Analysis
-
max time kernel
178s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
18/11/2023, 03:23
Behavioral task
behavioral1
Sample
NEAS.de11c0c743a305c458f9c853b939d8b0.exe
Resource
win7-20231025-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.de11c0c743a305c458f9c853b939d8b0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.de11c0c743a305c458f9c853b939d8b0.exe
-
Size
109KB
-
MD5
de11c0c743a305c458f9c853b939d8b0
-
SHA1
0cb7bb4dd455f87a07a1e3c75d79da8f79a8fe6f
-
SHA256
0f07cc29f8713c3af04f7f505c243229918999a37d6d2341e6b627b59a83f165
-
SHA512
e76b4a9d4e1b89a2079919484170ea8fc1d6e28cfff26e277b5e43a8f8cc44dae3f60ff4cee38750e1eee6106673c87e646338b4131fc020f745d6d36e3572ac
-
SSDEEP
3072:PXa6xKRkstapJrz6pUJ9HLCqwzBu1DjHLMVDqqkSp:PK6xEks0b0UJ97wtu1DjrFqh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdqffaql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giinjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcikagij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcoepkdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgame32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmhejk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcoapami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjkipdpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhejk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihapg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccbanfko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijnqld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcobjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmdcfidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmdeink.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jecoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdepaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkbcpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmqjga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilpfgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfdbknda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afboll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckkilhjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihicah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhkghofb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnbqjjq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplimpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdmqfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpoalo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkpfjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Menpgmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlldaape.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbbkbbkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdkdbgpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqifkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knabne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnhinq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hipmfjee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnifekmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbeibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqpdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loaafnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aghdco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfejme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhjgdplo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmgok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngndaccj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdophj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acilkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cifmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lobjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oookbega.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblmnmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bokeai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjejqcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccqbeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbpoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpqjaanf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldbjah32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2300-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-6.dat family_berbew behavioral2/files/0x00090000000222f4-7.dat family_berbew behavioral2/memory/5036-12-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022ddc-14.dat family_berbew behavioral2/memory/1472-16-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022ddc-15.dat family_berbew behavioral2/files/0x0006000000022dde-24.dat family_berbew behavioral2/memory/4572-23-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022dde-22.dat family_berbew behavioral2/files/0x0007000000022dd6-31.dat family_berbew behavioral2/memory/4068-32-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000022dd6-30.dat family_berbew behavioral2/files/0x0006000000022de1-38.dat family_berbew behavioral2/memory/316-39-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022de1-40.dat family_berbew behavioral2/files/0x0006000000022de3-46.dat family_berbew behavioral2/files/0x0006000000022de3-48.dat family_berbew behavioral2/memory/3396-47-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022de5-54.dat family_berbew behavioral2/memory/4584-55-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022de5-56.dat family_berbew behavioral2/files/0x0006000000022de7-62.dat family_berbew behavioral2/files/0x0006000000022de7-63.dat family_berbew behavioral2/memory/3844-64-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022de9-70.dat family_berbew behavioral2/files/0x0006000000022de9-72.dat family_berbew behavioral2/memory/2592-71-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022deb-77.dat family_berbew behavioral2/memory/3700-80-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022ded-86.dat family_berbew behavioral2/files/0x0006000000022deb-79.dat family_berbew behavioral2/files/0x0006000000022ded-87.dat family_berbew behavioral2/memory/2288-88-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022def-94.dat family_berbew behavioral2/memory/2136-95-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022def-96.dat family_berbew behavioral2/files/0x0006000000022df1-102.dat family_berbew behavioral2/memory/2788-104-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022df1-103.dat family_berbew behavioral2/files/0x0006000000022df3-110.dat family_berbew behavioral2/memory/4124-112-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022df3-111.dat family_berbew behavioral2/files/0x0006000000022df5-118.dat family_berbew behavioral2/files/0x0006000000022df5-120.dat family_berbew behavioral2/memory/2212-119-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022df7-127.dat family_berbew behavioral2/files/0x0006000000022df7-126.dat family_berbew behavioral2/memory/2044-130-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022dfc-134.dat family_berbew behavioral2/files/0x0006000000022dfc-135.dat family_berbew behavioral2/memory/3660-136-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022dfe-142.dat family_berbew behavioral2/files/0x0006000000022dfe-144.dat family_berbew behavioral2/memory/2564-143-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e00-150.dat family_berbew behavioral2/files/0x0006000000022e00-151.dat family_berbew behavioral2/memory/4500-152-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e02-158.dat family_berbew behavioral2/files/0x0006000000022e02-160.dat family_berbew behavioral2/memory/2936-159-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e05-166.dat family_berbew behavioral2/memory/2356-168-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e05-167.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 5036 Fligqhga.exe 1472 Fealin32.exe 4572 Fpgpgfmh.exe 4068 Fmkqpkla.exe 316 Fnlmhc32.exe 3396 Flpmagqi.exe 4584 Glbjggof.exe 3844 Gifkpknp.exe 2592 Gppcmeem.exe 3700 Gmdcfidg.exe 2288 Gbalopbn.exe 2136 Gmfplibd.exe 2788 Geaepk32.exe 4124 Gpgind32.exe 2212 Hipmfjee.exe 2044 Holfoqcm.exe 3660 Hlpfhe32.exe 2564 Hidgai32.exe 4500 Hfhgkmpj.exe 2936 Hmbphg32.exe 2356 Hiipmhmk.exe 1252 Hoeieolb.exe 4492 Ibcaknbi.exe 4984 Iinjhh32.exe 3484 Iedjmioj.exe 4908 Ipjoja32.exe 2692 Ioolkncg.exe 4360 Iidphgcn.exe 3428 Joahqn32.exe 2848 Jekqmhia.exe 1088 Jleijb32.exe 4512 Jgkmgk32.exe 680 Jmeede32.exe 932 Jcanll32.exe 4076 Jilfifme.exe 2780 Jcdjbk32.exe 1764 Jokkgl32.exe 3384 Jedccfqg.exe 3060 Jlolpq32.exe 3776 Kgdpni32.exe 4916 Kgflcifg.exe 4444 Kpoalo32.exe 4484 Kflide32.exe 3180 Lqhdbm32.exe 3688 Lgbloglj.exe 2196 Llodgnja.exe 4884 Lcimdh32.exe 3940 Ljceqb32.exe 2800 Lqmmmmph.exe 4200 Lnangaoa.exe 3408 Lobjni32.exe 1836 Ljhnlb32.exe 408 Modgdicm.exe 1312 Mjjkaabc.exe 3604 Mqdcnl32.exe 4636 Mfqlfb32.exe 4024 Moipoh32.exe 2664 Mnmmboed.exe 5092 Mcifkf32.exe 2596 Nqmfdj32.exe 4740 Nnafno32.exe 4048 Ncnofeof.exe 1832 Njhgbp32.exe 1536 Nglhld32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hqghqpnl.exe Hnhkdd32.exe File created C:\Windows\SysWOW64\Chknpnap.dll Bbbkbbkg.exe File created C:\Windows\SysWOW64\Ckcbaf32.exe Ciefek32.exe File created C:\Windows\SysWOW64\Aqpcbbed.dll Kdeghfhj.exe File created C:\Windows\SysWOW64\Fpdmob32.dll Fmlnomif.exe File opened for modification C:\Windows\SysWOW64\Aaiiffjj.exe Akoqjl32.exe File opened for modification C:\Windows\SysWOW64\Gbmigm32.exe Gpnmka32.exe File created C:\Windows\SysWOW64\Aagkhd32.exe Adcjop32.exe File created C:\Windows\SysWOW64\Bblnengb.dll Hkcbnh32.exe File created C:\Windows\SysWOW64\Mcoepkdo.exe Mkgmoncl.exe File opened for modification C:\Windows\SysWOW64\Nhpijldj.exe Nebmnqdf.exe File created C:\Windows\SysWOW64\Fdlcehhn.exe Eangimij.exe File opened for modification C:\Windows\SysWOW64\Eijiak32.exe Dcnqid32.exe File created C:\Windows\SysWOW64\Folnlh32.dll Mcifkf32.exe File created C:\Windows\SysWOW64\Mpnnek32.exe Midfiq32.exe File opened for modification C:\Windows\SysWOW64\Ebejpp32.exe Elkbcf32.exe File created C:\Windows\SysWOW64\Hnbbpd32.dll Lehaad32.exe File created C:\Windows\SysWOW64\Dcaboojd.dll Bfqkmj32.exe File created C:\Windows\SysWOW64\Nogcjmhj.dll Hkpgooim.exe File opened for modification C:\Windows\SysWOW64\Okpkaqmp.exe Oioojh32.exe File created C:\Windows\SysWOW64\Qjefmq32.dll Akffjkme.exe File created C:\Windows\SysWOW64\Ehgjinca.dll Gmdjjemp.exe File opened for modification C:\Windows\SysWOW64\Hplimpdi.exe Hibape32.exe File created C:\Windows\SysWOW64\Cijpkmml.exe Cbphncfo.exe File opened for modification C:\Windows\SysWOW64\Jaemilci.exe Jogqlpde.exe File created C:\Windows\SysWOW64\Bbpolb32.exe Adbkmo32.exe File created C:\Windows\SysWOW64\Lignkpal.dll Lhjeoc32.exe File created C:\Windows\SysWOW64\Phkioc32.dll Nqifkl32.exe File created C:\Windows\SysWOW64\Fabqdl32.exe Filicodb.exe File created C:\Windows\SysWOW64\Bjeefpma.dll Fibocnnj.exe File opened for modification C:\Windows\SysWOW64\Galcjkmj.exe Gielinlg.exe File opened for modification C:\Windows\SysWOW64\Ckhlgilp.exe Cijpkmml.exe File opened for modification C:\Windows\SysWOW64\Lgephccp.exe Ldgclgcl.exe File created C:\Windows\SysWOW64\Cilmpmki.exe Cfnqdale.exe File created C:\Windows\SysWOW64\Gaccbaeq.exe Fndgfffm.exe File created C:\Windows\SysWOW64\Aghdco32.exe Aeigilml.exe File created C:\Windows\SysWOW64\Aoodae32.dll Mhppcn32.exe File created C:\Windows\SysWOW64\Nhpijldj.exe Nebmnqdf.exe File created C:\Windows\SysWOW64\Cabofaaj.exe Cjhfjg32.exe File created C:\Windows\SysWOW64\Hpaibe32.exe Hncmfj32.exe File created C:\Windows\SysWOW64\Hakdcjep.dll Pefhfgoc.exe File created C:\Windows\SysWOW64\Ihbcjk32.dll Mmmqbb32.exe File created C:\Windows\SysWOW64\Celipg32.dll Iapjgo32.exe File created C:\Windows\SysWOW64\Eapmedef.exe Dgqblp32.exe File created C:\Windows\SysWOW64\Jhpjbgne.exe Jogeia32.exe File opened for modification C:\Windows\SysWOW64\Jakkplbc.exe Jlnbhe32.exe File created C:\Windows\SysWOW64\Oocdme32.exe Oiglen32.exe File created C:\Windows\SysWOW64\Hncmfj32.exe Hgieipmo.exe File created C:\Windows\SysWOW64\Iloimopp.exe Ijqmacpl.exe File created C:\Windows\SysWOW64\Jaemilci.exe Jogqlpde.exe File created C:\Windows\SysWOW64\Lfahkn32.dll Jakkplbc.exe File created C:\Windows\SysWOW64\Dejnbf32.dll Inombh32.exe File created C:\Windows\SysWOW64\Gffnijfd.dll Mabnlh32.exe File created C:\Windows\SysWOW64\Ifmfdg32.dll Cfogohpa.exe File opened for modification C:\Windows\SysWOW64\Nlknqd32.exe Neafdjak.exe File opened for modification C:\Windows\SysWOW64\Jjeflc32.exe Jcknpi32.exe File opened for modification C:\Windows\SysWOW64\Gmfplibd.exe Gbalopbn.exe File opened for modification C:\Windows\SysWOW64\Kdophj32.exe Bekfkc32.exe File created C:\Windows\SysWOW64\Gjnnoldm.exe Ggpbcaei.exe File opened for modification C:\Windows\SysWOW64\Jjopmh32.exe Jhndepbi.exe File created C:\Windows\SysWOW64\Pgmnogpn.dll Bhjgdplo.exe File created C:\Windows\SysWOW64\Kekcjc32.dll Gkdaij32.exe File created C:\Windows\SysWOW64\Bkhcpkkb.exe Bhjgdplo.exe File created C:\Windows\SysWOW64\Ipbehfom.dll Kflide32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12968 12784 WerFault.exe 973 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdcg32.dll" Fikbhiaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icoodj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idfaolpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhgja32.dll" Jcknpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cqkkcghn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhkaf32.dll" Khnfce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmipkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glbjggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqlimneb.dll" Nhpijldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adelne32.dll" Kaehepeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhafoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhqmdoef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbiamd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdphnmjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cqinng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojhpimhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgcmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjdedepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmodfqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aghdco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcbdph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqdcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qejpjp32.dll" Lklbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjgncihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfjfkhe.dll" Fgbfbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inmplh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjpfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icachjbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkimae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pihdnloc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cilmpmki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccendc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fndgfffm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khknaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pamikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nceefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqclce32.dll" Pjgellfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggpbcaei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghaofkn.dll" Poajdlcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffcd32.dll" Jdmgok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcimdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcedmkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmpbnhf.dll" Dmdhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmqjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egflpjbk.dll" Mhmmchpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iepaieii.dll" Cmblhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhmdeink.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfglomin.dll" Oeicopoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hglaookl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkaiilp.dll" Jjfngi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laffpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agndidce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pihdnloc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iejgelej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcdjic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afigdbde.dll" Kglcmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llngbabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjicah32.dll" Mlbpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aneppo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhbnqi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2300 wrote to memory of 5036 2300 NEAS.de11c0c743a305c458f9c853b939d8b0.exe 87 PID 2300 wrote to memory of 5036 2300 NEAS.de11c0c743a305c458f9c853b939d8b0.exe 87 PID 2300 wrote to memory of 5036 2300 NEAS.de11c0c743a305c458f9c853b939d8b0.exe 87 PID 5036 wrote to memory of 1472 5036 Fligqhga.exe 88 PID 5036 wrote to memory of 1472 5036 Fligqhga.exe 88 PID 5036 wrote to memory of 1472 5036 Fligqhga.exe 88 PID 1472 wrote to memory of 4572 1472 Fealin32.exe 90 PID 1472 wrote to memory of 4572 1472 Fealin32.exe 90 PID 1472 wrote to memory of 4572 1472 Fealin32.exe 90 PID 4572 wrote to memory of 4068 4572 Fpgpgfmh.exe 91 PID 4572 wrote to memory of 4068 4572 Fpgpgfmh.exe 91 PID 4572 wrote to memory of 4068 4572 Fpgpgfmh.exe 91 PID 4068 wrote to memory of 316 4068 Fmkqpkla.exe 92 PID 4068 wrote to memory of 316 4068 Fmkqpkla.exe 92 PID 4068 wrote to memory of 316 4068 Fmkqpkla.exe 92 PID 316 wrote to memory of 3396 316 Fnlmhc32.exe 93 PID 316 wrote to memory of 3396 316 Fnlmhc32.exe 93 PID 316 wrote to memory of 3396 316 Fnlmhc32.exe 93 PID 3396 wrote to memory of 4584 3396 Flpmagqi.exe 94 PID 3396 wrote to memory of 4584 3396 Flpmagqi.exe 94 PID 3396 wrote to memory of 4584 3396 Flpmagqi.exe 94 PID 4584 wrote to memory of 3844 4584 Glbjggof.exe 95 PID 4584 wrote to memory of 3844 4584 Glbjggof.exe 95 PID 4584 wrote to memory of 3844 4584 Glbjggof.exe 95 PID 3844 wrote to memory of 2592 3844 Gifkpknp.exe 96 PID 3844 wrote to memory of 2592 3844 Gifkpknp.exe 96 PID 3844 wrote to memory of 2592 3844 Gifkpknp.exe 96 PID 2592 wrote to memory of 3700 2592 Gppcmeem.exe 97 PID 2592 wrote to memory of 3700 2592 Gppcmeem.exe 97 PID 2592 wrote to memory of 3700 2592 Gppcmeem.exe 97 PID 3700 wrote to memory of 2288 3700 Gmdcfidg.exe 98 PID 3700 wrote to memory of 2288 3700 Gmdcfidg.exe 98 PID 3700 wrote to memory of 2288 3700 Gmdcfidg.exe 98 PID 2288 wrote to memory of 2136 2288 Gbalopbn.exe 99 PID 2288 wrote to memory of 2136 2288 Gbalopbn.exe 99 PID 2288 wrote to memory of 2136 2288 Gbalopbn.exe 99 PID 2136 wrote to memory of 2788 2136 Gmfplibd.exe 100 PID 2136 wrote to memory of 2788 2136 Gmfplibd.exe 100 PID 2136 wrote to memory of 2788 2136 Gmfplibd.exe 100 PID 2788 wrote to memory of 4124 2788 Geaepk32.exe 102 PID 2788 wrote to memory of 4124 2788 Geaepk32.exe 102 PID 2788 wrote to memory of 4124 2788 Geaepk32.exe 102 PID 4124 wrote to memory of 2212 4124 Gpgind32.exe 103 PID 4124 wrote to memory of 2212 4124 Gpgind32.exe 103 PID 4124 wrote to memory of 2212 4124 Gpgind32.exe 103 PID 2212 wrote to memory of 2044 2212 Hipmfjee.exe 104 PID 2212 wrote to memory of 2044 2212 Hipmfjee.exe 104 PID 2212 wrote to memory of 2044 2212 Hipmfjee.exe 104 PID 2044 wrote to memory of 3660 2044 Holfoqcm.exe 105 PID 2044 wrote to memory of 3660 2044 Holfoqcm.exe 105 PID 2044 wrote to memory of 3660 2044 Holfoqcm.exe 105 PID 3660 wrote to memory of 2564 3660 Hlpfhe32.exe 106 PID 3660 wrote to memory of 2564 3660 Hlpfhe32.exe 106 PID 3660 wrote to memory of 2564 3660 Hlpfhe32.exe 106 PID 2564 wrote to memory of 4500 2564 Hidgai32.exe 107 PID 2564 wrote to memory of 4500 2564 Hidgai32.exe 107 PID 2564 wrote to memory of 4500 2564 Hidgai32.exe 107 PID 4500 wrote to memory of 2936 4500 Hfhgkmpj.exe 108 PID 4500 wrote to memory of 2936 4500 Hfhgkmpj.exe 108 PID 4500 wrote to memory of 2936 4500 Hfhgkmpj.exe 108 PID 2936 wrote to memory of 2356 2936 Hmbphg32.exe 109 PID 2936 wrote to memory of 2356 2936 Hmbphg32.exe 109 PID 2936 wrote to memory of 2356 2936 Hmbphg32.exe 109 PID 2356 wrote to memory of 1252 2356 Hiipmhmk.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.de11c0c743a305c458f9c853b939d8b0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.de11c0c743a305c458f9c853b939d8b0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Fmkqpkla.exeC:\Windows\system32\Fmkqpkla.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Fnlmhc32.exeC:\Windows\system32\Fnlmhc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Flpmagqi.exeC:\Windows\system32\Flpmagqi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Gpgind32.exeC:\Windows\system32\Gpgind32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Hipmfjee.exeC:\Windows\system32\Hipmfjee.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Holfoqcm.exeC:\Windows\system32\Holfoqcm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Hlpfhe32.exeC:\Windows\system32\Hlpfhe32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Hidgai32.exeC:\Windows\system32\Hidgai32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe23⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe24⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Iinjhh32.exeC:\Windows\system32\Iinjhh32.exe25⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Iedjmioj.exeC:\Windows\system32\Iedjmioj.exe26⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Ipjoja32.exeC:\Windows\system32\Ipjoja32.exe27⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe28⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Iidphgcn.exeC:\Windows\system32\Iidphgcn.exe29⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe30⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Jekqmhia.exeC:\Windows\system32\Jekqmhia.exe31⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Jleijb32.exeC:\Windows\system32\Jleijb32.exe32⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe33⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Jmeede32.exeC:\Windows\system32\Jmeede32.exe34⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Jcanll32.exeC:\Windows\system32\Jcanll32.exe35⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Jilfifme.exeC:\Windows\system32\Jilfifme.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Jcdjbk32.exeC:\Windows\system32\Jcdjbk32.exe37⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe38⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Jedccfqg.exeC:\Windows\system32\Jedccfqg.exe39⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe40⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe41⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Kgflcifg.exeC:\Windows\system32\Kgflcifg.exe42⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Kpoalo32.exeC:\Windows\system32\Kpoalo32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Kflide32.exeC:\Windows\system32\Kflide32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4484 -
C:\Windows\SysWOW64\Lqhdbm32.exeC:\Windows\system32\Lqhdbm32.exe45⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Lgbloglj.exeC:\Windows\system32\Lgbloglj.exe46⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Llodgnja.exeC:\Windows\system32\Llodgnja.exe47⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4884 -
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe49⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Lqmmmmph.exeC:\Windows\system32\Lqmmmmph.exe50⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe51⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Ljhnlb32.exeC:\Windows\system32\Ljhnlb32.exe53⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Modgdicm.exeC:\Windows\system32\Modgdicm.exe54⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Mjjkaabc.exeC:\Windows\system32\Mjjkaabc.exe55⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Mqdcnl32.exeC:\Windows\system32\Mqdcnl32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe57⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe58⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe59⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe61⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Nnafno32.exeC:\Windows\system32\Nnafno32.exe62⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Ncnofeof.exeC:\Windows\system32\Ncnofeof.exe63⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe64⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe65⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe66⤵PID:3596
-
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe68⤵PID:1248
-
C:\Windows\SysWOW64\Nagiji32.exeC:\Windows\system32\Nagiji32.exe69⤵PID:4404
-
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe70⤵
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe71⤵PID:4344
-
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe72⤵PID:4588
-
C:\Windows\SysWOW64\Offnhpfo.exeC:\Windows\system32\Offnhpfo.exe73⤵PID:2984
-
C:\Windows\SysWOW64\Ompfej32.exeC:\Windows\system32\Ompfej32.exe74⤵PID:1332
-
C:\Windows\SysWOW64\Ocjoadei.exeC:\Windows\system32\Ocjoadei.exe75⤵PID:3732
-
C:\Windows\SysWOW64\Ojdgnn32.exeC:\Windows\system32\Ojdgnn32.exe76⤵PID:1020
-
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe77⤵PID:4144
-
C:\Windows\SysWOW64\Ojfcdnjc.exeC:\Windows\system32\Ojfcdnjc.exe78⤵PID:396
-
C:\Windows\SysWOW64\Ocohmc32.exeC:\Windows\system32\Ocohmc32.exe79⤵PID:4612
-
C:\Windows\SysWOW64\Ojhpimhp.exeC:\Windows\system32\Ojhpimhp.exe80⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Ocaebc32.exeC:\Windows\system32\Ocaebc32.exe81⤵PID:5168
-
C:\Windows\SysWOW64\Pjkmomfn.exeC:\Windows\system32\Pjkmomfn.exe82⤵PID:5216
-
C:\Windows\SysWOW64\Pnifekmd.exeC:\Windows\system32\Pnifekmd.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5260 -
C:\Windows\SysWOW64\Pdenmbkk.exeC:\Windows\system32\Pdenmbkk.exe84⤵PID:5304
-
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe85⤵
- Modifies registry class
PID:5340 -
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe86⤵PID:5392
-
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe87⤵PID:5436
-
C:\Windows\SysWOW64\Palklf32.exeC:\Windows\system32\Palklf32.exe88⤵PID:5480
-
C:\Windows\SysWOW64\Pjdpelnc.exeC:\Windows\system32\Pjdpelnc.exe89⤵PID:5524
-
C:\Windows\SysWOW64\Panhbfep.exeC:\Windows\system32\Panhbfep.exe90⤵PID:5568
-
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe91⤵PID:5612
-
C:\Windows\SysWOW64\Qaqegecm.exeC:\Windows\system32\Qaqegecm.exe92⤵PID:5656
-
C:\Windows\SysWOW64\Qhjmdp32.exeC:\Windows\system32\Qhjmdp32.exe93⤵PID:5700
-
C:\Windows\SysWOW64\Qmgelf32.exeC:\Windows\system32\Qmgelf32.exe94⤵PID:5740
-
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe95⤵PID:5788
-
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe96⤵PID:5832
-
C:\Windows\SysWOW64\Amjbbfgo.exeC:\Windows\system32\Amjbbfgo.exe97⤵PID:5876
-
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe98⤵
- Drops file in System32 directory
PID:5920 -
C:\Windows\SysWOW64\Aagkhd32.exeC:\Windows\system32\Aagkhd32.exe99⤵PID:5956
-
C:\Windows\SysWOW64\Adfgdpmi.exeC:\Windows\system32\Adfgdpmi.exe100⤵PID:6008
-
C:\Windows\SysWOW64\Akpoaj32.exeC:\Windows\system32\Akpoaj32.exe101⤵PID:6052
-
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe102⤵PID:6096
-
C:\Windows\SysWOW64\Ahdpjn32.exeC:\Windows\system32\Ahdpjn32.exe103⤵PID:6140
-
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5152 -
C:\Windows\SysWOW64\Ahfmpnql.exeC:\Windows\system32\Ahfmpnql.exe105⤵PID:5240
-
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe106⤵PID:5328
-
C:\Windows\SysWOW64\Apaadpng.exeC:\Windows\system32\Apaadpng.exe107⤵PID:5376
-
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe108⤵PID:5472
-
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe109⤵PID:5508
-
C:\Windows\SysWOW64\Bkibgh32.exeC:\Windows\system32\Bkibgh32.exe110⤵PID:5600
-
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe111⤵PID:5664
-
C:\Windows\SysWOW64\Bgpcliao.exeC:\Windows\system32\Bgpcliao.exe112⤵PID:5724
-
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe113⤵PID:5780
-
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe114⤵
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Jlgoek32.exeC:\Windows\system32\Jlgoek32.exe115⤵PID:5964
-
C:\Windows\SysWOW64\Hnhkdd32.exeC:\Windows\system32\Hnhkdd32.exe116⤵
- Drops file in System32 directory
PID:6040 -
C:\Windows\SysWOW64\Hqghqpnl.exeC:\Windows\system32\Hqghqpnl.exe117⤵PID:6116
-
C:\Windows\SysWOW64\Hcedmkmp.exeC:\Windows\system32\Hcedmkmp.exe118⤵
- Modifies registry class
PID:5188 -
C:\Windows\SysWOW64\Hkmlnimb.exeC:\Windows\system32\Hkmlnimb.exe119⤵PID:5292
-
C:\Windows\SysWOW64\Haidfpki.exeC:\Windows\system32\Haidfpki.exe120⤵PID:5460
-
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe121⤵
- Modifies registry class
PID:5556
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-