Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2023, 14:23
Behavioral task
behavioral1
Sample
NEAS.798b1f167cade37711408540ff93cb5f.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.798b1f167cade37711408540ff93cb5f.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.798b1f167cade37711408540ff93cb5f.exe
-
Size
67KB
-
MD5
798b1f167cade37711408540ff93cb5f
-
SHA1
0ff20ca6e47e27698453d361dff8469e99c3ee59
-
SHA256
1b1d3ed335bfc261e298fc4fa8fdce225ae2783b8cca693048facb87d6f6885b
-
SHA512
385d00e0a044581dca4d5d081f2e1ffa3a6922e4c4ba6b1895ae167d2df1ec395269c0788f70cb8580b9da2b764a7f4f31ce7562e923b3ffd4412708f4d02b6f
-
SSDEEP
1536:dtF6qP6DTPap0l1851oLsJifTduD4oTxw:noip0ly51ysJibdMTxw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcfphn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgogojd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdkghg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdoiaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hojibgkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkcgdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekjcaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lomqmoob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompfnoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ampaho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibocnnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lngkjhmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhdae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajggjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlcehhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiajeoip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmcejbbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdjonng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhgpbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbiphhhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdamph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhchhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbdbcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnohinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlkfbocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmphjfab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omkmhlpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblidkhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fibocnnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaifin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jecoog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmcnlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekoniian.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkpjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedjkkmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mieeka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbhjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafpjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apeknk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koceep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjlqklp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogndki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkfkmmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgmhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piapkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oefamoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moobkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeffip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gokbgpeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihkjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpckclld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mijofaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaoaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agndidce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mefmbbod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhdgpii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpdgqmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knpmcl32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/1324-0-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x00040000000222d5-8.dat family_berbew behavioral2/memory/968-7-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x00040000000222d5-6.dat family_berbew behavioral2/files/0x0007000000022d34-14.dat family_berbew behavioral2/files/0x0007000000022d34-15.dat family_berbew behavioral2/memory/2752-16-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/memory/4772-23-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0007000000022d37-22.dat family_berbew behavioral2/files/0x0007000000022d37-24.dat family_berbew behavioral2/files/0x0008000000022d4e-30.dat family_berbew behavioral2/memory/2248-31-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0008000000022d4e-32.dat family_berbew behavioral2/files/0x0008000000022d57-38.dat family_berbew behavioral2/files/0x0008000000022d57-39.dat family_berbew behavioral2/memory/2456-40-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1c-46.dat family_berbew behavioral2/files/0x0006000000022e1c-47.dat family_berbew behavioral2/memory/3300-48-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1f-54.dat family_berbew behavioral2/files/0x0006000000022e1f-55.dat family_berbew behavioral2/memory/3896-56-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0008000000022d2f-62.dat family_berbew behavioral2/memory/1576-63-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0008000000022d2f-64.dat family_berbew behavioral2/files/0x0006000000022e22-70.dat family_berbew behavioral2/files/0x0006000000022e22-71.dat family_berbew behavioral2/memory/3504-72-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e24-79.dat family_berbew behavioral2/memory/1324-80-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/memory/4904-85-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e24-78.dat family_berbew behavioral2/files/0x0006000000022e26-87.dat family_berbew behavioral2/memory/968-88-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/memory/3056-90-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e26-89.dat family_berbew behavioral2/files/0x0006000000022e28-96.dat family_berbew behavioral2/files/0x0006000000022e28-98.dat family_berbew behavioral2/memory/2752-97-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/memory/3760-99-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2a-105.dat family_berbew behavioral2/memory/4772-107-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/memory/2208-108-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2a-106.dat family_berbew behavioral2/files/0x0006000000022e2c-114.dat family_berbew behavioral2/memory/2248-116-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2c-115.dat family_berbew behavioral2/memory/1168-121-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2f-123.dat family_berbew behavioral2/memory/2456-125-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/memory/3592-130-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e31-132.dat family_berbew behavioral2/files/0x0006000000022e2f-124.dat family_berbew behavioral2/files/0x0006000000022e31-134.dat family_berbew behavioral2/memory/3820-139-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/memory/3300-133-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e33-141.dat family_berbew behavioral2/memory/4696-148-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e35-150.dat family_berbew behavioral2/files/0x0006000000022e33-142.dat family_berbew behavioral2/memory/3896-143-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/memory/1612-157-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral2/files/0x0006000000022e35-152.dat family_berbew behavioral2/memory/1576-151-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 968 Lmdnbn32.exe 2752 Lflbkcll.exe 4772 Modgdicm.exe 2248 Mnegbp32.exe 2456 Mnhdgpii.exe 3300 Mnjqmpgg.exe 3896 Mcgiefen.exe 1576 Mmpmnl32.exe 3504 Mgeakekd.exe 4904 Nqmfdj32.exe 3056 Nfjola32.exe 3760 Ncnofeof.exe 2208 Nncccnol.exe 1168 Nglhld32.exe 3592 Nmipdk32.exe 3820 Ngndaccj.exe 4696 Nagiji32.exe 1612 Omnjojpo.exe 3692 Ojajin32.exe 3224 Ogekbb32.exe 2740 Oanokhdb.exe 888 Oaplqh32.exe 1164 Ohlqcagj.exe 4596 Pmiikh32.exe 2644 Phonha32.exe 1864 Pmlfqh32.exe 4028 Pdenmbkk.exe 3656 Pnkbkk32.exe 2464 Pdhkcb32.exe 2172 Pnmopk32.exe 4764 Palklf32.exe 3616 Pmblagmf.exe 4336 Qhhpop32.exe 1408 Qpcecb32.exe 5104 Qfmmplad.exe 2416 Qacameaj.exe 5044 Qdaniq32.exe 3272 Aogbfi32.exe 2944 Adcjop32.exe 3284 Amlogfel.exe 4944 Ahaceo32.exe 5072 Aajhndkb.exe 4692 Ahdpjn32.exe 1044 Amqhbe32.exe 1600 Akdilipp.exe 828 Aaoaic32.exe 1624 Bgkiaj32.exe 3020 Bobabg32.exe 3652 Bhkfkmmg.exe 2332 Boenhgdd.exe 2832 Bacjdbch.exe 1504 Bogkmgba.exe 2940 Bhblllfo.exe 684 Bkphhgfc.exe 4024 Bajqda32.exe 2240 Cdimqm32.exe 1256 Cggimh32.exe 220 Cnaaib32.exe 4308 Cponen32.exe 3920 Cgifbhid.exe 1856 Cncnob32.exe 3436 Cdmfllhn.exe 2196 Ckgohf32.exe 2684 Cpdgqmnb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ihdjfhhc.exe Imofip32.exe File created C:\Windows\SysWOW64\Opiipkfb.exe Ogndki32.exe File created C:\Windows\SysWOW64\Ndddeknc.dll Phjdggoj.exe File created C:\Windows\SysWOW64\Ckealm32.exe Calmcg32.exe File created C:\Windows\SysWOW64\Fbjieo32.dll Bobabg32.exe File created C:\Windows\SysWOW64\Okjpkd32.dll Finnef32.exe File created C:\Windows\SysWOW64\Bloflk32.exe Addahh32.exe File created C:\Windows\SysWOW64\Ejdhcjpl.exe Ecjpfp32.exe File created C:\Windows\SysWOW64\Fkajoiok.exe Fgenoj32.exe File created C:\Windows\SysWOW64\Mlnijmhc.exe Mhbmin32.exe File opened for modification C:\Windows\SysWOW64\Jjhjli32.exe Jdkadb32.exe File opened for modification C:\Windows\SysWOW64\Onapnbhi.exe Ohggah32.exe File created C:\Windows\SysWOW64\Ciaaqgdb.dll Padeem32.exe File created C:\Windows\SysWOW64\Mnjqmpgg.exe Mnhdgpii.exe File opened for modification C:\Windows\SysWOW64\Damfao32.exe Dgcihgaj.exe File created C:\Windows\SysWOW64\Cgecpa32.exe Cnmoglij.exe File created C:\Windows\SysWOW64\Dkehlo32.exe Dgjmkqke.exe File created C:\Windows\SysWOW64\Bpemfc32.dll Laiipofp.exe File created C:\Windows\SysWOW64\Lemjlcgo.exe Locbpi32.exe File created C:\Windows\SysWOW64\Mimphakb.exe Mhncnodp.exe File created C:\Windows\SysWOW64\Eibfmp32.exe Efdjqeni.exe File created C:\Windows\SysWOW64\Jnajolfl.dll Fmjqjqao.exe File created C:\Windows\SysWOW64\Omooiflc.dll Mmcnlc32.exe File created C:\Windows\SysWOW64\Lbandhne.dll Qacameaj.exe File opened for modification C:\Windows\SysWOW64\Bnaolm32.exe Bpmobi32.exe File created C:\Windows\SysWOW64\Jaodkk32.exe Jhgpbf32.exe File created C:\Windows\SysWOW64\Abmhbplf.exe Apnkfelb.exe File created C:\Windows\SysWOW64\Hagqiofj.dll Ggilbb32.exe File created C:\Windows\SysWOW64\Ajohfcpj.exe Abhqefpg.exe File created C:\Windows\SysWOW64\Endnohdp.exe Ekeacmel.exe File created C:\Windows\SysWOW64\Bgafin32.exe Bojohp32.exe File opened for modification C:\Windows\SysWOW64\Lhdqhp32.exe Lefdld32.exe File created C:\Windows\SysWOW64\Hjhaeklb.exe Hgghdp32.exe File opened for modification C:\Windows\SysWOW64\Mqafbaap.exe Mmfkac32.exe File opened for modification C:\Windows\SysWOW64\Ppjbfi32.exe Pjmjnb32.exe File created C:\Windows\SysWOW64\Jkmllk32.dll Cpmajdig.exe File created C:\Windows\SysWOW64\Mjjkejin.dll Jhnojl32.exe File created C:\Windows\SysWOW64\Jojboa32.exe Jhpjbgne.exe File created C:\Windows\SysWOW64\Jefgak32.exe Jnoopm32.exe File opened for modification C:\Windows\SysWOW64\Gjnnoldm.exe Ghmbhd32.exe File created C:\Windows\SysWOW64\Eomgkc32.dll Ddfikaeq.exe File created C:\Windows\SysWOW64\Icamkbbh.dll Fepehm32.exe File opened for modification C:\Windows\SysWOW64\Caqpkjcl.exe Cgklmacf.exe File opened for modification C:\Windows\SysWOW64\Fdamph32.exe Fabqdl32.exe File created C:\Windows\SysWOW64\Ncifdlii.exe Nqkihpie.exe File opened for modification C:\Windows\SysWOW64\Ejmild32.exe Ehomph32.exe File created C:\Windows\SysWOW64\Edmcbd32.dll Lqfgfclm.exe File opened for modification C:\Windows\SysWOW64\Nncccnol.exe Ncnofeof.exe File opened for modification C:\Windows\SysWOW64\Aiplmq32.exe Afappe32.exe File opened for modification C:\Windows\SysWOW64\Oplkgi32.exe Ohebek32.exe File opened for modification C:\Windows\SysWOW64\Dcjnikhc.exe Dpnbhl32.exe File created C:\Windows\SysWOW64\Gjhjad32.dll Kblidkhp.exe File created C:\Windows\SysWOW64\Dpnbhl32.exe Dmpfla32.exe File created C:\Windows\SysWOW64\Bpfkiepp.exe Bkibqnah.exe File created C:\Windows\SysWOW64\Gcmemp32.dll Cpajdc32.exe File created C:\Windows\SysWOW64\Mkiongah.dll Fbbicl32.exe File created C:\Windows\SysWOW64\Heffebak.dll Ipihpkkd.exe File created C:\Windows\SysWOW64\Kaadlo32.dll Nhegig32.exe File created C:\Windows\SysWOW64\Glagpmgi.dll Mieeka32.exe File opened for modification C:\Windows\SysWOW64\Dogdnj32.exe Ddbppa32.exe File opened for modification C:\Windows\SysWOW64\Nmmqgo32.exe Nfchjddj.exe File created C:\Windows\SysWOW64\Pllgej32.dll Cifmjd32.exe File created C:\Windows\SysWOW64\Hpohkn32.dll Lnldeg32.exe File created C:\Windows\SysWOW64\Anfmbd32.dll Dgcihgaj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4368 6208 WerFault.exe 1034 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necphcfk.dll" Laiaqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benjqmcm.dll" Ojgjhicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hldbfp32.dll" Kpldpddh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkekjdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpkcqhdh.dll" Enfckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgdemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjojj32.dll" Ncnofeof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dipnio32.dll" Ikjcmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgqblp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkkjfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdopkhfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddbppa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eohmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnckkha.dll" Eqiibjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlbdba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhkcql32.dll" Ehomph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfccogfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljjicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geqlhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfombmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oapljmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfhfjhli.dll" Mflbjejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfmhecp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gneaelqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibcadcgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daccdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll" Galoohke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbfjljhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldccid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aokceaoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kleajegi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pndlca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbebbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhkgpjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmmejml.dll" Mlkldmjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljjjqd32.dll" Hojibgkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfkiepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll" Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chnlgjlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oihkgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgqqnjea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coigllel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomgkc32.dll" Ddfikaeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll" Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giljfddl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoepmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhpjbgne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jngjmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danlilhh.dll" Naaqhlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foclpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncelonn.dll" Enhpao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll" Bgdemb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnbfjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdpkoalc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlmiagbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbhedopp.dll" Nacmnlkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojpmiij.dll" Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noppeaed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhjcdimf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oopjchnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hojibgkm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1324 wrote to memory of 968 1324 NEAS.798b1f167cade37711408540ff93cb5f.exe 89 PID 1324 wrote to memory of 968 1324 NEAS.798b1f167cade37711408540ff93cb5f.exe 89 PID 1324 wrote to memory of 968 1324 NEAS.798b1f167cade37711408540ff93cb5f.exe 89 PID 968 wrote to memory of 2752 968 Lmdnbn32.exe 90 PID 968 wrote to memory of 2752 968 Lmdnbn32.exe 90 PID 968 wrote to memory of 2752 968 Lmdnbn32.exe 90 PID 2752 wrote to memory of 4772 2752 Lflbkcll.exe 91 PID 2752 wrote to memory of 4772 2752 Lflbkcll.exe 91 PID 2752 wrote to memory of 4772 2752 Lflbkcll.exe 91 PID 4772 wrote to memory of 2248 4772 Modgdicm.exe 92 PID 4772 wrote to memory of 2248 4772 Modgdicm.exe 92 PID 4772 wrote to memory of 2248 4772 Modgdicm.exe 92 PID 2248 wrote to memory of 2456 2248 Mnegbp32.exe 93 PID 2248 wrote to memory of 2456 2248 Mnegbp32.exe 93 PID 2248 wrote to memory of 2456 2248 Mnegbp32.exe 93 PID 2456 wrote to memory of 3300 2456 Mnhdgpii.exe 94 PID 2456 wrote to memory of 3300 2456 Mnhdgpii.exe 94 PID 2456 wrote to memory of 3300 2456 Mnhdgpii.exe 94 PID 3300 wrote to memory of 3896 3300 Mnjqmpgg.exe 95 PID 3300 wrote to memory of 3896 3300 Mnjqmpgg.exe 95 PID 3300 wrote to memory of 3896 3300 Mnjqmpgg.exe 95 PID 3896 wrote to memory of 1576 3896 Mcgiefen.exe 96 PID 3896 wrote to memory of 1576 3896 Mcgiefen.exe 96 PID 3896 wrote to memory of 1576 3896 Mcgiefen.exe 96 PID 1576 wrote to memory of 3504 1576 Mmpmnl32.exe 97 PID 1576 wrote to memory of 3504 1576 Mmpmnl32.exe 97 PID 1576 wrote to memory of 3504 1576 Mmpmnl32.exe 97 PID 3504 wrote to memory of 4904 3504 Mgeakekd.exe 98 PID 3504 wrote to memory of 4904 3504 Mgeakekd.exe 98 PID 3504 wrote to memory of 4904 3504 Mgeakekd.exe 98 PID 4904 wrote to memory of 3056 4904 Nqmfdj32.exe 99 PID 4904 wrote to memory of 3056 4904 Nqmfdj32.exe 99 PID 4904 wrote to memory of 3056 4904 Nqmfdj32.exe 99 PID 3056 wrote to memory of 3760 3056 Nfjola32.exe 100 PID 3056 wrote to memory of 3760 3056 Nfjola32.exe 100 PID 3056 wrote to memory of 3760 3056 Nfjola32.exe 100 PID 3760 wrote to memory of 2208 3760 Ncnofeof.exe 101 PID 3760 wrote to memory of 2208 3760 Ncnofeof.exe 101 PID 3760 wrote to memory of 2208 3760 Ncnofeof.exe 101 PID 2208 wrote to memory of 1168 2208 Nncccnol.exe 102 PID 2208 wrote to memory of 1168 2208 Nncccnol.exe 102 PID 2208 wrote to memory of 1168 2208 Nncccnol.exe 102 PID 1168 wrote to memory of 3592 1168 Nglhld32.exe 103 PID 1168 wrote to memory of 3592 1168 Nglhld32.exe 103 PID 1168 wrote to memory of 3592 1168 Nglhld32.exe 103 PID 3592 wrote to memory of 3820 3592 Nmipdk32.exe 104 PID 3592 wrote to memory of 3820 3592 Nmipdk32.exe 104 PID 3592 wrote to memory of 3820 3592 Nmipdk32.exe 104 PID 3820 wrote to memory of 4696 3820 Ngndaccj.exe 105 PID 3820 wrote to memory of 4696 3820 Ngndaccj.exe 105 PID 3820 wrote to memory of 4696 3820 Ngndaccj.exe 105 PID 4696 wrote to memory of 1612 4696 Nagiji32.exe 106 PID 4696 wrote to memory of 1612 4696 Nagiji32.exe 106 PID 4696 wrote to memory of 1612 4696 Nagiji32.exe 106 PID 1612 wrote to memory of 3692 1612 Omnjojpo.exe 107 PID 1612 wrote to memory of 3692 1612 Omnjojpo.exe 107 PID 1612 wrote to memory of 3692 1612 Omnjojpo.exe 107 PID 3692 wrote to memory of 3224 3692 Ojajin32.exe 108 PID 3692 wrote to memory of 3224 3692 Ojajin32.exe 108 PID 3692 wrote to memory of 3224 3692 Ojajin32.exe 108 PID 3224 wrote to memory of 2740 3224 Ogekbb32.exe 109 PID 3224 wrote to memory of 2740 3224 Ogekbb32.exe 109 PID 3224 wrote to memory of 2740 3224 Ogekbb32.exe 109 PID 2740 wrote to memory of 888 2740 Oanokhdb.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.798b1f167cade37711408540ff93cb5f.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.798b1f167cade37711408540ff93cb5f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Modgdicm.exeC:\Windows\system32\Modgdicm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Mnegbp32.exeC:\Windows\system32\Mnegbp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Mnhdgpii.exeC:\Windows\system32\Mnhdgpii.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Mmpmnl32.exeC:\Windows\system32\Mmpmnl32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Mgeakekd.exeC:\Windows\system32\Mgeakekd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Nfjola32.exeC:\Windows\system32\Nfjola32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Ncnofeof.exeC:\Windows\system32\Ncnofeof.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Nncccnol.exeC:\Windows\system32\Nncccnol.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Nagiji32.exeC:\Windows\system32\Nagiji32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Ojajin32.exeC:\Windows\system32\Ojajin32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe23⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Ohlqcagj.exeC:\Windows\system32\Ohlqcagj.exe24⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Pmiikh32.exeC:\Windows\system32\Pmiikh32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Phonha32.exeC:\Windows\system32\Phonha32.exe26⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Pmlfqh32.exeC:\Windows\system32\Pmlfqh32.exe27⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Pdenmbkk.exeC:\Windows\system32\Pdenmbkk.exe28⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Pnkbkk32.exeC:\Windows\system32\Pnkbkk32.exe29⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Pdhkcb32.exeC:\Windows\system32\Pdhkcb32.exe30⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe31⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Palklf32.exeC:\Windows\system32\Palklf32.exe32⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Pmblagmf.exeC:\Windows\system32\Pmblagmf.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe34⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Qpcecb32.exeC:\Windows\system32\Qpcecb32.exe35⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe36⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe38⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Aogbfi32.exeC:\Windows\system32\Aogbfi32.exe39⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe40⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Amlogfel.exeC:\Windows\system32\Amlogfel.exe41⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe42⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe43⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Ahdpjn32.exeC:\Windows\system32\Ahdpjn32.exe44⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Amqhbe32.exeC:\Windows\system32\Amqhbe32.exe45⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Aaoaic32.exeC:\Windows\system32\Aaoaic32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Bgkiaj32.exeC:\Windows\system32\Bgkiaj32.exe48⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Bhkfkmmg.exeC:\Windows\system32\Bhkfkmmg.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe51⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe52⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Bhblllfo.exeC:\Windows\system32\Bhblllfo.exe54⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe55⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe56⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe57⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Cggimh32.exeC:\Windows\system32\Cggimh32.exe58⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Cnaaib32.exeC:\Windows\system32\Cnaaib32.exe59⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe60⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Cgifbhid.exeC:\Windows\system32\Cgifbhid.exe61⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Cncnob32.exeC:\Windows\system32\Cncnob32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Ckgohf32.exeC:\Windows\system32\Ckgohf32.exe64⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Cgnomg32.exeC:\Windows\system32\Cgnomg32.exe66⤵PID:2736
-
C:\Windows\SysWOW64\Ckjknfnh.exeC:\Windows\system32\Ckjknfnh.exe67⤵PID:3248
-
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe68⤵PID:4180
-
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe69⤵
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Cnjdpaki.exeC:\Windows\system32\Cnjdpaki.exe70⤵PID:2544
-
C:\Windows\SysWOW64\Dgcihgaj.exeC:\Windows\system32\Dgcihgaj.exe71⤵
- Drops file in System32 directory
PID:4352 -
C:\Windows\SysWOW64\Damfao32.exeC:\Windows\system32\Damfao32.exe72⤵PID:4420
-
C:\Windows\SysWOW64\Dkekjdck.exeC:\Windows\system32\Dkekjdck.exe73⤵
- Modifies registry class
PID:4256 -
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe74⤵PID:3116
-
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe75⤵PID:1352
-
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe76⤵
- Modifies registry class
PID:3632 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe77⤵PID:792
-
C:\Windows\SysWOW64\Egohdegl.exeC:\Windows\system32\Egohdegl.exe78⤵PID:3908
-
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe79⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Eohmkb32.exeC:\Windows\system32\Eohmkb32.exe80⤵
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Eqiibjlj.exeC:\Windows\system32\Eqiibjlj.exe81⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Egcaod32.exeC:\Windows\system32\Egcaod32.exe82⤵PID:5272
-
C:\Windows\SysWOW64\Ebifmm32.exeC:\Windows\system32\Ebifmm32.exe83⤵PID:5344
-
C:\Windows\SysWOW64\Ekajec32.exeC:\Windows\system32\Ekajec32.exe84⤵PID:5384
-
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe85⤵PID:5428
-
C:\Windows\SysWOW64\Eiekog32.exeC:\Windows\system32\Eiekog32.exe86⤵PID:5468
-
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe87⤵PID:5516
-
C:\Windows\SysWOW64\Fgjhpcmo.exeC:\Windows\system32\Fgjhpcmo.exe88⤵PID:5560
-
C:\Windows\SysWOW64\Fbplml32.exeC:\Windows\system32\Fbplml32.exe89⤵PID:5604
-
C:\Windows\SysWOW64\Fdnhih32.exeC:\Windows\system32\Fdnhih32.exe90⤵PID:5648
-
C:\Windows\SysWOW64\Fkhpfbce.exeC:\Windows\system32\Fkhpfbce.exe91⤵PID:5688
-
C:\Windows\SysWOW64\Fbbicl32.exeC:\Windows\system32\Fbbicl32.exe92⤵
- Drops file in System32 directory
PID:5732 -
C:\Windows\SysWOW64\Filapfbo.exeC:\Windows\system32\Filapfbo.exe93⤵PID:5772
-
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe94⤵PID:5820
-
C:\Windows\SysWOW64\Fniihmpf.exeC:\Windows\system32\Fniihmpf.exe95⤵PID:5860
-
C:\Windows\SysWOW64\Fqgedh32.exeC:\Windows\system32\Fqgedh32.exe96⤵PID:5908
-
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe97⤵
- Drops file in System32 directory
PID:5952 -
C:\Windows\SysWOW64\Fohfbpgi.exeC:\Windows\system32\Fohfbpgi.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5996 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe99⤵PID:6036
-
C:\Windows\SysWOW64\Fgcjfbed.exeC:\Windows\system32\Fgcjfbed.exe100⤵PID:6080
-
C:\Windows\SysWOW64\Gokbgpeg.exeC:\Windows\system32\Gokbgpeg.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6124 -
C:\Windows\SysWOW64\Galoohke.exeC:\Windows\system32\Galoohke.exe102⤵
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Gnpphljo.exeC:\Windows\system32\Gnpphljo.exe103⤵PID:5264
-
C:\Windows\SysWOW64\Ganldgib.exeC:\Windows\system32\Ganldgib.exe104⤵PID:5328
-
C:\Windows\SysWOW64\Giecfejd.exeC:\Windows\system32\Giecfejd.exe105⤵PID:5440
-
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe106⤵PID:5532
-
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe107⤵PID:5632
-
C:\Windows\SysWOW64\Geldkfpi.exeC:\Windows\system32\Geldkfpi.exe108⤵PID:5708
-
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe109⤵PID:5780
-
C:\Windows\SysWOW64\Gpaihooo.exeC:\Windows\system32\Gpaihooo.exe110⤵PID:5844
-
C:\Windows\SysWOW64\Gbpedjnb.exeC:\Windows\system32\Gbpedjnb.exe111⤵PID:5944
-
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe112⤵PID:6004
-
C:\Windows\SysWOW64\Glhimp32.exeC:\Windows\system32\Glhimp32.exe113⤵PID:6108
-
C:\Windows\SysWOW64\Gngeik32.exeC:\Windows\system32\Gngeik32.exe114⤵PID:2316
-
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe115⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe116⤵
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Hlkfbocp.exeC:\Windows\system32\Hlkfbocp.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5756 -
C:\Windows\SysWOW64\Hecjke32.exeC:\Windows\system32\Hecjke32.exe118⤵PID:5872
-
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe119⤵PID:6020
-
C:\Windows\SysWOW64\Hajkqfoe.exeC:\Windows\system32\Hajkqfoe.exe120⤵PID:6136
-
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe121⤵PID:5456
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-