Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
17-11-2023 17:06
Behavioral task
behavioral1
Sample
NEAS.f3b2dab256f8e6b3a30117ac4ca59562.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.f3b2dab256f8e6b3a30117ac4ca59562.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.f3b2dab256f8e6b3a30117ac4ca59562.exe
-
Size
109KB
-
MD5
f3b2dab256f8e6b3a30117ac4ca59562
-
SHA1
e3c1080297f11d2f5c2478c92950f5602141c492
-
SHA256
6f18c2f9b89faf0e2dc46e6eb0365a8a763cc9a7b07738ccb5f441bb98c2c0de
-
SHA512
59973d025c54cad9c229b2ee7233cf57f89fd7eff2f7a74f37f0ebd9bce7ac34e36db779daabab2eb13584eee7af910d76872e213c6b5f7c1a97dcefe822b6b5
-
SSDEEP
3072:hODWDKnIl8G8TMhC3v2J9RLCqwzBu1DjHLMVDqqkSpR:0DWDKnSmaC3+J95wtu1DjrFqhz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdpmpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfcfml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nemcjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fielph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiioonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnkcogno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpekef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggpbjkpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehailbaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epagkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimpolee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibffhhek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcelmhen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oidofh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cabomkll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqqdeod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmkkjko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neqopnhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afmhck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Medqcmki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqfoamfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkiaej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmaopfjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dannij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dinmhkke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eigonjcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjhbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdcoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlglfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkihnmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Najmjokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkhngl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkcqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bojomm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doilmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooagno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflibgil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pflibgil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahfdjanb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paelfmaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oldjcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boeebnhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkjej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgcph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edjgfcec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegdnopg.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2612-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-7.dat family_berbew behavioral2/files/0x00090000000222f4-6.dat family_berbew behavioral2/memory/4068-8-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000022dfb-14.dat family_berbew behavioral2/files/0x0008000000022dfb-15.dat family_berbew behavioral2/memory/4952-16-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e17-22.dat family_berbew behavioral2/files/0x0006000000022e17-23.dat family_berbew behavioral2/memory/544-24-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e19-25.dat family_berbew behavioral2/files/0x0006000000022e19-30.dat family_berbew behavioral2/files/0x0006000000022e19-31.dat family_berbew behavioral2/memory/2644-32-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1b-38.dat family_berbew behavioral2/files/0x0006000000022e1b-39.dat family_berbew behavioral2/memory/3384-40-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1d-46.dat family_berbew behavioral2/files/0x0006000000022e1d-47.dat family_berbew behavioral2/memory/3308-48-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1f-54.dat family_berbew behavioral2/files/0x0006000000022e1f-55.dat family_berbew behavioral2/memory/1796-56-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e21-62.dat family_berbew behavioral2/memory/4852-64-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e21-63.dat family_berbew behavioral2/files/0x0006000000022e24-71.dat family_berbew behavioral2/memory/1784-72-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e24-70.dat family_berbew behavioral2/files/0x0006000000022e26-78.dat family_berbew behavioral2/files/0x0006000000022e26-79.dat family_berbew behavioral2/memory/2320-80-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2a-86.dat family_berbew behavioral2/memory/4448-87-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2a-88.dat family_berbew behavioral2/files/0x0006000000022e2d-94.dat family_berbew behavioral2/files/0x0006000000022e2d-96.dat family_berbew behavioral2/memory/848-95-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000022dfe-102.dat family_berbew behavioral2/memory/1136-104-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000022dfe-103.dat family_berbew behavioral2/files/0x0006000000022e30-110.dat family_berbew behavioral2/memory/3936-112-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e30-111.dat family_berbew behavioral2/files/0x0006000000022e32-118.dat family_berbew behavioral2/files/0x0006000000022e32-119.dat family_berbew behavioral2/memory/2912-120-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e34-126.dat family_berbew behavioral2/memory/1160-127-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e34-128.dat family_berbew behavioral2/files/0x0006000000022e36-134.dat family_berbew behavioral2/memory/4344-136-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e36-135.dat family_berbew behavioral2/files/0x0006000000022e38-142.dat family_berbew behavioral2/memory/3972-144-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3b-150.dat family_berbew behavioral2/files/0x0006000000022e3b-151.dat family_berbew behavioral2/files/0x0006000000022e38-143.dat family_berbew behavioral2/memory/4696-155-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3d-158.dat family_berbew behavioral2/files/0x0006000000022e3d-160.dat family_berbew behavioral2/memory/872-159-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3f-167.dat family_berbew behavioral2/files/0x0006000000022e3f-169.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4068 Pjjhbl32.exe 4952 Pdpmpdbd.exe 544 Pfaigm32.exe 2644 Qmkadgpo.exe 3384 Qfcfml32.exe 3308 Qqijje32.exe 1796 Qgcbgo32.exe 4852 Aqkgpedc.exe 1784 Ageolo32.exe 2320 Ambgef32.exe 4448 Anadoi32.exe 848 Afmhck32.exe 1136 Acqimo32.exe 3936 Ajkaii32.exe 2912 Aepefb32.exe 1160 Bnhjohkb.exe 4344 Bfdodjhm.exe 3972 Beeoaapl.exe 4696 Bgcknmop.exe 872 Bnmcjg32.exe 1652 Bfhhoi32.exe 3668 Beihma32.exe 3348 Bfkedibe.exe 392 Bmemac32.exe 2284 Cfmajipb.exe 3896 Cmgjgcgo.exe 3784 Cdcoim32.exe 4392 Cnicfe32.exe 416 Ceckcp32.exe 652 Cajlhqjp.exe 2720 Cnnlaehj.exe 3560 Cegdnopg.exe 3376 Dfiafg32.exe 1324 Ddmaok32.exe 2404 Dhkjej32.exe 4960 Dmgbnq32.exe 1264 Ddakjkqi.exe 2648 Dkkcge32.exe 4580 Dddhpjof.exe 3604 Doilmc32.exe 2292 Edfdej32.exe 2996 Emcbio32.exe 4712 Hgjljpkm.exe 448 Hnddgjbj.exe 4460 Hdnldd32.exe 2552 Hocqam32.exe 2528 Hkjafn32.exe 4616 Hbdjchgn.exe 5100 Hgabkoee.exe 1788 Ibffhhek.exe 3884 Igcoqocb.exe 4324 Ibicnh32.exe 3812 Igfkfo32.exe 3108 Inpccihl.exe 2548 Iiehpahb.exe 1052 Inbqhhfj.exe 3756 Iigdfa32.exe 1804 Ifleoe32.exe 4560 Jkhngl32.exe 3124 Jfnbdecg.exe 2280 Jnifigpa.exe 1896 Jiokfpph.exe 4896 Jnkcogno.exe 3452 Jgdhgmep.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Clghpklj.dll Ceckcp32.exe File opened for modification C:\Windows\SysWOW64\Ibicnh32.exe Igcoqocb.exe File created C:\Windows\SysWOW64\Mlklkgei.exe Mimpolee.exe File created C:\Windows\SysWOW64\Hkeaqi32.exe Hdkidohn.exe File created C:\Windows\SysWOW64\Aqkgpedc.exe Qgcbgo32.exe File opened for modification C:\Windows\SysWOW64\Boklbi32.exe Biadeoce.exe File created C:\Windows\SysWOW64\Cabomkll.exe Cjhfpa32.exe File opened for modification C:\Windows\SysWOW64\Ehjlaaig.exe Eaqdegaj.exe File created C:\Windows\SysWOW64\Chmbeqne.dll Mmkkmc32.exe File created C:\Windows\SysWOW64\Kmdpiacg.dll Bllbaa32.exe File created C:\Windows\SysWOW64\Bgkiaj32.exe Adhdjpjf.exe File created C:\Windows\SysWOW64\Ihidlk32.dll Bfdodjhm.exe File opened for modification C:\Windows\SysWOW64\Dkkcge32.exe Ddakjkqi.exe File created C:\Windows\SysWOW64\Okahepfa.dll Locbfd32.exe File created C:\Windows\SysWOW64\Mimpolee.exe Lfodbqfa.exe File created C:\Windows\SysWOW64\Anoabcka.dll Mplafeil.exe File opened for modification C:\Windows\SysWOW64\Mpqkad32.exe Mhicpg32.exe File created C:\Windows\SysWOW64\Nlglfe32.exe Nemcjk32.exe File created C:\Windows\SysWOW64\Cadlbk32.exe Cimcan32.exe File created C:\Windows\SysWOW64\Ddakjkqi.exe Dmgbnq32.exe File created C:\Windows\SysWOW64\Cghane32.dll Ckhecmcf.exe File created C:\Windows\SysWOW64\Ohcegi32.exe Oeehkn32.exe File created C:\Windows\SysWOW64\Nemcjk32.exe Mbognp32.exe File created C:\Windows\SysWOW64\Dqdhfd32.dll Ppmcdq32.exe File created C:\Windows\SysWOW64\Jbidda32.dll Bfqkddfd.exe File created C:\Windows\SysWOW64\Fpplna32.dll Bihjfnmm.exe File created C:\Windows\SysWOW64\Injcmc32.exe Iklgah32.exe File created C:\Windows\SysWOW64\Qdbdcg32.exe Qachgk32.exe File created C:\Windows\SysWOW64\Jgqpjb32.dll Lidmhmnp.exe File created C:\Windows\SysWOW64\Gnjjfegi.exe Ggpbjkpl.exe File opened for modification C:\Windows\SysWOW64\Mgobel32.exe Mepfiq32.exe File created C:\Windows\SysWOW64\Gmigpf32.dll Qlgpod32.exe File created C:\Windows\SysWOW64\Jomnmjjb.dll Boeebnhp.exe File created C:\Windows\SysWOW64\Akkeajoj.dll Lfeljd32.exe File created C:\Windows\SysWOW64\Bgcknmop.exe Beeoaapl.exe File opened for modification C:\Windows\SysWOW64\Mlklkgei.exe Mimpolee.exe File created C:\Windows\SysWOW64\Nipekiep.exe Ngaionfl.exe File opened for modification C:\Windows\SysWOW64\Cgqqdeod.exe Cpihcgoa.exe File created C:\Windows\SysWOW64\Ggpbjkpl.exe Gpfjma32.exe File opened for modification C:\Windows\SysWOW64\Pefabkej.exe Plmmif32.exe File created C:\Windows\SysWOW64\Ieoacg32.dll Adfnofpd.exe File created C:\Windows\SysWOW64\Ckmllpik.dll Cdcoim32.exe File created C:\Windows\SysWOW64\Hcdikecn.dll Oigllh32.exe File created C:\Windows\SysWOW64\Kmaopfjm.exe Jgeghp32.exe File created C:\Windows\SysWOW64\Bmnogj32.dll Olanmgig.exe File created C:\Windows\SysWOW64\Nceefd32.exe Ncchae32.exe File created C:\Windows\SysWOW64\Kfqgab32.exe Klkcdj32.exe File created C:\Windows\SysWOW64\Dapkni32.exe Diicml32.exe File opened for modification C:\Windows\SysWOW64\Opadhb32.exe Oigllh32.exe File created C:\Windows\SysWOW64\Hpomcp32.exe Hjedffig.exe File opened for modification C:\Windows\SysWOW64\Plmmif32.exe Pecellgl.exe File created C:\Windows\SysWOW64\Fnkhbo32.dll Nohehq32.exe File created C:\Windows\SysWOW64\Ebnlkf32.dll Pflibgil.exe File created C:\Windows\SysWOW64\Pmcclm32.exe Plbfdekd.exe File created C:\Windows\SysWOW64\Ckhecmcf.exe Chiigadc.exe File opened for modification C:\Windows\SysWOW64\Nipekiep.exe Ngaionfl.exe File created C:\Windows\SysWOW64\Dmdjce32.dll Kppici32.exe File created C:\Windows\SysWOW64\Lbcnlf32.dll Aggegh32.exe File opened for modification C:\Windows\SysWOW64\Pccahbmn.exe Pnfiplog.exe File created C:\Windows\SysWOW64\Empbnb32.dll Pdpmpdbd.exe File created C:\Windows\SysWOW64\Lddkje32.dll Phhhhc32.exe File opened for modification C:\Windows\SysWOW64\Dclkee32.exe Dannij32.exe File created C:\Windows\SysWOW64\Cjibekmc.dll Meiioonj.exe File created C:\Windows\SysWOW64\Jiibaffb.dll Cbbnpg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1648 2980 WerFault.exe 523 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll" Anadoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlglfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkmnpkk.dll" Ahfdjanb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmkcqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbknkcnm.dll" Nlglfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqmlknnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfqgab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpdhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll" Acqimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnijaa32.dll" Ifleoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Locbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llgcph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phhhhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll" Aqkgpedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbdjchgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibicnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjqmmc32.dll" Lpkiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkhfob32.dll" Mblkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikdcj32.dll" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" Cmgjgcgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eigonjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbemad32.dll" Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombmjmoh.dll" Hgabkoee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpieqeko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lqpamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjeehbgh.dll" Ahippdbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boeebnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghane32.dll" Ckhecmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll" Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgjljpkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppjgoaoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhdjbno.dll" Bebjdgmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" Dddhpjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnifigpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pokhnl32.dll" Lejnmncd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoabcka.dll" Mplafeil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppmcdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejoaandc.dll" Aekddhcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdpmpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepdhaek.dll" Cgjjdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epjajeqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achhaode.dll" Fhabbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbjnbqhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oidofh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dakacjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcklla32.dll" Ehailbaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pecellgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdgmickl.dll" Plmmif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fliabjbh.dll" Bjfjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpdboimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppjgoaoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhlpqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Malpia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfeljd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2612 wrote to memory of 4068 2612 NEAS.f3b2dab256f8e6b3a30117ac4ca59562.exe 86 PID 2612 wrote to memory of 4068 2612 NEAS.f3b2dab256f8e6b3a30117ac4ca59562.exe 86 PID 2612 wrote to memory of 4068 2612 NEAS.f3b2dab256f8e6b3a30117ac4ca59562.exe 86 PID 4068 wrote to memory of 4952 4068 Pjjhbl32.exe 87 PID 4068 wrote to memory of 4952 4068 Pjjhbl32.exe 87 PID 4068 wrote to memory of 4952 4068 Pjjhbl32.exe 87 PID 4952 wrote to memory of 544 4952 Pdpmpdbd.exe 88 PID 4952 wrote to memory of 544 4952 Pdpmpdbd.exe 88 PID 4952 wrote to memory of 544 4952 Pdpmpdbd.exe 88 PID 544 wrote to memory of 2644 544 Pfaigm32.exe 89 PID 544 wrote to memory of 2644 544 Pfaigm32.exe 89 PID 544 wrote to memory of 2644 544 Pfaigm32.exe 89 PID 2644 wrote to memory of 3384 2644 Qmkadgpo.exe 90 PID 2644 wrote to memory of 3384 2644 Qmkadgpo.exe 90 PID 2644 wrote to memory of 3384 2644 Qmkadgpo.exe 90 PID 3384 wrote to memory of 3308 3384 Qfcfml32.exe 91 PID 3384 wrote to memory of 3308 3384 Qfcfml32.exe 91 PID 3384 wrote to memory of 3308 3384 Qfcfml32.exe 91 PID 3308 wrote to memory of 1796 3308 Qqijje32.exe 92 PID 3308 wrote to memory of 1796 3308 Qqijje32.exe 92 PID 3308 wrote to memory of 1796 3308 Qqijje32.exe 92 PID 1796 wrote to memory of 4852 1796 Qgcbgo32.exe 93 PID 1796 wrote to memory of 4852 1796 Qgcbgo32.exe 93 PID 1796 wrote to memory of 4852 1796 Qgcbgo32.exe 93 PID 4852 wrote to memory of 1784 4852 Aqkgpedc.exe 94 PID 4852 wrote to memory of 1784 4852 Aqkgpedc.exe 94 PID 4852 wrote to memory of 1784 4852 Aqkgpedc.exe 94 PID 1784 wrote to memory of 2320 1784 Ageolo32.exe 95 PID 1784 wrote to memory of 2320 1784 Ageolo32.exe 95 PID 1784 wrote to memory of 2320 1784 Ageolo32.exe 95 PID 2320 wrote to memory of 4448 2320 Ambgef32.exe 97 PID 2320 wrote to memory of 4448 2320 Ambgef32.exe 97 PID 2320 wrote to memory of 4448 2320 Ambgef32.exe 97 PID 4448 wrote to memory of 848 4448 Anadoi32.exe 98 PID 4448 wrote to memory of 848 4448 Anadoi32.exe 98 PID 4448 wrote to memory of 848 4448 Anadoi32.exe 98 PID 848 wrote to memory of 1136 848 Afmhck32.exe 99 PID 848 wrote to memory of 1136 848 Afmhck32.exe 99 PID 848 wrote to memory of 1136 848 Afmhck32.exe 99 PID 1136 wrote to memory of 3936 1136 Acqimo32.exe 100 PID 1136 wrote to memory of 3936 1136 Acqimo32.exe 100 PID 1136 wrote to memory of 3936 1136 Acqimo32.exe 100 PID 3936 wrote to memory of 2912 3936 Ajkaii32.exe 101 PID 3936 wrote to memory of 2912 3936 Ajkaii32.exe 101 PID 3936 wrote to memory of 2912 3936 Ajkaii32.exe 101 PID 2912 wrote to memory of 1160 2912 Aepefb32.exe 102 PID 2912 wrote to memory of 1160 2912 Aepefb32.exe 102 PID 2912 wrote to memory of 1160 2912 Aepefb32.exe 102 PID 1160 wrote to memory of 4344 1160 Bnhjohkb.exe 103 PID 1160 wrote to memory of 4344 1160 Bnhjohkb.exe 103 PID 1160 wrote to memory of 4344 1160 Bnhjohkb.exe 103 PID 4344 wrote to memory of 3972 4344 Bfdodjhm.exe 104 PID 4344 wrote to memory of 3972 4344 Bfdodjhm.exe 104 PID 4344 wrote to memory of 3972 4344 Bfdodjhm.exe 104 PID 3972 wrote to memory of 4696 3972 Beeoaapl.exe 105 PID 3972 wrote to memory of 4696 3972 Beeoaapl.exe 105 PID 3972 wrote to memory of 4696 3972 Beeoaapl.exe 105 PID 4696 wrote to memory of 872 4696 Bgcknmop.exe 106 PID 4696 wrote to memory of 872 4696 Bgcknmop.exe 106 PID 4696 wrote to memory of 872 4696 Bgcknmop.exe 106 PID 872 wrote to memory of 1652 872 Bnmcjg32.exe 107 PID 872 wrote to memory of 1652 872 Bnmcjg32.exe 107 PID 872 wrote to memory of 1652 872 Bnmcjg32.exe 107 PID 1652 wrote to memory of 3668 1652 Bfhhoi32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f3b2dab256f8e6b3a30117ac4ca59562.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f3b2dab256f8e6b3a30117ac4ca59562.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe23⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe24⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe25⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe26⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3784 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe29⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:416 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe31⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe32⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe34⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe35⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4960 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe39⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4580 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe42⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe43⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe45⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe46⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe47⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe48⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4616 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3884 -
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe54⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe55⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe56⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe57⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe58⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe61⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe63⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe65⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe66⤵PID:2388
-
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe67⤵PID:1380
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe68⤵PID:1604
-
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe69⤵PID:1376
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe70⤵
- Drops file in System32 directory
PID:3180 -
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe71⤵PID:4996
-
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe72⤵PID:4632
-
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe73⤵PID:5104
-
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe74⤵PID:724
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe75⤵
- Modifies registry class
PID:3352 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe76⤵PID:4028
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe77⤵PID:3532
-
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe78⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe79⤵
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe80⤵PID:2496
-
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe81⤵PID:5136
-
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe82⤵PID:5180
-
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe83⤵PID:5224
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe84⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe85⤵PID:5312
-
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe86⤵
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe87⤵PID:5404
-
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe88⤵PID:5444
-
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe89⤵
- Modifies registry class
PID:5488 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe90⤵PID:5532
-
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe92⤵PID:5624
-
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe94⤵PID:5704
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe95⤵PID:5752
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5800 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe97⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe99⤵PID:5932
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe100⤵PID:5976
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6020 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe102⤵PID:6064
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe103⤵
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe104⤵PID:5124
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe105⤵PID:5176
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe106⤵PID:5256
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe108⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe109⤵PID:5480
-
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe110⤵PID:5540
-
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe111⤵
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe112⤵PID:5688
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe113⤵
- Drops file in System32 directory
PID:5728 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe114⤵PID:5824
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe115⤵
- Drops file in System32 directory
PID:5896 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5964 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe118⤵PID:6116
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe119⤵PID:5168
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe120⤵
- Drops file in System32 directory
PID:5280 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe121⤵PID:5384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-