Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
04/11/2023, 22:10
Behavioral task
behavioral1
Sample
NEAS.3998bf5ca3a4976064d9341bdb4e5270_JC.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.3998bf5ca3a4976064d9341bdb4e5270_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.3998bf5ca3a4976064d9341bdb4e5270_JC.exe
-
Size
106KB
-
MD5
3998bf5ca3a4976064d9341bdb4e5270
-
SHA1
ba78d1d1d31d5f8d1e82f95d70a8526877811dad
-
SHA256
d7c4069691899624df2c45cf72c7673b8b5ea32d4c4de93019810a5c8343c2bf
-
SHA512
6c0aac0694e1acde411feaca6c4827a4a9a1d20b2db02043f240fbfd8ec7024c0d29984bb9980a7189ad4e9be4ec96268efca7820eb5357c124d7ee9c12e3640
-
SSDEEP
3072:h2lF/Q4Mt6E/4TP1Vk6rXX1WdTCn93OGey/ZhC:IDQftrCVrXoTCndOGeKY
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llipehgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ploknb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamknj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnjmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhldpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhgmmbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfkoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aefjii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nookip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqimikfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leoghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelalp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjfaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poajkgnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgpcliao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmieae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmmqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llipehgk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnmin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmnpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmflbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfgipd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecbjkngo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdcmpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilfifme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkcogno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Embddb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqhafffk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdgnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nemcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glcaambb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chiigadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebbafoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffnknafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdhhdlid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmlnjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcqjon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nelfeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdjin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addaif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoideh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgeainn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglgjeci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnojho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onocomdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opclldhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmdme32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/3616-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022dfd-6.dat family_berbew behavioral2/memory/4612-8-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022dfd-7.dat family_berbew behavioral2/memory/4940-16-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022dff-15.dat family_berbew behavioral2/files/0x0006000000022dff-14.dat family_berbew behavioral2/files/0x0006000000022e01-22.dat family_berbew behavioral2/files/0x0006000000022e01-24.dat family_berbew behavioral2/memory/4476-23-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e03-30.dat family_berbew behavioral2/memory/3508-32-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e05-39.dat family_berbew behavioral2/files/0x0006000000022e05-38.dat family_berbew behavioral2/memory/3032-43-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e03-31.dat family_berbew behavioral2/files/0x0006000000022e07-46.dat family_berbew behavioral2/memory/4148-47-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e07-48.dat family_berbew behavioral2/memory/3352-55-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e09-54.dat family_berbew behavioral2/files/0x0006000000022e09-56.dat family_berbew behavioral2/files/0x0006000000022e0b-57.dat family_berbew behavioral2/files/0x0006000000022e0b-62.dat family_berbew behavioral2/memory/4316-63-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0b-64.dat family_berbew behavioral2/files/0x0006000000022e0d-70.dat family_berbew behavioral2/memory/2804-71-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0d-72.dat family_berbew behavioral2/files/0x0006000000022e0f-78.dat family_berbew behavioral2/memory/3768-79-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0f-80.dat family_berbew behavioral2/memory/4036-87-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0008000000022de4-86.dat family_berbew behavioral2/files/0x0008000000022de4-88.dat family_berbew behavioral2/files/0x0006000000022e12-94.dat family_berbew behavioral2/memory/3268-96-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e12-95.dat family_berbew behavioral2/files/0x0006000000022e14-102.dat family_berbew behavioral2/memory/2404-103-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e14-104.dat family_berbew behavioral2/files/0x0006000000022e16-110.dat family_berbew behavioral2/files/0x0006000000022e16-111.dat family_berbew behavioral2/memory/860-112-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e19-118.dat family_berbew behavioral2/files/0x0006000000022e19-119.dat family_berbew behavioral2/memory/1272-120-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0007000000022e18-126.dat family_berbew behavioral2/memory/5036-128-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0007000000022e18-127.dat family_berbew behavioral2/memory/4836-136-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1d-134.dat family_berbew behavioral2/files/0x0006000000022e1d-135.dat family_berbew behavioral2/files/0x0006000000022e1f-142.dat family_berbew behavioral2/memory/3840-143-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1f-144.dat family_berbew behavioral2/files/0x0008000000022d06-150.dat family_berbew behavioral2/memory/3588-151-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0008000000022d06-152.dat family_berbew behavioral2/files/0x0006000000022e22-158.dat family_berbew behavioral2/memory/4460-159-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e22-160.dat family_berbew behavioral2/files/0x0006000000022e24-166.dat family_berbew behavioral2/memory/2332-167-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4612 Hbnjmp32.exe 4940 Hihbijhn.exe 4476 Hcmgfbhd.exe 3508 Hmfkoh32.exe 3032 Hcpclbfa.exe 4148 Heapdjlp.exe 3352 Hfqlnm32.exe 4316 Hkmefd32.exe 2804 Iiaephpc.exe 3768 Iehfdi32.exe 4036 Iblfnn32.exe 3268 Ippggbck.exe 2404 Iemppiab.exe 860 Ilghlc32.exe 1272 Ifllil32.exe 5036 Icplcpgo.exe 4836 Jlkagbej.exe 3840 Jmknaell.exe 3588 Jefbfgig.exe 4460 Jbjcolha.exe 2332 Jpnchp32.exe 3872 Jmbdbd32.exe 1944 Kboljk32.exe 2780 Kbaipkbi.exe 1184 Kikame32.exe 2832 Kebbafoj.exe 3900 Kpgfooop.exe 4108 Kpjcdn32.exe 4560 Kefkme32.exe 1460 Liddbc32.exe 1832 Lmbmibhb.exe 2852 Lmgfda32.exe 488 Lllcen32.exe 208 Mlopkm32.exe 632 Mibpda32.exe 1224 Meiaib32.exe 980 Mcmabg32.exe 3552 Mgkjhe32.exe 4220 Miifeq32.exe 3400 Npcoakfp.exe 4240 Nnjlpo32.exe 4744 Nphhmj32.exe 3676 Nnlhfn32.exe 2248 Ndfqbhia.exe 4428 Oponmilc.exe 3928 Ogifjcdp.exe 4624 Olfobjbg.exe 4076 Ofnckp32.exe 3232 Olhlhjpd.exe 4488 Ognpebpj.exe 2456 Ojoign32.exe 2364 Ocgmpccl.exe 2580 Pnlaml32.exe 4136 Pcijeb32.exe 2020 Pggbkagp.exe 1412 Pdkcde32.exe 3488 Pqbdjfln.exe 1976 Pcppfaka.exe 4352 Bnhjohkb.exe 772 Beglgani.exe 2132 Bfhhoi32.exe 3792 Bnpppgdj.exe 4988 Beihma32.exe 3944 Bhhdil32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kjqkei32.dll Iehfdi32.exe File created C:\Windows\SysWOW64\Madccamk.dll Eopbnbhd.exe File created C:\Windows\SysWOW64\Lacibgbo.dll Nhbfff32.exe File created C:\Windows\SysWOW64\Olealnbk.dll Djelgied.exe File created C:\Windows\SysWOW64\Poigcbng.dll Dfglfdkb.exe File created C:\Windows\SysWOW64\Moaogand.exe Mpnnle32.exe File created C:\Windows\SysWOW64\Gahcmd32.exe Gknkpjfb.exe File created C:\Windows\SysWOW64\Pdkjmfeo.dll Ajdjin32.exe File opened for modification C:\Windows\SysWOW64\Napjdpcn.exe Njfagf32.exe File opened for modification C:\Windows\SysWOW64\Knqepc32.exe Kjeiodek.exe File opened for modification C:\Windows\SysWOW64\Oghghb32.exe Opqofe32.exe File created C:\Windows\SysWOW64\Oafcqcea.exe Ohnohn32.exe File created C:\Windows\SysWOW64\Plpqil32.exe Pefhlaie.exe File created C:\Windows\SysWOW64\Dkceokii.exe Dheibpje.exe File opened for modification C:\Windows\SysWOW64\Lobjni32.exe Lfgipd32.exe File opened for modification C:\Windows\SysWOW64\Enbjad32.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Hfqlnm32.exe Heapdjlp.exe File created C:\Windows\SysWOW64\Belebq32.exe Bjfaeh32.exe File created C:\Windows\SysWOW64\Kgknhl32.exe Kelalp32.exe File opened for modification C:\Windows\SysWOW64\Mfhfhong.exe Moaogand.exe File created C:\Windows\SysWOW64\Iljpij32.exe Hildmn32.exe File created C:\Windows\SysWOW64\Jjgobjmp.dll Njinmf32.exe File opened for modification C:\Windows\SysWOW64\Qeodhjmo.exe Qhkdof32.exe File created C:\Windows\SysWOW64\Gncchb32.exe Gppcmeem.exe File opened for modification C:\Windows\SysWOW64\Jilfifme.exe Jiiicf32.exe File created C:\Windows\SysWOW64\Olcjhi32.dll Mgkjhe32.exe File opened for modification C:\Windows\SysWOW64\Neffpj32.exe Nlnbgddc.exe File opened for modification C:\Windows\SysWOW64\Fjadje32.exe Fffhifdk.exe File created C:\Windows\SysWOW64\Ijdabh32.dll Kgninn32.exe File created C:\Windows\SysWOW64\Mnfnlf32.exe Mjkblhfo.exe File opened for modification C:\Windows\SysWOW64\Hidgai32.exe Hmmfmhll.exe File created C:\Windows\SysWOW64\Ibaeen32.exe Hemdlj32.exe File created C:\Windows\SysWOW64\Mcbpjg32.exe Mmhgmmbf.exe File opened for modification C:\Windows\SysWOW64\Apaadpng.exe Amcehdod.exe File created C:\Windows\SysWOW64\Hnnpaa32.dll Ohpkmn32.exe File created C:\Windows\SysWOW64\Plejdkmm.exe Pcmeke32.exe File opened for modification C:\Windows\SysWOW64\Kmkbfeab.exe Kkjeomld.exe File created C:\Windows\SysWOW64\Kjlopc32.exe Kgnbdh32.exe File opened for modification C:\Windows\SysWOW64\Nnfpinmi.exe Nfohgqlg.exe File created C:\Windows\SysWOW64\Pggbkagp.exe Pcijeb32.exe File opened for modification C:\Windows\SysWOW64\Iggjga32.exe Icknfcol.exe File opened for modification C:\Windows\SysWOW64\Kqfngd32.exe Kmkbfeab.exe File opened for modification C:\Windows\SysWOW64\Jokkgl32.exe Jllokajf.exe File created C:\Windows\SysWOW64\Jlkidpke.dll Ckebcg32.exe File created C:\Windows\SysWOW64\Cjinkg32.exe Chjaol32.exe File created C:\Windows\SysWOW64\Pahpfc32.exe Pojcjh32.exe File opened for modification C:\Windows\SysWOW64\Nlfnaicd.exe Nelfeo32.exe File opened for modification C:\Windows\SysWOW64\Gppcmeem.exe Gifkpknp.exe File opened for modification C:\Windows\SysWOW64\Nlnbgddc.exe Nhbfff32.exe File created C:\Windows\SysWOW64\Dpehof32.exe Dcjnoece.exe File created C:\Windows\SysWOW64\Dgcaaddl.dll Neafjdkn.exe File created C:\Windows\SysWOW64\Codhnb32.exe Cmflbf32.exe File opened for modification C:\Windows\SysWOW64\Hlambk32.exe Hkpqkcpd.exe File created C:\Windows\SysWOW64\Lqkgbcff.exe Lgccinoe.exe File opened for modification C:\Windows\SysWOW64\Ebdcld32.exe Enigke32.exe File created C:\Windows\SysWOW64\Dmfeidbe.exe Djhimica.exe File created C:\Windows\SysWOW64\Ilccoh32.exe Ijegcm32.exe File created C:\Windows\SysWOW64\Apmhinni.dll Jcdala32.exe File created C:\Windows\SysWOW64\Monjjgkb.exe Mnmmboed.exe File opened for modification C:\Windows\SysWOW64\Nagiji32.exe Nnhmnn32.exe File opened for modification C:\Windows\SysWOW64\Cmflbf32.exe Cmcolgbj.exe File created C:\Windows\SysWOW64\Eiaoid32.exe Ecbjkngo.exe File opened for modification C:\Windows\SysWOW64\Hildmn32.exe Hgmgqc32.exe File opened for modification C:\Windows\SysWOW64\Oanokhdb.exe Onocomdo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13628 13372 WerFault.exe 869 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll" Kbaipkbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Leoghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmqinmi.dll" Kgmcce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdcliikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnlj32.dll" Cnindhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll" Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohgoaehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllbhl32.dll" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdnigno.dll" Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnindhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqpnpgeo.dll" Mpghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gknkpjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfaap32.dll" Oidhlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmcolgbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll" Mjodla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmeffoid.dll" Npgabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfgikbb.dll" Dpgeee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckoph32.dll" Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhodk32.dll" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmbdbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhnlkfpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehhpla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmdemd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ognpebpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcdala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdkep32.dll" Ekodjiol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icplcpgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pojcjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plejdkmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfookdli.dll" Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdkcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nincmhle.dll" Lhncdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaalh32.dll" Mlpokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdief32.dll" Lkeekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dodjjimm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chjaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohkbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poajkgnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdcojj.dll" Gingkqkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danihi32.dll" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmmqg32.dll" Eifaim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaccdk32.dll" Jnkcogno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfaajnfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll" Kboljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpmpnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoaedogc.dll" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogjdmbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpapmqq.dll" Ddligq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3616 wrote to memory of 4612 3616 NEAS.3998bf5ca3a4976064d9341bdb4e5270_JC.exe 85 PID 3616 wrote to memory of 4612 3616 NEAS.3998bf5ca3a4976064d9341bdb4e5270_JC.exe 85 PID 3616 wrote to memory of 4612 3616 NEAS.3998bf5ca3a4976064d9341bdb4e5270_JC.exe 85 PID 4612 wrote to memory of 4940 4612 Hbnjmp32.exe 86 PID 4612 wrote to memory of 4940 4612 Hbnjmp32.exe 86 PID 4612 wrote to memory of 4940 4612 Hbnjmp32.exe 86 PID 4940 wrote to memory of 4476 4940 Hihbijhn.exe 87 PID 4940 wrote to memory of 4476 4940 Hihbijhn.exe 87 PID 4940 wrote to memory of 4476 4940 Hihbijhn.exe 87 PID 4476 wrote to memory of 3508 4476 Hcmgfbhd.exe 88 PID 4476 wrote to memory of 3508 4476 Hcmgfbhd.exe 88 PID 4476 wrote to memory of 3508 4476 Hcmgfbhd.exe 88 PID 3508 wrote to memory of 3032 3508 Hmfkoh32.exe 89 PID 3508 wrote to memory of 3032 3508 Hmfkoh32.exe 89 PID 3508 wrote to memory of 3032 3508 Hmfkoh32.exe 89 PID 3032 wrote to memory of 4148 3032 Hcpclbfa.exe 90 PID 3032 wrote to memory of 4148 3032 Hcpclbfa.exe 90 PID 3032 wrote to memory of 4148 3032 Hcpclbfa.exe 90 PID 4148 wrote to memory of 3352 4148 Heapdjlp.exe 91 PID 4148 wrote to memory of 3352 4148 Heapdjlp.exe 91 PID 4148 wrote to memory of 3352 4148 Heapdjlp.exe 91 PID 3352 wrote to memory of 4316 3352 Hfqlnm32.exe 92 PID 3352 wrote to memory of 4316 3352 Hfqlnm32.exe 92 PID 3352 wrote to memory of 4316 3352 Hfqlnm32.exe 92 PID 4316 wrote to memory of 2804 4316 Hkmefd32.exe 94 PID 4316 wrote to memory of 2804 4316 Hkmefd32.exe 94 PID 4316 wrote to memory of 2804 4316 Hkmefd32.exe 94 PID 2804 wrote to memory of 3768 2804 Iiaephpc.exe 95 PID 2804 wrote to memory of 3768 2804 Iiaephpc.exe 95 PID 2804 wrote to memory of 3768 2804 Iiaephpc.exe 95 PID 3768 wrote to memory of 4036 3768 Iehfdi32.exe 96 PID 3768 wrote to memory of 4036 3768 Iehfdi32.exe 96 PID 3768 wrote to memory of 4036 3768 Iehfdi32.exe 96 PID 4036 wrote to memory of 3268 4036 Iblfnn32.exe 97 PID 4036 wrote to memory of 3268 4036 Iblfnn32.exe 97 PID 4036 wrote to memory of 3268 4036 Iblfnn32.exe 97 PID 3268 wrote to memory of 2404 3268 Ippggbck.exe 98 PID 3268 wrote to memory of 2404 3268 Ippggbck.exe 98 PID 3268 wrote to memory of 2404 3268 Ippggbck.exe 98 PID 2404 wrote to memory of 860 2404 Iemppiab.exe 99 PID 2404 wrote to memory of 860 2404 Iemppiab.exe 99 PID 2404 wrote to memory of 860 2404 Iemppiab.exe 99 PID 860 wrote to memory of 1272 860 Ilghlc32.exe 100 PID 860 wrote to memory of 1272 860 Ilghlc32.exe 100 PID 860 wrote to memory of 1272 860 Ilghlc32.exe 100 PID 1272 wrote to memory of 5036 1272 Ifllil32.exe 101 PID 1272 wrote to memory of 5036 1272 Ifllil32.exe 101 PID 1272 wrote to memory of 5036 1272 Ifllil32.exe 101 PID 5036 wrote to memory of 4836 5036 Icplcpgo.exe 102 PID 5036 wrote to memory of 4836 5036 Icplcpgo.exe 102 PID 5036 wrote to memory of 4836 5036 Icplcpgo.exe 102 PID 4836 wrote to memory of 3840 4836 Jlkagbej.exe 103 PID 4836 wrote to memory of 3840 4836 Jlkagbej.exe 103 PID 4836 wrote to memory of 3840 4836 Jlkagbej.exe 103 PID 3840 wrote to memory of 3588 3840 Jmknaell.exe 104 PID 3840 wrote to memory of 3588 3840 Jmknaell.exe 104 PID 3840 wrote to memory of 3588 3840 Jmknaell.exe 104 PID 3588 wrote to memory of 4460 3588 Jefbfgig.exe 105 PID 3588 wrote to memory of 4460 3588 Jefbfgig.exe 105 PID 3588 wrote to memory of 4460 3588 Jefbfgig.exe 105 PID 4460 wrote to memory of 2332 4460 Jbjcolha.exe 106 PID 4460 wrote to memory of 2332 4460 Jbjcolha.exe 106 PID 4460 wrote to memory of 2332 4460 Jbjcolha.exe 106 PID 2332 wrote to memory of 3872 2332 Jpnchp32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.3998bf5ca3a4976064d9341bdb4e5270_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.3998bf5ca3a4976064d9341bdb4e5270_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3872 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe26⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe28⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe29⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe30⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe31⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe32⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe33⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe35⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe36⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe37⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe38⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3552 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe40⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe41⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe42⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Nphhmj32.exeC:\Windows\system32\Nphhmj32.exe43⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe44⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe45⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Oponmilc.exeC:\Windows\system32\Oponmilc.exe46⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe47⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe48⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe49⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe50⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe52⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe54⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4136 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe56⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe58⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe59⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe60⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe61⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe62⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe63⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe64⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe65⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe67⤵PID:2240
-
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe69⤵PID:2532
-
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe70⤵PID:3188
-
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe71⤵PID:4860
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe72⤵PID:4840
-
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe73⤵PID:212
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe74⤵PID:3244
-
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe75⤵PID:1648
-
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe76⤵PID:2848
-
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe77⤵
- Modifies registry class
PID:4276 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe78⤵PID:3004
-
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4804 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe80⤵PID:4040
-
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe82⤵PID:2116
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe83⤵PID:1484
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe84⤵PID:1068
-
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe85⤵PID:4152
-
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe86⤵PID:5148
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe87⤵PID:5216
-
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe88⤵PID:5284
-
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe89⤵PID:5332
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe90⤵PID:5380
-
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe92⤵PID:5476
-
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe93⤵PID:5532
-
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe94⤵PID:5568
-
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe95⤵PID:5628
-
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe96⤵PID:5668
-
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe97⤵PID:5720
-
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe98⤵PID:5756
-
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe99⤵PID:5800
-
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe100⤵PID:5848
-
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe101⤵PID:5892
-
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe102⤵PID:5940
-
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe103⤵PID:6000
-
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe104⤵
- Drops file in System32 directory
PID:6084 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe105⤵PID:4700
-
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe106⤵PID:5188
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe108⤵PID:5400
-
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe109⤵PID:5496
-
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe110⤵PID:5580
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe111⤵PID:5652
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe112⤵PID:5716
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe113⤵PID:5792
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5876 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe115⤵PID:5936
-
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe116⤵PID:2056
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe117⤵PID:6036
-
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe118⤵PID:5172
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe119⤵PID:5360
-
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe121⤵PID:5612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-