Analysis
- max time kernel: 132s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-11-2023 23:26
Behavioral task: behavioral1
- Sample: NEAS.a9094df63c2d950e9160c2db33247cc0.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.a9094df63c2d950e9160c2db33247cc0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.a9094df63c2d950e9160c2db33247cc0.exe
- Size: 482KB
- MD5: a9094df63c2d950e9160c2db33247cc0
- SHA1: 277b7819e920262b283964f3198921fa519366f2
- SHA256: 14b5d2c289324add7bc011f30e2c4a2e1fd2416d120b37987889f0e70deaee02
- SHA512: c2e244d9243a9f43cf83d311d03c03f7a9c05088c4cdb1e0acd07bbd6685daba17d7d5ca36928dd13695d4741d5fabc4a13cd4b2e38b23ac95d9352a9fa787b9
- SSDEEP: 12288:M6Lz8JSLrpV6yYP4rbpV6yYPg058KpV6yYP8OThj:X4JSLrW4XWleKW8OThj
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Adadbi32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kdpmmf32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmmmqnaf.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmginjki.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idmafc32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nnpcjplf.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjahchpb.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqfolqna.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Omnqhbap.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fakfglhm.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ihfpabbd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iobecl32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iamoon32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hjfplo32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jpjhlche.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knhkkfod.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kplijk32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ieoapl32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hfhgfaha.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmqekg32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgebfhcl.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcofbifb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bipcei32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bodano32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dofgklcb.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcbmlbig.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfeccm32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckclfp32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fjbddh32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkadam32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccipelcf.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dokqfl32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kifcnjpi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ghfnej32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pifghmae.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nofmndkd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ndbefkjk.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngipjp32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkiapn32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmheph32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Llpofd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ikjmcc32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kbfjljhf.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpfkna32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Galonj32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldiiio32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pghaghfn.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhmdeink.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Moomgl32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nfnooe32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aekdolkj.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alelkf32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Enfcjb32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hmginjki.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmecba32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dgplai32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kdfmcobk.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mminfech.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oknnanhj.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agiahlkf.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mihbpalh.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgmfel32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Epgpajdp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lonnfg32.exe
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
  resource | yara_rule
  behavioral2/files/0x0006000000022cff-6.dat | family_berbew
  behavioral2/files/0x0006000000022cff-8.dat | family_berbew
  behavioral2/files/0x0006000000022d06-14.dat | family_berbew
  behavioral2/files/0x0006000000022d06-16.dat | family_berbew
  behavioral2/files/0x0006000000022d08-22.dat | family_berbew
  behavioral2/files/0x0006000000022d08-24.dat | family_berbew
  behavioral2/files/0x0006000000022d0a-25.dat | family_berbew
  behavioral2/files/0x0006000000022d0a-30.dat | family_berbew
  behavioral2/files/0x0006000000022d0a-31.dat | family_berbew
  behavioral2/files/0x0006000000022d0f-38.dat | family_berbew
  behavioral2/files/0x0006000000022d0f-40.dat | family_berbew
  behavioral2/files/0x0006000000022d11-45.dat | family_berbew
  behavioral2/files/0x0007000000022d01-55.dat | family_berbew
  behavioral2/files/0x0007000000022d01-57.dat | family_berbew
  behavioral2/files/0x0006000000022d11-47.dat | family_berbew
  behavioral2/files/0x0007000000022d03-63.dat | family_berbew
  behavioral2/files/0x0007000000022d03-65.dat | family_berbew
  behavioral2/files/0x0008000000022d05-66.dat | family_berbew
  behavioral2/files/0x0008000000022d05-70.dat | family_berbew
  behavioral2/files/0x0008000000022d05-73.dat | family_berbew
  behavioral2/files/0x0008000000022d0e-79.dat | family_berbew
  behavioral2/files/0x0008000000022d0e-81.dat | family_berbew
  behavioral2/files/0x0006000000022d16-87.dat | family_berbew
  behavioral2/files/0x0006000000022d16-88.dat | family_berbew
  behavioral2/files/0x0006000000022d18-96.dat | family_berbew
  behavioral2/files/0x0006000000022d1a-106.dat | family_berbew
  behavioral2/files/0x0006000000022d1d-115.dat | family_berbew
  behavioral2/files/0x0006000000022d1d-114.dat | family_berbew
  behavioral2/files/0x0006000000022d1a-105.dat | family_berbew
  behavioral2/files/0x0006000000022d18-97.dat | family_berbew
  behavioral2/files/0x0006000000022d1f-123.dat | family_berbew
  behavioral2/files/0x0006000000022d1f-124.dat | family_berbew
  behavioral2/files/0x0006000000022d21-132.dat | family_berbew
  behavioral2/files/0x0006000000022d21-134.dat | family_berbew
  behavioral2/files/0x0006000000022d23-136.dat | family_berbew
  behavioral2/files/0x0006000000022d23-140.dat | family_berbew
  behavioral2/files/0x0006000000022d23-142.dat | family_berbew
  behavioral2/files/0x0006000000022d25-150.dat | family_berbew
  behavioral2/files/0x0006000000022d25-153.dat | family_berbew
  behavioral2/files/0x0006000000022d2a-159.dat | family_berbew
  behavioral2/files/0x0006000000022d2a-161.dat | family_berbew
  behavioral2/files/0x0006000000022d2b-163.dat | family_berbew
  behavioral2/files/0x0006000000022d2b-168.dat | family_berbew
  behavioral2/files/0x0006000000022d2b-170.dat | family_berbew
  behavioral2/files/0x0006000000022d2d-177.dat | family_berbew
  behavioral2/files/0x0006000000022d2d-179.dat | family_berbew
  behavioral2/files/0x0006000000022d2f-185.dat | family_berbew
  behavioral2/files/0x0006000000022d2f-186.dat | family_berbew
  behavioral2/files/0x0006000000022d31-193.dat | family_berbew
  behavioral2/files/0x0006000000022d31-195.dat | family_berbew
  behavioral2/files/0x0006000000022d33-202.dat | family_berbew
  behavioral2/files/0x0006000000022d33-205.dat | family_berbew
  behavioral2/files/0x0006000000022d36-211.dat | family_berbew
  behavioral2/files/0x0006000000022d36-213.dat | family_berbew
  behavioral2/files/0x0006000000022d38-220.dat | family_berbew
  behavioral2/files/0x0006000000022d38-222.dat | family_berbew
  behavioral2/files/0x0006000000022d3a-229.dat | family_berbew
  behavioral2/files/0x0006000000022d3a-231.dat | family_berbew
  behavioral2/files/0x0006000000022d41-238.dat | family_berbew
  behavioral2/files/0x0006000000022d41-239.dat | family_berbew
  behavioral2/files/0x0006000000022d46-246.dat | family_berbew
  behavioral2/files/0x0006000000022d46-248.dat | family_berbew
  behavioral2/files/0x0006000000022d49-256.dat | family_berbew
  behavioral2/files/0x0006000000022d49-257.dat | family_berbew
- Executes dropped EXE (64 IoCs)
  pid | Process
  2416 | Cfljnejl.exe
  4080 | Didjqoae.exe
  916 | Efhjjcpo.exe
  2864 | Ebcdjc32.exe
  3804 | Hljnkdnk.exe
  1728 | Imfmgcdn.exe
  3828 | Jicdlc32.exe
  4364 | Jjcqffkm.exe
  4260 | Kplijk32.exe
  4360 | Kifjip32.exe
  2476 | Malnklgg.exe
  4532 | Njmejp32.exe
  3544 | Nhafcd32.exe
  3744 | Nhcbidcd.exe
  3352 | Ngipjp32.exe
  1652 | Omgabj32.exe
  1316 | Oknnanhj.exe
  1124 | Phfhfa32.exe
  1364 | Pjjaci32.exe
  3116 | Pjahchpb.exe
  1072 | Qajlje32.exe
  2812 | Agiahlkf.exe
  3000 | Akgjnj32.exe
  3884 | Aqfolqna.exe
  2336 | Bjcmpepm.exe
  2328 | Bglgdi32.exe
  1968 | Bgodjiio.exe
  4736 | Cqiehnml.exe
  4596 | Cjdfgc32.exe
  4164 | Cnboma32.exe
  2488 | Dgmpkg32.exe
  492 | Dgomaf32.exe
  776 | Ebnddn32.exe
  4896 | Ehofhdli.exe
  676 | Focakm32.exe
  664 | Fkiapn32.exe
  1152 | Gbhpajlj.exe
  4152 | Glpdjpbj.exe
  4124 | Hcofbifb.exe
  2168 | Hlgjko32.exe
  4956 | Jjpmfpid.exe
  2420 | Jomeoggk.exe
  4408 | Jfikaqme.exe
  3132 | Jcmkjeko.exe
  5036 | Jmepcj32.exe
  2396 | Kfndlphp.exe
  3364 | Kofheeoq.exe
  980 | Kjlmbnof.exe
  3584 | Koiejemn.exe
  3644 | Kbinlp32.exe
  4300 | Komoed32.exe
  4764 | Kifcnjpi.exe
  2404 | Lkflpe32.exe
  3468 | Lijlii32.exe
  4580 | Lmheph32.exe
  4136 | Lcbmlbig.exe
  3808 | Liofdigo.exe
  1524 | Lfcfnm32.exe
  1852 | Llpofd32.exe
  1956 | Mfeccm32.exe
  4728 | Mlgegcng.exe
  816 | Mbamcm32.exe
  4648 | Mlialb32.exe
  1400 | Mbcjimda.exe
- Drops file in System32 directory (64 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Fmbflm32.exe | Ffhnocfd.exe
  File created | C:\Windows\SysWOW64\Iddehb32.dll | Didjqoae.exe
  File created | C:\Windows\SysWOW64\Oegbgf32.dll | Mminfech.exe
  File opened for modification | C:\Windows\SysWOW64\Pghaghfn.exe | Ppoijn32.exe
  File opened for modification | C:\Windows\SysWOW64\Jekpljgg.exe | Joahop32.exe
  File opened for modification | C:\Windows\SysWOW64\Kfndlphp.exe | Jmepcj32.exe
  File opened for modification | C:\Windows\SysWOW64\Bnobfn32.exe | Bjqjpp32.exe
  File opened for modification | C:\Windows\SysWOW64\Fmmmqnaf.exe | Fgqehgco.exe
  File created | C:\Windows\SysWOW64\Oiphhg32.dll | Lijlii32.exe
  File created | C:\Windows\SysWOW64\Enigjh32.exe | Eepbabjj.exe
  File created | C:\Windows\SysWOW64\Egpofhkf.dll | Aepmjk32.exe
  File created | C:\Windows\SysWOW64\Lkenkhec.exe | Lonnfg32.exe
  File opened for modification | C:\Windows\SysWOW64\Kdpmmf32.exe | Kleiid32.exe
  File created | C:\Windows\SysWOW64\Cqncbfbf.dll | Mkhkblii.exe
  File created | C:\Windows\SysWOW64\Mdloelpc.exe | Mkcjlf32.exe
  File created | C:\Windows\SysWOW64\Ppccemjk.exe | Pgknlg32.exe
  File opened for modification | C:\Windows\SysWOW64\Fcjimnjl.exe | Fjbddh32.exe
  File opened for modification | C:\Windows\SysWOW64\Ieoapl32.exe | Ikjmcc32.exe
  File created | C:\Windows\SysWOW64\Lgcnle32.dll | Jdkdbgpd.exe
  File created | C:\Windows\SysWOW64\Eepbabjj.exe | Ejkndijd.exe
  File created | C:\Windows\SysWOW64\Npckji32.dll | Pohilc32.exe
  File created | C:\Windows\SysWOW64\Mhfmom32.dll | Jjcqffkm.exe
  File opened for modification | C:\Windows\SysWOW64\Ehofhdli.exe | Ebnddn32.exe
  File created | C:\Windows\SysWOW64\Llpofd32.exe | Lfcfnm32.exe
  File opened for modification | C:\Windows\SysWOW64\Omnqhbap.exe | Odelpm32.exe
  File opened for modification | C:\Windows\SysWOW64\Kifcnjpi.exe | Komoed32.exe
  File opened for modification | C:\Windows\SysWOW64\Ndphpk32.exe | Mhihkjfj.exe
  File opened for modification | C:\Windows\SysWOW64\Dokqfl32.exe | Dnjdncio.exe
  File created | C:\Windows\SysWOW64\Dbkpkdlk.dll | Enfcjb32.exe
  File created | C:\Windows\SysWOW64\Nofmndkd.exe | Ndphpk32.exe
  File created | C:\Windows\SysWOW64\Komhkn32.exe | Khbpndnp.exe
  File created | C:\Windows\SysWOW64\Gbechqgb.dll | Lhelddln.exe
  File created | C:\Windows\SysWOW64\Qibfdkgh.exe | Qbhnga32.exe
  File created | C:\Windows\SysWOW64\Chhmjaaq.dll | Abodhpic.exe
  File created | C:\Windows\SysWOW64\Igpgak32.dll | Dgmpkg32.exe
  File created | C:\Windows\SysWOW64\Anjikoip.exe | Adadbi32.exe
  File created | C:\Windows\SysWOW64\Fjbddh32.exe | Enigjh32.exe
  File created | C:\Windows\SysWOW64\Pmecdbbh.dll | Iaahjmkn.exe
  File opened for modification | C:\Windows\SysWOW64\Fgqehgco.exe | Fnhppa32.exe
  File created | C:\Windows\SysWOW64\Oecopk32.dll | Qlpcpffl.exe
  File created | C:\Windows\SysWOW64\Dkkaqcod.dll | Fjbddh32.exe
  File opened for modification | C:\Windows\SysWOW64\Cgbppknb.exe | Cllkcbnl.exe
  File created | C:\Windows\SysWOW64\Pabgnqhk.dll | Knhkkfod.exe
  File created | C:\Windows\SysWOW64\Ckclfp32.exe | Cjcolm32.exe
  File created | C:\Windows\SysWOW64\Bekmei32.exe | Blchmdff.exe
  File created | C:\Windows\SysWOW64\Aoebjc32.dll | Mbpoop32.exe
  File created | C:\Windows\SysWOW64\Gmlngkld.dll | Mgebfhcl.exe
  File opened for modification | C:\Windows\SysWOW64\Mbcjimda.exe | Mlialb32.exe
  File created | C:\Windows\SysWOW64\Nlpabkba.exe | Nfpled32.exe
  File created | C:\Windows\SysWOW64\Njjnnm32.dll | Agojdnng.exe
  File created | C:\Windows\SysWOW64\Ipenifka.dll | Ihfpabbd.exe
  File created | C:\Windows\SysWOW64\Ejhaop32.dll | Dgomaf32.exe
  File created | C:\Windows\SysWOW64\Fhklgafl.dll | Dodjemee.exe
  File created | C:\Windows\SysWOW64\Bqdechnf.exe | Bkglkapo.exe
  File opened for modification | C:\Windows\SysWOW64\Egjebn32.exe | Emdaee32.exe
  File created | C:\Windows\SysWOW64\Epgpajdp.exe | Enfcjb32.exe
  File created | C:\Windows\SysWOW64\Haeadi32.exe | Hfonfp32.exe
  File created | C:\Windows\SysWOW64\Hbljohcp.dll | Hmginjki.exe
  File created | C:\Windows\SysWOW64\Bcllmi32.dll | Ngipjp32.exe
  File created | C:\Windows\SysWOW64\Haaamjgi.dll | Qipqibmf.exe
  File opened for modification | C:\Windows\SysWOW64\Glmqjj32.exe | Ghohdk32.exe
  File opened for modification | C:\Windows\SysWOW64\Fnacfp32.exe | Fmbflm32.exe
  File opened for modification | C:\Windows\SysWOW64\Jgiiclkl.exe | Jmqekg32.exe
  File created | C:\Windows\SysWOW64\Plpjjm32.dll | Cfljnejl.exe
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  9128 | 8996 | WerFault.exe | 409
- Modifies registry class (64 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nhcbidcd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Komoed32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Acbhhf32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hmcfma32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Npmjij32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifejakcn.dll" | Djlkhe32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fnpmkg32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beiopegj.dll" | Jekpljgg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoocbakd.dll" | Kbfjljhf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nmhglopl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmjnelk.dll" | Nhafcd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdahfjfm.dll" | Pifghmae.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foqacehl.dll" | Gpelchhp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mbkfcabb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pghaghfn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bckknd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfhqcqb.dll" | Bnaolm32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fakfglhm.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ladpcb32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lijlii32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fmejlcoj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopcnnoc.dll" | Aekdolkj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pjahchpb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddndonph.dll" | Jomeoggk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ppafpm32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Knhkkfod.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jpjhlche.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkaqcod.dll" | Fjbddh32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bgdcom32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diahic32.dll" | Enigjh32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pifghmae.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dflflg32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqhfobnm.dll" | Cjcolm32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppajem32.dll" | Pimmil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mgebfhcl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mkcjlf32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgdcp32.dll" | Oinkmdml.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaamjgi.dll" | Qipqibmf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjpoelb.dll" | Aidcjk32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqbjnc32.dll" | Lkflpe32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gplbcgbg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddehlk.dll" | Mhpeelnd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Agiahlkf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Egjebn32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kleiid32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgidn32.dll" | Cpfkna32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hjfplo32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Idmafc32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Koggehff.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nmbamdkm.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aekdolkj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dfnbbg32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mhihkjfj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pjjaci32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekakihaj.dll" | Koiejemn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Qckbggad.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldibcl32.dll" | Lkenkhec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfpahcln.dll" | Emdaee32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kdpmmf32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Epgpajdp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fkiapn32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldlbmob.dll" | Nfabok32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmlhd32.dll" | Omdnbd32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ghohdk32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each row below is one logged WriteProcessMemory call: the writer (pid, Process) and the process it wrote into. The report repeats most rows three times and stops at 64 rows, its IoC cap, so the table ends at the 22nd hop; identical rows are collapsed here with their count. The chain is strictly linear: every process written into is the writer of the next row, which is the same relay the process tree below shows.

| description | pid | Process | procid_target | rows |
|---|---|---|---|---|
| PID 3504 wrote to memory of 2416 | 3504 | NEAS.a9094df63c2d950e9160c2db33247cc0.exe | 91 | 3 |
| PID 2416 wrote to memory of 4080 | 2416 | Cfljnejl.exe | 93 | 3 |
| PID 4080 wrote to memory of 916 | 4080 | Didjqoae.exe | 94 | 3 |
| PID 916 wrote to memory of 2864 | 916 | Efhjjcpo.exe | 95 | 3 |
| PID 2864 wrote to memory of 3804 | 2864 | Ebcdjc32.exe | 96 | 3 |
| PID 3804 wrote to memory of 1728 | 3804 | Hljnkdnk.exe | 97 | 3 |
| PID 1728 wrote to memory of 3828 | 1728 | Imfmgcdn.exe | 98 | 3 |
| PID 3828 wrote to memory of 4364 | 3828 | Jicdlc32.exe | 99 | 3 |
| PID 4364 wrote to memory of 4260 | 4364 | Jjcqffkm.exe | 100 | 3 |
| PID 4260 wrote to memory of 4360 | 4260 | Kplijk32.exe | 101 | 3 |
| PID 4360 wrote to memory of 2476 | 4360 | Kifjip32.exe | 104 | 3 |
| PID 2476 wrote to memory of 4532 | 2476 | Malnklgg.exe | 105 | 3 |
| PID 4532 wrote to memory of 3544 | 4532 | Njmejp32.exe | 106 | 3 |
| PID 3544 wrote to memory of 3744 | 3544 | Nhafcd32.exe | 107 | 3 |
| PID 3744 wrote to memory of 3352 | 3744 | Nhcbidcd.exe | 108 | 3 |
| PID 3352 wrote to memory of 1652 | 3352 | Ngipjp32.exe | 109 | 3 |
| PID 1652 wrote to memory of 1316 | 1652 | Omgabj32.exe | 110 | 3 |
| PID 1316 wrote to memory of 1124 | 1316 | Oknnanhj.exe | 111 | 3 |
| PID 1124 wrote to memory of 1364 | 1124 | Phfhfa32.exe | 112 | 3 |
| PID 1364 wrote to memory of 3116 | 1364 | Pjjaci32.exe | 113 | 3 |
| PID 3116 wrote to memory of 1072 | 3116 | Pjahchpb.exe | 114 | 3 |
| PID 1072 wrote to memory of 2812 | 1072 | Qajlje32.exe | 115 | 1 |
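The table above is the flattened text a reader actually gets from the report, so the first thing an analyst wants is code that turns it back into a chain and tells them whether it is the relay pattern (each process written into immediately writes into its own child). The script below is an added example written for this page, not part of the report or of any sandbox tooling. Its input is a constructed excerpt of the table: rows 1 to 12 (the first four hops, three rows each) and row 64 (the isolated last hop) are copied from the report, the 51 rows between them are deliberately left out to show how a capped table breaks into fragments. The PID-to-image map is taken from the Processes section below for just those PIDs, and the `min_hops=3` threshold is an assumption of the example.

```python
"""Rebuild the process-injection chain from a sandbox report's WriteProcessMemory
IoC rows.  Added example for this page; not code from the report or the sandbox."""
import re
from collections import Counter

# Constructed excerpt of the report's table, flattened the way the page renders it:
# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
# Rows 1-12 and row 64 are copied from the report; rows 13-63 are omitted on purpose.
REPORT_EXCERPT = """
PID 3504 wrote to memory of 2416 3504 NEAS.a9094df63c2d950e9160c2db33247cc0.exe 91
PID 3504 wrote to memory of 2416 3504 NEAS.a9094df63c2d950e9160c2db33247cc0.exe 91
PID 3504 wrote to memory of 2416 3504 NEAS.a9094df63c2d950e9160c2db33247cc0.exe 91
PID 2416 wrote to memory of 4080 2416 Cfljnejl.exe 93
PID 2416 wrote to memory of 4080 2416 Cfljnejl.exe 93
PID 2416 wrote to memory of 4080 2416 Cfljnejl.exe 93
PID 4080 wrote to memory of 916 4080 Didjqoae.exe 94
PID 4080 wrote to memory of 916 4080 Didjqoae.exe 94
PID 4080 wrote to memory of 916 4080 Didjqoae.exe 94
PID 916 wrote to memory of 2864 916 Efhjjcpo.exe 95
PID 916 wrote to memory of 2864 916 Efhjjcpo.exe 95
PID 916 wrote to memory of 2864 916 Efhjjcpo.exe 95
PID 1072 wrote to memory of 2812 1072 Qajlje32.exe 115
"""

# PID -> image path, copied from the report's Processes section for the PIDs above.
IMAGE_PATHS = {
    3504: r"C:\Users\Admin\AppData\Local\Temp\NEAS.a9094df63c2d950e9160c2db33247cc0.exe",
    2416: r"C:\Windows\SysWOW64\Cfljnejl.exe",
    4080: r"C:\Windows\SysWOW64\Didjqoae.exe",
    916: r"C:\Windows\SysWOW64\Efhjjcpo.exe",
    2864: r"C:\Windows\SysWOW64\Ebcdjc32.exe",
    1072: r"C:\Windows\SysWOW64\Qajlje32.exe",
    2812: r"C:\Windows\SysWOW64\Agiahlkf.exe",
}

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)"
)


def parse_events(text):
    """Return (src_pid, dst_pid, src_image, procid_target) per row.  The description
    and the pid column both name the writer; a mismatch means the flattened text was
    split wrongly, so fail loudly instead of building a chain from garbage."""
    events = []
    for m in EVENT_RE.finditer(text):
        if m["src"] != m["pid"]:
            raise ValueError("pid column disagrees with description: " + m.group(0))
        events.append((int(m["src"]), int(m["dst"]), m["image"], int(m["target"])))
    return events


def events_per_hop(events):
    """How many rows the report logged for each (writer, target) pair."""
    return Counter((src, dst) for src, dst, _, _ in events)


def injection_chains(events):
    """Follow writer -> target edges into maximal paths.  A PID that is never a
    target starts a chain; the walk stops at a fan-out (two targets) or a cycle,
    so a capped or partial table yields several fragments rather than one path."""
    children = {}
    for src, dst, _, _ in events:
        children.setdefault(src, set()).add(dst)
    targets = {dst for _, dst, _, _ in events}
    chains = []
    for root in sorted(pid for pid in children if pid not in targets):
        path = [root]
        while path[-1] in children and len(children[path[-1]]) == 1:
            nxt = next(iter(children[path[-1]]))
            if nxt in path:
                break  # cycle guard: never loop on malformed input
            path.append(nxt)
        chains.append(path)
    return chains


def system_dir_targets(events, image_paths):
    """Target PIDs whose image sits in a Windows system directory: here every
    injected-into process is a freshly dropped EXE posing as a system binary."""
    hits = []
    for _, dst, _, _ in events:
        if image_paths.get(dst, "").lower().startswith(SYSTEM_DIRS) and dst not in hits:
            hits.append(dst)
    return hits


def assess(report_text, image_paths, min_hops=3):
    """Summarise the chain.  min_hops=3 is an assumed threshold: a process that is
    itself the target of a write and at once writes into its own child, three times
    in a row, is the relay pattern this report shows."""
    events = parse_events(report_text)
    chains = injection_chains(events)
    longest = max(chains, key=len, default=[])
    return {
        "rows": len(events),
        "chains": chains,
        "longest_hops": max(len(longest) - 1, 0),
        "system_dir_targets": system_dir_targets(events, image_paths),
        "relay_injection": len(longest) - 1 >= min_hops,
    }


if __name__ == "__main__":
    result = assess(REPORT_EXCERPT, IMAGE_PATHS)
    for chain in result["chains"]:
        names = [IMAGE_PATHS.get(pid, "?").split("\\")[-1] for pid in chain]
        print(" -> ".join(f"{pid} ({name})" for pid, name in zip(chain, names)))
    print(result["longest_hops"], "hops, relay injection:", result["relay_injection"])
```

On the excerpt the code returns two fragments, 3504 -> 2416 -> 4080 -> 916 -> 2864 and 1072 -> 2812, because the rows that would join them are missing. That is the practical caveat of this table: once a signature hits the 64-IoC cap the rows alone cannot reconstruct the whole chain, and the Processes section, which carries the full parent-child tree, has to be used to fill the gap.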
Processes

Process tree as reported. Every process is the only child of the one above it, so the tree is a single chain 122 levels deep; depth is the level in that chain. Each child was launched with the command line C:\Windows\system32\<name>.exe, but its image path is reported under C:\Windows\SysWOW64 because these are 32-bit processes and WOW64 file-system redirection maps System32 to SysWOW64 for them. Signature abbreviations: WPM = Suspicious use of WriteProcessMemory; EXE = Executes dropped EXE; DROP = Drops file in System32 directory; AUTORUN = Adds autorun key to be loaded by Explorer.exe on startup; REGCLASS = Modifies registry class. Two flags run into the report's 64-IoC cap: EXE is set on exactly 64 processes (depth 2 to 65) and WPM on the 22 processes whose writes fill the 64-row table above, so a missing flag on a deeper process is a reporting limit, not evidence that it behaved differently.

| depth | PID | image | command line | signatures |
|---|---|---|---|---|
| 1 | 3504 | C:\Users\Admin\AppData\Local\Temp\NEAS.a9094df63c2d950e9160c2db33247cc0.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.a9094df63c2d950e9160c2db33247cc0.exe" | WPM |
| 2 | 2416 | C:\Windows\SysWOW64\Cfljnejl.exe | C:\Windows\system32\Cfljnejl.exe | EXE, DROP, WPM |
| 3 | 4080 | C:\Windows\SysWOW64\Didjqoae.exe | C:\Windows\system32\Didjqoae.exe | EXE, DROP, WPM |
| 4 | 916 | C:\Windows\SysWOW64\Efhjjcpo.exe | C:\Windows\system32\Efhjjcpo.exe | EXE, WPM |
| 5 | 2864 | C:\Windows\SysWOW64\Ebcdjc32.exe | C:\Windows\system32\Ebcdjc32.exe | EXE, WPM |
| 6 | 3804 | C:\Windows\SysWOW64\Hljnkdnk.exe | C:\Windows\system32\Hljnkdnk.exe | EXE, WPM |
| 7 | 1728 | C:\Windows\SysWOW64\Imfmgcdn.exe | C:\Windows\system32\Imfmgcdn.exe | EXE, WPM |
| 8 | 3828 | C:\Windows\SysWOW64\Jicdlc32.exe | C:\Windows\system32\Jicdlc32.exe | EXE, WPM |
| 9 | 4364 | C:\Windows\SysWOW64\Jjcqffkm.exe | C:\Windows\system32\Jjcqffkm.exe | EXE, DROP, WPM |
| 10 | 4260 | C:\Windows\SysWOW64\Kplijk32.exe | C:\Windows\system32\Kplijk32.exe | AUTORUN, EXE, WPM |
| 11 | 4360 | C:\Windows\SysWOW64\Kifjip32.exe | C:\Windows\system32\Kifjip32.exe | EXE, WPM |
| 12 | 2476 | C:\Windows\SysWOW64\Malnklgg.exe | C:\Windows\system32\Malnklgg.exe | EXE, WPM |
| 13 | 4532 | C:\Windows\SysWOW64\Njmejp32.exe | C:\Windows\system32\Njmejp32.exe | EXE, WPM |
| 14 | 3544 | C:\Windows\SysWOW64\Nhafcd32.exe | C:\Windows\system32\Nhafcd32.exe | EXE, REGCLASS, WPM |
| 15 | 3744 | C:\Windows\SysWOW64\Nhcbidcd.exe | C:\Windows\system32\Nhcbidcd.exe | EXE, REGCLASS, WPM |
| 16 | 3352 | C:\Windows\SysWOW64\Ngipjp32.exe | C:\Windows\system32\Ngipjp32.exe | AUTORUN, EXE, DROP, WPM |
| 17 | 1652 | C:\Windows\SysWOW64\Omgabj32.exe | C:\Windows\system32\Omgabj32.exe | EXE, WPM |
| 18 | 1316 | C:\Windows\SysWOW64\Oknnanhj.exe | C:\Windows\system32\Oknnanhj.exe | AUTORUN, EXE, WPM |
| 19 | 1124 | C:\Windows\SysWOW64\Phfhfa32.exe | C:\Windows\system32\Phfhfa32.exe | EXE, WPM |
| 20 | 1364 | C:\Windows\SysWOW64\Pjjaci32.exe | C:\Windows\system32\Pjjaci32.exe | EXE, REGCLASS, WPM |
| 21 | 3116 | C:\Windows\SysWOW64\Pjahchpb.exe | C:\Windows\system32\Pjahchpb.exe | AUTORUN, EXE, REGCLASS, WPM |
| 22 | 1072 | C:\Windows\SysWOW64\Qajlje32.exe | C:\Windows\system32\Qajlje32.exe | EXE, WPM |
| 23 | 2812 | C:\Windows\SysWOW64\Agiahlkf.exe | C:\Windows\system32\Agiahlkf.exe | AUTORUN, EXE, REGCLASS |
| 24 | 3000 | C:\Windows\SysWOW64\Akgjnj32.exe | C:\Windows\system32\Akgjnj32.exe | EXE |
| 25 | 3884 | C:\Windows\SysWOW64\Aqfolqna.exe | C:\Windows\system32\Aqfolqna.exe | AUTORUN, EXE |
| 26 | 2336 | C:\Windows\SysWOW64\Bjcmpepm.exe | C:\Windows\system32\Bjcmpepm.exe | EXE |
| 27 | 2328 | C:\Windows\SysWOW64\Bglgdi32.exe | C:\Windows\system32\Bglgdi32.exe | EXE |
| 28 | 1968 | C:\Windows\SysWOW64\Bgodjiio.exe | C:\Windows\system32\Bgodjiio.exe | EXE |
| 29 | 4736 | C:\Windows\SysWOW64\Cqiehnml.exe | C:\Windows\system32\Cqiehnml.exe | EXE |
| 30 | 4596 | C:\Windows\SysWOW64\Cjdfgc32.exe | C:\Windows\system32\Cjdfgc32.exe | EXE |
| 31 | 4164 | C:\Windows\SysWOW64\Cnboma32.exe | C:\Windows\system32\Cnboma32.exe | EXE |
| 32 | 2488 | C:\Windows\SysWOW64\Dgmpkg32.exe | C:\Windows\system32\Dgmpkg32.exe | EXE, DROP |
| 33 | 492 | C:\Windows\SysWOW64\Dgomaf32.exe | C:\Windows\system32\Dgomaf32.exe | EXE, DROP |
| 34 | 776 | C:\Windows\SysWOW64\Ebnddn32.exe | C:\Windows\system32\Ebnddn32.exe | EXE, DROP |
| 35 | 4896 | C:\Windows\SysWOW64\Ehofhdli.exe | C:\Windows\system32\Ehofhdli.exe | EXE |
| 36 | 676 | C:\Windows\SysWOW64\Focakm32.exe | C:\Windows\system32\Focakm32.exe | EXE |
| 37 | 664 | C:\Windows\SysWOW64\Fkiapn32.exe | C:\Windows\system32\Fkiapn32.exe | AUTORUN, EXE, REGCLASS |
| 38 | 1152 | C:\Windows\SysWOW64\Gbhpajlj.exe | C:\Windows\system32\Gbhpajlj.exe | EXE |
| 39 | 4152 | C:\Windows\SysWOW64\Glpdjpbj.exe | C:\Windows\system32\Glpdjpbj.exe | EXE |
| 40 | 4124 | C:\Windows\SysWOW64\Hcofbifb.exe | C:\Windows\system32\Hcofbifb.exe | AUTORUN, EXE |
| 41 | 2168 | C:\Windows\SysWOW64\Hlgjko32.exe | C:\Windows\system32\Hlgjko32.exe | EXE |
| 42 | 4956 | C:\Windows\SysWOW64\Jjpmfpid.exe | C:\Windows\system32\Jjpmfpid.exe | EXE |
| 43 | 2420 | C:\Windows\SysWOW64\Jomeoggk.exe | C:\Windows\system32\Jomeoggk.exe | EXE, REGCLASS |
| 44 | 4408 | C:\Windows\SysWOW64\Jfikaqme.exe | C:\Windows\system32\Jfikaqme.exe | EXE |
| 45 | 3132 | C:\Windows\SysWOW64\Jcmkjeko.exe | C:\Windows\system32\Jcmkjeko.exe | EXE |
| 46 | 5036 | C:\Windows\SysWOW64\Jmepcj32.exe | C:\Windows\system32\Jmepcj32.exe | EXE, DROP |
| 47 | 2396 | C:\Windows\SysWOW64\Kfndlphp.exe | C:\Windows\system32\Kfndlphp.exe | EXE |
| 48 | 3364 | C:\Windows\SysWOW64\Kofheeoq.exe | C:\Windows\system32\Kofheeoq.exe | EXE |
| 49 | 980 | C:\Windows\SysWOW64\Kjlmbnof.exe | C:\Windows\system32\Kjlmbnof.exe | EXE |
| 50 | 3584 | C:\Windows\SysWOW64\Koiejemn.exe | C:\Windows\system32\Koiejemn.exe | EXE, REGCLASS |
| 51 | 3644 | C:\Windows\SysWOW64\Kbinlp32.exe | C:\Windows\system32\Kbinlp32.exe | EXE |
| 52 | 4300 | C:\Windows\SysWOW64\Komoed32.exe | C:\Windows\system32\Komoed32.exe | EXE, DROP, REGCLASS |
| 53 | 4764 | C:\Windows\SysWOW64\Kifcnjpi.exe | C:\Windows\system32\Kifcnjpi.exe | AUTORUN, EXE |
| 54 | 2404 | C:\Windows\SysWOW64\Lkflpe32.exe | C:\Windows\system32\Lkflpe32.exe | EXE, REGCLASS |
| 55 | 3468 | C:\Windows\SysWOW64\Lijlii32.exe | C:\Windows\system32\Lijlii32.exe | EXE, DROP, REGCLASS |
| 56 | 4580 | C:\Windows\SysWOW64\Lmheph32.exe | C:\Windows\system32\Lmheph32.exe | AUTORUN, EXE |
| 57 | 4136 | C:\Windows\SysWOW64\Lcbmlbig.exe | C:\Windows\system32\Lcbmlbig.exe | AUTORUN, EXE |
| 58 | 3808 | C:\Windows\SysWOW64\Liofdigo.exe | C:\Windows\system32\Liofdigo.exe | EXE |
| 59 | 1524 | C:\Windows\SysWOW64\Lfcfnm32.exe | C:\Windows\system32\Lfcfnm32.exe | EXE, DROP |
| 60 | 1852 | C:\Windows\SysWOW64\Llpofd32.exe | C:\Windows\system32\Llpofd32.exe | AUTORUN, EXE |
| 61 | 1956 | C:\Windows\SysWOW64\Mfeccm32.exe | C:\Windows\system32\Mfeccm32.exe | AUTORUN, EXE |
| 62 | 4728 | C:\Windows\SysWOW64\Mlgegcng.exe | C:\Windows\system32\Mlgegcng.exe | EXE |
| 63 | 816 | C:\Windows\SysWOW64\Mbamcm32.exe | C:\Windows\system32\Mbamcm32.exe | EXE |
| 64 | 4648 | C:\Windows\SysWOW64\Mlialb32.exe | C:\Windows\system32\Mlialb32.exe | EXE, DROP |
| 65 | 1400 | C:\Windows\SysWOW64\Mbcjimda.exe | C:\Windows\system32\Mbcjimda.exe | EXE |
| 66 | 2172 | C:\Windows\SysWOW64\Mminfech.exe | C:\Windows\system32\Mminfech.exe | AUTORUN, DROP |
| 67 | 4688 | C:\Windows\SysWOW64\Nfabok32.exe | C:\Windows\system32\Nfabok32.exe | REGCLASS |
| 68 | 1792 | C:\Windows\SysWOW64\Nbhcdl32.exe | C:\Windows\system32\Nbhcdl32.exe | none |
| 69 | 3464 | C:\Windows\SysWOW64\Nlbdba32.exe | C:\Windows\system32\Nlbdba32.exe | none |
| 70 | 640 | C:\Windows\SysWOW64\Nmbamdkm.exe | C:\Windows\system32\Nmbamdkm.exe | REGCLASS |
| 71 | 4732 | C:\Windows\SysWOW64\Omdnbd32.exe | C:\Windows\system32\Omdnbd32.exe | REGCLASS |
| 72 | 1456 | C:\Windows\SysWOW64\Ofmbkipk.exe | C:\Windows\system32\Ofmbkipk.exe | none |
| 73 | 3956 | C:\Windows\SysWOW64\Oljkcpnb.exe | C:\Windows\system32\Oljkcpnb.exe | none |
| 74 | 2232 | C:\Windows\SysWOW64\Oinkmdml.exe | C:\Windows\system32\Oinkmdml.exe | REGCLASS |
| 75 | 3536 | C:\Windows\SysWOW64\Obfpejcl.exe | C:\Windows\system32\Obfpejcl.exe | none |
| 76 | 4020 | C:\Windows\SysWOW64\Odelpm32.exe | C:\Windows\system32\Odelpm32.exe | DROP |
| 77 | 2800 | C:\Windows\SysWOW64\Omnqhbap.exe | C:\Windows\system32\Omnqhbap.exe | AUTORUN |
| 78 | 5168 | C:\Windows\SysWOW64\Obkiqi32.exe | C:\Windows\system32\Obkiqi32.exe | none |
| 79 | 5212 | C:\Windows\SysWOW64\Ppoijn32.exe | C:\Windows\system32\Ppoijn32.exe | DROP |
| 80 | 5260 | C:\Windows\SysWOW64\Pghaghfn.exe | C:\Windows\system32\Pghaghfn.exe | AUTORUN, REGCLASS |
| 81 | 5304 | C:\Windows\SysWOW64\Ppafpm32.exe | C:\Windows\system32\Ppafpm32.exe | REGCLASS |
| 82 | 5360 | C:\Windows\SysWOW64\Pgknlg32.exe | C:\Windows\system32\Pgknlg32.exe | DROP |
| 83 | 5404 | C:\Windows\SysWOW64\Ppccemjk.exe | C:\Windows\system32\Ppccemjk.exe | none |
| 84 | 5448 | C:\Windows\SysWOW64\Pkigbfja.exe | C:\Windows\system32\Pkigbfja.exe | none |
| 85 | 5488 | C:\Windows\SysWOW64\Pljcjn32.exe | C:\Windows\system32\Pljcjn32.exe | none |
| 86 | 5532 | C:\Windows\SysWOW64\Pkkdhe32.exe | C:\Windows\system32\Pkkdhe32.exe | none |
| 87 | 5572 | C:\Windows\SysWOW64\Pphlpl32.exe | C:\Windows\system32\Pphlpl32.exe | none |
| 88 | 5616 | C:\Windows\SysWOW64\Qipqibmf.exe | C:\Windows\system32\Qipqibmf.exe | DROP, REGCLASS |
| 89 | 5660 | C:\Windows\SysWOW64\Qpjifl32.exe | C:\Windows\system32\Qpjifl32.exe | none |
| 90 | 5700 | C:\Windows\SysWOW64\Qkpmcddi.exe | C:\Windows\system32\Qkpmcddi.exe | none |
| 91 | 5740 | C:\Windows\SysWOW64\Qckbggad.exe | C:\Windows\system32\Qckbggad.exe | REGCLASS |
| 92 | 5780 | C:\Windows\SysWOW64\Anqfepaj.exe | C:\Windows\system32\Anqfepaj.exe | none |
| 93 | 5824 | C:\Windows\SysWOW64\Acmomgoa.exe | C:\Windows\system32\Acmomgoa.exe | none |
| 94 | 5868 | C:\Windows\SysWOW64\Acpkbf32.exe | C:\Windows\system32\Acpkbf32.exe | none |
| 95 | 5904 | C:\Windows\SysWOW64\Acbhhf32.exe | C:\Windows\system32\Acbhhf32.exe | REGCLASS |
| 96 | 5952 | C:\Windows\SysWOW64\Ajlpepbi.exe | C:\Windows\system32\Ajlpepbi.exe | none |
| 97 | 5996 | C:\Windows\SysWOW64\Adadbi32.exe | C:\Windows\system32\Adadbi32.exe | AUTORUN, DROP |
| 98 | 6036 | C:\Windows\SysWOW64\Anjikoip.exe | C:\Windows\system32\Anjikoip.exe | none |
| 99 | 6076 | C:\Windows\SysWOW64\Acgacegg.exe | C:\Windows\system32\Acgacegg.exe | none |
| 100 | 6128 | C:\Windows\SysWOW64\Bjqjpp32.exe | C:\Windows\system32\Bjqjpp32.exe | DROP |
| 101 | 5128 | C:\Windows\SysWOW64\Bnobfn32.exe | C:\Windows\system32\Bnobfn32.exe | none |
| 102 | 5196 | C:\Windows\SysWOW64\Bckknd32.exe | C:\Windows\system32\Bckknd32.exe | REGCLASS |
| 103 | 5284 | C:\Windows\SysWOW64\Bnaolm32.exe | C:\Windows\system32\Bnaolm32.exe | REGCLASS |
| 104 | 5352 | C:\Windows\SysWOW64\Bgicdc32.exe | C:\Windows\system32\Bgicdc32.exe | none |
| 105 | 5420 | C:\Windows\SysWOW64\Bdmdng32.exe | C:\Windows\system32\Bdmdng32.exe | none |
| 106 | 5480 | C:\Windows\SysWOW64\Bkglkapo.exe | C:\Windows\system32\Bkglkapo.exe | DROP |
| 107 | 5560 | C:\Windows\SysWOW64\Bqdechnf.exe | C:\Windows\system32\Bqdechnf.exe | none |
| 108 | 5624 | C:\Windows\SysWOW64\Cgnmpbec.exe | C:\Windows\system32\Cgnmpbec.exe | none |
| 109 | 5688 | C:\Windows\SysWOW64\Cmkehicj.exe | C:\Windows\system32\Cmkehicj.exe | none |
| 110 | 5772 | C:\Windows\SysWOW64\Cddjofbj.exe | C:\Windows\system32\Cddjofbj.exe | none |
| 111 | 5852 | C:\Windows\SysWOW64\Cjabgm32.exe | C:\Windows\system32\Cjabgm32.exe | none |
| 112 | 5900 | C:\Windows\SysWOW64\Cdfgdf32.exe | C:\Windows\system32\Cdfgdf32.exe | none |
| 113 | 6020 | C:\Windows\SysWOW64\Cjcolm32.exe | C:\Windows\system32\Cjcolm32.exe | DROP, REGCLASS |
| 114 | 6088 | C:\Windows\SysWOW64\Ckclfp32.exe | C:\Windows\system32\Ckclfp32.exe | AUTORUN |
| 115 | 2072 | C:\Windows\SysWOW64\Dcgcaq32.exe | C:\Windows\system32\Dcgcaq32.exe | none |
| 116 | 5204 | C:\Windows\SysWOW64\Emdaee32.exe | C:\Windows\system32\Emdaee32.exe | DROP, REGCLASS |
| 117 | 5292 | C:\Windows\SysWOW64\Egjebn32.exe | C:\Windows\system32\Egjebn32.exe | REGCLASS |
| 118 | 5436 | C:\Windows\SysWOW64\Endnohdp.exe | C:\Windows\system32\Endnohdp.exe | none |
| 119 | 5556 | C:\Windows\SysWOW64\Ecafgo32.exe | C:\Windows\system32\Ecafgo32.exe | none |
| 120 | 5668 | C:\Windows\SysWOW64\Ejkndijd.exe | C:\Windows\system32\Ejkndijd.exe | DROP |
| 121 | 5856 | C:\Windows\SysWOW64\Eepbabjj.exe | C:\Windows\system32\Eepbabjj.exe | DROP |
| 122 | 5936 | C:\Windows\SysWOW64\Enigjh32.exe | C:\Windows\system32\Enigjh32.exe | DROP, REGCLASS |