxhShgxJ9IDlRxyhTbhgu+tAcrbFAJc+RsUi1aVDkOvhJjvJUp:TgxsDshsrtMsQB4
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjfclcpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhfcae32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkqccbkf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glchjedc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhbdko32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcngddao.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldgkdbia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbklli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mbpdkabl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddbbngjb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djmbbk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gehbio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpcmfchg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lncjgddf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmoclg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jekpljgg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | NEAS.ba125407b9c158c98938bc5da775a2d0_JC.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlipfh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epbkhhel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghdhja32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkholi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oogdfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbhqdhnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pahpee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkcfch32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jojboa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcpika32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilcjgm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cchikf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjpmfpid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clbdpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mddkbbfg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egmjpi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogefqeaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dbehienn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhanngbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epgdch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epgdch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijedehgm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fifdqhal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bimach32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eedmlo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbgafqla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kanidd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adbkmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjqfmn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pohnnqgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfpidk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qpikao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfgnka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddpjjd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejjaqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agfnhf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehifak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eijigg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eedmlo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgfmeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iohlcg32.exe
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x0007000000022cd1-7.dat | family_berbew
behavioral2/files/0x0007000000022cd1-9.dat | family_berbew
behavioral2/files/0x0008000000022cd4-15.dat | family_berbew
behavioral2/files/0x0008000000022cd4-17.dat | family_berbew
behavioral2/files/0x0009000000022cdb-23.dat | family_berbew
behavioral2/files/0x0009000000022cdb-25.dat | family_berbew
behavioral2/files/0x0006000000022cdd-31.dat | family_berbew
behavioral2/files/0x0006000000022cdd-33.dat | family_berbew
behavioral2/files/0x0006000000022cdf-39.dat | family_berbew
behavioral2/files/0x0006000000022cdf-41.dat | family_berbew
behavioral2/files/0x0006000000022ce1-47.dat | family_berbew
behavioral2/files/0x0006000000022ce1-49.dat | family_berbew
behavioral2/files/0x0007000000022ce2-55.dat | family_berbew
behavioral2/files/0x0007000000022ce2-57.dat | family_berbew
behavioral2/files/0x0006000000022ce5-63.dat | family_berbew
behavioral2/files/0x0006000000022ce5-65.dat | family_berbew
behavioral2/files/0x0006000000022ce7-66.dat | family_berbew
behavioral2/files/0x0006000000022ce7-72.dat | family_berbew
behavioral2/files/0x0006000000022ce7-71.dat | family_berbew
behavioral2/files/0x0007000000022ce4-80.dat | family_berbew
behavioral2/files/0x0007000000022ce4-82.dat | family_berbew
behavioral2/files/0x0006000000022cea-88.dat | family_berbew
behavioral2/files/0x0006000000022cea-89.dat | family_berbew
behavioral2/files/0x0006000000022cec-96.dat | family_berbew
behavioral2/files/0x0006000000022cec-98.dat | family_berbew
behavioral2/files/0x0006000000022cee-103.dat | family_berbew
behavioral2/files/0x0006000000022cee-106.dat | family_berbew
behavioral2/files/0x0006000000022cf0-107.dat | family_berbew
behavioral2/files/0x0006000000022cf0-112.dat | family_berbew
behavioral2/files/0x0006000000022cf0-114.dat | family_berbew
behavioral2/files/0x0006000000022cf2-120.dat | family_berbew
behavioral2/files/0x0006000000022cf2-122.dat | family_berbew
behavioral2/files/0x0006000000022cf4-128.dat | family_berbew
behavioral2/files/0x0006000000022cf4-130.dat | family_berbew
behavioral2/files/0x0006000000022cf6-136.dat | family_berbew
behavioral2/files/0x0006000000022cf6-138.dat | family_berbew
behavioral2/files/0x0006000000022cf8-144.dat | family_berbew
behavioral2/files/0x0006000000022cf8-146.dat | family_berbew
behavioral2/files/0x0006000000022cfa-152.dat | family_berbew
behavioral2/files/0x0006000000022cfa-154.dat | family_berbew
behavioral2/files/0x0006000000022cfc-160.dat | family_berbew
behavioral2/files/0x0006000000022cfc-162.dat | family_berbew
behavioral2/files/0x0006000000022cfe-168.dat | family_berbew
behavioral2/files/0x0006000000022cfe-170.dat | family_berbew
behavioral2/files/0x0006000000022d00-176.dat | family_berbew
behavioral2/files/0x0006000000022d00-178.dat | family_berbew
behavioral2/files/0x0006000000022d02-179.dat | family_berbew
behavioral2/files/0x0006000000022d02-184.dat | family_berbew
behavioral2/files/0x0006000000022d02-186.dat | family_berbew
behavioral2/files/0x0006000000022d04-192.dat | family_berbew
behavioral2/files/0x0006000000022d04-194.dat | family_berbew
behavioral2/files/0x0006000000022d06-195.dat | family_berbew
behavioral2/files/0x0006000000022d06-200.dat | family_berbew
behavioral2/files/0x0006000000022d06-201.dat | family_berbew
behavioral2/files/0x0006000000022d08-210.dat | family_berbew
behavioral2/files/0x0006000000022d08-208.dat | family_berbew
behavioral2/files/0x0006000000022d0a-218.dat | family_berbew
behavioral2/files/0x0006000000022d0a-216.dat | family_berbew
behavioral2/files/0x0006000000022d0c-224.dat | family_berbew
behavioral2/files/0x0006000000022d0c-225.dat | family_berbew
behavioral2/files/0x0006000000022d0e-234.dat | family_berbew
behavioral2/files/0x0006000000022d0e-232.dat | family_berbew
behavioral2/files/0x0006000000022d10-235.dat | family_berbew
behavioral2/files/0x0006000000022d10-240.dat | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
3564 | Fkofga32.exe
3540 | Iefphb32.exe
1412 | Jldbpl32.exe
3464 | Khbiello.exe
2380 | Keifdpif.exe
3332 | Kemooo32.exe
1968 | Lhgkgijg.exe
3416 | Mhanngbl.exe
4120 | Nmfmde32.exe
4808 | Oifppdpd.exe
4540 | Ppgomnai.exe
5084 | Pidlqb32.exe
2288 | Qjhbfd32.exe
2704 | Acccdj32.exe
1040 | Abjmkf32.exe
2452 | Biiobo32.exe
2244 | Bfaigclq.exe
3964 | Cpacqg32.exe
436 | Ccdihbgg.exe
4696 | Dknnoofg.exe
2148 | Dnngpj32.exe
3348 | Dcnlnaom.exe
4520 | Ejjaqk32.exe
1692 | Ekngemhd.exe
1684 | Fkgillpj.exe
4516 | Fqfojblo.exe
1364 | Gcghkm32.exe
2824 | Gnohnffc.exe
1172 | Gbpnjdkg.exe
1904 | Hkjohi32.exe
3152 | Hegmlnbp.exe
5100 | Ilhkigcd.exe
4608 | Ijpepcfj.exe
3392 | Ijbbfc32.exe
3356 | Jnpjlajn.exe
4336 | Jldkeeig.exe
4056 | Jeolckne.exe
1596 | Jbbmmo32.exe
4628 | Kahinkaf.exe
3716 | Kajfdk32.exe
3472 | Khfkfedn.exe
3688 | Klddlckd.exe
2752 | Llkjmb32.exe
3624 | Lbhool32.exe
1780 | Lcjldk32.exe
4656 | Mkepineo.exe
228 | Mhiabbdi.exe
3496 | Mddkbbfg.exe
4796 | Namegfql.exe
2820 | Nkeipk32.exe
4684 | Nconfh32.exe
980 | Ohhfknjf.exe
4312 | Pkholi32.exe
4660 | Pcbdcf32.exe
2348 | Peempn32.exe
5108 | Pfeijqqe.exe
4424 | Pbljoafi.exe
4748 | Qkdohg32.exe
1320 | Qpbgnecp.exe
2412 | Abcppq32.exe
1500 | Aioebj32.exe
4664 | Aiabhj32.exe
4980 | Bblcfo32.exe
412 | Bppcpc32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Iopgjjag.dll | Mlgegcng.exe
File created | C:\Windows\SysWOW64\Hmpolhlc.dll | Njahki32.exe
File created | C:\Windows\SysWOW64\Llebel32.dll | Jekpljgg.exe
File created | C:\Windows\SysWOW64\Jjqkpgdc.dll | Egmjpi32.exe
File opened for modification | C:\Windows\SysWOW64\Ljoiibbm.exe | Lmkipncc.exe
File opened for modification | C:\Windows\SysWOW64\Hcdfho32.exe | Hjlaoioh.exe
File created | C:\Windows\SysWOW64\Cjipnbpb.dll | Ioicnn32.exe
File opened for modification | C:\Windows\SysWOW64\Mpqklh32.exe | Mfhgcbfo.exe
File created | C:\Windows\SysWOW64\Odmqgd32.dll | Fpandm32.exe
File created | C:\Windows\SysWOW64\Econlc32.dll | Fcodfa32.exe
File opened for modification | C:\Windows\SysWOW64\Eeaqfo32.exe | Epbkhhel.exe
File created | C:\Windows\SysWOW64\Fnbjpf32.exe | Fmbnfcam.exe
File opened for modification | C:\Windows\SysWOW64\Ijpepcfj.exe | Ilhkigcd.exe
File created | C:\Windows\SysWOW64\Lmlpjdgo.exe | Lmjcdd32.exe
File created | C:\Windows\SysWOW64\Bcnehb32.dll | Oggllnkl.exe
File created | C:\Windows\SysWOW64\Gdclbd32.dll | Cchikf32.exe
File opened for modification | C:\Windows\SysWOW64\Nkeipk32.exe | Namegfql.exe
File created | C:\Windows\SysWOW64\Oidfpeba.dll | Pfpidk32.exe
File created | C:\Windows\SysWOW64\Anfimpdb.dll | Hhehkepj.exe
File created | C:\Windows\SysWOW64\Ajodef32.exe | Adbkmo32.exe
File created | C:\Windows\SysWOW64\Laeojd32.dll | Godehbed.exe
File opened for modification | C:\Windows\SysWOW64\Nmbamdkm.exe | Njahki32.exe
File opened for modification | C:\Windows\SysWOW64\Gdhjpjjd.exe | Ggbmafnm.exe
File opened for modification | C:\Windows\SysWOW64\Ogefqeaj.exe | Onmahojj.exe
File created | C:\Windows\SysWOW64\Dqpjdj32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Infqklol.exe | Incdem32.exe
File opened for modification | C:\Windows\SysWOW64\Lkiiee32.exe | Lobhqdec.exe
File created | C:\Windows\SysWOW64\Iqgjmg32.exe | Ifaepolg.exe
File opened for modification | C:\Windows\SysWOW64\Igkadlcd.exe | Imfmgcdn.exe
File created | C:\Windows\SysWOW64\Jikjmbmb.exe | Jobfdl32.exe
File created | C:\Windows\SysWOW64\Lhgkgijg.exe | Kemooo32.exe
File created | C:\Windows\SysWOW64\Ceohefin.dll | Lhgkgijg.exe
File opened for modification | C:\Windows\SysWOW64\Ppffec32.exe | Pgnblm32.exe
File created | C:\Windows\SysWOW64\Eijigg32.exe | Ehklmd32.exe
File created | C:\Windows\SysWOW64\Plhppp32.dll | Nbefolao.exe
File created | C:\Windows\SysWOW64\Omgjhc32.exe | Cbgbpp32.exe
File created | C:\Windows\SysWOW64\Haaamjgi.dll | Process not Found
File created | C:\Windows\SysWOW64\Bgdjicmn.exe | Bloflk32.exe
File opened for modification | C:\Windows\SysWOW64\Agckiqgg.exe | Akmjdpac.exe
File created | C:\Windows\SysWOW64\Ggaoeo32.dll | Ogmaneoa.exe
File created | C:\Windows\SysWOW64\Nbaefacb.dll | Nlnkgbhp.exe
File created | C:\Windows\SysWOW64\Acccdj32.exe | Qjhbfd32.exe
File created | C:\Windows\SysWOW64\Opfqgkgc.dll | Hjlaoioh.exe
File opened for modification | C:\Windows\SysWOW64\Ahpdcn32.exe | Ajodef32.exe
File opened for modification | C:\Windows\SysWOW64\Femigg32.exe | Mjqjbn32.exe
File opened for modification | C:\Windows\SysWOW64\Agkgceeh.exe | Alfcflfb.exe
File created | C:\Windows\SysWOW64\Hpcmfchg.exe | Hgkimn32.exe
File created | C:\Windows\SysWOW64\Qkamof32.dll | Jfokff32.exe
File created | C:\Windows\SysWOW64\Cgpjebcp.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Fdogjk32.exe | Ffnglc32.exe
File created | C:\Windows\SysWOW64\Dfcqod32.exe | Dhbqalle.exe
File created | C:\Windows\SysWOW64\Cjejmk32.dll | Hoefgj32.exe
File opened for modification | C:\Windows\SysWOW64\Kmjinjnj.exe | Kfpqap32.exe
File created | C:\Windows\SysWOW64\Fmdbil32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mhanngbl.exe | Lhgkgijg.exe
File created | C:\Windows\SysWOW64\Dknnoofg.exe | Ccdihbgg.exe
File created | C:\Windows\SysWOW64\Iekijfnm.dll | Ncgkma32.exe
File created | C:\Windows\SysWOW64\Hbacoioc.dll | Mjaodkmo.exe
File created | C:\Windows\SysWOW64\Lfcjfjoi.dll | Ffnglc32.exe
File opened for modification | C:\Windows\SysWOW64\Necqbo32.exe | Mklpof32.exe
File created | C:\Windows\SysWOW64\Lhgdahgp.dll | Pgnblm32.exe
File created | C:\Windows\SysWOW64\Bbdkmelh.dll | Pignccea.exe
File created | C:\Windows\SysWOW64\Iefphb32.exe | Fkofga32.exe
File created | C:\Windows\SysWOW64\Pdpmkhjl.exe | Pkhhbbck.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1260 | 6260 | Process not Found | 1394
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oecnmi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eieplhlf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhidcffq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cfakon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Klgend32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mhanngbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmdbooik.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Khfkfedn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll" | Pbljoafi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onccdj32.dll" | Djpfbahm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbcabo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmeilpn.dll" | Pmgcoaie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ieoapl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeqinf.dll" | Dknnoofg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndkebgi.dll" | Ijbbfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Folkjnbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Haeino32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfabk32.dll" | Fdadpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fifdqhal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kjqfmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfkhfmdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Npognfpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplhopqe.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ohgopgfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfpidk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oelhljaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Opopdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfgcjpdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbaefacb.dll" | Nlnkgbhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmjcdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eeaqfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bpdfpmoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaipdbpa.dll" | Odcfdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajodef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjodgeeo.dll" | Npldnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefipm32.dll" | Iehkpmgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjcohke.dll" | Jldbpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchhia32.dll" | Bimach32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqnog32.dll" | Dfgcjpdk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ifphkbep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mlgegcng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lccdghmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkmgl32.dll" | Nibbklke.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jqklnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apejofaj.dll" | Cgpjebcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kemooo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpopekeb.dll" | Epeohn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnkcgj32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Adbkmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ihjjln32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mfhgcbfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Opopdd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mgidgakk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Faiplcmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epeohn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ijedehgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddmqp32.dll" | Mklpof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qdllffpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkaqh32.dll" | Chfaenfb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Geklckkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hoefgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbgbpp32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3156 wrote to memory of 3564 | 3156 | NEAS.ba125407b9c158c98938bc5da775a2d0_JC.exe | 90
PID 3156 wrote to memory of 3564 | 3156 | NEAS.ba125407b9c158c98938bc5da775a2d0_JC.exe | 90
PID 3156 wrote to memory of 3564 | 3156 | NEAS.ba125407b9c158c98938bc5da775a2d0_JC.exe | 90
PID 3564 wrote to memory of 3540 | 3564 | Fkofga32.exe | 91
PID 3564 wrote to memory of 3540 | 3564 | Fkofga32.exe | 91
PID 3564 wrote to memory of 3540 | 3564 | Fkofga32.exe | 91
PID 3540 wrote to memory of 1412 | 3540 | Iefphb32.exe | 92
PID 3540 wrote to memory of 1412 | 3540 | Iefphb32.exe | 92
PID 3540 wrote to memory of 1412 | 3540 | Iefphb32.exe | 92
PID 1412 wrote to memory of 3464 | 1412 | Jldbpl32.exe | 93
PID 1412 wrote to memory of 3464 | 1412 | Jldbpl32.exe | 93
PID 1412 wrote to memory of 3464 | 1412 | Jldbpl32.exe | 93
PID 3464 wrote to memory of 2380 | 3464 | Khbiello.exe | 94
PID 3464 wrote to memory of 2380 | 3464 | Khbiello.exe | 94
PID 3464 wrote to memory of 2380 | 3464 | Khbiello.exe | 94
PID 2380 wrote to memory of 3332 | 2380 | Keifdpif.exe | 95
PID 2380 wrote to memory of 3332 | 2380 | Keifdpif.exe | 95
PID 2380 wrote to memory of 3332 | 2380 | Keifdpif.exe | 95
PID 3332 wrote to memory of 1968 | 3332 | Kemooo32.exe | 96
PID 3332 wrote to memory of 1968 | 3332 | Kemooo32.exe | 96
PID 3332 wrote to memory of 1968 | 3332 | Kemooo32.exe | 96
PID 1968 wrote to memory of 3416 | 1968 | Lhgkgijg.exe | 97
PID 1968 wrote to memory of 3416 | 1968 | Lhgkgijg.exe | 97
PID 1968 wrote to memory of 3416 | 1968 | Lhgkgijg.exe | 97
PID 3416 wrote to memory of 4120 | 3416 | Mhanngbl.exe | 98
PID 3416 wrote to memory of 4120 | 3416 | Mhanngbl.exe | 98
PID 3416 wrote to memory of 4120 | 3416 | Mhanngbl.exe | 98
PID 4120 wrote to memory of 4808 | 4120 | Nmfmde32.exe | 99
PID 4120 wrote to memory of 4808 | 4120 | Nmfmde32.exe | 99
PID 4120 wrote to memory of 4808 | 4120 | Nmfmde32.exe | 99
PID 4808 wrote to memory of 4540 | 4808 | Oifppdpd.exe | 100
PID 4808 wrote to memory of 4540 | 4808 | Oifppdpd.exe | 100
PID 4808 wrote to memory of 4540 | 4808 | Oifppdpd.exe | 100
PID 4540 wrote to memory of 5084 | 4540 | Ppgomnai.exe | 101
PID 4540 wrote to memory of 5084 | 4540 | Ppgomnai.exe | 101
PID 4540 wrote to memory of 5084 | 4540 | Ppgomnai.exe | 101
PID 5084 wrote to memory of 2288 | 5084 | Pidlqb32.exe | 102
PID 5084 wrote to memory of 2288 | 5084 | Pidlqb32.exe | 102
PID 5084 wrote to memory of 2288 | 5084 | Pidlqb32.exe | 102
PID 2288 wrote to memory of 2704 | 2288 | Qjhbfd32.exe | 103
PID 2288 wrote to memory of 2704 | 2288 | Qjhbfd32.exe | 103
PID 2288 wrote to memory of 2704 | 2288 | Qjhbfd32.exe | 103
PID 2704 wrote to memory of 1040 | 2704 | Acccdj32.exe | 104
PID 2704 wrote to memory of 1040 | 2704 | Acccdj32.exe | 104
PID 2704 wrote to memory of 1040 | 2704 | Acccdj32.exe | 104
PID 1040 wrote to memory of 2452 | 1040 | Abjmkf32.exe | 105
PID 1040 wrote to memory of 2452 | 1040 | Abjmkf32.exe | 105
PID 1040 wrote to memory of 2452 | 1040 | Abjmkf32.exe | 105
PID 2452 wrote to memory of 2244 | 2452 | Biiobo32.exe | 106
PID 2452 wrote to memory of 2244 | 2452 | Biiobo32.exe | 106
PID 2452 wrote to memory of 2244 | 2452 | Biiobo32.exe | 106
PID 2244 wrote to memory of 3964 | 2244 | Bfaigclq.exe | 107
PID 2244 wrote to memory of 3964 | 2244 | Bfaigclq.exe | 107
PID 2244 wrote to memory of 3964 | 2244 | Bfaigclq.exe | 107
PID 3964 wrote to memory of 436 | 3964 | Cpacqg32.exe | 108
PID 3964 wrote to memory of 436 | 3964 | Cpacqg32.exe | 108
PID 3964 wrote to memory of 436 | 3964 | Cpacqg32.exe | 108
PID 436 wrote to memory of 4696 | 436 | Ccdihbgg.exe | 109
PID 436 wrote to memory of 4696 | 436 | Ccdihbgg.exe | 109
PID 436 wrote to memory of 4696 | 436 | Ccdihbgg.exe | 109
PID 4696 wrote to memory of 2148 | 4696 | Dknnoofg.exe | 110
PID 4696 wrote to memory of 2148 | 4696 | Dknnoofg.exe | 110
PID 4696 wrote to memory of 2148 | 4696 | Dknnoofg.exe | 110
PID 2148 wrote to memory of 3348 | 2148 | Dnngpj32.exe | 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ba125407b9c158c98938bc5da775a2d0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ba125407b9c158c98938bc5da775a2d0_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Fkofga32.exeC:\Windows\system32\Fkofga32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Iefphb32.exeC:\Windows\system32\Iefphb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Khbiello.exeC:\Windows\system32\Khbiello.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Keifdpif.exeC:\Windows\system32\Keifdpif.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Kemooo32.exeC:\Windows\system32\Kemooo32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Lhgkgijg.exeC:\Windows\system32\Lhgkgijg.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Mhanngbl.exeC:\Windows\system32\Mhanngbl.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Nmfmde32.exeC:\Windows\system32\Nmfmde32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Oifppdpd.exeC:\Windows\system32\Oifppdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Ppgomnai.exeC:\Windows\system32\Ppgomnai.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Pidlqb32.exeC:\Windows\system32\Pidlqb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Acccdj32.exeC:\Windows\system32\Acccdj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Abjmkf32.exeC:\Windows\system32\Abjmkf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Biiobo32.exeC:\Windows\system32\Biiobo32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Bfaigclq.exeC:\Windows\system32\Bfaigclq.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Cpacqg32.exeC:\Windows\system32\Cpacqg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Ccdihbgg.exeC:\Windows\system32\Ccdihbgg.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Dnngpj32.exeC:\Windows\system32\Dnngpj32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Dcnlnaom.exeC:\Windows\system32\Dcnlnaom.exe23⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Ejjaqk32.exeC:\Windows\system32\Ejjaqk32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Ekngemhd.exeC:\Windows\system32\Ekngemhd.exe25⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Fkgillpj.exeC:\Windows\system32\Fkgillpj.exe26⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Fqfojblo.exeC:\Windows\system32\Fqfojblo.exe27⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Gcghkm32.exeC:\Windows\system32\Gcghkm32.exe28⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Gnohnffc.exeC:\Windows\system32\Gnohnffc.exe29⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Gbpnjdkg.exeC:\Windows\system32\Gbpnjdkg.exe30⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Hkjohi32.exeC:\Windows\system32\Hkjohi32.exe31⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Hegmlnbp.exeC:\Windows\system32\Hegmlnbp.exe32⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Ilhkigcd.exeC:\Windows\system32\Ilhkigcd.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5100 -
C:\Windows\SysWOW64\Ijpepcfj.exeC:\Windows\system32\Ijpepcfj.exe34⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Ijbbfc32.exeC:\Windows\system32\Ijbbfc32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3392 -
C:\Windows\SysWOW64\Jnpjlajn.exeC:\Windows\system32\Jnpjlajn.exe36⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe37⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe38⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe39⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Kahinkaf.exeC:\Windows\system32\Kahinkaf.exe40⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Kajfdk32.exeC:\Windows\system32\Kajfdk32.exe41⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3472 -
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe43⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe44⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe45⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Lcjldk32.exeC:\Windows\system32\Lcjldk32.exe46⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe47⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe48⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Mddkbbfg.exeC:\Windows\system32\Mddkbbfg.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Namegfql.exeC:\Windows\system32\Namegfql.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4796 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe51⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe52⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Ohhfknjf.exeC:\Windows\system32\Ohhfknjf.exe53⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe55⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe56⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe57⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Pbljoafi.exeC:\Windows\system32\Pbljoafi.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Qkdohg32.exeC:\Windows\system32\Qkdohg32.exe59⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe60⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Abcppq32.exeC:\Windows\system32\Abcppq32.exe61⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Aioebj32.exeC:\Windows\system32\Aioebj32.exe62⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe63⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe64⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe65⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe66⤵
PID:884 -
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4360 -
C:\Windows\SysWOW64\Bimach32.exeC:\Windows\system32\Bimach32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe69⤵
PID:3712 -
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Ciiaogon.exeC:\Windows\system32\Ciiaogon.exe71⤵
PID:4816 -
C:\Windows\SysWOW64\Cdnelpod.exeC:\Windows\system32\Cdnelpod.exe72⤵
PID:1576 -
C:\Windows\SysWOW64\Ciknefmk.exeC:\Windows\system32\Ciknefmk.exe73⤵
PID:4404 -
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe74⤵
PID:3924 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe75⤵
PID:3228 -
C:\Windows\SysWOW64\Emeffcid.exeC:\Windows\system32\Emeffcid.exe76⤵
PID:4288 -
C:\Windows\SysWOW64\Egmjpi32.exeC:\Windows\system32\Egmjpi32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3160 -
C:\Windows\SysWOW64\Epeohn32.exeC:\Windows\system32\Epeohn32.exe78⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe79⤵
PID:2180 -
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe80⤵
PID:4292 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5144 -
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe82⤵
PID:5184 -
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe83⤵
- Drops file in System32 directory
PID:5224 -
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe84⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Fdogjk32.exeC:\Windows\system32\Fdogjk32.exe85⤵
PID:5320 -
C:\Windows\SysWOW64\Fdadpk32.exeC:\Windows\system32\Fdadpk32.exe86⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Gjnlha32.exeC:\Windows\system32\Gjnlha32.exe87⤵
PID:5408 -
C:\Windows\SysWOW64\Ggbmafnm.exeC:\Windows\system32\Ggbmafnm.exe88⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe89⤵
PID:5512 -
C:\Windows\SysWOW64\Ggicbe32.exeC:\Windows\system32\Ggicbe32.exe90⤵
PID:5584 -
C:\Windows\SysWOW64\Hjlhipbc.exeC:\Windows\system32\Hjlhipbc.exe91⤵
PID:5628 -
C:\Windows\SysWOW64\Hgpibdam.exeC:\Windows\system32\Hgpibdam.exe92⤵
PID:5672 -
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe93⤵
PID:5716 -
C:\Windows\SysWOW64\Ijfkpnji.exeC:\Windows\system32\Ijfkpnji.exe94⤵
PID:5760 -
C:\Windows\SysWOW64\Idkpmgjo.exeC:\Windows\system32\Idkpmgjo.exe95⤵
PID:5800 -
C:\Windows\SysWOW64\Incdem32.exeC:\Windows\system32\Incdem32.exe96⤵
- Drops file in System32 directory
PID:5844 -
C:\Windows\SysWOW64\Infqklol.exeC:\Windows\system32\Infqklol.exe97⤵
PID:5908 -
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe98⤵
- Drops file in System32 directory
PID:5948 -
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe99⤵
PID:5988 -
C:\Windows\SysWOW64\Imnjbhaa.exeC:\Windows\system32\Imnjbhaa.exe100⤵
PID:6036 -
C:\Windows\SysWOW64\Jjakkmpk.exeC:\Windows\system32\Jjakkmpk.exe101⤵
PID:6084 -
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe102⤵
PID:6128 -
C:\Windows\SysWOW64\Jfkhfmdm.exeC:\Windows\system32\Jfkhfmdm.exe103⤵
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Jjhalkjc.exeC:\Windows\system32\Jjhalkjc.exe104⤵
PID:5180 -
C:\Windows\SysWOW64\Knkcmild.exeC:\Windows\system32\Knkcmild.exe105⤵
PID:5232 -
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5316 -
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe107⤵
PID:5388 -
C:\Windows\SysWOW64\Lmjcdd32.exeC:\Windows\system32\Lmjcdd32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Lmlpjdgo.exeC:\Windows\system32\Lmlpjdgo.exe109⤵
PID:5620 -
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe110⤵
PID:5680 -
C:\Windows\SysWOW64\Loniiflo.exeC:\Windows\system32\Loniiflo.exe111⤵
PID:5744 -
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe112⤵
PID:5836 -
C:\Windows\SysWOW64\Mobbdf32.exeC:\Windows\system32\Mobbdf32.exe113⤵
PID:5916 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe114⤵
PID:5996 -
C:\Windows\SysWOW64\Mklpof32.exeC:\Windows\system32\Mklpof32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Necqbo32.exeC:\Windows\system32\Necqbo32.exe116⤵
PID:5128 -
C:\Windows\SysWOW64\Nefmgogl.exeC:\Windows\system32\Nefmgogl.exe117⤵
PID:4512 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe118⤵
PID:5300 -
C:\Windows\SysWOW64\Noqofdlj.exeC:\Windows\system32\Noqofdlj.exe119⤵
PID:5348 -
C:\Windows\SysWOW64\Nnfkgp32.exeC:\Windows\system32\Nnfkgp32.exe120⤵
PID:5592 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe121⤵
PID:5728 -
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5808