Analysis
- max time kernel: 175s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/11/2023, 17:36
Behavioral task behavioral1
- Sample: NEAS.a170d8a02830fa34939005b74975c0b0.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: NEAS.a170d8a02830fa34939005b74975c0b0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.a170d8a02830fa34939005b74975c0b0.exe
- Size: 199KB
- MD5: a170d8a02830fa34939005b74975c0b0
- SHA1: dd12fe300b501da85b049101c37259fc40450e15
- SHA256: 2cb3d2944247bf9b5cac204a32d1e23cd35b023a7efeddaceed6b24f62b57ac9
- SHA512: 15c8c3f5c7aae0e638a0167c9af89e0a5f13aa0914c19ec7f95589467741982f29d3fb5989816a0b339b59785180b5b4eea1489e7519b4422df126e1f0ea9b92
- SSDEEP: 6144:2S0BvfftSZSCZj81+jq4peBK034YOmFz1h:2pBvoZSCG1+jheBbOmFxh
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlbkjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qejkfp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhnhkpgo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kddnpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljloii32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfjofg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cponodge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpdqlgdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofgmdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nelmik32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlfnkoia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qkegiggl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mledgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekggijge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcmfgimm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcmongoj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqhfhjhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iffmmihf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qaofphbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iljpbp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdalfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlclnhho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjgpoq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nqhfhjhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mchpibng.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akpojpic.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mggecl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mobjho32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doiabgqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knbaoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lojmmi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbbkmebo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iffmmihf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nebdighb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpenoe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpbpmhjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjccna32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Holfhfij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lqfgfclm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofcale32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | NEAS.a170d8a02830fa34939005b74975c0b0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phdngljk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqpccp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Caojigoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nobldfio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkmgladi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmliem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jncobabm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iocliecb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qfkqcb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llnnfnlc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnfcbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omegdebp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dddlfa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dqpffaib.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Himqjpme.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glenpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnendhol.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogeklh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apjkmgjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlcgam32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eekanh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgjggkqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hipdjfoo.exe
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x000a000000022cee-7.dat | family_berbew
behavioral2/files/0x000a000000022cee-9.dat | family_berbew
behavioral2/files/0x0006000000022d05-15.dat | family_berbew
behavioral2/files/0x0006000000022d05-17.dat | family_berbew
behavioral2/files/0x0006000000022d07-23.dat | family_berbew
behavioral2/files/0x0006000000022d07-25.dat | family_berbew
behavioral2/files/0x0006000000022d09-31.dat | family_berbew
behavioral2/files/0x0006000000022d09-32.dat | family_berbew
behavioral2/files/0x0006000000022d0b-39.dat | family_berbew
behavioral2/files/0x0006000000022d0b-41.dat | family_berbew
behavioral2/files/0x0006000000022d0d-42.dat | family_berbew
behavioral2/files/0x0006000000022d0d-47.dat | family_berbew
behavioral2/files/0x0006000000022d0d-49.dat | family_berbew
behavioral2/files/0x0006000000022d10-55.dat | family_berbew
behavioral2/files/0x0006000000022d10-57.dat | family_berbew
behavioral2/files/0x0006000000022d13-64.dat | family_berbew
behavioral2/files/0x0006000000022d13-66.dat | family_berbew
behavioral2/files/0x0006000000022d15-72.dat | family_berbew
behavioral2/files/0x0006000000022d15-74.dat | family_berbew
behavioral2/files/0x0007000000022d16-80.dat | family_berbew
behavioral2/files/0x0007000000022d16-82.dat | family_berbew
behavioral2/files/0x0006000000022d18-88.dat | family_berbew
behavioral2/files/0x0006000000022d18-90.dat | family_berbew
behavioral2/files/0x0008000000022cf9-96.dat | family_berbew
behavioral2/files/0x0008000000022cf9-97.dat | family_berbew
behavioral2/files/0x000c000000022d00-99.dat | family_berbew
behavioral2/files/0x000c000000022d00-104.dat | family_berbew
behavioral2/files/0x000c000000022d00-105.dat | family_berbew
behavioral2/files/0x0008000000022d0e-112.dat | family_berbew
behavioral2/files/0x0008000000022d0e-114.dat | family_berbew
behavioral2/files/0x0006000000022d1c-120.dat | family_berbew
behavioral2/files/0x0006000000022d1c-122.dat | family_berbew
behavioral2/files/0x0006000000022d1e-124.dat | family_berbew
behavioral2/files/0x0006000000022d1e-128.dat | family_berbew
behavioral2/files/0x0006000000022d1e-129.dat | family_berbew
behavioral2/files/0x0006000000022d20-137.dat | family_berbew
behavioral2/files/0x0006000000022d20-136.dat | family_berbew
behavioral2/files/0x0006000000022d22-144.dat | family_berbew
behavioral2/files/0x0006000000022d22-146.dat | family_berbew
behavioral2/files/0x0006000000022d25-147.dat | family_berbew
behavioral2/files/0x0006000000022d25-152.dat | family_berbew
behavioral2/files/0x0006000000022d25-154.dat | family_berbew
behavioral2/files/0x0006000000022d27-160.dat | family_berbew
behavioral2/files/0x0006000000022d27-162.dat | family_berbew
behavioral2/files/0x0006000000022d29-163.dat | family_berbew
behavioral2/files/0x0006000000022d29-168.dat | family_berbew
behavioral2/files/0x0006000000022d29-169.dat | family_berbew
behavioral2/files/0x0006000000022d2b-176.dat | family_berbew
behavioral2/files/0x0006000000022d2b-177.dat | family_berbew
behavioral2/files/0x0006000000022d2f-184.dat | family_berbew
behavioral2/files/0x0006000000022d2f-186.dat | family_berbew
behavioral2/files/0x0006000000022d31-192.dat | family_berbew
behavioral2/files/0x0006000000022d31-193.dat | family_berbew
behavioral2/files/0x0006000000022d33-200.dat | family_berbew
behavioral2/files/0x0006000000022d33-201.dat | family_berbew
behavioral2/files/0x0006000000022d35-203.dat | family_berbew
behavioral2/files/0x0006000000022d35-207.dat | family_berbew
behavioral2/files/0x0006000000022d35-209.dat | family_berbew
behavioral2/files/0x0006000000022d37-216.dat | family_berbew
behavioral2/files/0x0006000000022d37-217.dat | family_berbew
behavioral2/files/0x0006000000022d39-219.dat | family_berbew
behavioral2/files/0x0006000000022d39-224.dat | family_berbew
behavioral2/files/0x0006000000022d39-226.dat | family_berbew
behavioral2/files/0x0006000000022d3e-232.dat | family_berbew
- Executes dropped EXE (64 IoCs)
pid | Process
4756 | Hoglbc32.exe
3608 | Dqfceoje.exe
5024 | Fcibchgq.exe
1732 | Fpbpmhjb.exe
1124 | Gfcnka32.exe
1960 | Hpchdf32.exe
580 | Ijpcbn32.exe
2980 | Ihkila32.exe
1388 | Jaekkfcm.exe
568 | Khplnn32.exe
4996 | Lnfgmc32.exe
236 | Bpggbm32.exe
4104 | Ccacjgfb.exe
3280 | Dpcpei32.exe
3048 | Elojej32.exe
3472 | Fcfocb32.exe
60 | Gjgmpkfl.exe
1944 | Gmfilfep.exe
2860 | Hmolbene.exe
2744 | Himche32.exe
3096 | Ibhdgjap.exe
1692 | Iffmmihf.exe
3816 | Jmihpa32.exe
4624 | Jmnakqcc.exe
2924 | Jdhigk32.exe
5116 | Jdjfmjhm.exe
3108 | Kinefp32.exe
4952 | Lkpnec32.exe
2580 | Eekanh32.exe
4844 | Hcimei32.exe
4116 | Jbqpbbfi.exe
3716 | Jpdqlgdc.exe
2676 | Kpncbemh.exe
4696 | Mibpng32.exe
1676 | Nebdighb.exe
3984 | Ofgmdf32.exe
4592 | Ogkcihgj.exe
4300 | Onekeb32.exe
1892 | Pnlafaio.exe
4916 | Pmangnmg.exe
3372 | Qnhabp32.exe
5084 | Ddonnq32.exe
2976 | Ekpmljin.exe
1276 | Eeeaibid.exe
4172 | Eggmqk32.exe
4396 | Femgia32.exe
4428 | Fnoboc32.exe
4288 | Fggfghap.exe
1304 | Gehfepio.exe
1724 | Gkeonggf.exe
4032 | Hbhjqp32.exe
4692 | Hgebif32.exe
3960 | Ifpemmdd.exe
4140 | Inkjao32.exe
220 | Jgmapcqe.exe
1628 | Jecoog32.exe
2756 | Jkmgladi.exe
3348 | Jbgoik32.exe
4352 | Jiageecb.exe
2852 | Ajlngk32.exe
1712 | Bgnkamef.exe
1584 | Bmkcjd32.exe
4044 | Boipfp32.exe
4600 | Bfchcijo.exe
- Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Gkeonggf.exe | Gehfepio.exe
File opened for modification | C:\Windows\SysWOW64\Jgmapcqe.exe | Inkjao32.exe
File created | C:\Windows\SysWOW64\Beomhm32.exe | Boeelcmm.exe
File created | C:\Windows\SysWOW64\Lnoijo32.dll | Cknlln32.exe
File created | C:\Windows\SysWOW64\Fldabbgk.dll | Enmjedpa.exe
File opened for modification | C:\Windows\SysWOW64\Aabkldcl.exe | Afmfolcf.exe
File created | C:\Windows\SysWOW64\Ohcdlepj.dll | NEAS.a170d8a02830fa34939005b74975c0b0.exe
File created | C:\Windows\SysWOW64\Himche32.exe | Hmolbene.exe
File created | C:\Windows\SysWOW64\Bpmhab32.dll | Jncfmgfi.exe
File opened for modification | C:\Windows\SysWOW64\Phjdggoj.exe | Omdpio32.exe
File created | C:\Windows\SysWOW64\Apmhbf32.exe | Akpojpic.exe
File created | C:\Windows\SysWOW64\Amegnd32.dll | Enfceefi.exe
File created | C:\Windows\SysWOW64\Kifodcej.exe | Kcmfgimm.exe
File created | C:\Windows\SysWOW64\Opdadpln.dll | Omjfij32.exe
File opened for modification | C:\Windows\SysWOW64\Ofeggo32.exe | Ookokeqd.exe
File created | C:\Windows\SysWOW64\Aimoqgqg.exe | Abcgdm32.exe
File created | C:\Windows\SysWOW64\Kbejcm32.dll | Dpcpei32.exe
File opened for modification | C:\Windows\SysWOW64\Pjkmhblk.exe | Pdqelh32.exe
File created | C:\Windows\SysWOW64\Pfcchmlq.exe | Ppiklc32.exe
File opened for modification | C:\Windows\SysWOW64\Khplnn32.exe | Jaekkfcm.exe
File created | C:\Windows\SysWOW64\Onekeb32.exe | Ogkcihgj.exe
File opened for modification | C:\Windows\SysWOW64\Lhlkep32.exe | Laachfbe.exe
File opened for modification | C:\Windows\SysWOW64\Gfcnka32.exe | Fpbpmhjb.exe
File opened for modification | C:\Windows\SysWOW64\Oolgbpei.exe | Ohboeenl.exe
File created | C:\Windows\SysWOW64\Kdfjej32.exe | Kknfmdko.exe
File opened for modification | C:\Windows\SysWOW64\Mndapl32.exe | Mgjicb32.exe
File created | C:\Windows\SysWOW64\Pmgcidqm.exe | Ohkkanbe.exe
File created | C:\Windows\SysWOW64\Lqhdlc32.exe | Lnjgpgkf.exe
File created | C:\Windows\SysWOW64\Ehndhn32.exe | Ebdlkdlp.exe
File created | C:\Windows\SysWOW64\Aehofbhf.dll | Hefneq32.exe
File created | C:\Windows\SysWOW64\Ebkolf32.dll | Jlclnhho.exe
File opened for modification | C:\Windows\SysWOW64\Oegejc32.exe | Onnmmipj.exe
File created | C:\Windows\SysWOW64\Qejkfp32.exe | Qkegiggl.exe
File created | C:\Windows\SysWOW64\Nqmfnp32.exe | Njcnafpe.exe
File created | C:\Windows\SysWOW64\Ccacjgfb.exe | Bpggbm32.exe
File opened for modification | C:\Windows\SysWOW64\Jkmgladi.exe | Jecoog32.exe
File created | C:\Windows\SysWOW64\Jncfmgfi.exe | Hdmecdlh.exe
File created | C:\Windows\SysWOW64\Ekpceh32.dll | Nhhlog32.exe
File opened for modification | C:\Windows\SysWOW64\Jncobabm.exe | Innfgb32.exe
File created | C:\Windows\SysWOW64\Kjccna32.exe | Kdfjej32.exe
File created | C:\Windows\SysWOW64\Pjfloq32.dll | Mccfnc32.exe
File opened for modification | C:\Windows\SysWOW64\Gejoib32.exe | Gblbmg32.exe
File created | C:\Windows\SysWOW64\Fqblbo32.exe | Edgbbo32.exe
File created | C:\Windows\SysWOW64\Ookokeqd.exe | Oiagnk32.exe
File created | C:\Windows\SysWOW64\Ofeggo32.exe | Ookokeqd.exe
File created | C:\Windows\SysWOW64\Qifiph32.exe | Qakdke32.exe
File opened for modification | C:\Windows\SysWOW64\Omegdebp.exe | Ohhnln32.exe
File created | C:\Windows\SysWOW64\Eggmqk32.exe | Eeeaibid.exe
File opened for modification | C:\Windows\SysWOW64\Iiigqdfd.exe | Hdmohnhl.exe
File created | C:\Windows\SysWOW64\Ilndon32.dll | Lcbfmomc.exe
File opened for modification | C:\Windows\SysWOW64\Doojni32.exe | Ddifaqcn.exe
File created | C:\Windows\SysWOW64\Ocdnedkp.exe | Omjfij32.exe
File opened for modification | C:\Windows\SysWOW64\Fkflbb32.exe | Dapkho32.exe
File created | C:\Windows\SysWOW64\Ncbcjefh.dll | Nbefmopd.exe
File created | C:\Windows\SysWOW64\Pjbgla32.dll | Gfjkce32.exe
File opened for modification | C:\Windows\SysWOW64\Hpgigj32.exe | Himqjpme.exe
File created | C:\Windows\SysWOW64\Dlfbgp32.dll | Iibclmkn.exe
File created | C:\Windows\SysWOW64\Akpbae32.dll | Kflink32.exe
File opened for modification | C:\Windows\SysWOW64\Qhfcbfdl.exe | Ppgeqijb.exe
File opened for modification | C:\Windows\SysWOW64\Adanbffk.exe | Qfkqcb32.exe
File opened for modification | C:\Windows\SysWOW64\Bpkllo32.exe | Bfchcijo.exe
File created | C:\Windows\SysWOW64\Fcojkgea.dll | Qaofphbd.exe
File created | C:\Windows\SysWOW64\Qkgcog32.exe | Qejkfp32.exe
File created | C:\Windows\SysWOW64\Mnanpfdo.exe | Mggecl32.exe
- Program crash (2 IoCs)
pid | pid_target | Process | procid_target
5124 | 8832 | WerFault.exe | 506
9044 | 8832 | WerFault.exe | 506
- Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ekpmljin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nelmik32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pimkkfka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qkegiggl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Anobaa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jekqgnno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gfcnka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaalfihk.dll" | Laachfbe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdhmjc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kddnpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Alkidi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcqghgah.dll" | Apjkmgjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgklqbim.dll" | Ookokeqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgopofnb.dll" | Jpdqlgdc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gehfepio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpjlgp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mqpqghgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldjldd32.dll" | Ccacjgfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mccfnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illiee32.dll" | Hdmecdlh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pedlpgqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggcdm32.dll" | Kknfmdko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ekjdnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddgqgej.dll" | Nfenpafc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjjfnlho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fcfocb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkhkdjli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjbgla32.dll" | Gfjkce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoed32.dll" | Illfmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhafak32.dll" | Ipjocgdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Manfgh32.dll" | Bpkllo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Geohdago.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lqhdlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abibbnjl.dll" | Ogcnfheb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndgndepc.dll" | Pdqelh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhnhkpgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necbhj32.dll" | Jdhigk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dpcpei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfmalli.dll" | Hingefqa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hoobnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ccacjgfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmmqbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildnhceg.dll" | Qmepkb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Anobaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdoikhh.dll" | Bokeai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pdkolm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iliihipi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mcmongoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdhigk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnghh32.dll" | Jjoibadl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hlipal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnanpfdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ommjipel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bopefnnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapijhaf.dll" | Cahdhhep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | NEAS.a170d8a02830fa34939005b74975c0b0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agkghaec.dll" | Cflkihbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pknqhh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pahiebeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icaegiab.dll" | Cfmijkhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdhmjc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pbcnmogm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jpdqlgdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkeonggf.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child write appears three times in the original flat list; the "records" column keeps that count instead of repeating the row. The list is capped at 64 records, so the last edge (3096 -> 1692) is cut off after its first record.

description | pid | Process | procid_target | records
PID 2784 wrote to memory of 4756 | 2784 | NEAS.a170d8a02830fa34939005b74975c0b0.exe | 96 | 3
PID 4756 wrote to memory of 3608 | 4756 | Hoglbc32.exe | 97 | 3
PID 3608 wrote to memory of 5024 | 3608 | Dqfceoje.exe | 98 | 3
PID 5024 wrote to memory of 1732 | 5024 | Fcibchgq.exe | 99 | 3
PID 1732 wrote to memory of 1124 | 1732 | Fpbpmhjb.exe | 100 | 3
PID 1124 wrote to memory of 1960 | 1124 | Gfcnka32.exe | 101 | 3
PID 1960 wrote to memory of 580 | 1960 | Hpchdf32.exe | 102 | 3
PID 580 wrote to memory of 2980 | 580 | Ijpcbn32.exe | 103 | 3
PID 2980 wrote to memory of 1388 | 2980 | Ihkila32.exe | 104 | 3
PID 1388 wrote to memory of 568 | 1388 | Jaekkfcm.exe | 105 | 3
PID 568 wrote to memory of 4996 | 568 | Khplnn32.exe | 107 | 3
PID 4996 wrote to memory of 236 | 4996 | Lnfgmc32.exe | 108 | 3
PID 236 wrote to memory of 4104 | 236 | Bpggbm32.exe | 109 | 3
PID 4104 wrote to memory of 3280 | 4104 | Ccacjgfb.exe | 110 | 3
PID 3280 wrote to memory of 3048 | 3280 | Dpcpei32.exe | 111 | 3
PID 3048 wrote to memory of 3472 | 3048 | Elojej32.exe | 112 | 3
PID 3472 wrote to memory of 60 | 3472 | Fcfocb32.exe | 113 | 3
PID 60 wrote to memory of 1944 | 60 | Gjgmpkfl.exe | 114 | 3
PID 1944 wrote to memory of 2860 | 1944 | Gmfilfep.exe | 115 | 3
PID 2860 wrote to memory of 2744 | 2860 | Hmolbene.exe | 116 | 3
PID 2744 wrote to memory of 3096 | 2744 | Himche32.exe | 117 | 3
PID 3096 wrote to memory of 1692 | 3096 | Ibhdgjap.exe | 118 | 1
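The records above are a flat list, and the thing a practitioner actually wants from them is the spawn chain and, more importantly, any write that does not fit it: a process writing into a target it did not launch is the stronger injection signal, while a parent writing into the child it just created is what every launch looks like here. The following Python script is an added example written for this page; it is not part of the sandbox report or its tooling. It parses records in the exact format shown above, collapses them into per-edge counts, follows the writer-to-target edges from the root PID, and flags fan-out (one writer, several targets) or fan-in (one target, several writers). The embedded input is the first twelve records of this report copied verbatim, plus one constructed record (PID 4756 writing into a PID 9999 that does not exist in the report) to show how a write outside the chain is reported.

```python
"""Rebuild the parent->child chain from Triage-style
'Suspicious use of WriteProcessMemory' records.

Added example for this report; not part of the sandbox's own tooling.
"""
import re
from collections import Counter, defaultdict

# Record format as it appears in the report:
#   PID <writer> wrote to memory of <target> <writer> <image> <procid_target>
RECORD = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<procid>\d+)"
)

# The first twelve records of this report, copied verbatim.
REPORT_EXCERPT = """
PID 2784 wrote to memory of 4756 2784 NEAS.a170d8a02830fa34939005b74975c0b0.exe 96
PID 2784 wrote to memory of 4756 2784 NEAS.a170d8a02830fa34939005b74975c0b0.exe 96
PID 2784 wrote to memory of 4756 2784 NEAS.a170d8a02830fa34939005b74975c0b0.exe 96
PID 4756 wrote to memory of 3608 4756 Hoglbc32.exe 97
PID 4756 wrote to memory of 3608 4756 Hoglbc32.exe 97
PID 4756 wrote to memory of 3608 4756 Hoglbc32.exe 97
PID 3608 wrote to memory of 5024 3608 Dqfceoje.exe 98
PID 3608 wrote to memory of 5024 3608 Dqfceoje.exe 98
PID 3608 wrote to memory of 5024 3608 Dqfceoje.exe 98
PID 5024 wrote to memory of 1732 5024 Fcibchgq.exe 99
PID 5024 wrote to memory of 1732 5024 Fcibchgq.exe 99
PID 5024 wrote to memory of 1732 5024 Fcibchgq.exe 99
"""

# Constructed record (not from the report): PID 4756 writing into a PID that
# never appears as its child, the shape a cross-process injection would have.
CONSTRUCTED_INJECTION = "PID 4756 wrote to memory of 9999 4756 Hoglbc32.exe 200"


def parse_records(text):
    """Return one (writer_pid, target_pid, image) tuple per record."""
    return [(int(m["writer"]), int(m["target"]), m["image"])
            for m in RECORD.finditer(text)]


def summarize(events):
    """Collapse events into per-edge write counts and a writer PID -> image map."""
    counts = Counter((w, t) for w, t, _ in events)
    names = {w: img for w, _, img in events}
    return counts, names


def build_chain(counts):
    """Follow writer->target edges from the root (a PID that is never a target).

    Returns the ordered PID chain; raises ValueError if the edges do not form
    a single linear chain (several roots, or a writer with several targets).
    """
    writers = {w for w, _ in counts}
    targets = {t for _, t in counts}
    roots = writers - targets
    if len(roots) != 1:
        raise ValueError(f"expected one root PID, found {sorted(roots)}")
    children = defaultdict(list)
    for w, t in counts:
        children[w].append(t)
    chain = [roots.pop()]
    while children.get(chain[-1]):
        nxt = children[chain[-1]]
        if len(nxt) != 1:
            raise ValueError(f"PID {chain[-1]} wrote to several targets: {nxt}")
        chain.append(nxt[0])
    return chain


def find_anomalies(counts):
    """Edges that do not fit a plain spawn chain.

    Returns (fan_out, fan_in): writers with more than one distinct target, and
    targets written to by more than one writer.
    """
    by_writer, by_target = defaultdict(set), defaultdict(set)
    for w, t in counts:
        by_writer[w].add(t)
        by_target[t].add(w)
    fan_out = {w: sorted(ts) for w, ts in by_writer.items() if len(ts) > 1}
    fan_in = {t: sorted(ws) for t, ws in by_target.items() if len(ws) > 1}
    return fan_out, fan_in


def chain_report(chain, names):
    """Render the chain as 'depth. image (PID n)' lines; '?' if the image is unknown."""
    return [f"{i}. {names.get(pid, '?')} (PID {pid})" for i, pid in enumerate(chain, 1)]


if __name__ == "__main__":
    counts, names = summarize(parse_records(REPORT_EXCERPT))
    print("\n".join(chain_report(build_chain(counts), names)))
    print(find_anomalies(counts))
    counts, _ = summarize(parse_records(REPORT_EXCERPT + "\n" + CONSTRUCTED_INJECTION))
    print(find_anomalies(counts))
```

On the report excerpt the script yields a single five-process chain with no anomalies; with the constructed record added, `find_anomalies` reports PID 4756 fanning out to 3608 and 9999 and `build_chain` refuses to treat the graph as a chain. Running it over the full 64-record list of this report gives the 22-process chain that the Processes section below also shows.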
Processes
-
Each entry is the child of the entry above it (the original rendering numbers the nesting depth 1 to 122). The image path is given first, then the command line the parent passed. Image paths are under C:\Windows\SysWOW64 while the command lines name C:\Windows\system32: the sample is 32-bit (arch:x86 in the resource tags) and WOW64 file system redirection maps its System32 lookups and writes to SysWOW64. Per-signature IoC lists in this report are capped at 64 entries, which is why "Suspicious use of WriteProcessMemory" is only tagged on the first 22 processes (64 write records) and "Executes dropped EXE" only on entries 2 to 65; later entries without those tags are not evidence that the behaviour stopped.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.a170d8a02830fa34939005b74975c0b0.exe (PID 2784)
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.a170d8a02830fa34939005b74975c0b0.exe"
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Hoglbc32.exe (PID 4756)
   command line: C:\Windows\system32\Hoglbc32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Dqfceoje.exe (PID 3608)
   command line: C:\Windows\system32\Dqfceoje.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fcibchgq.exe (PID 5024)
   command line: C:\Windows\system32\Fcibchgq.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Fpbpmhjb.exe (PID 1732)
   command line: C:\Windows\system32\Fpbpmhjb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Gfcnka32.exe (PID 1124)
   command line: C:\Windows\system32\Gfcnka32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Hpchdf32.exe (PID 1960)
   command line: C:\Windows\system32\Hpchdf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ijpcbn32.exe (PID 580)
   command line: C:\Windows\system32\Ijpcbn32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ihkila32.exe (PID 2980)
   command line: C:\Windows\system32\Ihkila32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Jaekkfcm.exe (PID 1388)
   command line: C:\Windows\system32\Jaekkfcm.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Khplnn32.exe (PID 568)
   command line: C:\Windows\system32\Khplnn32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Lnfgmc32.exe (PID 4996)
   command line: C:\Windows\system32\Lnfgmc32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Bpggbm32.exe (PID 236)
   command line: C:\Windows\system32\Bpggbm32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ccacjgfb.exe (PID 4104)
   command line: C:\Windows\system32\Ccacjgfb.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Dpcpei32.exe (PID 3280)
   command line: C:\Windows\system32\Dpcpei32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Elojej32.exe (PID 3048)
   command line: C:\Windows\system32\Elojej32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Fcfocb32.exe (PID 3472)
   command line: C:\Windows\system32\Fcfocb32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Gjgmpkfl.exe (PID 60)
   command line: C:\Windows\system32\Gjgmpkfl.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Gmfilfep.exe (PID 1944)
   command line: C:\Windows\system32\Gmfilfep.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Hmolbene.exe (PID 2860)
   command line: C:\Windows\system32\Hmolbene.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Himche32.exe (PID 2744)
   command line: C:\Windows\system32\Himche32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Ibhdgjap.exe (PID 3096)
   command line: C:\Windows\system32\Ibhdgjap.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Iffmmihf.exe (PID 1692)
   command line: C:\Windows\system32\Iffmmihf.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Jmihpa32.exe (PID 3816)
   command line: C:\Windows\system32\Jmihpa32.exe
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Jmnakqcc.exe (PID 4624)
   command line: C:\Windows\system32\Jmnakqcc.exe
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Jdhigk32.exe (PID 2924)
   command line: C:\Windows\system32\Jdhigk32.exe
   - Executes dropped EXE
   - Modifies registry class
27. C:\Windows\SysWOW64\Jdjfmjhm.exe (PID 5116)
   command line: C:\Windows\system32\Jdjfmjhm.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Kinefp32.exe (PID 3108)
   command line: C:\Windows\system32\Kinefp32.exe
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Lkpnec32.exe (PID 4952)
   command line: C:\Windows\system32\Lkpnec32.exe
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Eekanh32.exe (PID 2580)
   command line: C:\Windows\system32\Eekanh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Hcimei32.exe (PID 4844)
   command line: C:\Windows\system32\Hcimei32.exe
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Jbqpbbfi.exe (PID 4116)
   command line: C:\Windows\system32\Jbqpbbfi.exe
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Jpdqlgdc.exe (PID 3716)
   command line: C:\Windows\system32\Jpdqlgdc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
34. C:\Windows\SysWOW64\Kpncbemh.exe (PID 2676)
   command line: C:\Windows\system32\Kpncbemh.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Mibpng32.exe (PID 4696)
   command line: C:\Windows\system32\Mibpng32.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Nebdighb.exe (PID 1676)
   command line: C:\Windows\system32\Nebdighb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Ofgmdf32.exe (PID 3984)
   command line: C:\Windows\system32\Ofgmdf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Ogkcihgj.exe (PID 4592)
   command line: C:\Windows\system32\Ogkcihgj.exe
   - Executes dropped EXE
   - Drops file in System32 directory
39. C:\Windows\SysWOW64\Onekeb32.exe (PID 4300)
   command line: C:\Windows\system32\Onekeb32.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Pnlafaio.exe (PID 1892)
   command line: C:\Windows\system32\Pnlafaio.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Pmangnmg.exe (PID 4916)
   command line: C:\Windows\system32\Pmangnmg.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Qnhabp32.exe (PID 3372)
   command line: C:\Windows\system32\Qnhabp32.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Ddonnq32.exe (PID 5084)
   command line: C:\Windows\system32\Ddonnq32.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Ekpmljin.exe (PID 2976)
   command line: C:\Windows\system32\Ekpmljin.exe
   - Executes dropped EXE
   - Modifies registry class
45. C:\Windows\SysWOW64\Eeeaibid.exe (PID 1276)
   command line: C:\Windows\system32\Eeeaibid.exe
   - Executes dropped EXE
   - Drops file in System32 directory
46. C:\Windows\SysWOW64\Eggmqk32.exe (PID 4172)
   command line: C:\Windows\system32\Eggmqk32.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Femgia32.exe (PID 4396)
   command line: C:\Windows\system32\Femgia32.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Fnoboc32.exe (PID 4428)
   command line: C:\Windows\system32\Fnoboc32.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Fggfghap.exe (PID 4288)
   command line: C:\Windows\system32\Fggfghap.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Gehfepio.exe (PID 1304)
   command line: C:\Windows\system32\Gehfepio.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
51. C:\Windows\SysWOW64\Gkeonggf.exe (PID 1724)
   command line: C:\Windows\system32\Gkeonggf.exe
   - Executes dropped EXE
   - Modifies registry class
52. C:\Windows\SysWOW64\Hbhjqp32.exe (PID 4032)
   command line: C:\Windows\system32\Hbhjqp32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Hgebif32.exe (PID 4692)
   command line: C:\Windows\system32\Hgebif32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Ifpemmdd.exe (PID 3960)
   command line: C:\Windows\system32\Ifpemmdd.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Inkjao32.exe (PID 4140)
   command line: C:\Windows\system32\Inkjao32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
56. C:\Windows\SysWOW64\Jgmapcqe.exe (PID 220)
   command line: C:\Windows\system32\Jgmapcqe.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Jecoog32.exe (PID 1628)
   command line: C:\Windows\system32\Jecoog32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
58. C:\Windows\SysWOW64\Jkmgladi.exe (PID 2756)
   command line: C:\Windows\system32\Jkmgladi.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Jbgoik32.exe (PID 3348)
   command line: C:\Windows\system32\Jbgoik32.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Jiageecb.exe (PID 4352)
   command line: C:\Windows\system32\Jiageecb.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Ajlngk32.exe (PID 2852)
   command line: C:\Windows\system32\Ajlngk32.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Bgnkamef.exe (PID 1712)
   command line: C:\Windows\system32\Bgnkamef.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Bmkcjd32.exe (PID 1584)
   command line: C:\Windows\system32\Bmkcjd32.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Boipfp32.exe (PID 4044)
   command line: C:\Windows\system32\Boipfp32.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Bfchcijo.exe (PID 4600)
   command line: C:\Windows\system32\Bfchcijo.exe
   - Executes dropped EXE
   - Drops file in System32 directory
66. C:\Windows\SysWOW64\Bpkllo32.exe (PID 3860)
   command line: C:\Windows\system32\Bpkllo32.exe
   - Modifies registry class
67. C:\Windows\SysWOW64\Bidqddgp.exe (PID 1564)
   command line: C:\Windows\system32\Bidqddgp.exe
68. C:\Windows\SysWOW64\Cppfgnlj.exe (PID 4540)
   command line: C:\Windows\system32\Cppfgnlj.exe
69. C:\Windows\SysWOW64\Cflkihbd.exe (PID 2288)
   command line: C:\Windows\system32\Cflkihbd.exe
   - Modifies registry class
70. C:\Windows\SysWOW64\Dapkho32.exe (PID 1860)
   command line: C:\Windows\system32\Dapkho32.exe
   - Drops file in System32 directory
71. C:\Windows\SysWOW64\Fkflbb32.exe (PID 1608)
   command line: C:\Windows\system32\Fkflbb32.exe
72. C:\Windows\SysWOW64\Fpcdji32.exe (PID 2216)
   command line: C:\Windows\system32\Fpcdji32.exe
73. C:\Windows\SysWOW64\Fhofffjo.exe (PID 4728)
   command line: C:\Windows\system32\Fhofffjo.exe
74. C:\Windows\SysWOW64\Hncmfj32.exe (PID 2360)
   command line: C:\Windows\system32\Hncmfj32.exe
75. C:\Windows\SysWOW64\Hdmecdlh.exe (PID 2160)
   command line: C:\Windows\system32\Hdmecdlh.exe
   - Drops file in System32 directory
   - Modifies registry class
76. C:\Windows\SysWOW64\Jncfmgfi.exe (PID 1460)
   command line: C:\Windows\system32\Jncfmgfi.exe
   - Drops file in System32 directory
77. C:\Windows\SysWOW64\Jqbbicel.exe (PID 4124)
   command line: C:\Windows\system32\Jqbbicel.exe
78. C:\Windows\SysWOW64\Jglkfmmi.exe (PID 1840)
   command line: C:\Windows\system32\Jglkfmmi.exe
79. C:\Windows\SysWOW64\Jnfcbg32.exe (PID 3640)
   command line: C:\Windows\system32\Jnfcbg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Jhndepbi.exe (PID 4104)
   command line: C:\Windows\system32\Jhndepbi.exe
81. C:\Windows\SysWOW64\Jnklnfpq.exe (PID 1088)
   command line: C:\Windows\system32\Jnklnfpq.exe
82. C:\Windows\SysWOW64\Jqihjbod.exe (PID 4244)
   command line: C:\Windows\system32\Jqihjbod.exe
83. C:\Windows\SysWOW64\Kgjggkqi.exe (PID 2272)
   command line: C:\Windows\system32\Kgjggkqi.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
84. C:\Windows\SysWOW64\Mniafbfn.exe (PID 4380)
   command line: C:\Windows\system32\Mniafbfn.exe
85. C:\Windows\SysWOW64\Miofcked.exe (PID 4336)
   command line: C:\Windows\system32\Miofcked.exe
86. C:\Windows\SysWOW64\Mjpbkc32.exe (PID 4920)
   command line: C:\Windows\system32\Mjpbkc32.exe
87. C:\Windows\SysWOW64\Nlbkjf32.exe (PID 3264)
   command line: C:\Windows\system32\Nlbkjf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
88. C:\Windows\SysWOW64\Nblcgpho.exe (PID 1056)
   command line: C:\Windows\system32\Nblcgpho.exe
89. C:\Windows\SysWOW64\Nhhlog32.exe (PID 4992)
   command line: C:\Windows\system32\Nhhlog32.exe
   - Drops file in System32 directory
90. C:\Windows\SysWOW64\Nelmik32.exe (PID 3032)
   command line: C:\Windows\system32\Nelmik32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
91. C:\Windows\SysWOW64\Nlknqd32.exe (PID 4892)
   command line: C:\Windows\system32\Nlknqd32.exe
92. C:\Windows\SysWOW64\Nbefmopd.exe (PID 3648)
   command line: C:\Windows\system32\Nbefmopd.exe
   - Drops file in System32 directory
93. C:\Windows\SysWOW64\Ohboeenl.exe (PID 2860)
   command line: C:\Windows\system32\Ohboeenl.exe
   - Drops file in System32 directory
94. C:\Windows\SysWOW64\Oolgbpei.exe (PID 4532)
   command line: C:\Windows\system32\Oolgbpei.exe
95. C:\Windows\SysWOW64\Oiakpheo.exe (PID 3892)
   command line: C:\Windows\system32\Oiakpheo.exe
96. C:\Windows\SysWOW64\Objphn32.exe (PID 5048)
   command line: C:\Windows\system32\Objphn32.exe
97. C:\Windows\SysWOW64\Ooejhn32.exe (PID 3396)
   command line: C:\Windows\system32\Ooejhn32.exe
98. C:\Windows\SysWOW64\Pcccol32.exe (PID 5044)
   command line: C:\Windows\system32\Pcccol32.exe
99. C:\Windows\SysWOW64\Pimkkfka.exe (PID 4564)
   command line: C:\Windows\system32\Pimkkfka.exe
   - Modifies registry class
100. C:\Windows\SysWOW64\Pedlpgqe.exe (PID 1176)
   command line: C:\Windows\system32\Pedlpgqe.exe
   - Modifies registry class
101. C:\Windows\SysWOW64\Pibdff32.exe (PID 1792)
   command line: C:\Windows\system32\Pibdff32.exe
102. C:\Windows\SysWOW64\Pidaleei.exe (PID 3600)
   command line: C:\Windows\system32\Pidaleei.exe
103. C:\Windows\SysWOW64\Qaofphbd.exe (PID 4808)
   command line: C:\Windows\system32\Qaofphbd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
104. C:\Windows\SysWOW64\Qocfjlan.exe (PID 2692)
   command line: C:\Windows\system32\Qocfjlan.exe
105. C:\Windows\SysWOW64\Qemoff32.exe (PID 3688)
   command line: C:\Windows\system32\Qemoff32.exe
106. C:\Windows\SysWOW64\Ajndbd32.exe (PID 2700)
   command line: C:\Windows\system32\Ajndbd32.exe
107. C:\Windows\SysWOW64\Bhjgdplo.exe (PID 4776)
   command line: C:\Windows\system32\Bhjgdplo.exe
108. C:\Windows\SysWOW64\Bbbkmebo.exe (PID 5160)
   command line: C:\Windows\system32\Bbbkmebo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
109. C:\Windows\SysWOW64\Bcddlhgo.exe (PID 5204)
   command line: C:\Windows\system32\Bcddlhgo.exe
110. C:\Windows\SysWOW64\Bmliem32.exe (PID 5248)
   command line: C:\Windows\system32\Bmliem32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Bokeai32.exe (PID 5292)
   command line: C:\Windows\system32\Bokeai32.exe
   - Modifies registry class
112. C:\Windows\SysWOW64\Cmcoflhh.exe (PID 5336)
   command line: C:\Windows\system32\Cmcoflhh.exe
113. C:\Windows\SysWOW64\Cjgpoq32.exe (PID 5384)
   command line: C:\Windows\system32\Cjgpoq32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
114. C:\Windows\SysWOW64\Doiabgqc.exe (PID 5424)
   command line: C:\Windows\system32\Doiabgqc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
115. C:\Windows\SysWOW64\Djnfppqi.exe (PID 5464)
   command line: C:\Windows\system32\Djnfppqi.exe
116. C:\Windows\SysWOW64\Dbikdbnd.exe (PID 5520)
   command line: C:\Windows\system32\Dbikdbnd.exe
117. C:\Windows\SysWOW64\Glenpb32.exe (PID 5568)
   command line: C:\Windows\system32\Glenpb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Gkhkdjli.exe (PID 5604)
   command line: C:\Windows\system32\Gkhkdjli.exe
   - Modifies registry class
119. C:\Windows\SysWOW64\Gbcohl32.exe (PID 5652)
   command line: C:\Windows\system32\Gbcohl32.exe
120. C:\Windows\SysWOW64\Hingefqa.exe (PID 5696)
   command line: C:\Windows\system32\Hingefqa.exe
   - Modifies registry class
121. C:\Windows\SysWOW64\Hbflnl32.exe (PID 5740)
   command line: C:\Windows\system32\Hbflnl32.exe
122. C:\Windows\SysWOW64\Hipdjfoo.exe (PID 5784)
   command line: C:\Windows\system32\Hipdjfoo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup