Analysis
max time kernel
169s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system -
submitted
04-11-2023 20:11
Behavioral task
behavioral1
Sample
NEAS.2b8195c7f771e6619755660e36d2fd00_JC.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.2b8195c7f771e6619755660e36d2fd00_JC.exe
Resource
win10v2004-20231023-en
General
Target
NEAS.2b8195c7f771e6619755660e36d2fd00_JC.exe
Size
343KB
MD5
2b8195c7f771e6619755660e36d2fd00
SHA1
9e7233e01c196113aae6955070a6dfedbf9aaae5
SHA256
cd4c8b5a2bbd714670e89f67e18388d4bc86db462ccf5a7b2a20ecc3d2a55acc
SHA512
f25b5fe7b99a5797bd94da8e453dac712d981d9c21e6ece98a209cda9ae62b35e030ed808eb856cb6f10d7824fb8f299d3b449030ec2b0d009556a3269e54a79
SSDEEP
6144:CBAtNq1RcqO+uNk54t3haeTFLel6ZfoPPB2I5BjopZ7TngrVIeoKhyCjonootaf3:CaqpO+uNk54t3hJVKOfoHBfByZPgrVIi
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadlmanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nebmnqdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phqbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qleahgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjqkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmhphqoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ainfpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Didnmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mijofaje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Benjkijd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffeaichg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpbpmhjb.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gablgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdkdibjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kccbjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbecljnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kblpnall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nejbaqgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cccppgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dacebkko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ooaghe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mahklf32.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkjlqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbcofpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkoldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehbgjenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kccbjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnppkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklffq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flaaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjfnphpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egnajocq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnhbmgmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlfoodc.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omdghmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fajgekol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojboa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmnfglcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjhfgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhljpcfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnodkjhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" NEAS.2b8195c7f771e6619755660e36d2fd00_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmijnfgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankgpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqfbkf32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkopgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbmclobc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlnpio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hoglbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnndhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqdgop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmfdpkeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdhbpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khakqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfgace32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlcga32.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhlnjpdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdjfhhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfnfhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bocjdiol.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022dbc-6.dat family_berbew behavioral2/files/0x0008000000022dbc-8.dat family_berbew behavioral2/files/0x0006000000022ddc-14.dat family_berbew behavioral2/files/0x0006000000022ddc-15.dat family_berbew behavioral2/files/0x0006000000022dde-22.dat family_berbew behavioral2/files/0x0006000000022de1-30.dat family_berbew behavioral2/files/0x0006000000022de3-38.dat family_berbew behavioral2/files/0x0006000000022de3-39.dat family_berbew behavioral2/files/0x0006000000022de1-31.dat family_berbew behavioral2/files/0x0006000000022dde-23.dat family_berbew behavioral2/files/0x0006000000022de5-46.dat family_berbew behavioral2/files/0x0006000000022de5-47.dat family_berbew behavioral2/files/0x0006000000022de7-56.dat family_berbew behavioral2/files/0x0006000000022de7-54.dat family_berbew behavioral2/files/0x0006000000022de9-63.dat family_berbew behavioral2/files/0x0006000000022de9-62.dat family_berbew behavioral2/files/0x0006000000022deb-71.dat family_berbew behavioral2/files/0x0006000000022deb-70.dat family_berbew behavioral2/files/0x0006000000022def-87.dat family_berbew behavioral2/files/0x0006000000022def-88.dat family_berbew behavioral2/files/0x0008000000022dc2-79.dat family_berbew behavioral2/files/0x0008000000022dc2-78.dat family_berbew behavioral2/files/0x0006000000022df1-97.dat family_berbew behavioral2/files/0x0006000000022df1-98.dat family_berbew behavioral2/files/0x0006000000022df3-105.dat family_berbew behavioral2/files/0x0006000000022df3-107.dat family_berbew behavioral2/files/0x0006000000022df5-115.dat family_berbew behavioral2/files/0x0006000000022df5-118.dat family_berbew behavioral2/files/0x0006000000022df7-124.dat family_berbew behavioral2/files/0x0006000000022df7-126.dat family_berbew behavioral2/files/0x0006000000022df9-132.dat family_berbew behavioral2/files/0x0006000000022df9-134.dat family_berbew behavioral2/files/0x0006000000022dfb-141.dat family_berbew behavioral2/files/0x0006000000022dfb-142.dat family_berbew 
behavioral2/files/0x0006000000022dfd-150.dat family_berbew behavioral2/files/0x0006000000022dfd-151.dat family_berbew behavioral2/files/0x0006000000022dff-160.dat family_berbew behavioral2/files/0x0006000000022dff-162.dat family_berbew behavioral2/files/0x0006000000022e01-170.dat family_berbew behavioral2/files/0x0006000000022e01-169.dat family_berbew behavioral2/files/0x0006000000022e03-177.dat family_berbew behavioral2/files/0x0006000000022e03-178.dat family_berbew behavioral2/files/0x0006000000022e05-185.dat family_berbew behavioral2/files/0x0006000000022e05-187.dat family_berbew behavioral2/files/0x0006000000022e07-194.dat family_berbew behavioral2/files/0x0006000000022e07-196.dat family_berbew behavioral2/files/0x0006000000022e09-204.dat family_berbew behavioral2/files/0x0006000000022e09-203.dat family_berbew behavioral2/files/0x0006000000022e0b-213.dat family_berbew behavioral2/files/0x0006000000022e0b-212.dat family_berbew behavioral2/files/0x0006000000022e0d-221.dat family_berbew behavioral2/files/0x0006000000022e0d-223.dat family_berbew behavioral2/files/0x0006000000022e0f-224.dat family_berbew behavioral2/files/0x0006000000022e0f-229.dat family_berbew behavioral2/files/0x0006000000022e1c-238.dat family_berbew behavioral2/files/0x0006000000022e1c-241.dat family_berbew behavioral2/files/0x0007000000022e11-242.dat family_berbew behavioral2/files/0x0007000000022e11-247.dat family_berbew behavioral2/files/0x0007000000022e11-249.dat family_berbew behavioral2/files/0x0007000000022e13-256.dat family_berbew behavioral2/files/0x0007000000022e19-265.dat family_berbew behavioral2/files/0x0007000000022e19-264.dat family_berbew behavioral2/files/0x0007000000022e13-257.dat family_berbew behavioral2/files/0x0006000000022e1e-273.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 316 Aoalgn32.exe 216 Adndoe32.exe 3784 Bochmn32.exe 4696 Bemqih32.exe 4604 Bkjiao32.exe 2064 Bdbnjdfg.exe 2872 Bojomm32.exe 4956 Bnoknihb.exe 1200 Bheplb32.exe 4144 Cocacl32.exe 2288 Cdpjlb32.exe 3484 Cnindhpg.exe 976 Chqogq32.exe 5040 Ddgplado.exe 1452 Dfiildio.exe 1664 Dijbno32.exe 1012 Dfnbgc32.exe 4672 Emhkdmlg.exe 4964 Eecphp32.exe 4136 Ennqfenp.exe 4424 Enpmld32.exe 3076 Eejeiocj.exe 4588 Ebnfbcbc.exe 1028 Flfkkhid.exe 1176 Fbpchb32.exe 5004 Flkdfh32.exe 4496 Fefedmil.exe 4252 Klahfp32.exe 2780 Kgiiiidd.exe 4256 Kcpjnjii.exe 2328 Kjjbjd32.exe 4612 Kpcjgnhb.exe 2784 Kjlopc32.exe 1392 Lgpoihnl.exe 2776 Lqhdbm32.exe 3448 Lggejg32.exe 4684 Lnangaoa.exe 2232 Lobjni32.exe 5104 Lncjlq32.exe 2764 Mgloefco.exe 1248 Mmhgmmbf.exe 2568 Mcbpjg32.exe 3544 Mjlhgaqp.exe 1560 Mmkdcm32.exe 2792 Moipoh32.exe 4012 Mfchlbfd.exe 4404 Mnjqmpgg.exe 4436 Mgbefe32.exe 2300 Mfeeabda.exe 1940 Mmpmnl32.exe 2316 Mcifkf32.exe 3180 Mfhbga32.exe 4744 Nnojho32.exe 1660 Nopfpgip.exe 2308 Nfjola32.exe 4340 Nmdgikhi.exe 636 Npbceggm.exe 2800 Llqjbhdc.exe 696 Oblhcj32.exe 4416 Aimogakj.exe 4712 Dinael32.exe 1632 Dknnoofg.exe 4508 Dnljkk32.exe 4420 Dpjfgf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bchgnoai.exe Bomknp32.exe File created C:\Windows\SysWOW64\Aecpnk32.dll Epgpajdp.exe File opened for modification C:\Windows\SysWOW64\Gmnfglcd.exe Gceaofmc.exe File created C:\Windows\SysWOW64\Njjnnm32.dll Ainfpi32.exe File opened for modification C:\Windows\SysWOW64\Clldhljp.exe Cebllbcc.exe File opened for modification C:\Windows\SysWOW64\Nqfbkf32.exe Njljnl32.exe File opened for modification C:\Windows\SysWOW64\Bgokdomj.exe Bpdfpmoo.exe File opened for modification C:\Windows\SysWOW64\Ehnpmkbg.exe Ebagdddp.exe File opened for modification C:\Windows\SysWOW64\Kokbpe32.exe Kmmedi32.exe File opened for modification C:\Windows\SysWOW64\Odkaac32.exe Okcmingd.exe File opened for modification C:\Windows\SysWOW64\Odelpm32.exe Lcbmlbig.exe File opened for modification C:\Windows\SysWOW64\Fmkqknci.exe Fjldocde.exe File created C:\Windows\SysWOW64\Cebllbcc.exe Cccppgcp.exe File created C:\Windows\SysWOW64\Ghdhja32.exe Geflne32.exe File created C:\Windows\SysWOW64\Hhiaepfl.exe Gclimi32.exe File created C:\Windows\SysWOW64\Ppfhnh32.dll Hhiaepfl.exe File created C:\Windows\SysWOW64\Acnokeqm.dll Cfiiggpg.exe File opened for modification C:\Windows\SysWOW64\Ekcplp32.exe Edihof32.exe File created C:\Windows\SysWOW64\Odljjo32.exe Obnnnc32.exe File opened for modification C:\Windows\SysWOW64\Djoohk32.exe Ckclfp32.exe File created C:\Windows\SysWOW64\Jnoopm32.exe Jkqccbkf.exe File created C:\Windows\SysWOW64\Bhibgo32.exe Pacahhib.exe File created C:\Windows\SysWOW64\Hmcipf32.dll Fnhbmgmk.exe File opened for modification C:\Windows\SysWOW64\Inhion32.exe Ikjmcc32.exe File opened for modification C:\Windows\SysWOW64\Beippj32.exe Blqlgdhi.exe File created C:\Windows\SysWOW64\Jgdcof32.dll Hmhphqoe.exe File opened for modification C:\Windows\SysWOW64\Mkepgp32.exe Mdkhkflh.exe File created C:\Windows\SysWOW64\Elfahb32.dll Dpalgenf.exe File created C:\Windows\SysWOW64\Qfkoaf32.dll Kmjinjnj.exe File created 
C:\Windows\SysWOW64\Fmndkd32.exe Djoohk32.exe File created C:\Windows\SysWOW64\Caagpdop.exe Bocjdiol.exe File created C:\Windows\SysWOW64\Pgdqpp32.dll Dldpde32.exe File opened for modification C:\Windows\SysWOW64\Hpgigj32.exe Gldgflba.exe File created C:\Windows\SysWOW64\Bgokdomj.exe Bpdfpmoo.exe File opened for modification C:\Windows\SysWOW64\Cnjkgf32.exe Cohkinob.exe File created C:\Windows\SysWOW64\Mopdmgeq.dll Hcpcehko.exe File opened for modification C:\Windows\SysWOW64\Phqbaj32.exe Pebfen32.exe File created C:\Windows\SysWOW64\Enlcahgh.exe Ejojljqa.exe File created C:\Windows\SysWOW64\Lpibmbek.dll Lofjam32.exe File created C:\Windows\SysWOW64\Ghlcga32.exe Gfkjef32.exe File created C:\Windows\SysWOW64\Hgnijh32.dll Hoakpi32.exe File created C:\Windows\SysWOW64\Feifgnki.exe Epiaig32.exe File created C:\Windows\SysWOW64\Pbpckclh.dll Odelpm32.exe File created C:\Windows\SysWOW64\Cialka32.dll Caagpdop.exe File created C:\Windows\SysWOW64\Kiikkada.exe Jabgkpad.exe File created C:\Windows\SysWOW64\Ploloqjj.dll Nkjlqd32.exe File created C:\Windows\SysWOW64\Fajcmcok.dll Mkohln32.exe File opened for modification C:\Windows\SysWOW64\Iiblcdil.exe Ijolhg32.exe File created C:\Windows\SysWOW64\Ikcmmjkb.exe Iefedcmk.exe File created C:\Windows\SysWOW64\Eccoloed.dll Mijofaje.exe File created C:\Windows\SysWOW64\Olidijjf.exe Obqopddf.exe File created C:\Windows\SysWOW64\Nqdfipld.dll Fjldocde.exe File created C:\Windows\SysWOW64\Goabhl32.exe Gfimpfmj.exe File created C:\Windows\SysWOW64\Egnajocq.exe Edoencdm.exe File opened for modification C:\Windows\SysWOW64\Ebagdddp.exe Elgohj32.exe File created C:\Windows\SysWOW64\Mmdcde32.dll Qpmmfbfl.exe File opened for modification C:\Windows\SysWOW64\Ijaimg32.exe Ibjqlj32.exe File opened for modification C:\Windows\SysWOW64\Kpjjhj32.exe Kmlmlo32.exe File created C:\Windows\SysWOW64\Eqmjen32.exe Ejcaidlp.exe File created C:\Windows\SysWOW64\Ngnill32.dll Dpqcoj32.exe File opened for modification C:\Windows\SysWOW64\Kmlmlo32.exe 
Kkmapc32.exe File created C:\Windows\SysWOW64\Efjbne32.exe Eqmjen32.exe File created C:\Windows\SysWOW64\Ecmebm32.exe Ehgqed32.exe File created C:\Windows\SysWOW64\Nogcjmhj.dll Hhbkccji.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1904 6592 WerFault.exe 842 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nebmnqdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jeaiij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfglahbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfiiggpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hameic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Echkgnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekhjgoga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minkhnmc.dll" Fohobmke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mginniij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kilphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fghhpq32.dll" Gqaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaemgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Eheldnol.dll" Ghdoae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkohln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjmnib32.dll" Jabgkpad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaobiplh.dll" Fkjfloeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll" Eajlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoeoqoni.dll" Kcikfcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Benjkijd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbaipdn.dll" Ejcaidlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgepflm.dll" Hmabnnhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmmfl32.dll" Ekqcfpmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdegkdim.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iimcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjhalkjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfmlok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggehilne.dll" Gbecljnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcabhido.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nilkkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndbkbj32.dll" Omdghmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Claenb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekqckmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphbql32.dll" Mkicjgnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdji32.dll" Obqopddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ooaghe32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbggj32.dll" Ojkepmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keeiahmm.dll" Hpgigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdmfcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mijofaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bomknp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijolhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkihedld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odkaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmfdpkeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjpllgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfknmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Maaoaa32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhnkppbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmndkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enpmld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkjckkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbada32.dll" Pfpidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemqkk32.dll" Agobna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfmba32.dll" Plokgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cehlkk32.dll" Lajfbmmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfnbgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll" Fdbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkgfdgpq.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifnkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofadlbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pekkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgpaqbcf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4388 wrote to memory of 316 4388 NEAS.2b8195c7f771e6619755660e36d2fd00_JC.exe 89 PID 4388 wrote to memory of 316 4388 NEAS.2b8195c7f771e6619755660e36d2fd00_JC.exe 89 PID 4388 wrote to memory of 316 4388 NEAS.2b8195c7f771e6619755660e36d2fd00_JC.exe 89 PID 316 wrote to memory of 216 316 Aoalgn32.exe 90 PID 316 wrote to memory of 216 316 Aoalgn32.exe 90 PID 316 wrote to memory of 216 316 Aoalgn32.exe 90 PID 216 wrote to memory of 3784 216 Adndoe32.exe 91 PID 216 wrote to memory of 3784 216 Adndoe32.exe 91 PID 216 wrote to memory of 3784 216 Adndoe32.exe 91 PID 3784 wrote to memory of 4696 3784 Bochmn32.exe 93 PID 3784 wrote to memory of 4696 3784 Bochmn32.exe 93 PID 3784 wrote to memory of 4696 3784 Bochmn32.exe 93 PID 4696 wrote to memory of 4604 4696 Bemqih32.exe 92 PID 4696 wrote to memory of 4604 4696 Bemqih32.exe 92 PID 4696 wrote to memory of 4604 4696 Bemqih32.exe 92 PID 4604 wrote to memory of 2064 4604 Bkjiao32.exe 94 PID 4604 wrote to memory of 2064 4604 Bkjiao32.exe 94 PID 4604 wrote to memory of 2064 4604 Bkjiao32.exe 94 PID 2064 wrote to memory of 2872 2064 Bdbnjdfg.exe 95 PID 2064 wrote to memory of 2872 2064 Bdbnjdfg.exe 95 PID 2064 wrote to memory of 2872 2064 Bdbnjdfg.exe 95 PID 2872 wrote to memory of 4956 2872 Bojomm32.exe 96 PID 2872 wrote to memory of 4956 2872 Bojomm32.exe 96 PID 2872 wrote to memory of 4956 2872 Bojomm32.exe 96 PID 4956 wrote to memory of 1200 4956 Bnoknihb.exe 97 PID 4956 wrote to memory of 1200 4956 Bnoknihb.exe 97 PID 4956 wrote to memory of 1200 4956 Bnoknihb.exe 97 PID 1200 wrote to memory of 4144 1200 Bheplb32.exe 98 PID 1200 wrote to memory of 4144 1200 Bheplb32.exe 98 PID 1200 wrote to memory of 4144 1200 Bheplb32.exe 98 PID 4144 wrote to memory of 2288 4144 Cocacl32.exe 99 PID 4144 wrote to memory of 2288 4144 Cocacl32.exe 99 PID 4144 wrote to memory of 2288 4144 Cocacl32.exe 99 PID 2288 wrote to memory of 3484 2288 Cdpjlb32.exe 100 PID 2288 wrote to memory of 3484 2288 
Cdpjlb32.exe 100 PID 2288 wrote to memory of 3484 2288 Cdpjlb32.exe 100 PID 3484 wrote to memory of 976 3484 Cnindhpg.exe 101 PID 3484 wrote to memory of 976 3484 Cnindhpg.exe 101 PID 3484 wrote to memory of 976 3484 Cnindhpg.exe 101 PID 976 wrote to memory of 5040 976 Chqogq32.exe 102 PID 976 wrote to memory of 5040 976 Chqogq32.exe 102 PID 976 wrote to memory of 5040 976 Chqogq32.exe 102 PID 5040 wrote to memory of 1452 5040 Ddgplado.exe 103 PID 5040 wrote to memory of 1452 5040 Ddgplado.exe 103 PID 5040 wrote to memory of 1452 5040 Ddgplado.exe 103 PID 1452 wrote to memory of 1664 1452 Dfiildio.exe 104 PID 1452 wrote to memory of 1664 1452 Dfiildio.exe 104 PID 1452 wrote to memory of 1664 1452 Dfiildio.exe 104 PID 1664 wrote to memory of 1012 1664 Dijbno32.exe 105 PID 1664 wrote to memory of 1012 1664 Dijbno32.exe 105 PID 1664 wrote to memory of 1012 1664 Dijbno32.exe 105 PID 1012 wrote to memory of 4672 1012 Dfnbgc32.exe 107 PID 1012 wrote to memory of 4672 1012 Dfnbgc32.exe 107 PID 1012 wrote to memory of 4672 1012 Dfnbgc32.exe 107 PID 4672 wrote to memory of 4964 4672 Emhkdmlg.exe 106 PID 4672 wrote to memory of 4964 4672 Emhkdmlg.exe 106 PID 4672 wrote to memory of 4964 4672 Emhkdmlg.exe 106 PID 4964 wrote to memory of 4136 4964 Eecphp32.exe 108 PID 4964 wrote to memory of 4136 4964 Eecphp32.exe 108 PID 4964 wrote to memory of 4136 4964 Eecphp32.exe 108 PID 4136 wrote to memory of 4424 4136 Ennqfenp.exe 109 PID 4136 wrote to memory of 4424 4136 Ennqfenp.exe 109 PID 4136 wrote to memory of 4424 4136 Ennqfenp.exe 109 PID 4424 wrote to memory of 3076 4424 Enpmld32.exe 110
Processes
(Rendering note: the tree below is split into several depth-1 roots, but the WriteProcessMemory records above show one continuous chain — Bemqih32.exe (4696) wrote to Bkjiao32.exe (4604), and Emhkdmlg.exe (4672) wrote to Eecphp32.exe (4964) — so the roots at depth 1 after the first are continuations of the same ancestry. Every stage is an EXE dropped into C:\Windows\SysWOW64 and executed from there. PIDs are recycled within the run (5040 and 2288 appear first for Ddgplado.exe/Cdpjlb32.exe and later for Inhmqlmj.exe/Iqgjmg32.exe), so correlate on image name and parent, not on PID alone.)
C:\Users\Admin\AppData\Local\Temp\NEAS.2b8195c7f771e6619755660e36d2fd00_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.2b8195c7f771e6619755660e36d2fd00_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Adndoe32.exeC:\Windows\system32\Adndoe32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Dfiildio.exeC:\Windows\system32\Dfiildio.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Enpmld32.exeC:\Windows\system32\Enpmld32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Eejeiocj.exeC:\Windows\system32\Eejeiocj.exe4⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe5⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe6⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe7⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe8⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Fefedmil.exeC:\Windows\system32\Fefedmil.exe9⤵
- Executes dropped EXE
- Modifies registry class
PID:4496 -
C:\Windows\SysWOW64\Jgbchj32.exeC:\Windows\system32\Jgbchj32.exe10⤵PID:2652
-
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe11⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe12⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe13⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Kjjbjd32.exeC:\Windows\system32\Kjjbjd32.exe14⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe15⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe16⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Lgpoihnl.exeC:\Windows\system32\Lgpoihnl.exe17⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Lqhdbm32.exeC:\Windows\system32\Lqhdbm32.exe18⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Lggejg32.exeC:\Windows\system32\Lggejg32.exe19⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe20⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe21⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Lncjlq32.exeC:\Windows\system32\Lncjlq32.exe22⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Mgloefco.exeC:\Windows\system32\Mgloefco.exe23⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe24⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Mcbpjg32.exeC:\Windows\system32\Mcbpjg32.exe25⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Mjlhgaqp.exeC:\Windows\system32\Mjlhgaqp.exe26⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe27⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe28⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Mfchlbfd.exeC:\Windows\system32\Mfchlbfd.exe29⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe30⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Mgbefe32.exeC:\Windows\system32\Mgbefe32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Mfeeabda.exeC:\Windows\system32\Mfeeabda.exe32⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Mmpmnl32.exeC:\Windows\system32\Mmpmnl32.exe33⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe34⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe35⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Nnojho32.exeC:\Windows\system32\Nnojho32.exe36⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe37⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Nfjola32.exeC:\Windows\system32\Nfjola32.exe38⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Nmdgikhi.exeC:\Windows\system32\Nmdgikhi.exe39⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe40⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Llqjbhdc.exeC:\Windows\system32\Llqjbhdc.exe41⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Oblhcj32.exeC:\Windows\system32\Oblhcj32.exe42⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe43⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Dinael32.exeC:\Windows\system32\Dinael32.exe44⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe45⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Dnljkk32.exeC:\Windows\system32\Dnljkk32.exe46⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Dpjfgf32.exeC:\Windows\system32\Dpjfgf32.exe47⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Dgdncplk.exeC:\Windows\system32\Dgdncplk.exe48⤵PID:4368
-
C:\Windows\SysWOW64\Dajbaika.exeC:\Windows\system32\Dajbaika.exe49⤵PID:1684
-
C:\Windows\SysWOW64\Dkbgjo32.exeC:\Windows\system32\Dkbgjo32.exe50⤵PID:1900
-
C:\Windows\SysWOW64\Dpopbepi.exeC:\Windows\system32\Dpopbepi.exe51⤵PID:1348
-
C:\Windows\SysWOW64\Dgihop32.exeC:\Windows\system32\Dgihop32.exe52⤵PID:3248
-
C:\Windows\SysWOW64\Dpalgenf.exeC:\Windows\system32\Dpalgenf.exe53⤵
- Drops file in System32 directory
PID:3512 -
C:\Windows\SysWOW64\Ekgqennl.exeC:\Windows\system32\Ekgqennl.exe54⤵PID:2452
-
C:\Windows\SysWOW64\Eaaiahei.exeC:\Windows\system32\Eaaiahei.exe55⤵PID:116
-
C:\Windows\SysWOW64\Edoencdm.exeC:\Windows\system32\Edoencdm.exe56⤵
- Drops file in System32 directory
PID:4840 -
C:\Windows\SysWOW64\Egnajocq.exeC:\Windows\system32\Egnajocq.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Ejlnfjbd.exeC:\Windows\system32\Ejlnfjbd.exe58⤵PID:3772
-
C:\Windows\SysWOW64\Edaaccbj.exeC:\Windows\system32\Edaaccbj.exe59⤵PID:5132
-
C:\Windows\SysWOW64\Egpnooan.exeC:\Windows\system32\Egpnooan.exe60⤵PID:5184
-
C:\Windows\SysWOW64\Ejojljqa.exeC:\Windows\system32\Ejojljqa.exe61⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe62⤵PID:5272
-
C:\Windows\SysWOW64\Ecikjoep.exeC:\Windows\system32\Ecikjoep.exe63⤵PID:5312
-
C:\Windows\SysWOW64\Ekqckmfb.exeC:\Windows\system32\Ekqckmfb.exe64⤵
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Eajlhg32.exeC:\Windows\system32\Eajlhg32.exe65⤵
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Fclhpo32.exeC:\Windows\system32\Fclhpo32.exe66⤵PID:5460
-
C:\Windows\SysWOW64\Fdkdibjp.exeC:\Windows\system32\Fdkdibjp.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5504 -
C:\Windows\SysWOW64\Fkemfl32.exeC:\Windows\system32\Fkemfl32.exe68⤵PID:5544
-
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe69⤵PID:5592
-
C:\Windows\SysWOW64\Fnffhgon.exeC:\Windows\system32\Fnffhgon.exe70⤵PID:5628
-
C:\Windows\SysWOW64\Fcbnpnme.exeC:\Windows\system32\Fcbnpnme.exe71⤵PID:5684
-
C:\Windows\SysWOW64\Fnhbmgmk.exeC:\Windows\system32\Fnhbmgmk.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5724 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe73⤵
- Modifies registry class
PID:5768 -
C:\Windows\SysWOW64\Fnjocf32.exeC:\Windows\system32\Fnjocf32.exe74⤵PID:5816
-
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe75⤵PID:5860
-
C:\Windows\SysWOW64\Gnmlhf32.exeC:\Windows\system32\Gnmlhf32.exe76⤵PID:5904
-
C:\Windows\SysWOW64\Gdgdeppb.exeC:\Windows\system32\Gdgdeppb.exe77⤵PID:5944
-
C:\Windows\SysWOW64\Gjcmngnj.exeC:\Windows\system32\Gjcmngnj.exe78⤵PID:5988
-
C:\Windows\SysWOW64\Gdiakp32.exeC:\Windows\system32\Gdiakp32.exe79⤵PID:6036
-
C:\Windows\SysWOW64\Gnaecedp.exeC:\Windows\system32\Gnaecedp.exe80⤵PID:6076
-
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe81⤵PID:6120
-
C:\Windows\SysWOW64\Gndbie32.exeC:\Windows\system32\Gndbie32.exe82⤵PID:5168
-
C:\Windows\SysWOW64\Jeaiij32.exeC:\Windows\system32\Jeaiij32.exe83⤵
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe84⤵PID:5368
-
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe85⤵PID:5448
-
C:\Windows\SysWOW64\Kahinkaf.exeC:\Windows\system32\Kahinkaf.exe86⤵PID:5512
-
C:\Windows\SysWOW64\Kdffjgpj.exeC:\Windows\system32\Kdffjgpj.exe87⤵PID:5580
-
C:\Windows\SysWOW64\Klmnkdal.exeC:\Windows\system32\Klmnkdal.exe88⤵PID:5672
-
C:\Windows\SysWOW64\Kdhbpf32.exeC:\Windows\system32\Kdhbpf32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Mcabej32.exeC:\Windows\system32\Mcabej32.exe90⤵PID:5812
-
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5964 -
C:\Windows\SysWOW64\Nomlek32.exeC:\Windows\system32\Nomlek32.exe93⤵PID:6028
-
C:\Windows\SysWOW64\Nefdbekh.exeC:\Windows\system32\Nefdbekh.exe94⤵PID:6116
-
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe95⤵PID:5128
-
C:\Windows\SysWOW64\Nlcidopb.exeC:\Windows\system32\Nlcidopb.exe96⤵PID:5264
-
C:\Windows\SysWOW64\Ncmaai32.exeC:\Windows\system32\Ncmaai32.exe97⤵PID:5420
-
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe98⤵
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Nkhfek32.exeC:\Windows\system32\Nkhfek32.exe99⤵PID:5652
-
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe100⤵PID:5800
-
C:\Windows\SysWOW64\Nhlfoodc.exeC:\Windows\system32\Nhlfoodc.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5900 -
C:\Windows\SysWOW64\Nkjckkcg.exeC:\Windows\system32\Nkjckkcg.exe102⤵
- Modifies registry class
PID:6032 -
C:\Windows\SysWOW64\Nfpghccm.exeC:\Windows\system32\Nfpghccm.exe103⤵PID:6112
-
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe104⤵PID:3172
-
C:\Windows\SysWOW64\Ofbdncaj.exeC:\Windows\system32\Ofbdncaj.exe105⤵PID:5496
-
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe106⤵PID:2400
-
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe107⤵PID:5668
-
C:\Windows\SysWOW64\Ochamg32.exeC:\Windows\system32\Ochamg32.exe108⤵PID:5828
-
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe109⤵PID:6048
-
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe110⤵
- Drops file in System32 directory
PID:5348 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe111⤵PID:5640
-
C:\Windows\SysWOW64\Okfbgiij.exeC:\Windows\system32\Okfbgiij.exe112⤵PID:6088
-
C:\Windows\SysWOW64\Imdgljil.exeC:\Windows\system32\Imdgljil.exe113⤵PID:5644
-
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe114⤵PID:5912
-
C:\Windows\SysWOW64\Imiagi32.exeC:\Windows\system32\Imiagi32.exe115⤵PID:2140
-
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe116⤵PID:2116
-
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe117⤵PID:3548
-
C:\Windows\SysWOW64\Inhmqlmj.exeC:\Windows\system32\Inhmqlmj.exe118⤵PID:5040
-
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe119⤵PID:2288
-
C:\Windows\SysWOW64\Icefib32.exeC:\Windows\system32\Icefib32.exe120⤵PID:3584
-
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe121⤵PID:1600
-
C:\Windows\SysWOW64\Imnjbhaa.exeC:\Windows\system32\Imnjbhaa.exe122⤵PID:1472