Analysis
max time kernel: 170s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2023, 20:48
Behavioral task: behavioral1
Sample: NEAS.a1c9ad1f675441af41777e82a523b070.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.a1c9ad1f675441af41777e82a523b070.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.a1c9ad1f675441af41777e82a523b070.exe
Size: 78KB
MD5: a1c9ad1f675441af41777e82a523b070
SHA1: f0cb0cac921b17dd6ae44baa2248e94d96ead576
SHA256: 59c4ae785e4767e60c67b7c9054335ce794ade3dccd475e7915e7b744d89c43c
SHA512: 9f62191c5e123b17d07ba69c2ed26f9b9cd62372dc7013f406ca6780b370f5f31be8f38152c7cdc06acb55573ae6f2fddd458075c09a8bb8947e89a685c10382
SSDEEP: 1536:rYBdzTWGhi/v1O13DdQnPsFn5qHB6veTWTIQEWiU6yf5oAnqDM+4yyF:Ej3WGhiW3DmPs55qkveVQEWiUCuq4cyF
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bckddn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpjhlche.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fqcilgji.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Caagofme.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcfcmnce.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjefao32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hnaqqj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcfphn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afmmibga.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbgfca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opqdbhlb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | NEAS.a1c9ad1f675441af41777e82a523b070.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqhphq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jchaoe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Offeahhp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilglgfjd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpkqbq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfogohpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmpclnof.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dojqcjgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccajdmin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkibqnah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alkidi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmpclnof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beaohcmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncbaabom.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llmpco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlipomli.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eainnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akffjkme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ompfnoci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjmjnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfngcdhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nofmndkd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Papnhbgi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lebalokn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hojibgkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onhmhc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ommjipel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmeagjbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fbbhla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jqhphq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpjhlche.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcphkhad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnfiapfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmomga32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmgmonma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gablgk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opqdbhlb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jplkig32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgoadi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jedjkkmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emniheha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmefiakh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgnief32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gijedm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Limpiomm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Himqjpme.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdpckbli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipihiaqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekahhn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Meobeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flmqem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dqpffaib.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/memory/3404-0-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/memory/3404-1-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0009000000022cec-7.dat | family_berbew
behavioral2/memory/4636-8-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0009000000022cec-9.dat | family_berbew
behavioral2/files/0x000b000000022cf5-15.dat | family_berbew
behavioral2/files/0x000b000000022cf5-17.dat | family_berbew
behavioral2/memory/4132-16-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cf7-23.dat | family_berbew
behavioral2/files/0x0008000000022cf7-25.dat | family_berbew
behavioral2/memory/2352-24-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cfa-26.dat | family_berbew
behavioral2/files/0x0008000000022cfa-31.dat | family_berbew
behavioral2/files/0x0008000000022cfa-33.dat | family_berbew
behavioral2/memory/2156-32-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfc-39.dat | family_berbew
behavioral2/files/0x0006000000022cfc-41.dat | family_berbew
behavioral2/memory/4508-40-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfe-47.dat | family_berbew
behavioral2/files/0x0006000000022cfe-49.dat | family_berbew
behavioral2/memory/404-48-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d00-50.dat | family_berbew
behavioral2/files/0x0006000000022d00-55.dat | family_berbew
behavioral2/memory/3888-57-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d00-56.dat | family_berbew
behavioral2/files/0x0006000000022d02-63.dat | family_berbew
behavioral2/files/0x0006000000022d02-65.dat | family_berbew
behavioral2/memory/764-64-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d04-71.dat | family_berbew
behavioral2/memory/2320-72-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d04-73.dat | family_berbew
behavioral2/files/0x0006000000022d06-79.dat | family_berbew
behavioral2/files/0x0006000000022d06-81.dat | family_berbew
behavioral2/memory/3404-80-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/memory/4404-82-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d08-83.dat | family_berbew
behavioral2/files/0x0006000000022d08-87.dat | family_berbew
behavioral2/memory/4576-89-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d08-90.dat | family_berbew
behavioral2/files/0x0006000000022d0a-92.dat | family_berbew
behavioral2/files/0x0006000000022d0a-95.dat | family_berbew
behavioral2/files/0x0006000000022d0a-98.dat | family_berbew
behavioral2/memory/1896-97-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d0c-104.dat | family_berbew
behavioral2/files/0x0006000000022d0c-106.dat | family_berbew
behavioral2/memory/3868-105-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d0e-107.dat | family_berbew
behavioral2/files/0x0006000000022d0e-112.dat | family_berbew
behavioral2/files/0x0006000000022d0e-114.dat | family_berbew
behavioral2/memory/1396-113-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d10-116.dat | family_berbew
behavioral2/files/0x0006000000022d10-120.dat | family_berbew
behavioral2/files/0x0006000000022d10-122.dat | family_berbew
behavioral2/memory/3436-121-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d12-128.dat | family_berbew
behavioral2/memory/1452-129-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d12-130.dat | family_berbew
behavioral2/files/0x0006000000022d14-136.dat | family_berbew
behavioral2/files/0x0006000000022d14-138.dat | family_berbew
behavioral2/memory/704-137-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d16-144.dat | family_berbew
behavioral2/files/0x0006000000022d16-146.dat | family_berbew
behavioral2/memory/4868-145-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d18-147.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
4636 | Akhaipei.exe
4132 | Beaohcmf.exe
2352 | Chddpn32.exe
2156 | Dfngcdhi.exe
4508 | Gllajf32.exe
404 | Ghgljg32.exe
3888 | Hcfcmnce.exe
764 | Jqhphq32.exe
2320 | Jihngboe.exe
4404 | Kfhnme32.exe
4576 | Lapopm32.exe
1896 | Limpiomm.exe
3868 | Lccdghmc.exe
1396 | Mphamg32.exe
3436 | Najjmjkg.exe
1452 | Opmcod32.exe
704 | Qkqdnkge.exe
4868 | Agnkck32.exe
4864 | Bhgjcmfi.exe
1020 | Cjaiac32.exe
4484 | Djipbbne.exe
3424 | Dbdano32.exe
4932 | Ehhpge32.exe
4308 | Hohcmjic.exe
2632 | Hkodak32.exe
3576 | Jchaoe32.exe
3256 | Jjefao32.exe
4256 | Kiajck32.exe
1712 | Mfhpilbc.exe
1808 | Mbamcm32.exe
3984 | Offeahhp.exe
4512 | Pmefiakh.exe
4812 | Pgbdmfnc.exe
1488 | Apobakpn.exe
5060 | Aphegjhc.exe
60 | Ckiipa32.exe
4740 | Cddjofbj.exe
2652 | Dnfanjqp.exe
1924 | Dqigee32.exe
5012 | Ekahhn32.exe
2296 | Ekeacmel.exe
4732 | Eepbabjj.exe
760 | Flmhclod.exe
2768 | Fnbjpf32.exe
112 | Flfjjkgi.exe
1660 | Gonilenb.exe
868 | Hkggfe32.exe
948 | Haeino32.exe
3640 | Hoiihcde.exe
2088 | Hlmiagbo.exe
4788 | Ilglgfjd.exe
4432 | Jedjkkmo.exe
408 | Jdiglgbg.exe
4208 | Kleiid32.exe
748 | Klgend32.exe
3864 | Knhbflbp.exe
3592 | Khnfce32.exe
5112 | Kffphhmj.exe
4252 | Locnlmoe.exe
1016 | Lbgcch32.exe
4140 | Meobeb32.exe
4572 | Mpdgbkab.exe
3004 | Nmmqgo32.exe
4996 | Onjmjegg.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Nmmqgo32.exe | Mpdgbkab.exe
File created | C:\Windows\SysWOW64\Genbjogo.dll | Bmeagjbo.exe
File created | C:\Windows\SysWOW64\Hcneiljl.dll | Ipihiaqa.exe
File created | C:\Windows\SysWOW64\Maefnk32.exe | Jaddpppa.exe
File created | C:\Windows\SysWOW64\Lbffphca.dll | Fbplgbbb.exe
File created | C:\Windows\SysWOW64\Mabnlh32.exe | Lkjehbaa.exe
File opened for modification | C:\Windows\SysWOW64\Nnbnaj32.exe | Nhheepbk.exe
File opened for modification | C:\Windows\SysWOW64\Lapopm32.exe | Kfhnme32.exe
File created | C:\Windows\SysWOW64\Cddjofbj.exe | Ckiipa32.exe
File created | C:\Windows\SysWOW64\Qbjegg32.dll | Knipik32.exe
File created | C:\Windows\SysWOW64\Fgoadi32.exe | Fbbhla32.exe
File created | C:\Windows\SysWOW64\Paiqjieh.dll | Mphamg32.exe
File opened for modification | C:\Windows\SysWOW64\Ccajdmin.exe | Bckddn32.exe
File opened for modification | C:\Windows\SysWOW64\Dddlfa32.exe | Cdpckbli.exe
File opened for modification | C:\Windows\SysWOW64\Hnaqqj32.exe | Gngnjk32.exe
File created | C:\Windows\SysWOW64\Cponodge.exe | Chblebll.exe
File created | C:\Windows\SysWOW64\Mdoeqnjb.dll | Figgnm32.exe
File created | C:\Windows\SysWOW64\Edgccoai.dll | Hkodak32.exe
File created | C:\Windows\SysWOW64\Gmmome32.exe | Fihqfh32.exe
File created | C:\Windows\SysWOW64\Nllleapo.exe | Mccofn32.exe
File created | C:\Windows\SysWOW64\Fojenfeg.exe | Fafddb32.exe
File created | C:\Windows\SysWOW64\Nockfgao.exe | Moobkh32.exe
File opened for modification | C:\Windows\SysWOW64\Djipbbne.exe | Cjaiac32.exe
File created | C:\Windows\SysWOW64\Nejlok32.dll | Ckiipa32.exe
File opened for modification | C:\Windows\SysWOW64\Flmqem32.exe | Ffqhmf32.exe
File created | C:\Windows\SysWOW64\Pgbdmfnc.exe | Pmefiakh.exe
File opened for modification | C:\Windows\SysWOW64\Locnlmoe.exe | Kffphhmj.exe
File opened for modification | C:\Windows\SysWOW64\Offeahhp.exe | Mbamcm32.exe
File opened for modification | C:\Windows\SysWOW64\Qgnief32.exe | Qnfdlpqd.exe
File created | C:\Windows\SysWOW64\Pnhgep32.dll | Iokocmnf.exe
File created | C:\Windows\SysWOW64\Fcejnpck.dll | Gbjhelnp.exe
File created | C:\Windows\SysWOW64\Kfhnme32.exe | Jihngboe.exe
File created | C:\Windows\SysWOW64\Donloloo.dll | Cjaiac32.exe
File opened for modification | C:\Windows\SysWOW64\Lihpbl32.exe | Lgcjmjho.exe
File created | C:\Windows\SysWOW64\Pgohgkgm.dll | Amnlfk32.exe
File created | C:\Windows\SysWOW64\Bifblbad.exe | Bbljoh32.exe
File opened for modification | C:\Windows\SysWOW64\Fkalmn32.exe | Becipn32.exe
File created | C:\Windows\SysWOW64\Fqcilgji.exe | Ejegdngb.exe
File opened for modification | C:\Windows\SysWOW64\Beaohcmf.exe | Akhaipei.exe
File created | C:\Windows\SysWOW64\Hbdjbn32.dll | Bocjdiol.exe
File created | C:\Windows\SysWOW64\Lppgkh32.dll | Dkcnnk32.exe
File created | C:\Windows\SysWOW64\Jmhaek32.exe | Fkalmn32.exe
File created | C:\Windows\SysWOW64\Cihjpd32.exe | Bqkifb32.exe
File created | C:\Windows\SysWOW64\Pnfiia32.exe | Pdqelh32.exe
File opened for modification | C:\Windows\SysWOW64\Nndjgjhe.exe | Nnbnaj32.exe
File created | C:\Windows\SysWOW64\Ocjokijf.exe | Ompfnoci.exe
File opened for modification | C:\Windows\SysWOW64\Jkplilgk.exe | Jpjhlche.exe
File created | C:\Windows\SysWOW64\Odkaac32.exe | Ncbaabom.exe
File created | C:\Windows\SysWOW64\Pcdjic32.exe | Opqdbhlb.exe
File created | C:\Windows\SysWOW64\Ddifaqcn.exe | Dkqahk32.exe
File created | C:\Windows\SysWOW64\Fkajoiok.exe | Ekekcjih.exe
File created | C:\Windows\SysWOW64\Aaocfebe.dll | Ekeacmel.exe
File created | C:\Windows\SysWOW64\Mlhahj32.dll | Onjmjegg.exe
File created | C:\Windows\SysWOW64\Oeglogfo.dll | Naaejj32.exe
File opened for modification | C:\Windows\SysWOW64\Peddhb32.exe | Odkaac32.exe
File opened for modification | C:\Windows\SysWOW64\Fbmoabde.exe | Fghkdjdo.exe
File created | C:\Windows\SysWOW64\Beaohcmf.exe | Akhaipei.exe
File created | C:\Windows\SysWOW64\Fhbfdm32.dll | Jjefao32.exe
File created | C:\Windows\SysWOW64\Eccoloed.dll | Meobeb32.exe
File created | C:\Windows\SysWOW64\Ommjipel.exe | Opiipkfb.exe
File created | C:\Windows\SysWOW64\Dojqcjgi.exe | Dddlfa32.exe
File opened for modification | C:\Windows\SysWOW64\Gjmmfq32.exe | Gablgk32.exe
File opened for modification | C:\Windows\SysWOW64\Pjmjnb32.exe | Ppgeqijb.exe
File created | C:\Windows\SysWOW64\Lgcjmjho.exe | Ljpideje.exe
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
6192 | 1416 | WerFault.exe | 418
6296 | 1416 | WerFault.exe | 418
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfkdkqeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdmmji.dll" | Hfkdkqeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjopqdfa.dll" | Ilibmcln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmkljdjj.dll" | Mfhpilbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iphihnjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdoiaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dggcce32.dll" | Qhlkbaho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmdhmch.dll" | Anmfkane.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkdodffe.dll" | Fbkblb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjkfmm32.dll" | Fgoadi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nofmndkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qnfdlpqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjijl32.dll" | Locnlmoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbchkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhheepbk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbdano32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ilglgfjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pdqelh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihckfoa.dll" | Najjmjkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Becipn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiimbin.dll" | Ipplmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pnfiia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmile32.dll" | Mbamcm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkjehbaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nabfcegi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpgi32.dll" | Gfcebf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmheflog.dll" | Bkibqnah.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bifblbad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpcdji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nmomga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lglopjkg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ipplmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lgmbmn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | NEAS.a1c9ad1f675441af41777e82a523b070.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndcoeq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djqbeonf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bopefnnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Loigap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfggm32.dll" | Nockfgao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Baohmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dbkpokhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hifcqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmeagjbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdmfebnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ibegpmah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaalbnpg.dll" | Dfngcdhi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjaiac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gllajf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddngdj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jplkig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meibeo32.dll" | Afmmibga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpkqbq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapeapja.dll" | Cfogohpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfpng32.dll" | Qgnief32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfoigo32.dll" | Mlipomli.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lomqmoob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fgoadi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ilnbch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Opiipkfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ombcdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cddjofbj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Knipik32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bqkifb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dclknkfp.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3404 wrote to memory of 4636 | 3404 | NEAS.a1c9ad1f675441af41777e82a523b070.exe | 92
PID 3404 wrote to memory of 4636 | 3404 | NEAS.a1c9ad1f675441af41777e82a523b070.exe | 92
PID 3404 wrote to memory of 4636 | 3404 | NEAS.a1c9ad1f675441af41777e82a523b070.exe | 92
PID 4636 wrote to memory of 4132 | 4636 | Akhaipei.exe | 93
PID 4636 wrote to memory of 4132 | 4636 | Akhaipei.exe | 93
PID 4636 wrote to memory of 4132 | 4636 | Akhaipei.exe | 93
PID 4132 wrote to memory of 2352 | 4132 | Beaohcmf.exe | 94
PID 4132 wrote to memory of 2352 | 4132 | Beaohcmf.exe | 94
PID 4132 wrote to memory of 2352 | 4132 | Beaohcmf.exe | 94
PID 2352 wrote to memory of 2156 | 2352 | Chddpn32.exe | 95
PID 2352 wrote to memory of 2156 | 2352 | Chddpn32.exe | 95
PID 2352 wrote to memory of 2156 | 2352 | Chddpn32.exe | 95
PID 2156 wrote to memory of 4508 | 2156 | Dfngcdhi.exe | 96
PID 2156 wrote to memory of 4508 | 2156 | Dfngcdhi.exe | 96
PID 2156 wrote to memory of 4508 | 2156 | Dfngcdhi.exe | 96
PID 4508 wrote to memory of 404 | 4508 | Gllajf32.exe | 97
PID 4508 wrote to memory of 404 | 4508 | Gllajf32.exe | 97
PID 4508 wrote to memory of 404 | 4508 | Gllajf32.exe | 97
PID 404 wrote to memory of 3888 | 404 | Ghgljg32.exe | 98
PID 404 wrote to memory of 3888 | 404 | Ghgljg32.exe | 98
PID 404 wrote to memory of 3888 | 404 | Ghgljg32.exe | 98
PID 3888 wrote to memory of 764 | 3888 | Hcfcmnce.exe | 99
PID 3888 wrote to memory of 764 | 3888 | Hcfcmnce.exe | 99
PID 3888 wrote to memory of 764 | 3888 | Hcfcmnce.exe | 99
PID 764 wrote to memory of 2320 | 764 | Jqhphq32.exe | 100
PID 764 wrote to memory of 2320 | 764 | Jqhphq32.exe | 100
PID 764 wrote to memory of 2320 | 764 | Jqhphq32.exe | 100
PID 2320 wrote to memory of 4404 | 2320 | Jihngboe.exe | 101
PID 2320 wrote to memory of 4404 | 2320 | Jihngboe.exe | 101
PID 2320 wrote to memory of 4404 | 2320 | Jihngboe.exe | 101
PID 4404 wrote to memory of 4576 | 4404 | Kfhnme32.exe | 102
PID 4404 wrote to memory of 4576 | 4404 | Kfhnme32.exe | 102
PID 4404 wrote to memory of 4576 | 4404 | Kfhnme32.exe | 102
PID 4576 wrote to memory of 1896 | 4576 | Lapopm32.exe | 103
PID 4576 wrote to memory of 1896 | 4576 | Lapopm32.exe | 103
PID 4576 wrote to memory of 1896 | 4576 | Lapopm32.exe | 103
PID 1896 wrote to memory of 3868 | 1896 | Limpiomm.exe | 104
PID 1896 wrote to memory of 3868 | 1896 | Limpiomm.exe | 104
PID 1896 wrote to memory of 3868 | 1896 | Limpiomm.exe | 104
PID 3868 wrote to memory of 1396 | 3868 | Lccdghmc.exe | 105
PID 3868 wrote to memory of 1396 | 3868 | Lccdghmc.exe | 105
PID 3868 wrote to memory of 1396 | 3868 | Lccdghmc.exe | 105
PID 1396 wrote to memory of 3436 | 1396 | Mphamg32.exe | 106
PID 1396 wrote to memory of 3436 | 1396 | Mphamg32.exe | 106
PID 1396 wrote to memory of 3436 | 1396 | Mphamg32.exe | 106
PID 3436 wrote to memory of 1452 | 3436 | Najjmjkg.exe | 107
PID 3436 wrote to memory of 1452 | 3436 | Najjmjkg.exe | 107
PID 3436 wrote to memory of 1452 | 3436 | Najjmjkg.exe | 107
PID 1452 wrote to memory of 704 | 1452 | Opmcod32.exe | 108
PID 1452 wrote to memory of 704 | 1452 | Opmcod32.exe | 108
PID 1452 wrote to memory of 704 | 1452 | Opmcod32.exe | 108
PID 704 wrote to memory of 4868 | 704 | Qkqdnkge.exe | 109
PID 704 wrote to memory of 4868 | 704 | Qkqdnkge.exe | 109
PID 704 wrote to memory of 4868 | 704 | Qkqdnkge.exe | 109
PID 4868 wrote to memory of 4864 | 4868 | Agnkck32.exe | 110
PID 4868 wrote to memory of 4864 | 4868 | Agnkck32.exe | 110
PID 4868 wrote to memory of 4864 | 4868 | Agnkck32.exe | 110
PID 4864 wrote to memory of 1020 | 4864 | Bhgjcmfi.exe | 111
PID 4864 wrote to memory of 1020 | 4864 | Bhgjcmfi.exe | 111
PID 4864 wrote to memory of 1020 | 4864 | Bhgjcmfi.exe | 111
PID 1020 wrote to memory of 4484 | 1020 | Cjaiac32.exe | 112
PID 1020 wrote to memory of 4484 | 1020 | Cjaiac32.exe | 112
PID 1020 wrote to memory of 4484 | 1020 | Cjaiac32.exe | 112
PID 4484 wrote to memory of 3424 | 4484 | Djipbbne.exe | 113
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.a1c9ad1f675441af41777e82a523b070.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.a1c9ad1f675441af41777e82a523b070.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3404

Level 2: C:\Windows\SysWOW64\Akhaipei.exe
Command line: C:\Windows\system32\Akhaipei.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 4636

Level 3: C:\Windows\SysWOW64\Beaohcmf.exe
Command line: C:\Windows\system32\Beaohcmf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4132

Level 4: C:\Windows\SysWOW64\Chddpn32.exe
Command line: C:\Windows\system32\Chddpn32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2352

Level 5: C:\Windows\SysWOW64\Dfngcdhi.exe
Command line: C:\Windows\system32\Dfngcdhi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2156

Level 6: C:\Windows\SysWOW64\Gllajf32.exe
Command line: C:\Windows\system32\Gllajf32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4508

Level 7: C:\Windows\SysWOW64\Ghgljg32.exe
Command line: C:\Windows\system32\Ghgljg32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 404

Level 8: C:\Windows\SysWOW64\Hcfcmnce.exe
Command line: C:\Windows\system32\Hcfcmnce.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3888

Level 9: C:\Windows\SysWOW64\Jqhphq32.exe
Command line: C:\Windows\system32\Jqhphq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 764

Level 10: C:\Windows\SysWOW64\Jihngboe.exe
Command line: C:\Windows\system32\Jihngboe.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2320

Level 11: C:\Windows\SysWOW64\Kfhnme32.exe
Command line: C:\Windows\system32\Kfhnme32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 4404

Level 12: C:\Windows\SysWOW64\Lapopm32.exe
Command line: C:\Windows\system32\Lapopm32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4576

Level 13: C:\Windows\SysWOW64\Limpiomm.exe
Command line: C:\Windows\system32\Limpiomm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1896

Level 14: C:\Windows\SysWOW64\Lccdghmc.exe
Command line: C:\Windows\system32\Lccdghmc.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3868

Level 15: C:\Windows\SysWOW64\Mphamg32.exe
Command line: C:\Windows\system32\Mphamg32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1396

Level 16: C:\Windows\SysWOW64\Najjmjkg.exe
Command line: C:\Windows\system32\Najjmjkg.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3436

Level 17: C:\Windows\SysWOW64\Opmcod32.exe
Command line: C:\Windows\system32\Opmcod32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1452
Level 18: C:\Windows\SysWOW64\Qkqdnkge.exe
Command line: C:\Windows\system32\Qkqdnkge.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 704

Level 19: C:\Windows\SysWOW64\Agnkck32.exe
Command line: C:\Windows\system32\Agnkck32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4868

Level 20: C:\Windows\SysWOW64\Bhgjcmfi.exe
Command line: C:\Windows\system32\Bhgjcmfi.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4864

Level 21: C:\Windows\SysWOW64\Cjaiac32.exe
Command line: C:\Windows\system32\Cjaiac32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1020

Level 22: C:\Windows\SysWOW64\Djipbbne.exe
Command line: C:\Windows\system32\Djipbbne.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4484

Level 23: C:\Windows\SysWOW64\Dbdano32.exe
Command line: C:\Windows\system32\Dbdano32.exe
- Executes dropped EXE
- Modifies registry class
PID: 3424

Level 24: C:\Windows\SysWOW64\Ehhpge32.exe
Command line: C:\Windows\system32\Ehhpge32.exe
- Executes dropped EXE
PID: 4932

Level 25: C:\Windows\SysWOW64\Hohcmjic.exe
Command line: C:\Windows\system32\Hohcmjic.exe
- Executes dropped EXE
PID: 4308

Level 26: C:\Windows\SysWOW64\Hkodak32.exe
Command line: C:\Windows\system32\Hkodak32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2632

Level 27: C:\Windows\SysWOW64\Jchaoe32.exe
Command line: C:\Windows\system32\Jchaoe32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3576

Level 28: C:\Windows\SysWOW64\Jjefao32.exe
Command line: C:\Windows\system32\Jjefao32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 3256

Level 29: C:\Windows\SysWOW64\Kiajck32.exe
Command line: C:\Windows\system32\Kiajck32.exe
- Executes dropped EXE
PID: 4256

Level 30: C:\Windows\SysWOW64\Mfhpilbc.exe
Command line: C:\Windows\system32\Mfhpilbc.exe
- Executes dropped EXE
- Modifies registry class
PID: 1712

Level 31: C:\Windows\SysWOW64\Mbamcm32.exe
Command line: C:\Windows\system32\Mbamcm32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1808

Level 32: C:\Windows\SysWOW64\Offeahhp.exe
Command line: C:\Windows\system32\Offeahhp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3984

Level 33: C:\Windows\SysWOW64\Pmefiakh.exe
Command line: C:\Windows\system32\Pmefiakh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 4512

Level 34: C:\Windows\SysWOW64\Pgbdmfnc.exe
Command line: C:\Windows\system32\Pgbdmfnc.exe
- Executes dropped EXE
PID: 4812

Level 35: C:\Windows\SysWOW64\Apobakpn.exe
Command line: C:\Windows\system32\Apobakpn.exe
- Executes dropped EXE
PID: 1488

Level 36: C:\Windows\SysWOW64\Aphegjhc.exe
Command line: C:\Windows\system32\Aphegjhc.exe
- Executes dropped EXE
PID: 5060

Level 37: C:\Windows\SysWOW64\Ckiipa32.exe
Command line: C:\Windows\system32\Ckiipa32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 60
Level 38: C:\Windows\SysWOW64\Cddjofbj.exe
Command line: C:\Windows\system32\Cddjofbj.exe
- Executes dropped EXE
- Modifies registry class
PID: 4740

Level 39: C:\Windows\SysWOW64\Dnfanjqp.exe
Command line: C:\Windows\system32\Dnfanjqp.exe
- Executes dropped EXE
PID: 2652

Level 40: C:\Windows\SysWOW64\Dqigee32.exe
Command line: C:\Windows\system32\Dqigee32.exe
- Executes dropped EXE
PID: 1924

Level 41: C:\Windows\SysWOW64\Ekahhn32.exe
Command line: C:\Windows\system32\Ekahhn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 5012

Level 42: C:\Windows\SysWOW64\Ekeacmel.exe
Command line: C:\Windows\system32\Ekeacmel.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2296

Level 43: C:\Windows\SysWOW64\Eepbabjj.exe
Command line: C:\Windows\system32\Eepbabjj.exe
- Executes dropped EXE
PID: 4732

Level 44: C:\Windows\SysWOW64\Flmhclod.exe
Command line: C:\Windows\system32\Flmhclod.exe
- Executes dropped EXE
PID: 760

Level 45: C:\Windows\SysWOW64\Fnbjpf32.exe
Command line: C:\Windows\system32\Fnbjpf32.exe
- Executes dropped EXE
PID: 2768

Level 46: C:\Windows\SysWOW64\Flfjjkgi.exe
Command line: C:\Windows\system32\Flfjjkgi.exe
- Executes dropped EXE
PID: 112

Level 47: C:\Windows\SysWOW64\Gonilenb.exe
Command line: C:\Windows\system32\Gonilenb.exe
- Executes dropped EXE
PID: 1660

Level 48: C:\Windows\SysWOW64\Hkggfe32.exe
Command line: C:\Windows\system32\Hkggfe32.exe
- Executes dropped EXE
PID: 868

Level 49: C:\Windows\SysWOW64\Haeino32.exe
Command line: C:\Windows\system32\Haeino32.exe
- Executes dropped EXE
PID: 948

Level 50: C:\Windows\SysWOW64\Hoiihcde.exe
Command line: C:\Windows\system32\Hoiihcde.exe
- Executes dropped EXE
PID: 3640

Level 51: C:\Windows\SysWOW64\Hlmiagbo.exe
Command line: C:\Windows\system32\Hlmiagbo.exe
- Executes dropped EXE
PID: 2088

Level 52: C:\Windows\SysWOW64\Ilglgfjd.exe
Command line: C:\Windows\system32\Ilglgfjd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 4788

Level 53: C:\Windows\SysWOW64\Jedjkkmo.exe
Command line: C:\Windows\system32\Jedjkkmo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 4432

Level 54: C:\Windows\SysWOW64\Jdiglgbg.exe
Command line: C:\Windows\system32\Jdiglgbg.exe
- Executes dropped EXE
PID: 408

Level 55: C:\Windows\SysWOW64\Kleiid32.exe
Command line: C:\Windows\system32\Kleiid32.exe
- Executes dropped EXE
PID: 4208

Level 56: C:\Windows\SysWOW64\Klgend32.exe
Command line: C:\Windows\system32\Klgend32.exe
- Executes dropped EXE
PID: 748

Level 57: C:\Windows\SysWOW64\Knhbflbp.exe
Command line: C:\Windows\system32\Knhbflbp.exe
- Executes dropped EXE
PID: 3864

Level 58: C:\Windows\SysWOW64\Khnfce32.exe
Command line: C:\Windows\system32\Khnfce32.exe
- Executes dropped EXE
PID: 3592

Level 59: C:\Windows\SysWOW64\Kffphhmj.exe
Command line: C:\Windows\system32\Kffphhmj.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 5112

Level 60: C:\Windows\SysWOW64\Locnlmoe.exe
Command line: C:\Windows\system32\Locnlmoe.exe
- Executes dropped EXE
- Modifies registry class
PID: 4252

Level 61: C:\Windows\SysWOW64\Lbgcch32.exe
Command line: C:\Windows\system32\Lbgcch32.exe
- Executes dropped EXE
PID: 1016

Level 62: C:\Windows\SysWOW64\Meobeb32.exe
Command line: C:\Windows\system32\Meobeb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 4140

Level 63: C:\Windows\SysWOW64\Mpdgbkab.exe
Command line: C:\Windows\system32\Mpdgbkab.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 4572

Level 64: C:\Windows\SysWOW64\Nmmqgo32.exe
Command line: C:\Windows\system32\Nmmqgo32.exe
- Executes dropped EXE
PID: 3004

Level 65: C:\Windows\SysWOW64\Onjmjegg.exe
Command line: C:\Windows\system32\Onjmjegg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 4996
Level 66: C:\Windows\SysWOW64\Ppgeff32.exe
Command line: C:\Windows\system32\Ppgeff32.exe
PID: 1356

Level 67: C:\Windows\SysWOW64\Qfcjhphd.exe
Command line: C:\Windows\system32\Qfcjhphd.exe
PID: 2732

Level 68: C:\Windows\SysWOW64\Aifpoj32.exe
Command line: C:\Windows\system32\Aifpoj32.exe
PID: 3408

Level 69: C:\Windows\SysWOW64\Bnnklg32.exe
Command line: C:\Windows\system32\Bnnklg32.exe
PID: 2836

Level 70: C:\Windows\SysWOW64\Bckddn32.exe
Command line: C:\Windows\system32\Bckddn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 3232

Level 71: C:\Windows\SysWOW64\Ccajdmin.exe
Command line: C:\Windows\system32\Ccajdmin.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1240

Level 72: C:\Windows\SysWOW64\Eckfaj32.exe
Command line: C:\Windows\system32\Eckfaj32.exe
PID: 208

Level 73: C:\Windows\SysWOW64\Fpimgjbm.exe
Command line: C:\Windows\system32\Fpimgjbm.exe
PID: 2348

Level 74: C:\Windows\SysWOW64\Ffeaichg.exe
Command line: C:\Windows\system32\Ffeaichg.exe
PID: 4488

Level 75: C:\Windows\SysWOW64\Fmbflm32.exe
Command line: C:\Windows\system32\Fmbflm32.exe
PID: 2020

Level 76: C:\Windows\SysWOW64\Fggkifmg.exe
Command line: C:\Windows\system32\Fggkifmg.exe
PID: 4264

Level 77: C:\Windows\SysWOW64\Gablgk32.exe
Command line: C:\Windows\system32\Gablgk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 3612

Level 78: C:\Windows\SysWOW64\Gjmmfq32.exe
Command line: C:\Windows\system32\Gjmmfq32.exe
PID: 4180

Level 79: C:\Windows\SysWOW64\Hhegjdag.exe
Command line: C:\Windows\system32\Hhegjdag.exe
PID: 3616

Level 80: C:\Windows\SysWOW64\Hfkdkqeo.exe
Command line: C:\Windows\system32\Hfkdkqeo.exe
- Modifies registry class
PID: 2156

Level 81: C:\Windows\SysWOW64\Iokocmnf.exe
Command line: C:\Windows\system32\Iokocmnf.exe
- Drops file in System32 directory
PID: 2760

Level 82: C:\Windows\SysWOW64\Jpfnqc32.exe
Command line: C:\Windows\system32\Jpfnqc32.exe
PID: 4340

Level 83: C:\Windows\SysWOW64\Jpjhlche.exe
Command line: C:\Windows\system32\Jpjhlche.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 5140

Level 84: C:\Windows\SysWOW64\Jkplilgk.exe
Command line: C:\Windows\system32\Jkplilgk.exe
PID: 5200

Level 85: C:\Windows\SysWOW64\Kpkqbq32.exe
Command line: C:\Windows\system32\Kpkqbq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 5244

Level 86: C:\Windows\SysWOW64\Lglopjkg.exe
Command line: C:\Windows\system32\Lglopjkg.exe
- Modifies registry class
PID: 5288

Level 87: C:\Windows\SysWOW64\Lnhdbc32.exe
Command line: C:\Windows\system32\Lnhdbc32.exe
PID: 5344

Level 88: C:\Windows\SysWOW64\Mbmbiqqp.exe
Command line: C:\Windows\system32\Mbmbiqqp.exe
PID: 5464

Level 89: C:\Windows\SysWOW64\Nofmndkd.exe
Command line: C:\Windows\system32\Nofmndkd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 5508

Level 90: C:\Windows\SysWOW64\Nqgiel32.exe
Command line: C:\Windows\system32\Nqgiel32.exe
PID: 5580

Level 91: C:\Windows\SysWOW64\Oapllk32.exe
Command line: C:\Windows\system32\Oapllk32.exe
PID: 5624

Level 92: C:\Windows\SysWOW64\Qimfoe32.exe
Command line: C:\Windows\system32\Qimfoe32.exe
PID: 5692

Level 93: C:\Windows\SysWOW64\Beaced32.exe
Command line: C:\Windows\system32\Beaced32.exe
PID: 5736

Level 94: C:\Windows\SysWOW64\Bbljoh32.exe
Command line: C:\Windows\system32\Bbljoh32.exe
- Drops file in System32 directory
PID: 5776
Level 95: C:\Windows\SysWOW64\Bifblbad.exe
Command line: C:\Windows\system32\Bifblbad.exe
- Modifies registry class
PID: 5816

Level 96: C:\Windows\SysWOW64\Bocjdiol.exe
Command line: C:\Windows\system32\Bocjdiol.exe
- Drops file in System32 directory
PID: 5860

Level 97: C:\Windows\SysWOW64\Chebcmna.exe
Command line: C:\Windows\system32\Chebcmna.exe
PID: 5892

Level 98: C:\Windows\SysWOW64\Coojpg32.exe
Command line: C:\Windows\system32\Coojpg32.exe
PID: 5952

Level 99: C:\Windows\SysWOW64\Ebkbmqhb.exe
Command line: C:\Windows\system32\Ebkbmqhb.exe
PID: 5988

Level 100: C:\Windows\SysWOW64\Eckogc32.exe
Command line: C:\Windows\system32\Eckogc32.exe
PID: 6032

Level 101: C:\Windows\SysWOW64\Ejegdngb.exe
Command line: C:\Windows\system32\Ejegdngb.exe
- Drops file in System32 directory
PID: 6080

Level 102: C:\Windows\SysWOW64\Fqcilgji.exe
Command line: C:\Windows\system32\Fqcilgji.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 6124

Level 103: C:\Windows\SysWOW64\Fmapag32.exe
Command line: C:\Windows\system32\Fmapag32.exe
PID: 5124

Level 104: C:\Windows\SysWOW64\Fihqfh32.exe
Command line: C:\Windows\system32\Fihqfh32.exe
- Drops file in System32 directory
PID: 1144

Level 105: C:\Windows\SysWOW64\Gmmome32.exe
Command line: C:\Windows\system32\Gmmome32.exe
PID: 1772

Level 106: C:\Windows\SysWOW64\Gbjhelnp.exe
Command line: C:\Windows\system32\Gbjhelnp.exe
- Drops file in System32 directory
PID: 436

Level 107: C:\Windows\SysWOW64\Hidpbf32.exe
Command line: C:\Windows\system32\Hidpbf32.exe
PID: 4528

Level 108: C:\Windows\SysWOW64\Hcidoo32.exe
Command line: C:\Windows\system32\Hcidoo32.exe
PID: 5320

Level 109: C:\Windows\SysWOW64\Himche32.exe
Command line: C:\Windows\system32\Himche32.exe
PID: 5340

Level 110: C:\Windows\SysWOW64\Jaddpppa.exe
Command line: C:\Windows\system32\Jaddpppa.exe
- Drops file in System32 directory
PID: 1288

Level 111: C:\Windows\SysWOW64\Maefnk32.exe
Command line: C:\Windows\system32\Maefnk32.exe
PID: 1432

Level 112: C:\Windows\SysWOW64\Mjednmla.exe
Command line: C:\Windows\system32\Mjednmla.exe
PID: 876

Level 113: C:\Windows\SysWOW64\Ndmepe32.exe
Command line: C:\Windows\system32\Ndmepe32.exe
PID: 2288

Level 114: C:\Windows\SysWOW64\Nkgmmpab.exe
Command line: C:\Windows\system32\Nkgmmpab.exe
PID: 5644

Level 115: C:\Windows\SysWOW64\Naaejj32.exe
Command line: C:\Windows\system32\Naaejj32.exe
- Drops file in System32 directory
PID: 5716

Level 116: C:\Windows\SysWOW64\Ncbaabom.exe
Command line: C:\Windows\system32\Ncbaabom.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 5768

Level 117: C:\Windows\SysWOW64\Odkaac32.exe
Command line: C:\Windows\system32\Odkaac32.exe
- Drops file in System32 directory
PID: 5848

Level 118: C:\Windows\SysWOW64\Peddhb32.exe
Command line: C:\Windows\system32\Peddhb32.exe
PID: 5840

Level 119: C:\Windows\SysWOW64\Papnhbgi.exe
Command line: C:\Windows\system32\Papnhbgi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 4720

Level 120: C:\Windows\SysWOW64\Anpnmele.exe
Command line: C:\Windows\system32\Anpnmele.exe
PID: 1020

Level 121: C:\Windows\SysWOW64\Aaccdp32.exe
Command line: C:\Windows\system32\Aaccdp32.exe
PID: 6012

Level 122: C:\Windows\SysWOW64\Becipn32.exe
Command line: C:\Windows\system32\Becipn32.exe
- Drops file in System32 directory
- Modifies registry class
PID: 6076