Analysis
-
max time kernel
103s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2023, 07:08
Behavioral task
behavioral1
Sample
NEAS.77ae8c4a6790fd4b3f1d4784b3ed4c40_JC.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.77ae8c4a6790fd4b3f1d4784b3ed4c40_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.77ae8c4a6790fd4b3f1d4784b3ed4c40_JC.exe
-
Size
135KB
-
MD5
77ae8c4a6790fd4b3f1d4784b3ed4c40
-
SHA1
a4385d8241b8f8223b16c592420bfb6ba4571a06
-
SHA256
48050677f5c5d06fc7a23f3a1819d1e5b0218b18bf51e70e03af25aef895ce11
-
SHA512
0f505fc52aa304a15118d6a477b36d25b9dd8a09bd73c26aeb2c55d2d3682cc49882ce854c7d138e71bec9b08a3ff2e93cb1d3d7b4362bdefc97a34ec61f7858
-
SSDEEP
3072:cR/s9oaSYYd1yD2VSR1TpK8Qr5+ViKGe7Yfs0a0Uoi:gwoaSYYd1yJR1TpK9cViK4fs0l
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjpkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkiamp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmqiec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cejaobel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deokja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkpipaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlofcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlgbon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbmlmmjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajaqjfbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpcdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gomkkagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqdodo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpofl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpmcmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkholi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfanflne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eieplhlf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbhka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdihbgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iencmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdbkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikjmbmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgjjoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnpgdmjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cogddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlbejloe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgqgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iholohii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajfdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpefaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddqejni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feifgnki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooibkpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbbnbemf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clgmkbna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oddmoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfpenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glpdjpbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okailj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimlgnij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqjcgbbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpinac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjmekgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabmmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlhgpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddekmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfmekm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bflagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgibkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnhajba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlofcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnckooob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpllbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Midfjnge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcmeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.77ae8c4a6790fd4b3f1d4784b3ed4c40_JC.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfqdid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odfcjc32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4128-0-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/memory/4128-1-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf2-7.dat family_berbew behavioral2/files/0x0006000000022cf2-9.dat family_berbew behavioral2/memory/3012-8-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf6-15.dat family_berbew behavioral2/files/0x0006000000022cf6-17.dat family_berbew behavioral2/memory/3556-16-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf9-23.dat family_berbew behavioral2/files/0x0006000000022cf9-25.dat family_berbew behavioral2/memory/116-24-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cfb-31.dat family_berbew behavioral2/memory/2032-32-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cfb-33.dat family_berbew behavioral2/files/0x0006000000022cfd-39.dat family_berbew behavioral2/memory/1304-40-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cfd-41.dat family_berbew behavioral2/files/0x0006000000022d03-49.dat family_berbew behavioral2/memory/3500-48-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d03-47.dat family_berbew behavioral2/files/0x0006000000022d06-55.dat family_berbew behavioral2/files/0x0006000000022d06-57.dat family_berbew behavioral2/memory/2348-56-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d08-63.dat family_berbew behavioral2/memory/4936-64-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d08-65.dat family_berbew behavioral2/files/0x0006000000022d0a-71.dat family_berbew behavioral2/memory/4500-72-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d0a-73.dat family_berbew behavioral2/files/0x0007000000022d0d-79.dat family_berbew behavioral2/files/0x0007000000022d0d-80.dat family_berbew behavioral2/memory/1796-86-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/memory/4128-81-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d10-88.dat family_berbew behavioral2/files/0x0006000000022d10-89.dat family_berbew behavioral2/memory/2536-90-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/memory/4256-98-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022cff-96.dat family_berbew behavioral2/files/0x0007000000022cff-97.dat family_berbew behavioral2/files/0x0007000000022d01-104.dat family_berbew behavioral2/memory/3964-106-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022d01-105.dat family_berbew behavioral2/files/0x0008000000022d05-112.dat family_berbew behavioral2/memory/4656-113-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0008000000022d05-114.dat family_berbew behavioral2/files/0x0008000000022d12-120.dat family_berbew behavioral2/files/0x0008000000022d12-121.dat family_berbew behavioral2/memory/3512-122-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d14-128.dat family_berbew behavioral2/memory/4528-129-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d14-130.dat family_berbew behavioral2/files/0x0006000000022d16-136.dat family_berbew behavioral2/memory/2272-137-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d16-138.dat family_berbew behavioral2/files/0x0006000000022d19-144.dat family_berbew behavioral2/memory/4576-145-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d19-146.dat family_berbew behavioral2/memory/1896-153-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d1b-154.dat family_berbew behavioral2/files/0x0006000000022d1b-152.dat family_berbew behavioral2/files/0x0006000000022d1d-160.dat family_berbew behavioral2/memory/2240-162-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022d1d-161.dat family_berbew behavioral2/files/0x0006000000022d1f-170.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3012 Kjgeedch.exe 3556 Ljnlecmp.exe 116 Lgdidgjg.exe 2032 Lggejg32.exe 1304 Ljhnlb32.exe 3500 Mnhdgpii.exe 2348 Mjcngpjh.exe 4936 Njfkmphe.exe 4500 Ngndaccj.exe 1796 Nfcabp32.exe 2536 Omnjojpo.exe 4256 Onmfimga.exe 3964 Ogekbb32.exe 4656 Opqofe32.exe 3512 Ogjdmbil.exe 4528 Ocaebc32.exe 2272 Pccahbmn.exe 4576 Pnkbkk32.exe 1896 Pjbcplpe.exe 2240 Pnplfj32.exe 4864 Pdmdnadc.exe 3444 Qaqegecm.exe 3900 Qodeajbg.exe 2184 Akkffkhk.exe 1116 Apjkcadp.exe 5068 Aokkahlo.exe 216 Aonhghjl.exe 3312 Akdilipp.exe 4704 Bobabg32.exe 3648 Bhmbqm32.exe 1016 Bhpofl32.exe 4908 Bdfpkm32.exe 4312 Cggimh32.exe 1312 Cdkifmjq.exe 2724 Cdpcal32.exe 764 Cdbpgl32.exe 4404 Cogddd32.exe 3340 Dgcihgaj.exe 2696 Ddgibkpc.exe 1508 Ddifgk32.exe 704 Dbocfo32.exe 1100 Egohdegl.exe 1020 Ebdlangb.exe 3380 Eohmkb32.exe 1396 Ehpadhll.exe 4308 Ebifmm32.exe 5028 Eqncnj32.exe 2580 Eghkjdoa.exe 2920 Figgdg32.exe 4768 Fbplml32.exe 3548 Fijdjfdb.exe 1720 Fbbicl32.exe 2308 Fecadghc.exe 3772 Fnkfmm32.exe 4668 Gokbgpeg.exe 4028 Gbkkik32.exe 4912 Gaqhjggp.exe 780 Gijmad32.exe 3068 Hecjke32.exe 1348 Hnlodjpa.exe 4588 Halhfe32.exe 2556 Hejqldci.exe 1808 Hldiinke.exe 3356 Hihibbjo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Chbfoaba.dll Giljfddl.exe File created C:\Windows\SysWOW64\Jcihjl32.exe Jjqdafmp.exe File created C:\Windows\SysWOW64\Mjehok32.exe Mppdbb32.exe File created C:\Windows\SysWOW64\Maaekg32.exe Mkgmoncl.exe File created C:\Windows\SysWOW64\Ephlnn32.exe Edakimoo.exe File opened for modification C:\Windows\SysWOW64\Jgcooaah.exe Iaifbg32.exe File created C:\Windows\SysWOW64\Pphbql32.dll Mdokmm32.exe File opened for modification C:\Windows\SysWOW64\Dpihbjmg.exe Dfqdid32.exe File opened for modification C:\Windows\SysWOW64\Hahlnefd.exe Hkodak32.exe File created C:\Windows\SysWOW64\Fbplml32.exe Figgdg32.exe File opened for modification C:\Windows\SysWOW64\Oqhoeb32.exe Ofckhj32.exe File created C:\Windows\SysWOW64\Pmmlla32.exe Pbhgoh32.exe File opened for modification C:\Windows\SysWOW64\Dahfkimd.exe Dknnoofg.exe File opened for modification C:\Windows\SysWOW64\Lbebilli.exe Llkjmb32.exe File created C:\Windows\SysWOW64\Ghjhofjg.exe Ggilgn32.exe File created C:\Windows\SysWOW64\Glpdjpbj.exe Geflne32.exe File opened for modification C:\Windows\SysWOW64\Pjjfdfbb.exe Pcpnhl32.exe File opened for modification C:\Windows\SysWOW64\Hqdkkp32.exe Gbpnjdkg.exe File created C:\Windows\SysWOW64\Kdkoef32.exe Kbjbnnfg.exe File created C:\Windows\SysWOW64\Ofijnbkb.exe Omaeem32.exe File created C:\Windows\SysWOW64\Iqoddlib.dll Egmjpi32.exe File created C:\Windows\SysWOW64\Hghhgh32.dll Cemndbci.exe File created C:\Windows\SysWOW64\Amfemoei.dll Eohhie32.exe File created C:\Windows\SysWOW64\Gmdkgn32.dll Ihndgmdd.exe File opened for modification C:\Windows\SysWOW64\Ilcjgm32.exe Iameid32.exe File created C:\Windows\SysWOW64\Lhgdmb32.exe Lcjldk32.exe File opened for modification C:\Windows\SysWOW64\Aijeme32.exe Andqol32.exe File created C:\Windows\SysWOW64\Jjcqffkm.exe Jcihjl32.exe File opened for modification C:\Windows\SysWOW64\Kbbhka32.exe Jhjcbljf.exe File opened for modification C:\Windows\SysWOW64\Nfcabp32.exe Ngndaccj.exe File created C:\Windows\SysWOW64\Kehmcnda.dll Kfaglf32.exe File opened for modification C:\Windows\SysWOW64\Apgqie32.exe Afnlpohj.exe File created C:\Windows\SysWOW64\Bjcmpepm.exe Bhbahm32.exe File opened for modification C:\Windows\SysWOW64\Apnndj32.exe Ajaelc32.exe File opened for modification C:\Windows\SysWOW64\Cemndbci.exe Cnbfgh32.exe File opened for modification C:\Windows\SysWOW64\Nleaha32.exe Nifele32.exe File opened for modification C:\Windows\SysWOW64\Halhfe32.exe Hnlodjpa.exe File opened for modification C:\Windows\SysWOW64\Indkpcdk.exe Icogcjde.exe File created C:\Windows\SysWOW64\Jqofippg.exe Jjemle32.exe File created C:\Windows\SysWOW64\Jikjmbmb.exe Jginej32.exe File created C:\Windows\SysWOW64\Lcfidb32.exe Lhqefjpo.exe File opened for modification C:\Windows\SysWOW64\Akihcfid.exe Aflpkpjm.exe File created C:\Windows\SysWOW64\Dipffc32.dll Gomkkagl.exe File opened for modification C:\Windows\SysWOW64\Jmccnk32.exe Jbnopbdl.exe File created C:\Windows\SysWOW64\Lndkebgi.dll Ihceigec.exe File created C:\Windows\SysWOW64\Ifcben32.exe Iebfmfdg.exe File opened for modification C:\Windows\SysWOW64\Cpbbak32.exe Cemndbci.exe File created C:\Windows\SysWOW64\Fpmfmgnc.dll Ebifmm32.exe File created C:\Windows\SysWOW64\Ebokodfc.exe Dpnbmi32.exe File created C:\Windows\SysWOW64\Bqnemp32.exe Bjcmpepm.exe File opened for modification C:\Windows\SysWOW64\Hejqldci.exe Halhfe32.exe File created C:\Windows\SysWOW64\Iojghflb.dll Cdnelpod.exe File created C:\Windows\SysWOW64\Gedfblql.exe Gojnfb32.exe File opened for modification C:\Windows\SysWOW64\Kjgeedch.exe NEAS.77ae8c4a6790fd4b3f1d4784b3ed4c40_JC.exe File opened for modification C:\Windows\SysWOW64\Bbdpad32.exe Bjhkmbho.exe File created C:\Windows\SysWOW64\Jgekdq32.exe Jnmglk32.exe File opened for modification C:\Windows\SysWOW64\Ginenk32.exe Gccmaack.exe File opened for modification C:\Windows\SysWOW64\Nidhffef.exe Nffljjfc.exe File opened for modification C:\Windows\SysWOW64\Nlcidopb.exe Nooikj32.exe File opened for modification C:\Windows\SysWOW64\Gojgkl32.exe Geabbfoc.exe File opened for modification C:\Windows\SysWOW64\Mbcjimda.exe Mikepg32.exe File created C:\Windows\SysWOW64\Icpjna32.dll Cmedjl32.exe File created C:\Windows\SysWOW64\Jepplk32.dll Hmmakk32.exe File created C:\Windows\SysWOW64\Ojonli32.dll Dpnbmi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8176 6804 WerFault.exe 763 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holpib32.dll" Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepplk32.dll" Hmmakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjjj32.dll" Dgaiffii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jchaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjplibp.dll" Jbnopbdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llnnmhfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll" Noblkqca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlcidopb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aijeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpnngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmkad32.dll" Oinbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglmllpq.dll" Ilkoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdogjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggilgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajohfcpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciofjflg.dll" Aocmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbdmdlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjbog32.dll" Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichnpf32.dll" Lkiamp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igghffab.dll" Mdkabmjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckjejfe.dll" Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjhkmbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll" Enlcahgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpjjj32.dll" Cfjeckpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmpddfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqnemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmncc32.dll" Jhjcbljf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiocnbpm.dll" Ibgmaqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peqkdjmm.dll" Gojnfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hodqlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqkefo32.dll" Hfgloiqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hailjldc.dll" Ioicnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmccnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfgjcqc.dll" Mppdbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqgnfcmm.dll" Ehpadhll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjgkab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aioebj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmqiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Painhneh.dll" Gggfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amoknh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conkjj32.dll" Nbbnbemf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfgahikm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oacdmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjopbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leoejh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkpla32.dll" Pblajhje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqadklae.dll" Iabodcnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kadpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmcke32.dll" Jopiom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbjfjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldaec32.dll" Afockelf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfhpilbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjffpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll" Bmbnnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llimgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciknefmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmifkecb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfqdid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gedohfmp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4128 wrote to memory of 3012 4128 NEAS.77ae8c4a6790fd4b3f1d4784b3ed4c40_JC.exe 87 PID 4128 wrote to memory of 3012 4128 NEAS.77ae8c4a6790fd4b3f1d4784b3ed4c40_JC.exe 87 PID 4128 wrote to memory of 3012 4128 NEAS.77ae8c4a6790fd4b3f1d4784b3ed4c40_JC.exe 87 PID 3012 wrote to memory of 3556 3012 Kjgeedch.exe 89 PID 3012 wrote to memory of 3556 3012 Kjgeedch.exe 89 PID 3012 wrote to memory of 3556 3012 Kjgeedch.exe 89 PID 3556 wrote to memory of 116 3556 Ljnlecmp.exe 90 PID 3556 wrote to memory of 116 3556 Ljnlecmp.exe 90 PID 3556 wrote to memory of 116 3556 Ljnlecmp.exe 90 PID 116 wrote to memory of 2032 116 Lgdidgjg.exe 91 PID 116 wrote to memory of 2032 116 Lgdidgjg.exe 91 PID 116 wrote to memory of 2032 116 Lgdidgjg.exe 91 PID 2032 wrote to memory of 1304 2032 Lggejg32.exe 92 PID 2032 wrote to memory of 1304 2032 Lggejg32.exe 92 PID 2032 wrote to memory of 1304 2032 Lggejg32.exe 92 PID 1304 wrote to memory of 3500 1304 Ljhnlb32.exe 93 PID 1304 wrote to memory of 3500 1304 Ljhnlb32.exe 93 PID 1304 wrote to memory of 3500 1304 Ljhnlb32.exe 93 PID 3500 wrote to memory of 2348 3500 Mnhdgpii.exe 95 PID 3500 wrote to memory of 2348 3500 Mnhdgpii.exe 95 PID 3500 wrote to memory of 2348 3500 Mnhdgpii.exe 95 PID 2348 wrote to memory of 4936 2348 Mjcngpjh.exe 97 PID 2348 wrote to memory of 4936 2348 Mjcngpjh.exe 97 PID 2348 wrote to memory of 4936 2348 Mjcngpjh.exe 97 PID 4936 wrote to memory of 4500 4936 Njfkmphe.exe 98 PID 4936 wrote to memory of 4500 4936 Njfkmphe.exe 98 PID 4936 wrote to memory of 4500 4936 Njfkmphe.exe 98 PID 4500 wrote to memory of 1796 4500 Ngndaccj.exe 99 PID 4500 wrote to memory of 1796 4500 Ngndaccj.exe 99 PID 4500 wrote to memory of 1796 4500 Ngndaccj.exe 99 PID 1796 wrote to memory of 2536 1796 Nfcabp32.exe 100 PID 1796 wrote to memory of 2536 1796 Nfcabp32.exe 100 PID 1796 wrote to memory of 2536 1796 Nfcabp32.exe 100 PID 2536 wrote to memory of 4256 2536 Omnjojpo.exe 101 PID 2536 wrote to memory of 4256 2536 Omnjojpo.exe 101 PID 2536 wrote to memory of 4256 2536 Omnjojpo.exe 101 PID 4256 wrote to memory of 3964 4256 Onmfimga.exe 102 PID 4256 wrote to memory of 3964 4256 Onmfimga.exe 102 PID 4256 wrote to memory of 3964 4256 Onmfimga.exe 102 PID 3964 wrote to memory of 4656 3964 Ogekbb32.exe 103 PID 3964 wrote to memory of 4656 3964 Ogekbb32.exe 103 PID 3964 wrote to memory of 4656 3964 Ogekbb32.exe 103 PID 4656 wrote to memory of 3512 4656 Opqofe32.exe 104 PID 4656 wrote to memory of 3512 4656 Opqofe32.exe 104 PID 4656 wrote to memory of 3512 4656 Opqofe32.exe 104 PID 3512 wrote to memory of 4528 3512 Ogjdmbil.exe 105 PID 3512 wrote to memory of 4528 3512 Ogjdmbil.exe 105 PID 3512 wrote to memory of 4528 3512 Ogjdmbil.exe 105 PID 4528 wrote to memory of 2272 4528 Ocaebc32.exe 106 PID 4528 wrote to memory of 2272 4528 Ocaebc32.exe 106 PID 4528 wrote to memory of 2272 4528 Ocaebc32.exe 106 PID 2272 wrote to memory of 4576 2272 Pccahbmn.exe 107 PID 2272 wrote to memory of 4576 2272 Pccahbmn.exe 107 PID 2272 wrote to memory of 4576 2272 Pccahbmn.exe 107 PID 4576 wrote to memory of 1896 4576 Pnkbkk32.exe 108 PID 4576 wrote to memory of 1896 4576 Pnkbkk32.exe 108 PID 4576 wrote to memory of 1896 4576 Pnkbkk32.exe 108 PID 1896 wrote to memory of 2240 1896 Pjbcplpe.exe 109 PID 1896 wrote to memory of 2240 1896 Pjbcplpe.exe 109 PID 1896 wrote to memory of 2240 1896 Pjbcplpe.exe 109 PID 2240 wrote to memory of 4864 2240 Pnplfj32.exe 110 PID 2240 wrote to memory of 4864 2240 Pnplfj32.exe 110 PID 2240 wrote to memory of 4864 2240 Pnplfj32.exe 110 PID 4864 wrote to memory of 3444 4864 Pdmdnadc.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.77ae8c4a6790fd4b3f1d4784b3ed4c40_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.77ae8c4a6790fd4b3f1d4784b3ed4c40_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Kjgeedch.exeC:\Windows\system32\Kjgeedch.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Ljnlecmp.exeC:\Windows\system32\Ljnlecmp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Lgdidgjg.exeC:\Windows\system32\Lgdidgjg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Lggejg32.exeC:\Windows\system32\Lggejg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ljhnlb32.exeC:\Windows\system32\Ljhnlb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Mnhdgpii.exeC:\Windows\system32\Mnhdgpii.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Mjcngpjh.exeC:\Windows\system32\Mjcngpjh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Nfcabp32.exeC:\Windows\system32\Nfcabp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Opqofe32.exeC:\Windows\system32\Opqofe32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Ogjdmbil.exeC:\Windows\system32\Ogjdmbil.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Ocaebc32.exeC:\Windows\system32\Ocaebc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Pnkbkk32.exeC:\Windows\system32\Pnkbkk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Pnplfj32.exeC:\Windows\system32\Pnplfj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Qaqegecm.exeC:\Windows\system32\Qaqegecm.exe23⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe25⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe26⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Aokkahlo.exeC:\Windows\system32\Aokkahlo.exe27⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Aonhghjl.exeC:\Windows\system32\Aonhghjl.exe28⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe29⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe30⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Bhmbqm32.exeC:\Windows\system32\Bhmbqm32.exe31⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Bhpofl32.exeC:\Windows\system32\Bhpofl32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe33⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Cggimh32.exeC:\Windows\system32\Cggimh32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Cdkifmjq.exeC:\Windows\system32\Cdkifmjq.exe35⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe36⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Cdbpgl32.exeC:\Windows\system32\Cdbpgl32.exe37⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Dgcihgaj.exeC:\Windows\system32\Dgcihgaj.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Ddgibkpc.exeC:\Windows\system32\Ddgibkpc.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Ddifgk32.exeC:\Windows\system32\Ddifgk32.exe41⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe42⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Egohdegl.exeC:\Windows\system32\Egohdegl.exe43⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe44⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Eohmkb32.exeC:\Windows\system32\Eohmkb32.exe45⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Ebifmm32.exeC:\Windows\system32\Ebifmm32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4308 -
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe48⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Eghkjdoa.exeC:\Windows\system32\Eghkjdoa.exe49⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Fbplml32.exeC:\Windows\system32\Fbplml32.exe51⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe52⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Fbbicl32.exeC:\Windows\system32\Fbbicl32.exe53⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Fecadghc.exeC:\Windows\system32\Fecadghc.exe54⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Fnkfmm32.exeC:\Windows\system32\Fnkfmm32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Gokbgpeg.exeC:\Windows\system32\Gokbgpeg.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4668 -
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe57⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe59⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe60⤵
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Hecjke32.exeC:\Windows\system32\Hecjke32.exe61⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Hnlodjpa.exeC:\Windows\system32\Hnlodjpa.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Halhfe32.exeC:\Windows\system32\Halhfe32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4588 -
C:\Windows\SysWOW64\Hejqldci.exeC:\Windows\system32\Hejqldci.exe64⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Hldiinke.exeC:\Windows\system32\Hldiinke.exe65⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe66⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Iacngdgj.exeC:\Windows\system32\Iacngdgj.exe67⤵PID:4816
-
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe68⤵PID:3128
-
C:\Windows\SysWOW64\Ilkoim32.exeC:\Windows\system32\Ilkoim32.exe69⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Ibegfglj.exeC:\Windows\system32\Ibegfglj.exe70⤵PID:2220
-
C:\Windows\SysWOW64\Iondqhpl.exeC:\Windows\system32\Iondqhpl.exe71⤵PID:3780
-
C:\Windows\SysWOW64\Jlbejloe.exeC:\Windows\system32\Jlbejloe.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3276 -
C:\Windows\SysWOW64\Jekjcaef.exeC:\Windows\system32\Jekjcaef.exe73⤵PID:1288
-
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe74⤵PID:648
-
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe75⤵PID:3232
-
C:\Windows\SysWOW64\Jpbjfjci.exeC:\Windows\system32\Jpbjfjci.exe76⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Jeocna32.exeC:\Windows\system32\Jeocna32.exe77⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe78⤵PID:5168
-
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe79⤵PID:5224
-
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe80⤵PID:5284
-
C:\Windows\SysWOW64\Koonge32.exeC:\Windows\system32\Koonge32.exe81⤵PID:5324
-
C:\Windows\SysWOW64\Klggli32.exeC:\Windows\system32\Klggli32.exe82⤵PID:5364
-
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe83⤵
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Lhnhajba.exeC:\Windows\system32\Lhnhajba.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Lcclncbh.exeC:\Windows\system32\Lcclncbh.exe85⤵PID:5492
-
C:\Windows\SysWOW64\Lhqefjpo.exeC:\Windows\system32\Lhqefjpo.exe86⤵
- Drops file in System32 directory
PID:5540 -
C:\Windows\SysWOW64\Lcfidb32.exeC:\Windows\system32\Lcfidb32.exe87⤵PID:5584
-
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe88⤵
- Modifies registry class
PID:5644 -
C:\Windows\SysWOW64\Lancko32.exeC:\Windows\system32\Lancko32.exe89⤵PID:5684
-
C:\Windows\SysWOW64\Lhgkgijg.exeC:\Windows\system32\Lhgkgijg.exe90⤵PID:5728
-
C:\Windows\SysWOW64\Lcmodajm.exeC:\Windows\system32\Lcmodajm.exe91⤵PID:5784
-
C:\Windows\SysWOW64\Mhjhmhhd.exeC:\Windows\system32\Mhjhmhhd.exe92⤵PID:5840
-
C:\Windows\SysWOW64\Mfnhfm32.exeC:\Windows\system32\Mfnhfm32.exe93⤵PID:5892
-
C:\Windows\SysWOW64\Mpclce32.exeC:\Windows\system32\Mpclce32.exe94⤵PID:5932
-
C:\Windows\SysWOW64\Mjlalkmd.exeC:\Windows\system32\Mjlalkmd.exe95⤵PID:5984
-
C:\Windows\SysWOW64\Mpeiie32.exeC:\Windows\system32\Mpeiie32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6052 -
C:\Windows\SysWOW64\Mqhfoebo.exeC:\Windows\system32\Mqhfoebo.exe97⤵PID:6104
-
C:\Windows\SysWOW64\Mfenglqf.exeC:\Windows\system32\Mfenglqf.exe98⤵PID:1488
-
C:\Windows\SysWOW64\Mlofcf32.exeC:\Windows\system32\Mlofcf32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5220 -
C:\Windows\SysWOW64\Nblolm32.exeC:\Windows\system32\Nblolm32.exe100⤵PID:5336
-
C:\Windows\SysWOW64\Noppeaed.exeC:\Windows\system32\Noppeaed.exe101⤵PID:5396
-
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe102⤵PID:5476
-
C:\Windows\SysWOW64\Noblkqca.exeC:\Windows\system32\Noblkqca.exe103⤵
- Modifies registry class
PID:5532 -
C:\Windows\SysWOW64\Nmfmde32.exeC:\Windows\system32\Nmfmde32.exe104⤵PID:5624
-
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe105⤵PID:5712
-
C:\Windows\SysWOW64\Nofefp32.exeC:\Windows\system32\Nofefp32.exe106⤵PID:5792
-
C:\Windows\SysWOW64\Nfqnbjfi.exeC:\Windows\system32\Nfqnbjfi.exe107⤵PID:5868
-
C:\Windows\SysWOW64\Ooibkpmi.exeC:\Windows\system32\Ooibkpmi.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5940 -
C:\Windows\SysWOW64\Ofckhj32.exeC:\Windows\system32\Ofckhj32.exe109⤵
- Drops file in System32 directory
PID:6024 -
C:\Windows\SysWOW64\Oqhoeb32.exeC:\Windows\system32\Oqhoeb32.exe110⤵
- Modifies registry class
PID:6140 -
C:\Windows\SysWOW64\Oblhcj32.exeC:\Windows\system32\Oblhcj32.exe111⤵PID:5312
-
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe112⤵PID:5440
-
C:\Windows\SysWOW64\Ojemig32.exeC:\Windows\system32\Ojemig32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5528 -
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe114⤵PID:5672
-
C:\Windows\SysWOW64\Omfekbdh.exeC:\Windows\system32\Omfekbdh.exe115⤵PID:5852
-
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe116⤵
- Drops file in System32 directory
PID:5964 -
C:\Windows\SysWOW64\Pjjfdfbb.exeC:\Windows\system32\Pjjfdfbb.exe117⤵PID:6124
-
C:\Windows\SysWOW64\Pcbkml32.exeC:\Windows\system32\Pcbkml32.exe118⤵PID:5356
-
C:\Windows\SysWOW64\Pbhgoh32.exeC:\Windows\system32\Pbhgoh32.exe119⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe120⤵PID:5776
-
C:\Windows\SysWOW64\Pmphaaln.exeC:\Windows\system32\Pmphaaln.exe121⤵PID:5920
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-