Analysis
max time kernel: 128s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2023, 21:43
Behavioral task: behavioral1
Sample: NEAS.7af45323302f73a27a3bff56284f8d00_JC.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.7af45323302f73a27a3bff56284f8d00_JC.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.7af45323302f73a27a3bff56284f8d00_JC.exe
Size: 404KB
MD5: 7af45323302f73a27a3bff56284f8d00
SHA1: d1d7940e337638b928ad4f1cf4bf1478f94420a9
SHA256: c9d14759923badf0882e6e02f151df3191e918f93169e1ce633ab638122787fa
SHA512: 73ab58ee470c76b49036f06485bd65b0d2b92e8b747dc83f88847873a0835b072466422496bddcdbd98599c67362cd55307cdaa6f43ce4cbbb07f8b10e0bafcc
SSDEEP: 6144:zV65TF8GIBmrENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836S5:zo5Z8VwcMpV6yYP4rbpV6yYPg058KS
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 7912, pid_target: 5772, Process: WerFault.exe, procid_target: 537
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the image path, the PID, and the command line as recorded by the sandbox; the leading number is the depth in the process chain (each process was started by the one listed above it), followed by the signatures that fired for that process.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.7af45323302f73a27a3bff56284f8d00_JC.exe (PID 2716), command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.7af45323302f73a27a3bff56284f8d00_JC.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Cnahdi32.exe (PID 2372), command line: C:\Windows\system32\Cnahdi32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Chglab32.exe (PID 3900), command line: C:\Windows\system32\Chglab32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Coadnlnb.exe (PID 4284), command line: C:\Windows\system32\Coadnlnb.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ckhecmcf.exe (PID 4412), command line: C:\Windows\system32\Ckhecmcf.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Fechomko.exe (PID 4372), command line: C:\Windows\system32\Fechomko.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Fmmmfj32.exe (PID 1340), command line: C:\Windows\system32\Fmmmfj32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gpnfge32.exe (PID 3076), command line: C:\Windows\system32\Gpnfge32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Gbnoiqdq.exe (PID 5056), command line: C:\Windows\system32\Gbnoiqdq.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Gmfplibd.exe (PID 4736), command line: C:\Windows\system32\Gmfplibd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Hfaajnfb.exe (PID 3524), command line: C:\Windows\system32\Hfaajnfb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Jjpode32.exe (PID 2640), command line: C:\Windows\system32\Jjpode32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Lfjfecno.exe (PID 4996), command line: C:\Windows\system32\Lfjfecno.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Pccahbmn.exe (PID 3004), command line: C:\Windows\system32\Pccahbmn.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Bobabg32.exe (PID 4204), command line: C:\Windows\system32\Bobabg32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Bacjdbch.exe (PID 384), command line: C:\Windows\system32\Bacjdbch.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Bmjkic32.exe (PID 856), command line: C:\Windows\system32\Bmjkic32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Bnlhncgi.exe (PID 2192), command line: C:\Windows\system32\Bnlhncgi.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Chdialdl.exe (PID 2864), command line: C:\Windows\system32\Chdialdl.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Cnaaib32.exe (PID 3528), command line: C:\Windows\system32\Cnaaib32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Cgifbhid.exe (PID 1728), command line: C:\Windows\system32\Cgifbhid.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Cocjiehd.exe (PID 2524), command line: C:\Windows\system32\Cocjiehd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Ckjknfnh.exe (PID 1080), command line: C:\Windows\system32\Ckjknfnh.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Dddllkbf.exe (PID 408), command line: C:\Windows\system32\Dddllkbf.exe
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Dnmaea32.exe (PID 5048), command line: C:\Windows\system32\Dnmaea32.exe
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Dhbebj32.exe (PID 4280), command line: C:\Windows\system32\Dhbebj32.exe
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Damfao32.exe (PID 4440), command line: C:\Windows\system32\Damfao32.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Ddnobj32.exe (PID 1472), command line: C:\Windows\system32\Ddnobj32.exe
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Ekjded32.exe (PID 3332), command line: C:\Windows\system32\Ekjded32.exe
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Edeeci32.exe (PID 1200), command line: C:\Windows\system32\Edeeci32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
31. C:\Windows\SysWOW64\Ekajec32.exe (PID 3100), command line: C:\Windows\system32\Ekajec32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\Eghkjdoa.exe (PID 4484), command line: C:\Windows\system32\Eghkjdoa.exe
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Fkfcqb32.exe (PID 916), command line: C:\Windows\system32\Fkfcqb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Fnfmbmbi.exe (PID 1960), command line: C:\Windows\system32\Fnfmbmbi.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Fbgbnkfm.exe (PID 4668), command line: C:\Windows\system32\Fbgbnkfm.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Gkaclqkk.exe (PID 4688), command line: C:\Windows\system32\Gkaclqkk.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Gihpkd32.exe (PID 2464), command line: C:\Windows\system32\Gihpkd32.exe
   - Executes dropped EXE
   - Modifies registry class
38. C:\Windows\SysWOW64\Ggmmlamj.exe (PID 4384), command line: C:\Windows\system32\Ggmmlamj.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Hecjke32.exe (PID 5028), command line: C:\Windows\system32\Hecjke32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Heegad32.exe (PID 1660), command line: C:\Windows\system32\Heegad32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
41. C:\Windows\SysWOW64\Hbihjifh.exe (PID 4896), command line: C:\Windows\system32\Hbihjifh.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Hhimhobl.exe (PID 1160), command line: C:\Windows\system32\Hhimhobl.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Ihmfco32.exe (PID 2412), command line: C:\Windows\system32\Ihmfco32.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Iogopi32.exe (PID 3852), command line: C:\Windows\system32\Iogopi32.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Ibegfglj.exe (PID 4524), command line: C:\Windows\system32\Ibegfglj.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Iajdgcab.exe (PID 3156), command line: C:\Windows\system32\Iajdgcab.exe
   - Executes dropped EXE
   - Drops file in System32 directory
47. C:\Windows\SysWOW64\Ihdldn32.exe (PID 2424), command line: C:\Windows\system32\Ihdldn32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Iehmmb32.exe (PID 4180), command line: C:\Windows\system32\Iehmmb32.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Jblmgf32.exe (PID 444), command line: C:\Windows\system32\Jblmgf32.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Jhifomdj.exe (PID 4444), command line: C:\Windows\system32\Jhifomdj.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Jbojlfdp.exe (PID 2488), command line: C:\Windows\system32\Jbojlfdp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Jihbip32.exe (PID 2900), command line: C:\Windows\system32\Jihbip32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Jikoopij.exe (PID 4016), command line: C:\Windows\system32\Jikoopij.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Johggfha.exe (PID 1292), command line: C:\Windows\system32\Johggfha.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Jeapcq32.exe (PID 4248), command line: C:\Windows\system32\Jeapcq32.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Kedlip32.exe (PID 3844), command line: C:\Windows\system32\Kedlip32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Kolabf32.exe (PID 4812), command line: C:\Windows\system32\Kolabf32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Kamjda32.exe (PID 3472), command line: C:\Windows\system32\Kamjda32.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Koajmepf.exe (PID 3848), command line: C:\Windows\system32\Koajmepf.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Kapfiqoj.exe (PID 1616), command line: C:\Windows\system32\Kapfiqoj.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Klggli32.exe (PID 2836), command line: C:\Windows\system32\Klggli32.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Kofdhd32.exe (PID 1400), command line: C:\Windows\system32\Kofdhd32.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Lpepbgbd.exe (PID 4952), command line: C:\Windows\system32\Lpepbgbd.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Lhqefjpo.exe (PID 3880), command line: C:\Windows\system32\Lhqefjpo.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Lcfidb32.exe (PID 1576), command line: C:\Windows\system32\Lcfidb32.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Lakfeodm.exe (PID 3744), command line: C:\Windows\system32\Lakfeodm.exe
67. C:\Windows\SysWOW64\Loofnccf.exe (PID 1628), command line: C:\Windows\system32\Loofnccf.exe
68. C:\Windows\SysWOW64\Lpochfji.exe (PID 4056), command line: C:\Windows\system32\Lpochfji.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Mhjhmhhd.exe (PID 1872), command line: C:\Windows\system32\Mhjhmhhd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Mpapnfhg.exe (PID 2120), command line: C:\Windows\system32\Mpapnfhg.exe
71. C:\Windows\SysWOW64\Mfnhfm32.exe (PID 180), command line: C:\Windows\system32\Mfnhfm32.exe
72. C:\Windows\SysWOW64\Mfpell32.exe (PID 1916), command line: C:\Windows\system32\Mfpell32.exe
73. C:\Windows\SysWOW64\Mohidbkl.exe (PID 4460), command line: C:\Windows\system32\Mohidbkl.exe
74. C:\Windows\SysWOW64\Mjnnbk32.exe (PID 5040), command line: C:\Windows\system32\Mjnnbk32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
75. C:\Windows\SysWOW64\Momcpa32.exe (PID 2292), command line: C:\Windows\system32\Momcpa32.exe
   - Modifies registry class
76. C:\Windows\SysWOW64\Nmcpoedn.exe (PID 3176), command line: C:\Windows\system32\Nmcpoedn.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Njgqhicg.exe (PID 5132), command line: C:\Windows\system32\Njgqhicg.exe
   - Drops file in System32 directory
78. C:\Windows\SysWOW64\Nodiqp32.exe (PID 5176), command line: C:\Windows\system32\Nodiqp32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
79. C:\Windows\SysWOW64\Nbebbk32.exe (PID 5220), command line: C:\Windows\system32\Nbebbk32.exe
80. C:\Windows\SysWOW64\Ocdnln32.exe (PID 5264), command line: C:\Windows\system32\Ocdnln32.exe
81. C:\Windows\SysWOW64\Oqhoeb32.exe (PID 5308), command line: C:\Windows\system32\Oqhoeb32.exe
82. C:\Windows\SysWOW64\Ofegni32.exe (PID 5352), command line: C:\Windows\system32\Ofegni32.exe
   - Drops file in System32 directory
83. C:\Windows\SysWOW64\Oqmhqapg.exe (PID 5400), command line: C:\Windows\system32\Oqmhqapg.exe
84. C:\Windows\SysWOW64\Obnehj32.exe (PID 5444), command line: C:\Windows\system32\Obnehj32.exe
85. C:\Windows\SysWOW64\Opbean32.exe (PID 5488), command line: C:\Windows\system32\Opbean32.exe
86. C:\Windows\SysWOW64\Ppdbgncl.exe (PID 5528), command line: C:\Windows\system32\Ppdbgncl.exe
87. C:\Windows\SysWOW64\Pjjfdfbb.exe (PID 5564), command line: C:\Windows\system32\Pjjfdfbb.exe
   - Drops file in System32 directory
88. C:\Windows\SysWOW64\Padnaq32.exe (PID 5616), command line: C:\Windows\system32\Padnaq32.exe
89. C:\Windows\SysWOW64\Piocecgj.exe (PID 5660), command line: C:\Windows\system32\Piocecgj.exe
90. C:\Windows\SysWOW64\Pbhgoh32.exe (PID 5704), command line: C:\Windows\system32\Pbhgoh32.exe
91. C:\Windows\SysWOW64\Pjoppf32.exe (PID 5748), command line: C:\Windows\system32\Pjoppf32.exe
92. C:\Windows\SysWOW64\Pplhhm32.exe (PID 5784), command line: C:\Windows\system32\Pplhhm32.exe
   - Drops file in System32 directory
   - Modifies registry class
93. C:\Windows\SysWOW64\Pbjddh32.exe (PID 5836), command line: C:\Windows\system32\Pbjddh32.exe
94. C:\Windows\SysWOW64\Qamago32.exe (PID 5880), command line: C:\Windows\system32\Qamago32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Qjffpe32.exe (PID 5924), command line: C:\Windows\system32\Qjffpe32.exe
   - Drops file in System32 directory
96. C:\Windows\SysWOW64\Qikbaaml.exe (PID 5968), command line: C:\Windows\system32\Qikbaaml.exe
   - Modifies registry class
97. C:\Windows\SysWOW64\Ajjokd32.exe (PID 6008), command line: C:\Windows\system32\Ajjokd32.exe
98. C:\Windows\SysWOW64\Ajohfcpj.exe (PID 6048), command line: C:\Windows\system32\Ajohfcpj.exe
99. C:\Windows\SysWOW64\Affikdfn.exe (PID 6092), command line: C:\Windows\system32\Affikdfn.exe
100. C:\Windows\SysWOW64\Ajdbac32.exe (PID 6136), command line: C:\Windows\system32\Ajdbac32.exe
101. C:\Windows\SysWOW64\Bjfogbjb.exe (PID 5172), command line: C:\Windows\system32\Bjfogbjb.exe
   - Drops file in System32 directory
102. C:\Windows\SysWOW64\Bdocph32.exe (PID 5232), command line: C:\Windows\system32\Bdocph32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Babcil32.exe (PID 5304), command line: C:\Windows\system32\Babcil32.exe
104. C:\Windows\SysWOW64\Bmidnm32.exe (PID 5368), command line: C:\Windows\system32\Bmidnm32.exe
105. C:\Windows\SysWOW64\Bpjmph32.exe (PID 5452), command line: C:\Windows\system32\Bpjmph32.exe
106. C:\Windows\SysWOW64\Cmnnimak.exe (PID 5524), command line: C:\Windows\system32\Cmnnimak.exe
107. C:\Windows\SysWOW64\Cienon32.exe (PID 5584), command line: C:\Windows\system32\Cienon32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
108. C:\Windows\SysWOW64\Cancekeo.exe (PID 5656), command line: C:\Windows\system32\Cancekeo.exe
109. C:\Windows\SysWOW64\Ciihjmcj.exe (PID 5728), command line: C:\Windows\system32\Ciihjmcj.exe
110. C:\Windows\SysWOW64\Cgmhcaac.exe (PID 5792), command line: C:\Windows\system32\Cgmhcaac.exe
111. C:\Windows\SysWOW64\Dinael32.exe (PID 5860), command line: C:\Windows\system32\Dinael32.exe
112. C:\Windows\SysWOW64\Dknnoofg.exe (PID 5932), command line: C:\Windows\system32\Dknnoofg.exe
   - Modifies registry class
113. C:\Windows\SysWOW64\Dkpjdo32.exe (PID 5992), command line: C:\Windows\system32\Dkpjdo32.exe
114. C:\Windows\SysWOW64\Dnngpj32.exe (PID 6060), command line: C:\Windows\system32\Dnngpj32.exe
115. C:\Windows\SysWOW64\Dalofi32.exe (PID 6128), command line: C:\Windows\system32\Dalofi32.exe
116. C:\Windows\SysWOW64\Dkedonpo.exe (PID 5184), command line: C:\Windows\system32\Dkedonpo.exe
117. C:\Windows\SysWOW64\Dncpkjoc.exe (PID 5280), command line: C:\Windows\system32\Dncpkjoc.exe
118. C:\Windows\SysWOW64\Ecbeip32.exe (PID 5428), command line: C:\Windows\system32\Ecbeip32.exe
119. C:\Windows\SysWOW64\Ekimjn32.exe (PID 5520), command line: C:\Windows\system32\Ekimjn32.exe
120. C:\Windows\SysWOW64\Ecdbop32.exe (PID 5624), command line: C:\Windows\system32\Ecdbop32.exe
121. C:\Windows\SysWOW64\Ejojljqa.exe (PID 5736), command line: C:\Windows\system32\Ejojljqa.exe
122. C:\Windows\SysWOW64\Eqkondfl.exe (PID 5844), command line: C:\Windows\system32\Eqkondfl.exe