Analysis
-
max time kernel
117s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
07-11-2023 14:23
Behavioral task
behavioral1
Sample
NEAS.798b1f167cade37711408540ff93cb5f.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.798b1f167cade37711408540ff93cb5f.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.798b1f167cade37711408540ff93cb5f.exe
-
Size
67KB
-
MD5
798b1f167cade37711408540ff93cb5f
-
SHA1
0ff20ca6e47e27698453d361dff8469e99c3ee59
-
SHA256
1b1d3ed335bfc261e298fc4fa8fdce225ae2783b8cca693048facb87d6f6885b
-
SHA512
385d00e0a044581dca4d5d081f2e1ffa3a6922e4c4ba6b1895ae167d2df1ec395269c0788f70cb8580b9da2b764a7f4f31ce7562e923b3ffd4412708f4d02b6f
-
SSDEEP
1536:dtF6qP6DTPap0l1851oLsJifTduD4oTxw:noip0ly51ysJibdMTxw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Befmfpbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklddhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpidki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekknjcfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpggei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhpgpebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhamckel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqodqodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljfogake.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opfbngfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnecigcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcdopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fffefjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljieppcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqmamm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfpbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apmcefmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oidglb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqlicclo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdnlhco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoepnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjqamme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdcfoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iecdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqncaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmljgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjgoje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fplllkdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjkle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhcag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkndf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqknil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jodhdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kllnhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgiaefgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koaclfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clgbno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmnqje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhelbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmakmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfblgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eapfagno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimoiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnaoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geeemeif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kohnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgmdapml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbidne32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2356-0-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x00060000000120bd-5.dat family_berbew behavioral1/memory/2356-6-0x00000000002A0000-0x00000000002DB000-memory.dmp family_berbew behavioral1/files/0x00060000000120bd-8.dat family_berbew behavioral1/files/0x00060000000120bd-9.dat family_berbew behavioral1/files/0x00060000000120bd-12.dat family_berbew behavioral1/files/0x00060000000120bd-14.dat family_berbew behavioral1/files/0x001d000000015c8a-26.dat family_berbew behavioral1/memory/828-33-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x001d000000015c8a-28.dat family_berbew behavioral1/memory/2176-19-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x001d000000015c8a-23.dat family_berbew behavioral1/files/0x001d000000015c8a-22.dat family_berbew behavioral1/files/0x001d000000015c8a-20.dat family_berbew behavioral1/files/0x0007000000015e30-34.dat family_berbew behavioral1/files/0x0007000000015e30-36.dat family_berbew behavioral1/files/0x0007000000015e30-37.dat family_berbew behavioral1/files/0x0007000000015e30-42.dat family_berbew behavioral1/memory/828-41-0x00000000002B0000-0x00000000002EB000-memory.dmp family_berbew behavioral1/files/0x0007000000015e30-40.dat family_berbew behavioral1/memory/2772-47-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0009000000015eb0-48.dat family_berbew behavioral1/files/0x0009000000015eb0-50.dat family_berbew behavioral1/memory/2704-55-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0009000000015eb0-54.dat family_berbew behavioral1/files/0x0009000000015eb0-51.dat family_berbew behavioral1/files/0x0009000000015eb0-56.dat family_berbew behavioral1/files/0x0006000000016466-61.dat family_berbew behavioral1/memory/2704-63-0x0000000000220000-0x000000000025B000-memory.dmp family_berbew behavioral1/memory/2704-65-0x0000000000220000-0x000000000025B000-memory.dmp family_berbew behavioral1/files/0x0006000000016466-66.dat family_berbew behavioral1/files/0x0006000000016466-69.dat family_berbew behavioral1/files/0x0006000000016466-64.dat family_berbew behavioral1/files/0x0006000000016466-70.dat family_berbew behavioral1/memory/2356-77-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/memory/2796-83-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0006000000016619-79.dat family_berbew behavioral1/files/0x0006000000016619-78.dat family_berbew behavioral1/files/0x0006000000016619-82.dat family_berbew behavioral1/files/0x0006000000016619-75.dat family_berbew behavioral1/files/0x0006000000016619-84.dat family_berbew behavioral1/files/0x0006000000016ae2-97.dat family_berbew behavioral1/files/0x0006000000016ae2-96.dat family_berbew behavioral1/files/0x0006000000016ae2-93.dat family_berbew behavioral1/files/0x0006000000016ae2-91.dat family_berbew behavioral1/files/0x0006000000016ae2-89.dat family_berbew behavioral1/files/0x0006000000016c23-109.dat family_berbew behavioral1/files/0x0006000000016c23-106.dat family_berbew behavioral1/files/0x0006000000016c23-105.dat family_berbew behavioral1/memory/3060-104-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0006000000016c23-102.dat family_berbew behavioral1/memory/2024-110-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0006000000016c23-111.dat family_berbew behavioral1/files/0x0006000000016c35-116.dat family_berbew behavioral1/memory/2024-117-0x0000000000440000-0x000000000047B000-memory.dmp family_berbew behavioral1/files/0x0006000000016c35-119.dat family_berbew behavioral1/files/0x0006000000016c35-120.dat family_berbew behavioral1/files/0x0006000000016c35-125.dat family_berbew behavioral1/files/0x0006000000016c35-124.dat family_berbew behavioral1/memory/2704-123-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x001b000000015c94-136.dat family_berbew behavioral1/files/0x001b000000015c94-133.dat family_berbew behavioral1/files/0x001b000000015c94-132.dat family_berbew behavioral1/files/0x001b000000015c94-130.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2176 Ejehgkdp.exe 828 Efnfbl32.exe 2772 Ekknjcfh.exe 2704 Eknkpbdf.exe 2960 Edfpih32.exe 2796 Fgfhjcgg.exe 3060 Fgiepced.exe 2024 Fncmmmma.exe 328 Fjjnan32.exe 1964 Fjlkgn32.exe 332 Fcdopc32.exe 432 Glpdde32.exe 2892 Gbjlaplk.exe 1604 Gmoqnhla.exe 2316 Gifaciae.exe 2068 Ghkndf32.exe 2528 Gacbmk32.exe 1452 Ghmkjedk.exe 2284 Gmjcblbb.exe 2464 Hhpgpebh.exe 1484 Hhbdee32.exe 1148 Hmomml32.exe 3028 Hifmbmda.exe 1748 Hoebpc32.exe 1588 Heokmmgb.exe 2396 Iogoec32.exe 2032 Iknpkd32.exe 2676 Iecdhm32.exe 2860 Imoilo32.exe 2604 Iefamlak.exe 2964 Ionefb32.exe 2600 Idknoi32.exe 2636 Ikefkcmo.exe 3064 Jglgpdcc.exe 2832 Jnfomn32.exe 1980 Jpdkii32.exe 2144 Jcbhee32.exe 524 Jnhlbn32.exe 656 Jpfhoi32.exe 620 Joihjfnl.exe 2920 Jcedkd32.exe 1156 Jfcqgpfi.exe 3036 Jhamckel.exe 2304 Kcgmoggn.exe 2112 Kqknil32.exe 1056 Lfhfab32.exe 1796 Lmbonmll.exe 972 Lopkjhko.exe 2072 Ljfogake.exe 2012 Lmdkcl32.exe 1808 Lbackc32.exe 2508 Leopgo32.exe 1504 Lpedeg32.exe 2124 Lgpiij32.exe 2448 Lklejh32.exe 2352 Lnjafd32.exe 2272 Ledibnco.exe 2864 Llnaoh32.exe 2592 Makjho32.exe 2768 Mlpneh32.exe 2584 Mjcoqdoc.exe 2552 Mmakmp32.exe 2900 Mclcijfd.exe 1644 Mjekfd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2356 NEAS.798b1f167cade37711408540ff93cb5f.exe 2356 NEAS.798b1f167cade37711408540ff93cb5f.exe 2176 Ejehgkdp.exe 2176 Ejehgkdp.exe 828 Efnfbl32.exe 828 Efnfbl32.exe 2772 Ekknjcfh.exe 2772 Ekknjcfh.exe 2704 Eknkpbdf.exe 2704 Eknkpbdf.exe 2960 Edfpih32.exe 2960 Edfpih32.exe 2796 Fgfhjcgg.exe 2796 Fgfhjcgg.exe 3060 Fgiepced.exe 3060 Fgiepced.exe 2024 Fncmmmma.exe 2024 Fncmmmma.exe 328 Fjjnan32.exe 328 Fjjnan32.exe 1964 Fjlkgn32.exe 1964 Fjlkgn32.exe 332 Fcdopc32.exe 332 Fcdopc32.exe 432 Glpdde32.exe 432 Glpdde32.exe 2892 Gbjlaplk.exe 2892 Gbjlaplk.exe 1604 Gmoqnhla.exe 1604 Gmoqnhla.exe 2316 Gifaciae.exe 2316 Gifaciae.exe 2068 Ghkndf32.exe 2068 Ghkndf32.exe 2528 Gacbmk32.exe 2528 Gacbmk32.exe 1452 Ghmkjedk.exe 1452 Ghmkjedk.exe 2284 Gmjcblbb.exe 2284 Gmjcblbb.exe 2464 Hhpgpebh.exe 2464 Hhpgpebh.exe 1484 Hhbdee32.exe 1484 Hhbdee32.exe 1148 Hmomml32.exe 1148 Hmomml32.exe 3028 Hifmbmda.exe 3028 Hifmbmda.exe 1748 Hoebpc32.exe 1748 Hoebpc32.exe 1588 Heokmmgb.exe 1588 Heokmmgb.exe 2396 Iogoec32.exe 2396 Iogoec32.exe 2032 Iknpkd32.exe 2032 Iknpkd32.exe 2676 Iecdhm32.exe 2676 Iecdhm32.exe 2860 Imoilo32.exe 2860 Imoilo32.exe 2604 Iefamlak.exe 2604 Iefamlak.exe 2964 Ionefb32.exe 2964 Ionefb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jckgicnp.exe Jjbbpmgo.exe File created C:\Windows\SysWOW64\Fadndbci.exe Fofbhgde.exe File opened for modification C:\Windows\SysWOW64\Gkalhgfd.exe Gnkoid32.exe File opened for modification C:\Windows\SysWOW64\Jbbccgmp.exe Jjkkbjln.exe File created C:\Windows\SysWOW64\Ohpbbo32.dll Jnkakl32.exe File opened for modification C:\Windows\SysWOW64\Lkdhoc32.exe Lhelbh32.exe File created C:\Windows\SysWOW64\Gdcjpncm.exe Fadndbci.exe File opened for modification C:\Windows\SysWOW64\Ibkmchbh.exe Imodkadq.exe File created C:\Windows\SysWOW64\Ibmcpifp.dll Jhjphfgi.exe File created C:\Windows\SysWOW64\Gbaihlkd.dll Ieigfk32.exe File created C:\Windows\SysWOW64\Lqncaj32.exe Lnpgeopa.exe File created C:\Windows\SysWOW64\Elajgpmj.exe Dicnkdnf.exe File created C:\Windows\SysWOW64\Mleijpbj.dll Ppkhhjei.exe File created C:\Windows\SysWOW64\Pejmfqan.exe Pckajebj.exe File opened for modification C:\Windows\SysWOW64\Afgmodel.exe Adfqgl32.exe File created C:\Windows\SysWOW64\Cmfkfa32.exe Cjgoje32.exe File created C:\Windows\SysWOW64\Boifga32.exe Bddbjhlp.exe File created C:\Windows\SysWOW64\Cdmepgce.exe Ckeqga32.exe File created C:\Windows\SysWOW64\Glpdde32.exe Fcdopc32.exe File created C:\Windows\SysWOW64\Mjjdacik.exe Mfoiqe32.exe File created C:\Windows\SysWOW64\Dbcflk32.dll Dllhhaep.exe File opened for modification C:\Windows\SysWOW64\Ldheebad.exe Kcginj32.exe File created C:\Windows\SysWOW64\Fnipkkdl.exe Fkjdopeh.exe File opened for modification C:\Windows\SysWOW64\Mpgmijgc.exe Mlkail32.exe File created C:\Windows\SysWOW64\Bofgii32.exe Bfncpcoc.exe File created C:\Windows\SysWOW64\Jaephc32.dll Fcmdnfad.exe File created C:\Windows\SysWOW64\Fcqjfeja.exe Fmdbnnlj.exe File created C:\Windows\SysWOW64\Kgfkgo32.dll Fggkcl32.exe File created C:\Windows\SysWOW64\Hgqlafap.exe Hcepqh32.exe File created C:\Windows\SysWOW64\Kjnmgq32.dll Ljghjpfe.exe File created C:\Windows\SysWOW64\Gcmobfna.dll Gfkmie32.exe File created C:\Windows\SysWOW64\Ckohkhoi.dll Jndjmifj.exe File created C:\Windows\SysWOW64\Legaoehg.exe Laleof32.exe File opened for modification C:\Windows\SysWOW64\Amohfo32.exe Ajqljc32.exe File opened for modification C:\Windows\SysWOW64\Bejfao32.exe Bmcnqama.exe File created C:\Windows\SysWOW64\Mnkgen32.dll Elajgpmj.exe File created C:\Windows\SysWOW64\Kbfheikj.dll Kgnkci32.exe File created C:\Windows\SysWOW64\Geeemeif.exe Gbfiaj32.exe File created C:\Windows\SysWOW64\Hibjbgbh.exe Halbai32.exe File opened for modification C:\Windows\SysWOW64\Iapgkl32.exe Ipokcdjn.exe File opened for modification C:\Windows\SysWOW64\Lqncaj32.exe Lnpgeopa.exe File opened for modification C:\Windows\SysWOW64\Fppaej32.exe Fkcilc32.exe File created C:\Windows\SysWOW64\Hfopbgif.dll Lplbjm32.exe File created C:\Windows\SysWOW64\Ibejjo32.dll Oonldcih.exe File opened for modification C:\Windows\SysWOW64\Ijaaae32.exe Iipejmko.exe File opened for modification C:\Windows\SysWOW64\Ionefb32.exe Iefamlak.exe File opened for modification C:\Windows\SysWOW64\Mpbdnk32.exe Mjekfd32.exe File opened for modification C:\Windows\SysWOW64\Ohkaco32.exe Oaaifdhb.exe File created C:\Windows\SysWOW64\Bfhmqhkd.exe Blchcpko.exe File created C:\Windows\SysWOW64\Lofoed32.dll Jjbbpmgo.exe File created C:\Windows\SysWOW64\Jhoklnkg.exe Jeqopcld.exe File opened for modification C:\Windows\SysWOW64\Ikjhki32.exe Imggplgm.exe File created C:\Windows\SysWOW64\Abhkfg32.exe Amkbnp32.exe File opened for modification C:\Windows\SysWOW64\Fcpacf32.exe Fleifl32.exe File created C:\Windows\SysWOW64\Fmdbnnlj.exe Fppaej32.exe File created C:\Windows\SysWOW64\Gcakqmpi.dll Lidgcclp.exe File created C:\Windows\SysWOW64\Mpgmijgc.exe Mlkail32.exe File created C:\Windows\SysWOW64\Fgbbce32.dll Pjcckf32.exe File created C:\Windows\SysWOW64\Gnmifk32.exe Ggcaiqhj.exe File created C:\Windows\SysWOW64\Iibgoigc.dll Kcginj32.exe File opened for modification C:\Windows\SysWOW64\Fgocmc32.exe Fcqjfeja.exe File opened for modification C:\Windows\SysWOW64\Hfhfhbce.exe Honnki32.exe File opened for modification C:\Windows\SysWOW64\Elldgehk.exe Ejmhkiig.exe File created C:\Windows\SysWOW64\Aaiioe32.dll Edibhmml.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3240 5796 WerFault.exe 658 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckoelflc.dll" Jgdfdbhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqahn32.dll" Amohfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcnejk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jagkpl32.dll" Fplllkdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkolakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biklma32.dll" Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjhcag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbhfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepckd32.dll" Bfhmqhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoebpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeqkmn32.dll" Hbknkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdhifooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpojkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboepn32.dll" Edfpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amponajh.dll" Cmjdaqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apppkekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlqjkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifmbmda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqknil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfhfab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaaifdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjlmca32.dll" Kcgmoggn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeehln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll" Lcohahpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edfpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieljfpdl.dll" Ckolek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqbqqjl.dll" Hmjlhfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll" Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqglggcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppcmncq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daadna32.dll" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleohi32.dll" Gbfiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Padeldeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogkdiemp.dll" Jodhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ledibnco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbldf32.dll" Enkpahon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odohol32.dll" Oagoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaqnkafa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmcnqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" Jjjdhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcjeo32.dll" Fheabelm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfbcidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdihiook.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbidne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfdopp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhlqjone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjjdacik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abegfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifdlng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlpneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkgo32.dll" Fggkcl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2176 2356 NEAS.798b1f167cade37711408540ff93cb5f.exe 28 PID 2356 wrote to memory of 2176 2356 NEAS.798b1f167cade37711408540ff93cb5f.exe 28 PID 2356 wrote to memory of 2176 2356 NEAS.798b1f167cade37711408540ff93cb5f.exe 28 PID 2356 wrote to memory of 2176 2356 NEAS.798b1f167cade37711408540ff93cb5f.exe 28 PID 2176 wrote to memory of 828 2176 Ejehgkdp.exe 29 PID 2176 wrote to memory of 828 2176 Ejehgkdp.exe 29 PID 2176 wrote to memory of 828 2176 Ejehgkdp.exe 29 PID 2176 wrote to memory of 828 2176 Ejehgkdp.exe 29 PID 828 wrote to memory of 2772 828 Efnfbl32.exe 30 PID 828 wrote to memory of 2772 828 Efnfbl32.exe 30 PID 828 wrote to memory of 2772 828 Efnfbl32.exe 30 PID 828 wrote to memory of 2772 828 Efnfbl32.exe 30 PID 2772 wrote to memory of 2704 2772 Ekknjcfh.exe 31 PID 2772 wrote to memory of 2704 2772 Ekknjcfh.exe 31 PID 2772 wrote to memory of 2704 2772 Ekknjcfh.exe 31 PID 2772 wrote to memory of 2704 2772 Ekknjcfh.exe 31 PID 2704 wrote to memory of 2960 2704 Eknkpbdf.exe 32 PID 2704 wrote to memory of 2960 2704 Eknkpbdf.exe 32 PID 2704 wrote to memory of 2960 2704 Eknkpbdf.exe 32 PID 2704 wrote to memory of 2960 2704 Eknkpbdf.exe 32 PID 2960 wrote to memory of 2796 2960 Edfpih32.exe 33 PID 2960 wrote to memory of 2796 2960 Edfpih32.exe 33 PID 2960 wrote to memory of 2796 2960 Edfpih32.exe 33 PID 2960 wrote to memory of 2796 2960 Edfpih32.exe 33 PID 2796 wrote to memory of 3060 2796 Fgfhjcgg.exe 34 PID 2796 wrote to memory of 3060 2796 Fgfhjcgg.exe 34 PID 2796 wrote to memory of 3060 2796 Fgfhjcgg.exe 34 PID 2796 wrote to memory of 3060 2796 Fgfhjcgg.exe 34 PID 3060 wrote to memory of 2024 3060 Fgiepced.exe 35 PID 3060 wrote to memory of 2024 3060 Fgiepced.exe 35 PID 3060 wrote to memory of 2024 3060 Fgiepced.exe 35 PID 3060 wrote to memory of 2024 3060 Fgiepced.exe 35 PID 2024 wrote to memory of 328 2024 Fncmmmma.exe 36 PID 2024 wrote to memory of 328 2024 Fncmmmma.exe 36 PID 2024 wrote to memory of 328 2024 Fncmmmma.exe 36 PID 2024 wrote to memory of 328 2024 Fncmmmma.exe 36 PID 328 wrote to memory of 1964 328 Fjjnan32.exe 37 PID 328 wrote to memory of 1964 328 Fjjnan32.exe 37 PID 328 wrote to memory of 1964 328 Fjjnan32.exe 37 PID 328 wrote to memory of 1964 328 Fjjnan32.exe 37 PID 1964 wrote to memory of 332 1964 Fjlkgn32.exe 38 PID 1964 wrote to memory of 332 1964 Fjlkgn32.exe 38 PID 1964 wrote to memory of 332 1964 Fjlkgn32.exe 38 PID 1964 wrote to memory of 332 1964 Fjlkgn32.exe 38 PID 332 wrote to memory of 432 332 Fcdopc32.exe 39 PID 332 wrote to memory of 432 332 Fcdopc32.exe 39 PID 332 wrote to memory of 432 332 Fcdopc32.exe 39 PID 332 wrote to memory of 432 332 Fcdopc32.exe 39 PID 432 wrote to memory of 2892 432 Glpdde32.exe 40 PID 432 wrote to memory of 2892 432 Glpdde32.exe 40 PID 432 wrote to memory of 2892 432 Glpdde32.exe 40 PID 432 wrote to memory of 2892 432 Glpdde32.exe 40 PID 2892 wrote to memory of 1604 2892 Gbjlaplk.exe 41 PID 2892 wrote to memory of 1604 2892 Gbjlaplk.exe 41 PID 2892 wrote to memory of 1604 2892 Gbjlaplk.exe 41 PID 2892 wrote to memory of 1604 2892 Gbjlaplk.exe 41 PID 1604 wrote to memory of 2316 1604 Gmoqnhla.exe 42 PID 1604 wrote to memory of 2316 1604 Gmoqnhla.exe 42 PID 1604 wrote to memory of 2316 1604 Gmoqnhla.exe 42 PID 1604 wrote to memory of 2316 1604 Gmoqnhla.exe 42 PID 2316 wrote to memory of 2068 2316 Gifaciae.exe 43 PID 2316 wrote to memory of 2068 2316 Gifaciae.exe 43 PID 2316 wrote to memory of 2068 2316 Gifaciae.exe 43 PID 2316 wrote to memory of 2068 2316 Gifaciae.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.798b1f167cade37711408540ff93cb5f.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.798b1f167cade37711408540ff93cb5f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Iogoec32.exeC:\Windows\system32\Iogoec32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe33⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe34⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe35⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe36⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe37⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe38⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe39⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe40⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe41⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe42⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe43⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe48⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe49⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe52⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe53⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe54⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe55⤵PID:1128
-
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe56⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe57⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Lnjafd32.exeC:\Windows\system32\Lnjafd32.exe58⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe61⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe63⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe65⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe67⤵PID:1944
-
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe68⤵PID:2472
-
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe69⤵PID:472
-
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe70⤵PID:1216
-
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe71⤵PID:644
-
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe72⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe73⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe74⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe75⤵PID:2312
-
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe76⤵PID:3052
-
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe77⤵PID:2992
-
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe78⤵PID:2344
-
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe79⤵
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe80⤵PID:484
-
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe81⤵PID:2544
-
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe82⤵PID:1096
-
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe83⤵PID:2432
-
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe84⤵PID:2268
-
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe85⤵PID:2996
-
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe86⤵PID:2056
-
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe87⤵PID:2696
-
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe88⤵PID:2092
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe89⤵PID:2648
-
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe90⤵PID:2888
-
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe91⤵PID:1952
-
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe92⤵PID:2240
-
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe93⤵PID:2556
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe94⤵PID:1400
-
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe95⤵PID:956
-
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe97⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe98⤵PID:1988
-
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe99⤵PID:2132
-
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe101⤵PID:1680
-
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe102⤵PID:368
-
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe103⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe104⤵PID:1700
-
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe105⤵PID:2436
-
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe106⤵PID:2120
-
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe107⤵PID:2980
-
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe108⤵PID:2644
-
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe109⤵PID:1692
-
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe110⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe111⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe112⤵PID:752
-
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe113⤵PID:572
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe114⤵
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe115⤵PID:1160
-
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe116⤵PID:1912
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe117⤵PID:2420
-
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe118⤵PID:1948
-
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe119⤵PID:1532
-
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe120⤵PID:1940
-
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe121⤵
- Drops file in System32 directory
PID:1260
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-