Analysis
-
max time kernel
80s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
03-11-2023 03:20
Behavioral task
behavioral1
Sample
NEAS.8c045ddc5ea25219c131258e66156ba0_JC.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.8c045ddc5ea25219c131258e66156ba0_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.8c045ddc5ea25219c131258e66156ba0_JC.exe
-
Size
165KB
-
MD5
8c045ddc5ea25219c131258e66156ba0
-
SHA1
a1384b99f037244c8fbc28101013e5645dba2bf1
-
SHA256
71c9eecaf8c4038e8d05404d4cea17e46e62658eb5275e72fd59d613236c9aa0
-
SHA512
36405e301cc961abcd8e075822d804a997df123549463fa514b99ea374517d437f91cf53bb31c593239429c898463618cc67b222bc120bb3e76fef639b4da60c
-
SSDEEP
3072:EQWbD9g+4sRN4ZChQbGxI8opFWehLrCimBaH8UH300UqrJ:iD++4sRN4ZeQbGxI8oPWHpaH8m3pUqN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hommhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkjbgooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofadlbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egoomnin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khbhdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdlpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alfcflfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfhfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcggga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldccid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmlofhca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafcofcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnfohmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edgbii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiagde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfgfpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnljine.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Googaaej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alfcflfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeneidji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dimcppgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opbcdieb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggocbke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbkbkbfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joobdfei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbjbfclk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oigdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohqpjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmdmpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbphcpog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bifkcioc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgekdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agckiqgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdlncn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncjgddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhadgmge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmiealgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjcmpepm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nldjnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flbhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khfkfedn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnknim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepmgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjefao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkfmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khbiello.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfmgcdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oefamoma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqbcbkab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcggga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cknbkpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fegiba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aochga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkkik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcdaehf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modgdicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hokgmpkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hommhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmifcjif.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4940-0-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/memory/4940-1-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cd0-7.dat family_berbew behavioral2/files/0x0006000000022cd0-9.dat family_berbew behavioral2/memory/1860-8-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/memory/400-16-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cd2-15.dat family_berbew behavioral2/files/0x0006000000022cd2-17.dat family_berbew behavioral2/files/0x0006000000022cd4-23.dat family_berbew behavioral2/memory/3344-24-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cd4-25.dat family_berbew behavioral2/files/0x0006000000022cd6-31.dat family_berbew behavioral2/memory/5024-32-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cd6-33.dat family_berbew behavioral2/files/0x0006000000022cd8-39.dat family_berbew behavioral2/files/0x0006000000022cd8-41.dat family_berbew behavioral2/memory/4472-40-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cda-47.dat family_berbew behavioral2/files/0x0006000000022cdc-55.dat family_berbew behavioral2/files/0x0006000000022cda-49.dat family_berbew behavioral2/memory/3292-48-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/memory/3380-57-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cde-63.dat family_berbew behavioral2/files/0x0006000000022cdc-56.dat family_berbew behavioral2/files/0x0006000000022cde-64.dat family_berbew behavioral2/memory/4800-65-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce0-71.dat family_berbew behavioral2/memory/4996-73-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce0-72.dat family_berbew behavioral2/files/0x0006000000022ce2-79.dat family_berbew behavioral2/memory/4940-80-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce2-81.dat family_berbew behavioral2/memory/3008-82-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce6-88.dat family_berbew behavioral2/files/0x0006000000022ce6-90.dat family_berbew behavioral2/memory/312-89-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce9-96.dat family_berbew behavioral2/files/0x0006000000022ce9-98.dat family_berbew behavioral2/memory/4784-97-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022ceb-104.dat family_berbew behavioral2/files/0x0006000000022ceb-106.dat family_berbew behavioral2/memory/3816-105-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/memory/1936-113-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022ced-114.dat family_berbew behavioral2/files/0x0006000000022ced-112.dat family_berbew behavioral2/memory/892-121-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf0-122.dat family_berbew behavioral2/files/0x0006000000022cf0-120.dat family_berbew behavioral2/files/0x0006000000022cf4-128.dat family_berbew behavioral2/memory/224-129-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf4-130.dat family_berbew behavioral2/files/0x0006000000022cf6-136.dat family_berbew behavioral2/files/0x0006000000022cf6-138.dat family_berbew behavioral2/memory/2176-137-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf8-144.dat family_berbew behavioral2/memory/3532-146-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf8-145.dat family_berbew behavioral2/files/0x0006000000022cfa-152.dat family_berbew behavioral2/files/0x0006000000022cfa-154.dat family_berbew behavioral2/memory/1740-153-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cfd-160.dat family_berbew behavioral2/files/0x0006000000022cfd-162.dat family_berbew behavioral2/memory/4956-161-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022cff-163.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1860 Dfdpad32.exe 400 Digehphc.exe 3344 Ddnfmqng.exe 5024 Dfnbgc32.exe 4472 Eiokinbk.exe 3292 Enkdaepb.exe 3380 Ekodjiol.exe 4800 Eehicoel.exe 4996 Eblimcdf.exe 3008 Ebnfbcbc.exe 312 Feoodn32.exe 4784 Fechomko.exe 3816 Ffceip32.exe 1936 Lpfgmnfp.exe 892 Ljeafb32.exe 224 Lcnfohmi.exe 2176 Modgdicm.exe 3532 Mmhgmmbf.exe 1740 Mjlhgaqp.exe 4956 Mnjqmpgg.exe 2376 Mfhbga32.exe 4548 Nggnadib.exe 556 Ngjkfd32.exe 3476 Nglhld32.exe 2012 Npgmpf32.exe 3484 Npiiffqe.exe 4876 Omnjojpo.exe 4588 Ocjoadei.exe 4332 Onapdl32.exe 4744 Omgmeigd.exe 4528 Pjkmomfn.exe 3128 Phajna32.exe 1084 Paiogf32.exe 3924 Pfiddm32.exe 3236 Pmblagmf.exe 3568 Qhhpop32.exe 1276 Qjiipk32.exe 2536 Qdaniq32.exe 3136 Akkffkhk.exe 1560 Adcjop32.exe 4852 Amlogfel.exe 996 Ahaceo32.exe 4236 Amnlme32.exe 1692 Akblfj32.exe 4524 Apaadpng.exe 2560 Bdagpnbk.exe 3348 Bogkmgba.exe 4660 Bphgeo32.exe 1396 Bkphhgfc.exe 408 Cpmapodj.exe 4820 Ckbemgcp.exe 4640 Cgifbhid.exe 4224 Caojpaij.exe 4532 Cpdgqmnb.exe 1556 Coegoe32.exe 4092 Cklhcfle.exe 1568 Dpiplm32.exe 4228 Dkndie32.exe 348 Dpkmal32.exe 624 Dnonkq32.exe 4724 Dnajppda.exe 368 Ddkbmj32.exe 4904 Dkekjdck.exe 2856 Dqbcbkab.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fgencf32.exe Fakfglhm.exe File created C:\Windows\SysWOW64\Phajna32.exe Pjkmomfn.exe File created C:\Windows\SysWOW64\Mojopk32.exe Mhpgca32.exe File created C:\Windows\SysWOW64\Fhchhm32.exe Faiplcmk.exe File created C:\Windows\SysWOW64\Nlikicki.dll Lnbdlkje.exe File opened for modification C:\Windows\SysWOW64\Nglhld32.exe Ngjkfd32.exe File opened for modification C:\Windows\SysWOW64\Opjgidfa.exe Oiqomj32.exe File created C:\Windows\SysWOW64\Hnqmpo32.dll Ljjicl32.exe File created C:\Windows\SysWOW64\Fbcldbpf.dll Opgloh32.exe File opened for modification C:\Windows\SysWOW64\Eblimcdf.exe Eehicoel.exe File opened for modification C:\Windows\SysWOW64\Eibmlc32.exe Edfddl32.exe File created C:\Windows\SysWOW64\Ppifci32.dll Hoglbc32.exe File created C:\Windows\SysWOW64\Kfejmobh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Adohmidb.exe Aneppo32.exe File created C:\Windows\SysWOW64\Dohjem32.dll Ffceip32.exe File created C:\Windows\SysWOW64\Mjaonjaj.dll Edgbii32.exe File created C:\Windows\SysWOW64\Bkefphem.exe Bdlncn32.exe File created C:\Windows\SysWOW64\Gehice32.exe Ghdhja32.exe File created C:\Windows\SysWOW64\Dannpknl.dll Nglhld32.exe File created C:\Windows\SysWOW64\Adgmoigj.exe Amnebo32.exe File created C:\Windows\SysWOW64\Njceqili.exe Njahki32.exe File created C:\Windows\SysWOW64\Ebnfbcbc.exe Eblimcdf.exe File created C:\Windows\SysWOW64\Polcjq32.dll Abfdpfaj.exe File created C:\Windows\SysWOW64\Iholohii.exe Ijkled32.exe File created C:\Windows\SysWOW64\Emjfif32.dll Cicqja32.exe File created C:\Windows\SysWOW64\Hjeodp32.dll Qajlje32.exe File created C:\Windows\SysWOW64\Ekbage32.dll Embdofop.exe File created C:\Windows\SysWOW64\Apeagd32.exe Aikijjon.exe File opened for modification C:\Windows\SysWOW64\Knjhae32.exe Kdbchp32.exe File created C:\Windows\SysWOW64\Almanf32.exe Aecialmb.exe File created C:\Windows\SysWOW64\Bipdih32.dll Eibmlc32.exe File created C:\Windows\SysWOW64\Mankaked.exe Mmpbkm32.exe File opened for modification C:\Windows\SysWOW64\Qpkppbho.exe Pknghk32.exe File created C:\Windows\SysWOW64\Dohnnkjk.dll Qmdblp32.exe File opened for modification C:\Windows\SysWOW64\Jnfjbj32.exe Jeneidji.exe File created C:\Windows\SysWOW64\Iplkje32.exe Ifdgaond.exe File created C:\Windows\SysWOW64\Kkofofbb.exe Kfbmgo32.exe File opened for modification C:\Windows\SysWOW64\Joqafgni.exe Iialhaad.exe File created C:\Windows\SysWOW64\Ilfodgeg.exe Hjfbjdnd.exe File opened for modification C:\Windows\SysWOW64\Gloejmld.exe Gddqejni.exe File opened for modification C:\Windows\SysWOW64\Iapbodql.exe Ilcjgm32.exe File opened for modification C:\Windows\SysWOW64\Pjjaci32.exe Process not Found File created C:\Windows\SysWOW64\Mjehok32.exe Mclpbqal.exe File opened for modification C:\Windows\SysWOW64\Khlinedh.exe Kaaaak32.exe File opened for modification C:\Windows\SysWOW64\Dnonkq32.exe Dpkmal32.exe File created C:\Windows\SysWOW64\Cmmdfp32.dll Dkekjdck.exe File created C:\Windows\SysWOW64\Oflfdbip.exe Omcbkl32.exe File opened for modification C:\Windows\SysWOW64\Niglfl32.exe Process not Found File created C:\Windows\SysWOW64\Eghimo32.exe Embdofop.exe File created C:\Windows\SysWOW64\Dbghhd32.dll Dgnolj32.exe File opened for modification C:\Windows\SysWOW64\Iabglnco.exe Ilfodgeg.exe File opened for modification C:\Windows\SysWOW64\Gohapb32.exe Fepmgm32.exe File created C:\Windows\SysWOW64\Mjaodkmo.exe Mcggga32.exe File opened for modification C:\Windows\SysWOW64\Bldogjib.exe Bgggockk.exe File created C:\Windows\SysWOW64\Okkjkh32.dll Fdmjdkda.exe File opened for modification C:\Windows\SysWOW64\Hcifmdeo.exe Hnmnengg.exe File created C:\Windows\SysWOW64\Kncpqlhj.dll Ofhcdlgg.exe File created C:\Windows\SysWOW64\Bhcdcbcl.dll Ciefek32.exe File created C:\Windows\SysWOW64\Amnlme32.exe Ahaceo32.exe File created C:\Windows\SysWOW64\Dkekjdck.exe Ddkbmj32.exe File created C:\Windows\SysWOW64\Lgidjfjk.dll Qppaclio.exe File created C:\Windows\SysWOW64\Ejioqkck.dll Halaloif.exe File created C:\Windows\SysWOW64\Nloebh32.dll Qlajkm32.exe File created C:\Windows\SysWOW64\Bkifnm32.dll Egoomnin.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7664 6948 Process not Found 1265 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll" Fgnjqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfilkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfgloiqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdjfohjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmplkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdqbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfpgnpee.dll" Phkmoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alnifp32.dll" Qgehml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiijig32.dll" Jlkfbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgnolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmpkall.dll" Afhfaddk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncmdhlq.dll" Hccggl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll" Akihcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cldjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laacmbkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aggempll.dll" Beippj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feoodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gggmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlefjnno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polnbakm.dll" Aglnnkid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njceqili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikpjmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpiplm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddhomdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceeaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcggga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlajkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjfogbjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdkmgali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hodqlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdoadlje.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fanbll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgpobmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilflj32.dll" Dlobmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlddal32.dll" Jmqekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogcho32.dll" Pfppoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcomonkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqgedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfilkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaakbkm.dll" Pknghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogadadh.dll" Liabjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqjbanf.dll" Ejkndijd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjfif32.dll" Cicqja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhopgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckfofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Galfhpmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqajjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnhjig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mndjhhjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enopghee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnfooe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agobna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anijjkbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlbnhkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjkqpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppphkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqbcbkab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aocafeff.dll" Ndmpddfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqnemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npqmipjq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4940 wrote to memory of 1860 4940 NEAS.8c045ddc5ea25219c131258e66156ba0_JC.exe 89 PID 4940 wrote to memory of 1860 4940 NEAS.8c045ddc5ea25219c131258e66156ba0_JC.exe 89 PID 4940 wrote to memory of 1860 4940 NEAS.8c045ddc5ea25219c131258e66156ba0_JC.exe 89 PID 1860 wrote to memory of 400 1860 Dfdpad32.exe 90 PID 1860 wrote to memory of 400 1860 Dfdpad32.exe 90 PID 1860 wrote to memory of 400 1860 Dfdpad32.exe 90 PID 400 wrote to memory of 3344 400 Digehphc.exe 92 PID 400 wrote to memory of 3344 400 Digehphc.exe 92 PID 400 wrote to memory of 3344 400 Digehphc.exe 92 PID 3344 wrote to memory of 5024 3344 Ddnfmqng.exe 93 PID 3344 wrote to memory of 5024 3344 Ddnfmqng.exe 93 PID 3344 wrote to memory of 5024 3344 Ddnfmqng.exe 93 PID 5024 wrote to memory of 4472 5024 Dfnbgc32.exe 94 PID 5024 wrote to memory of 4472 5024 Dfnbgc32.exe 94 PID 5024 wrote to memory of 4472 5024 Dfnbgc32.exe 94 PID 4472 wrote to memory of 3292 4472 Eiokinbk.exe 95 PID 4472 wrote to memory of 3292 4472 Eiokinbk.exe 95 PID 4472 wrote to memory of 3292 4472 Eiokinbk.exe 95 PID 3292 wrote to memory of 3380 3292 Enkdaepb.exe 96 PID 3292 wrote to memory of 3380 3292 Enkdaepb.exe 96 PID 3292 wrote to memory of 3380 3292 Enkdaepb.exe 96 PID 3380 wrote to memory of 4800 3380 Ekodjiol.exe 97 PID 3380 wrote to memory of 4800 3380 Ekodjiol.exe 97 PID 3380 wrote to memory of 4800 3380 Ekodjiol.exe 97 PID 4800 wrote to memory of 4996 4800 Eehicoel.exe 98 PID 4800 wrote to memory of 4996 4800 Eehicoel.exe 98 PID 4800 wrote to memory of 4996 4800 Eehicoel.exe 98 PID 4996 wrote to memory of 3008 4996 Eblimcdf.exe 99 PID 4996 wrote to memory of 3008 4996 Eblimcdf.exe 99 PID 4996 wrote to memory of 3008 4996 Eblimcdf.exe 99 PID 3008 wrote to memory of 312 3008 Ebnfbcbc.exe 100 PID 3008 wrote to memory of 312 3008 Ebnfbcbc.exe 100 PID 3008 wrote to memory of 312 3008 Ebnfbcbc.exe 100 PID 312 wrote to memory of 4784 312 Feoodn32.exe 101 PID 312 wrote to memory of 4784 312 Feoodn32.exe 101 PID 312 wrote to memory of 4784 312 Feoodn32.exe 101 PID 4784 wrote to memory of 3816 4784 Fechomko.exe 102 PID 4784 wrote to memory of 3816 4784 Fechomko.exe 102 PID 4784 wrote to memory of 3816 4784 Fechomko.exe 102 PID 3816 wrote to memory of 1936 3816 Ffceip32.exe 105 PID 3816 wrote to memory of 1936 3816 Ffceip32.exe 105 PID 3816 wrote to memory of 1936 3816 Ffceip32.exe 105 PID 1936 wrote to memory of 892 1936 Lpfgmnfp.exe 106 PID 1936 wrote to memory of 892 1936 Lpfgmnfp.exe 106 PID 1936 wrote to memory of 892 1936 Lpfgmnfp.exe 106 PID 892 wrote to memory of 224 892 Ljeafb32.exe 107 PID 892 wrote to memory of 224 892 Ljeafb32.exe 107 PID 892 wrote to memory of 224 892 Ljeafb32.exe 107 PID 224 wrote to memory of 2176 224 Lcnfohmi.exe 108 PID 224 wrote to memory of 2176 224 Lcnfohmi.exe 108 PID 224 wrote to memory of 2176 224 Lcnfohmi.exe 108 PID 2176 wrote to memory of 3532 2176 Modgdicm.exe 109 PID 2176 wrote to memory of 3532 2176 Modgdicm.exe 109 PID 2176 wrote to memory of 3532 2176 Modgdicm.exe 109 PID 3532 wrote to memory of 1740 3532 Mmhgmmbf.exe 110 PID 3532 wrote to memory of 1740 3532 Mmhgmmbf.exe 110 PID 3532 wrote to memory of 1740 3532 Mmhgmmbf.exe 110 PID 1740 wrote to memory of 4956 1740 Mjlhgaqp.exe 111 PID 1740 wrote to memory of 4956 1740 Mjlhgaqp.exe 111 PID 1740 wrote to memory of 4956 1740 Mjlhgaqp.exe 111 PID 4956 wrote to memory of 2376 4956 Mnjqmpgg.exe 112 PID 4956 wrote to memory of 2376 4956 Mnjqmpgg.exe 112 PID 4956 wrote to memory of 2376 4956 Mnjqmpgg.exe 112 PID 2376 wrote to memory of 4548 2376 Mfhbga32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.8c045ddc5ea25219c131258e66156ba0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.8c045ddc5ea25219c131258e66156ba0_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Ddnfmqng.exeC:\Windows\system32\Ddnfmqng.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Feoodn32.exeC:\Windows\system32\Feoodn32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Fechomko.exeC:\Windows\system32\Fechomko.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Modgdicm.exeC:\Windows\system32\Modgdicm.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Mjlhgaqp.exeC:\Windows\system32\Mjlhgaqp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Nggnadib.exeC:\Windows\system32\Nggnadib.exe23⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3476 -
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Npiiffqe.exeC:\Windows\system32\Npiiffqe.exe27⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe28⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Ocjoadei.exeC:\Windows\system32\Ocjoadei.exe29⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe30⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Omgmeigd.exeC:\Windows\system32\Omgmeigd.exe31⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Pjkmomfn.exeC:\Windows\system32\Pjkmomfn.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4528 -
C:\Windows\SysWOW64\Phajna32.exeC:\Windows\system32\Phajna32.exe33⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe34⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3924 -
C:\Windows\SysWOW64\Pmblagmf.exeC:\Windows\system32\Pmblagmf.exe36⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe37⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Qjiipk32.exeC:\Windows\system32\Qjiipk32.exe38⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe39⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe40⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe41⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Amlogfel.exeC:\Windows\system32\Amlogfel.exe42⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe44⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Akblfj32.exeC:\Windows\system32\Akblfj32.exe45⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Apaadpng.exeC:\Windows\system32\Apaadpng.exe46⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe47⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe48⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe49⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe50⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Cpmapodj.exeC:\Windows\system32\Cpmapodj.exe51⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Ckbemgcp.exeC:\Windows\system32\Ckbemgcp.exe52⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Cgifbhid.exeC:\Windows\system32\Cgifbhid.exe53⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Caojpaij.exeC:\Windows\system32\Caojpaij.exe54⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe55⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe56⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Cklhcfle.exeC:\Windows\system32\Cklhcfle.exe57⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe59⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Dpkmal32.exeC:\Windows\system32\Dpkmal32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Dnonkq32.exeC:\Windows\system32\Dnonkq32.exe61⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe62⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Ddkbmj32.exeC:\Windows\system32\Ddkbmj32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:368 -
C:\Windows\SysWOW64\Dkekjdck.exeC:\Windows\system32\Dkekjdck.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4904 -
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe66⤵PID:1380
-
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe67⤵PID:4816
-
C:\Windows\SysWOW64\Ehlhih32.exeC:\Windows\system32\Ehlhih32.exe68⤵PID:2916
-
C:\Windows\SysWOW64\Edbiniff.exeC:\Windows\system32\Edbiniff.exe69⤵PID:2316
-
C:\Windows\SysWOW64\Ebfign32.exeC:\Windows\system32\Ebfign32.exe70⤵PID:1460
-
C:\Windows\SysWOW64\Eojiqb32.exeC:\Windows\system32\Eojiqb32.exe71⤵PID:4364
-
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Edionhpn.exeC:\Windows\system32\Edionhpn.exe73⤵PID:4304
-
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe74⤵PID:680
-
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe75⤵PID:2476
-
C:\Windows\SysWOW64\Fkhpfbce.exeC:\Windows\system32\Fkhpfbce.exe76⤵PID:3224
-
C:\Windows\SysWOW64\Feqeog32.exeC:\Windows\system32\Feqeog32.exe77⤵PID:3464
-
C:\Windows\SysWOW64\Fqgedh32.exeC:\Windows\system32\Fqgedh32.exe78⤵
- Modifies registry class
PID:3160 -
C:\Windows\SysWOW64\Fnkfmm32.exeC:\Windows\system32\Fnkfmm32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4824 -
C:\Windows\SysWOW64\Fiqjke32.exeC:\Windows\system32\Fiqjke32.exe80⤵PID:4356
-
C:\Windows\SysWOW64\Gegkpf32.exeC:\Windows\system32\Gegkpf32.exe81⤵PID:5132
-
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe83⤵PID:5260
-
C:\Windows\SysWOW64\Ggkqgaol.exeC:\Windows\system32\Ggkqgaol.exe84⤵PID:5304
-
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe85⤵PID:5348
-
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe86⤵PID:5396
-
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe87⤵PID:5436
-
C:\Windows\SysWOW64\Hnnljj32.exeC:\Windows\system32\Hnnljj32.exe88⤵PID:5484
-
C:\Windows\SysWOW64\Hehdfdek.exeC:\Windows\system32\Hehdfdek.exe89⤵PID:5528
-
C:\Windows\SysWOW64\Hnphoj32.exeC:\Windows\system32\Hnphoj32.exe90⤵PID:5568
-
C:\Windows\SysWOW64\Hejqldci.exeC:\Windows\system32\Hejqldci.exe91⤵PID:5616
-
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe92⤵PID:5672
-
C:\Windows\SysWOW64\Ipbaol32.exeC:\Windows\system32\Ipbaol32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708 -
C:\Windows\SysWOW64\Iacngdgj.exeC:\Windows\system32\Iacngdgj.exe94⤵PID:5752
-
C:\Windows\SysWOW64\Ihmfco32.exeC:\Windows\system32\Ihmfco32.exe95⤵PID:5792
-
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe96⤵PID:5844
-
C:\Windows\SysWOW64\Ipgkjlmg.exeC:\Windows\system32\Ipgkjlmg.exe97⤵PID:5884
-
C:\Windows\SysWOW64\Ilnlom32.exeC:\Windows\system32\Ilnlom32.exe98⤵PID:5948
-
C:\Windows\SysWOW64\Iialhaad.exeC:\Windows\system32\Iialhaad.exe99⤵
- Drops file in System32 directory
PID:5992 -
C:\Windows\SysWOW64\Joqafgni.exeC:\Windows\system32\Joqafgni.exe100⤵PID:6032
-
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe101⤵PID:6080
-
C:\Windows\SysWOW64\Jhkbdmbg.exeC:\Windows\system32\Jhkbdmbg.exe102⤵PID:6124
-
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe103⤵PID:5148
-
C:\Windows\SysWOW64\Jimldogg.exeC:\Windows\system32\Jimldogg.exe104⤵PID:5272
-
C:\Windows\SysWOW64\Jahqiaeb.exeC:\Windows\system32\Jahqiaeb.exe105⤵PID:5336
-
C:\Windows\SysWOW64\Khbiello.exeC:\Windows\system32\Khbiello.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5420 -
C:\Windows\SysWOW64\Kolabf32.exeC:\Windows\system32\Kolabf32.exe107⤵PID:5520
-
C:\Windows\SysWOW64\Kheekkjl.exeC:\Windows\system32\Kheekkjl.exe108⤵PID:5596
-
C:\Windows\SysWOW64\Kpnjah32.exeC:\Windows\system32\Kpnjah32.exe109⤵PID:5692
-
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe110⤵PID:5824
-
C:\Windows\SysWOW64\Lohqnd32.exeC:\Windows\system32\Lohqnd32.exe111⤵PID:5936
-
C:\Windows\SysWOW64\Lindkm32.exeC:\Windows\system32\Lindkm32.exe112⤵PID:6020
-
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe113⤵PID:6088
-
C:\Windows\SysWOW64\Ledepn32.exeC:\Windows\system32\Ledepn32.exe114⤵PID:1324
-
C:\Windows\SysWOW64\Lpochfji.exeC:\Windows\system32\Lpochfji.exe115⤵PID:5316
-
C:\Windows\SysWOW64\Mapppn32.exeC:\Windows\system32\Mapppn32.exe116⤵PID:5456
-
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe117⤵PID:5600
-
C:\Windows\SysWOW64\Mofmobmo.exeC:\Windows\system32\Mofmobmo.exe118⤵PID:5764
-
C:\Windows\SysWOW64\Mhoahh32.exeC:\Windows\system32\Mhoahh32.exe119⤵PID:5876
-
C:\Windows\SysWOW64\Mpeiie32.exeC:\Windows\system32\Mpeiie32.exe120⤵PID:6012
-
C:\Windows\SysWOW64\Mbgeqmjp.exeC:\Windows\system32\Mbgeqmjp.exe121⤵PID:5180
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-