Analysis
max time kernel: 123s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-11-2023 15:43
Behavioral task: behavioral1
Sample: NEAS.e505c4f6a19bfb9b830dfe891cb08ea1.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.e505c4f6a19bfb9b830dfe891cb08ea1.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.e505c4f6a19bfb9b830dfe891cb08ea1.exe
Size: 78KB
MD5: e505c4f6a19bfb9b830dfe891cb08ea1
SHA1: 18470fcb3c81d26ffb3658a6cbfbbaf065dbc68a
SHA256: 599d996ef432a3af12a861015f72b88bb4ac41ee04541a82c71e8c5004e1c4c4
SHA512: 6b288920c25418f0e64bf679a1f81e25facd73f7669729f4b924038d18abe8e736788f0b2f01b38677bec6f774c29c5444b36ad0f2c8c393548b58f67da5f0e6
SSDEEP: 1536:rbHO8x13w7bwYL7oQ/k0N4iL6yf5oAnqDM+4yyF:vFmbws7ibiLCuq4cyF
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 916, pid_target: 2480, Process: WerFault.exe, procid_target: 946
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (each process is spawned by the one above it; entry shows depth, image path, command line and PID, followed by the signatures matched on that process):

1. C:\Users\Admin\AppData\Local\Temp\NEAS.e505c4f6a19bfb9b830dfe891cb08ea1.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\NEAS.e505c4f6a19bfb9b830dfe891cb08ea1.exe", PID 220)
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Oaejhh32.exe (cmd: C:\Windows\system32\Oaejhh32.exe, PID 4148)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Anffje32.exe (cmd: C:\Windows\system32\Anffje32.exe, PID 1936)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bjcmpepm.exe (cmd: C:\Windows\system32\Bjcmpepm.exe, PID 1468)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bilcol32.exe (cmd: C:\Windows\system32\Bilcol32.exe, PID 4932)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Dndlba32.exe (cmd: C:\Windows\system32\Dndlba32.exe, PID 4832)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Eeomfioh.exe (cmd: C:\Windows\system32\Eeomfioh.exe, PID 2016)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Fkgejncb.exe (cmd: C:\Windows\system32\Fkgejncb.exe, PID 3420)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Gehice32.exe (cmd: C:\Windows\system32\Gehice32.exe, PID 632)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Hohcmjic.exe (cmd: C:\Windows\system32\Hohcmjic.exe, PID 4736)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ikhghi32.exe (cmd: C:\Windows\system32\Ikhghi32.exe, PID 2604)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Jbnopbdl.exe (cmd: C:\Windows\system32\Jbnopbdl.exe, PID 1820)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Jmepcj32.exe (cmd: C:\Windows\system32\Jmepcj32.exe, PID 996)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Liofdigo.exe (cmd: C:\Windows\system32\Liofdigo.exe, PID 1324)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mcicma32.exe (cmd: C:\Windows\system32\Mcicma32.exe, PID 4460)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mppdbb32.exe (cmd: C:\Windows\system32\Mppdbb32.exe, PID 1396)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mminfech.exe (cmd: C:\Windows\system32\Mminfech.exe, PID 1940)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Njokei32.exe (cmd: C:\Windows\system32\Njokei32.exe, PID 1660)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Nfhipj32.exe (cmd: C:\Windows\system32\Nfhipj32.exe, PID 776)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Oljkcpnb.exe (cmd: C:\Windows\system32\Oljkcpnb.exe, PID 4544)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Olqqdo32.exe (cmd: C:\Windows\system32\Olqqdo32.exe, PID 2932)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Pdjeklfj.exe (cmd: C:\Windows\system32\Pdjeklfj.exe, PID 4452)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Piikhc32.exe (cmd: C:\Windows\system32\Piikhc32.exe, PID 4256)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Pdalkk32.exe (cmd: C:\Windows\system32\Pdalkk32.exe, PID 3100)
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Pdchakoo.exe (cmd: C:\Windows\system32\Pdchakoo.exe, PID 4852)
   - Executes dropped EXE
   - Modifies registry class
26. C:\Windows\SysWOW64\Qgdabflp.exe (cmd: C:\Windows\system32\Qgdabflp.exe, PID 2244)
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Agfnhf32.exe (cmd: C:\Windows\system32\Agfnhf32.exe, PID 2836)
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Adjnaj32.exe (cmd: C:\Windows\system32\Adjnaj32.exe, PID 3152)
   - Executes dropped EXE
   - Drops file in System32 directory
29. C:\Windows\SysWOW64\Ajggjq32.exe (cmd: C:\Windows\system32\Ajggjq32.exe, PID 4596)
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Ajlpepbi.exe (cmd: C:\Windows\system32\Ajlpepbi.exe, PID 4580)
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Bnlfqngm.exe (cmd: C:\Windows\system32\Bnlfqngm.exe, PID 3032)
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Bjeckojo.exe (cmd: C:\Windows\system32\Bjeckojo.exe, PID 1732)
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Bdpqcg32.exe (cmd: C:\Windows\system32\Bdpqcg32.exe, PID 3928)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Cmkehicj.exe (cmd: C:\Windows\system32\Cmkehicj.exe, PID 2864)
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Cddjofbj.exe (cmd: C:\Windows\system32\Cddjofbj.exe, PID 3828)
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Ckclfp32.exe (cmd: C:\Windows\system32\Ckclfp32.exe, PID 4260)
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Dqdnjfpc.exe (cmd: C:\Windows\system32\Dqdnjfpc.exe, PID 2028)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Ejhanj32.exe (cmd: C:\Windows\system32\Ejhanj32.exe, PID 1404)
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Elhnhm32.exe (cmd: C:\Windows\system32\Elhnhm32.exe, PID 4556)
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Eaegqc32.exe (cmd: C:\Windows\system32\Eaegqc32.exe, PID 4356)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
41. C:\Windows\SysWOW64\Flmhclod.exe (cmd: C:\Windows\system32\Flmhclod.exe, PID 3592)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Fhfenmbe.exe (cmd: C:\Windows\system32\Fhfenmbe.exe, PID 4064)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Hhkgpjqn.exe (cmd: C:\Windows\system32\Hhkgpjqn.exe, PID 4688)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Iefnjm32.exe (cmd: C:\Windows\system32\Iefnjm32.exe, PID 456)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Iemdkl32.exe (cmd: C:\Windows\system32\Iemdkl32.exe, PID 4676)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Ikjmcc32.exe (cmd: C:\Windows\system32\Ikjmcc32.exe, PID 1352)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Jdiglgbg.exe (cmd: C:\Windows\system32\Jdiglgbg.exe, PID 5028)
   - Executes dropped EXE
   - Drops file in System32 directory
48. C:\Windows\SysWOW64\Kdeghfhj.exe (cmd: C:\Windows\system32\Kdeghfhj.exe, PID 2220)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Kkooep32.exe (cmd: C:\Windows\system32\Kkooep32.exe, PID 2492)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Ldnjndpo.exe (cmd: C:\Windows\system32\Ldnjndpo.exe, PID 2400)
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Miqlpbap.exe (cmd: C:\Windows\system32\Miqlpbap.exe, PID 4696)
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Mmodfqhf.exe (cmd: C:\Windows\system32\Mmodfqhf.exe, PID 3560)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Mfgiof32.exe (cmd: C:\Windows\system32\Mfgiof32.exe, PID 4500)
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Nlbnhkqo.exe (cmd: C:\Windows\system32\Nlbnhkqo.exe, PID 5048)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Olkqnjhd.exe (cmd: C:\Windows\system32\Olkqnjhd.exe, PID 844)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Pfhklabb.exe (cmd: C:\Windows\system32\Pfhklabb.exe, PID 1204)
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Affgno32.exe (cmd: C:\Windows\system32\Affgno32.exe, PID 4572)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Ccajdmin.exe (cmd: C:\Windows\system32\Ccajdmin.exe, PID 2676)
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Cnndbecl.exe (cmd: C:\Windows\system32\Cnndbecl.exe, PID 652)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Ejaecdnc.exe (cmd: C:\Windows\system32\Ejaecdnc.exe, PID 4424)
   - Executes dropped EXE
   - Drops file in System32 directory
61. C:\Windows\SysWOW64\Fqiiamjp.exe (cmd: C:\Windows\system32\Fqiiamjp.exe, PID 3812)
   - Executes dropped EXE
   - Drops file in System32 directory
62. C:\Windows\SysWOW64\Fjanjb32.exe (cmd: C:\Windows\system32\Fjanjb32.exe, PID 2636)
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Fcibchgq.exe (cmd: C:\Windows\system32\Fcibchgq.exe, PID 556)
   - Executes dropped EXE
   - Modifies registry class
64. C:\Windows\SysWOW64\Ggldde32.exe (cmd: C:\Windows\system32\Ggldde32.exe, PID 2240)
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Hanlcjgh.exe (cmd: C:\Windows\system32\Hanlcjgh.exe, PID 4376)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Ifipmo32.exe (cmd: C:\Windows\system32\Ifipmo32.exe, PID 1416)
   - Modifies registry class
67. C:\Windows\SysWOW64\Imbhiial.exe (cmd: C:\Windows\system32\Imbhiial.exe, PID 4268)
68. C:\Windows\SysWOW64\Jmlkpgia.exe (cmd: C:\Windows\system32\Jmlkpgia.exe, PID 1648)
69. C:\Windows\SysWOW64\Jggmnmmo.exe (cmd: C:\Windows\system32\Jggmnmmo.exe, PID 4608)
70. C:\Windows\SysWOW64\Kdpfbp32.exe (cmd: C:\Windows\system32\Kdpfbp32.exe, PID 1076)
71. C:\Windows\SysWOW64\Kpkqbq32.exe (cmd: C:\Windows\system32\Kpkqbq32.exe, PID 4484)
72. C:\Windows\SysWOW64\Lqdcio32.exe (cmd: C:\Windows\system32\Lqdcio32.exe, PID 1924)
73. C:\Windows\SysWOW64\Mbfmha32.exe (cmd: C:\Windows\system32\Mbfmha32.exe, PID 2172)
74. C:\Windows\SysWOW64\Mglhgg32.exe (cmd: C:\Windows\system32\Mglhgg32.exe, PID 3800)
   - Drops file in System32 directory
75. C:\Windows\SysWOW64\Nnkioq32.exe (cmd: C:\Windows\system32\Nnkioq32.exe, PID 3664)
76. C:\Windows\SysWOW64\Nieggill.exe (cmd: C:\Windows\system32\Nieggill.exe, PID 4016)
   - Drops file in System32 directory
77. C:\Windows\SysWOW64\Ooalibaf.exe (cmd: C:\Windows\system32\Ooalibaf.exe, PID 764)
78. C:\Windows\SysWOW64\Plocob32.exe (cmd: C:\Windows\system32\Plocob32.exe, PID 4908)
79. C:\Windows\SysWOW64\Piepnfnj.exe (cmd: C:\Windows\system32\Piepnfnj.exe, PID 3580)
80. C:\Windows\SysWOW64\Qpfokpoo.exe (cmd: C:\Windows\system32\Qpfokpoo.exe, PID 3712)
81. C:\Windows\SysWOW64\Qecgcfmf.exe (cmd: C:\Windows\system32\Qecgcfmf.exe, PID 4436)
82. C:\Windows\SysWOW64\Aeofoe32.exe (cmd: C:\Windows\system32\Aeofoe32.exe, PID 2940)
83. C:\Windows\SysWOW64\Aogkhjii.exe (cmd: C:\Windows\system32\Aogkhjii.exe, PID 5124)
   - Modifies registry class
84. C:\Windows\SysWOW64\Bbljoh32.exe (cmd: C:\Windows\system32\Bbljoh32.exe, PID 5220)
85. C:\Windows\SysWOW64\Denlgq32.exe (cmd: C:\Windows\system32\Denlgq32.exe, PID 5268)
86. C:\Windows\SysWOW64\Fmmffhnk.exe (cmd: C:\Windows\system32\Fmmffhnk.exe, PID 5304)
87. C:\Windows\SysWOW64\Fcfocb32.exe (cmd: C:\Windows\system32\Fcfocb32.exe, PID 5376)
88. C:\Windows\SysWOW64\Gbcaemdg.exe (cmd: C:\Windows\system32\Gbcaemdg.exe, PID 5412)
89. C:\Windows\SysWOW64\Gmhfbf32.exe (cmd: C:\Windows\system32\Gmhfbf32.exe, PID 5524)
   - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Gjapfjnb.exe (cmd: C:\Windows\system32\Gjapfjnb.exe, PID 5640)
91. C:\Windows\SysWOW64\Hmioicek.exe (cmd: C:\Windows\system32\Hmioicek.exe, PID 5740)
   - Adds autorun key to be loaded by Explorer.exe on startup
92. C:\Windows\SysWOW64\Iffmmihf.exe (cmd: C:\Windows\system32\Iffmmihf.exe, PID 5800)
93. C:\Windows\SysWOW64\Idljll32.exe (cmd: C:\Windows\system32\Idljll32.exe, PID 5844)
94. C:\Windows\SysWOW64\Idnfal32.exe (cmd: C:\Windows\system32\Idnfal32.exe, PID 5888)
95. C:\Windows\SysWOW64\Jbccbi32.exe (cmd: C:\Windows\system32\Jbccbi32.exe, PID 5932)
96. C:\Windows\SysWOW64\Jmihpa32.exe (cmd: C:\Windows\system32\Jmihpa32.exe, PID 6008)
97. C:\Windows\SysWOW64\Jbkjcgaj.exe (cmd: C:\Windows\system32\Jbkjcgaj.exe, PID 6060)
98. C:\Windows\SysWOW64\Lcpledob.exe (cmd: C:\Windows\system32\Lcpledob.exe, PID 6096)
   - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Lpcmoi32.exe (cmd: C:\Windows\system32\Lpcmoi32.exe, PID 4292)
100. C:\Windows\SysWOW64\Mgbnfb32.exe (cmd: C:\Windows\system32\Mgbnfb32.exe, PID 5180)
   - Drops file in System32 directory
101. C:\Windows\SysWOW64\Mgdklb32.exe (cmd: C:\Windows\system32\Mgdklb32.exe, PID 812)
102. C:\Windows\SysWOW64\Mdhkefnj.exe (cmd: C:\Windows\system32\Mdhkefnj.exe, PID 228)
103. C:\Windows\SysWOW64\Mdkhkflh.exe (cmd: C:\Windows\system32\Mdkhkflh.exe, PID 3384)
104. C:\Windows\SysWOW64\Nnhfokoc.exe (cmd: C:\Windows\system32\Nnhfokoc.exe, PID 5248)
   - Adds autorun key to be loaded by Explorer.exe on startup
105. C:\Windows\SysWOW64\Njogdldg.exe (cmd: C:\Windows\system32\Njogdldg.exe, PID 5340)
   - Adds autorun key to be loaded by Explorer.exe on startup
106. C:\Windows\SysWOW64\Ncgkma32.exe (cmd: C:\Windows\system32\Ncgkma32.exe, PID 5408)
107. C:\Windows\SysWOW64\Oqmhlego.exe (cmd: C:\Windows\system32\Oqmhlego.exe, PID 5512)
108. C:\Windows\SysWOW64\Ojfmdk32.exe (cmd: C:\Windows\system32\Ojfmdk32.exe, PID 5568)
   - Adds autorun key to be loaded by Explorer.exe on startup
109. C:\Windows\SysWOW64\Oqpeaeel.exe (cmd: C:\Windows\system32\Oqpeaeel.exe, PID 5628)
110. C:\Windows\SysWOW64\Ojhijjll.exe (cmd: C:\Windows\system32\Ojhijjll.exe, PID 5684)
   - Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Odnngclb.exe (cmd: C:\Windows\system32\Odnngclb.exe, PID 5748)
112. C:\Windows\SysWOW64\Okgfdm32.exe (cmd: C:\Windows\system32\Okgfdm32.exe, PID 5824)
   - Drops file in System32 directory
113. C:\Windows\SysWOW64\Oqdnld32.exe (cmd: C:\Windows\system32\Oqdnld32.exe, PID 632)
114. C:\Windows\SysWOW64\Pjalpida.exe (cmd: C:\Windows\system32\Pjalpida.exe, PID 2576)
115. C:\Windows\SysWOW64\Peljha32.exe (cmd: C:\Windows\system32\Peljha32.exe, PID 1064)
   - Drops file in System32 directory
116. C:\Windows\SysWOW64\Qjmllgjd.exe (cmd: C:\Windows\system32\Qjmllgjd.exe, PID 4632)
   - Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Qebpipij.exe (cmd: C:\Windows\system32\Qebpipij.exe, PID 2556)
   - Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Abkjnd32.exe (cmd: C:\Windows\system32\Abkjnd32.exe, PID 6032)
   - Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Ahhbfkbf.exe (cmd: C:\Windows\system32\Ahhbfkbf.exe, PID 6040)
120. C:\Windows\SysWOW64\Ahjoljqc.exe (cmd: C:\Windows\system32\Ahjoljqc.exe, PID 6116)
121. C:\Windows\SysWOW64\Bonjnc32.exe (cmd: C:\Windows\system32\Bonjnc32.exe, PID 4944)
122. C:\Windows\SysWOW64\Blakhgoo.exe (cmd: C:\Windows\system32\Blakhgoo.exe, PID 5188)