Analysis
- max time kernel: 157s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/11/2023, 16:25
Behavioral task: behavioral1
- Sample: NEAS.886fad53e501922a1e33eef86c6ae9e0.exe
- Resource: win7-20231025-en

Behavioral task: behavioral2
- Sample: NEAS.886fad53e501922a1e33eef86c6ae9e0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.886fad53e501922a1e33eef86c6ae9e0.exe
- Size: 96KB
- MD5: 886fad53e501922a1e33eef86c6ae9e0
- SHA1: d3b7acb3280340d4f45dd07572ff4ede84a78794
- SHA256: f7169a86fcde106533ab034c39c9316fc24e0b176d28b96eb1d878633cee132b
- SHA512: 3b1b52c2495416f5836f283a0f6758dd861159a418e446bc59638cd69beca32fd9ca320f487edd9ef96c133a616b76718c3162379d80454997a15febb5b33717
- SSDEEP: 1536:C2inti5Z1xKWQY6ROXAstL5UHrtc4fVcdZ2JVQBKoC/CKniTCvVAva61hLDnePhg:raQ31xKVLe4fVqZ2fQkbn1vVAva63Hem
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
- pid: 4800, pid_target: 6928, Process: WerFault.exe, procid_target: 934
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (the number is the nesting depth; each process is a child of the one listed before it). Each entry gives the image path, the command line as recorded, the PID, and the signatures that matched for that process.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.886fad53e501922a1e33eef86c6ae9e0.exe (PID 4204), command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.886fad53e501922a1e33eef86c6ae9e0.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Hgnlmdcp.exe (PID 4884), command line: C:\Windows\system32\Hgnlmdcp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Hfefdpfe.exe (PID 4732), command line: C:\Windows\system32\Hfefdpfe.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Hgebnc32.exe (PID 1776), command line: C:\Windows\system32\Hgebnc32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Iglhob32.exe (PID 3004), command line: C:\Windows\system32\Iglhob32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ijonfmbn.exe (PID 3668), command line: C:\Windows\system32\Ijonfmbn.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Jfkhfmdm.exe (PID 3296), command line: C:\Windows\system32\Jfkhfmdm.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kagbdenk.exe (PID 1416), command line: C:\Windows\system32\Kagbdenk.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Kfkamk32.exe (PID 224), command line: C:\Windows\system32\Kfkamk32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lmgfod32.exe (PID 3500), command line: C:\Windows\system32\Lmgfod32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Laglkb32.exe (PID 4288), command line: C:\Windows\system32\Laglkb32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Nkbfpeec.exe (PID 540), command line: C:\Windows\system32\Nkbfpeec.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Oogdfc32.exe (PID 4060), command line: C:\Windows\system32\Oogdfc32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Oddmoj32.exe (PID 408), command line: C:\Windows\system32\Oddmoj32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Onakco32.exe (PID 4300), command line: C:\Windows\system32\Onakco32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ogjpld32.exe (PID 2608), command line: C:\Windows\system32\Ogjpld32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Pgoigcip.exe (PID 2268), command line: C:\Windows\system32\Pgoigcip.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Pnknim32.exe (PID 3364), command line: C:\Windows\system32\Pnknim32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Pgeogb32.exe (PID 1216), command line: C:\Windows\system32\Pgeogb32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Qoocnpag.exe (PID 3996), command line: C:\Windows\system32\Qoocnpag.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Aoapcood.exe (PID 4108), command line: C:\Windows\system32\Aoapcood.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Akhaipei.exe (PID 4888), command line: C:\Windows\system32\Akhaipei.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Aecbge32.exe (PID 4588), command line: C:\Windows\system32\Aecbge32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
24. C:\Windows\SysWOW64\Akogio32.exe (PID 2996), command line: C:\Windows\system32\Akogio32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
25. C:\Windows\SysWOW64\Bbpeghpe.exe (PID 3912), command line: C:\Windows\system32\Bbpeghpe.exe
    - Executes dropped EXE
26. C:\Windows\SysWOW64\Blkgen32.exe (PID 384), command line: C:\Windows\system32\Blkgen32.exe
    - Executes dropped EXE
27. C:\Windows\SysWOW64\Cnlpgibd.exe (PID 376), command line: C:\Windows\system32\Cnlpgibd.exe
    - Executes dropped EXE
28. C:\Windows\SysWOW64\Cejaobel.exe (PID 1408), command line: C:\Windows\system32\Cejaobel.exe
    - Executes dropped EXE
29. C:\Windows\SysWOW64\Cfjnhe32.exe (PID 2328), command line: C:\Windows\system32\Cfjnhe32.exe
    - Executes dropped EXE
30. C:\Windows\SysWOW64\Dhgjll32.exe (PID 1616), command line: C:\Windows\system32\Dhgjll32.exe
    - Executes dropped EXE
31. C:\Windows\SysWOW64\Fidbgm32.exe (PID 2216), command line: C:\Windows\system32\Fidbgm32.exe
    - Executes dropped EXE
32. C:\Windows\SysWOW64\Gchflq32.exe (PID 5112), command line: C:\Windows\system32\Gchflq32.exe
    - Executes dropped EXE
33. C:\Windows\SysWOW64\Hjlaoioh.exe (PID 2528), command line: C:\Windows\system32\Hjlaoioh.exe
    - Executes dropped EXE
34. C:\Windows\SysWOW64\Hjpkjh32.exe (PID 3412), command line: C:\Windows\system32\Hjpkjh32.exe
    - Executes dropped EXE
35. C:\Windows\SysWOW64\Homcbo32.exe (PID 3636), command line: C:\Windows\system32\Homcbo32.exe
    - Executes dropped EXE
36. C:\Windows\SysWOW64\Iqmplbpl.exe (PID 2280), command line: C:\Windows\system32\Iqmplbpl.exe
    - Executes dropped EXE
37. C:\Windows\SysWOW64\Iqaiga32.exe (PID 3992), command line: C:\Windows\system32\Iqaiga32.exe
    - Executes dropped EXE
38. C:\Windows\SysWOW64\Jfehpg32.exe (PID 3860), command line: C:\Windows\system32\Jfehpg32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
39. C:\Windows\SysWOW64\Jckeokan.exe (PID 3096), command line: C:\Windows\system32\Jckeokan.exe
    - Executes dropped EXE
40. C:\Windows\SysWOW64\Jfokff32.exe (PID 4652), command line: C:\Windows\system32\Jfokff32.exe
    - Executes dropped EXE
41. C:\Windows\SysWOW64\Kpgoolbl.exe (PID 2152), command line: C:\Windows\system32\Kpgoolbl.exe
    - Executes dropped EXE
42. C:\Windows\SysWOW64\Kgcqlh32.exe (PID 3512), command line: C:\Windows\system32\Kgcqlh32.exe
    - Executes dropped EXE
    - Modifies registry class
43. C:\Windows\SysWOW64\Likcdpop.exe (PID 4232), command line: C:\Windows\system32\Likcdpop.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
44. C:\Windows\SysWOW64\Lipmoo32.exe (PID 1376), command line: C:\Windows\system32\Lipmoo32.exe
    - Executes dropped EXE
45. C:\Windows\SysWOW64\Libido32.exe (PID 3788), command line: C:\Windows\system32\Libido32.exe
    - Executes dropped EXE
46. C:\Windows\SysWOW64\Mdjjgggk.exe (PID 3712), command line: C:\Windows\system32\Mdjjgggk.exe
    - Executes dropped EXE
47. C:\Windows\SysWOW64\Mdaqhf32.exe (PID 1020), command line: C:\Windows\system32\Mdaqhf32.exe
    - Executes dropped EXE
48. C:\Windows\SysWOW64\Mphamg32.exe (PID 4724), command line: C:\Windows\system32\Mphamg32.exe
    - Executes dropped EXE
    - Modifies registry class
49. C:\Windows\SysWOW64\Ngklppei.exe (PID 3740), command line: C:\Windows\system32\Ngklppei.exe
    - Executes dropped EXE
    - Modifies registry class
50. C:\Windows\SysWOW64\Oinbgk32.exe (PID 4984), command line: C:\Windows\system32\Oinbgk32.exe
    - Executes dropped EXE
51. C:\Windows\SysWOW64\Oknnanhj.exe (PID 2908), command line: C:\Windows\system32\Oknnanhj.exe
    - Executes dropped EXE
52. C:\Windows\SysWOW64\Ohaokbfd.exe (PID 4436), command line: C:\Windows\system32\Ohaokbfd.exe
    - Executes dropped EXE
53. C:\Windows\SysWOW64\Onngci32.exe (PID 4408), command line: C:\Windows\system32\Onngci32.exe
    - Executes dropped EXE
54. C:\Windows\SysWOW64\Opmcod32.exe (PID 4332), command line: C:\Windows\system32\Opmcod32.exe
    - Executes dropped EXE
55. C:\Windows\SysWOW64\Pkedbmab.exe (PID 2056), command line: C:\Windows\system32\Pkedbmab.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
56. C:\Windows\SysWOW64\Pgkegn32.exe (PID 4528), command line: C:\Windows\system32\Pgkegn32.exe
    - Executes dropped EXE
57. C:\Windows\SysWOW64\Pjoknhbe.exe (PID 1248), command line: C:\Windows\system32\Pjoknhbe.exe
    - Executes dropped EXE
58. C:\Windows\SysWOW64\Pnlcdg32.exe (PID 1140), command line: C:\Windows\system32\Pnlcdg32.exe
    - Executes dropped EXE
59. C:\Windows\SysWOW64\Qnamofdf.exe (PID 4460), command line: C:\Windows\system32\Qnamofdf.exe
    - Executes dropped EXE
60. C:\Windows\SysWOW64\Agiahlkf.exe (PID 3420), command line: C:\Windows\system32\Agiahlkf.exe
    - Executes dropped EXE
61. C:\Windows\SysWOW64\Adpogp32.exe (PID 1108), command line: C:\Windows\system32\Adpogp32.exe
    - Executes dropped EXE
62. C:\Windows\SysWOW64\Akopoi32.exe (PID 836), command line: C:\Windows\system32\Akopoi32.exe
    - Executes dropped EXE
    - Modifies registry class
63. C:\Windows\SysWOW64\Bdlncn32.exe (PID 4064), command line: C:\Windows\system32\Bdlncn32.exe
    - Executes dropped EXE
64. C:\Windows\SysWOW64\Dlkiaece.exe (PID 3488), command line: C:\Windows\system32\Dlkiaece.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
65. C:\Windows\SysWOW64\Dalkek32.exe (PID 2100), command line: C:\Windows\system32\Dalkek32.exe
    - Executes dropped EXE
66. C:\Windows\SysWOW64\Eijigg32.exe (PID 3000), command line: C:\Windows\system32\Eijigg32.exe
    - Modifies registry class
67. C:\Windows\SysWOW64\Ehofhdli.exe (PID 4520), command line: C:\Windows\system32\Ehofhdli.exe
68. C:\Windows\SysWOW64\Eahjqicj.exe (PID 4584), command line: C:\Windows\system32\Eahjqicj.exe
69. C:\Windows\SysWOW64\Fbnmkk32.exe (PID 1128), command line: C:\Windows\system32\Fbnmkk32.exe
70. C:\Windows\SysWOW64\Gbcffk32.exe (PID 1396), command line: C:\Windows\system32\Gbcffk32.exe
    - Drops file in System32 directory
    - Modifies registry class
71. C:\Windows\SysWOW64\Gimoce32.exe (PID 4656), command line: C:\Windows\system32\Gimoce32.exe
72. C:\Windows\SysWOW64\Gknkkmmj.exe (PID 1596), command line: C:\Windows\system32\Gknkkmmj.exe
73. C:\Windows\SysWOW64\Hembndee.exe (PID 4604), command line: C:\Windows\system32\Hembndee.exe
74. C:\Windows\SysWOW64\Ieiajckh.exe (PID 4328), command line: C:\Windows\system32\Ieiajckh.exe
75. C:\Windows\SysWOW64\Ilcjgm32.exe (PID 1144), command line: C:\Windows\system32\Ilcjgm32.exe
76. C:\Windows\SysWOW64\Icmbcg32.exe (PID 2500), command line: C:\Windows\system32\Icmbcg32.exe
77. C:\Windows\SysWOW64\Icakofel.exe (PID 3432), command line: C:\Windows\system32\Icakofel.exe
78. C:\Windows\SysWOW64\Jchaoe32.exe (PID 3804), command line: C:\Windows\system32\Jchaoe32.exe
79. C:\Windows\SysWOW64\Jlafhkfe.exe (PID 4792), command line: C:\Windows\system32\Jlafhkfe.exe
    - Modifies registry class
80. C:\Windows\SysWOW64\Jbnopbdl.exe (PID 1996), command line: C:\Windows\system32\Jbnopbdl.exe
    - Drops file in System32 directory
81. C:\Windows\SysWOW64\Jkfcigkm.exe (PID 1312), command line: C:\Windows\system32\Jkfcigkm.exe
    - Modifies registry class
82. C:\Windows\SysWOW64\Kbinlp32.exe (PID 4316), command line: C:\Windows\system32\Kbinlp32.exe
83. C:\Windows\SysWOW64\Kmobii32.exe (PID 3172), command line: C:\Windows\system32\Kmobii32.exe
84. C:\Windows\SysWOW64\Ljjicl32.exe (PID 5040), command line: C:\Windows\system32\Ljjicl32.exe
85. C:\Windows\SysWOW64\Llmbqdfb.exe (PID 1972), command line: C:\Windows\system32\Llmbqdfb.exe
86. C:\Windows\SysWOW64\Mcggga32.exe (PID 1628), command line: C:\Windows\system32\Mcggga32.exe
    - Modifies registry class
87. C:\Windows\SysWOW64\Mikepg32.exe (PID 3352), command line: C:\Windows\system32\Mikepg32.exe
88. C:\Windows\SysWOW64\Nbefolao.exe (PID 1204), command line: C:\Windows\system32\Nbefolao.exe
89. C:\Windows\SysWOW64\Njokei32.exe (PID 4688), command line: C:\Windows\system32\Njokei32.exe
90. C:\Windows\SysWOW64\Opcjno32.exe (PID 4440), command line: C:\Windows\system32\Opcjno32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
91. C:\Windows\SysWOW64\Omgjhc32.exe (PID 5156), command line: C:\Windows\system32\Omgjhc32.exe
92. C:\Windows\SysWOW64\Ollgiplp.exe (PID 5200), command line: C:\Windows\system32\Ollgiplp.exe
93. C:\Windows\SysWOW64\Ofalfi32.exe (PID 5240), command line: C:\Windows\system32\Ofalfi32.exe
94. C:\Windows\SysWOW64\Ofdhlh32.exe (PID 5288), command line: C:\Windows\system32\Ofdhlh32.exe
95. C:\Windows\SysWOW64\Obkiqi32.exe (PID 5332), command line: C:\Windows\system32\Obkiqi32.exe
96. C:\Windows\SysWOW64\Pidamcgd.exe (PID 5384), command line: C:\Windows\system32\Pidamcgd.exe
97. C:\Windows\SysWOW64\Pdlbpldg.exe (PID 5428), command line: C:\Windows\system32\Pdlbpldg.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
98. C:\Windows\SysWOW64\Pmipdq32.exe (PID 5468), command line: C:\Windows\system32\Pmipdq32.exe
99. C:\Windows\SysWOW64\Qipqibmf.exe (PID 5512), command line: C:\Windows\system32\Qipqibmf.exe
100. C:\Windows\SysWOW64\Qpjifl32.exe (PID 5560), command line: C:\Windows\system32\Qpjifl32.exe
101. C:\Windows\SysWOW64\Qibmoa32.exe (PID 5604), command line: C:\Windows\system32\Qibmoa32.exe
    - Drops file in System32 directory
102. C:\Windows\SysWOW64\Apaofk32.exe (PID 5648), command line: C:\Windows\system32\Apaofk32.exe
103. C:\Windows\SysWOW64\Bckknd32.exe (PID 5704), command line: C:\Windows\system32\Bckknd32.exe
104. C:\Windows\SysWOW64\Bmhibi32.exe (PID 5740), command line: C:\Windows\system32\Bmhibi32.exe
    - Drops file in System32 directory
105. C:\Windows\SysWOW64\Ccbaoc32.exe (PID 5792), command line: C:\Windows\system32\Ccbaoc32.exe
106. C:\Windows\SysWOW64\Cnhell32.exe (PID 5832), command line: C:\Windows\system32\Cnhell32.exe
    - Drops file in System32 directory
107. C:\Windows\SysWOW64\Cdbmifdl.exe (PID 5876), command line: C:\Windows\system32\Cdbmifdl.exe
    - Modifies registry class
108. C:\Windows\SysWOW64\Cmmbmiag.exe (PID 5916), command line: C:\Windows\system32\Cmmbmiag.exe
109. C:\Windows\SysWOW64\Cgbfka32.exe (PID 5960), command line: C:\Windows\system32\Cgbfka32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
110. C:\Windows\SysWOW64\Dcegkamd.exe (PID 6004), command line: C:\Windows\system32\Dcegkamd.exe
111. C:\Windows\SysWOW64\Egelgoah.exe (PID 6048), command line: C:\Windows\system32\Egelgoah.exe
112. C:\Windows\SysWOW64\Egoomnin.exe (PID 6092), command line: C:\Windows\system32\Egoomnin.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Fhalcm32.exe (PID 6132), command line: C:\Windows\system32\Fhalcm32.exe
114. C:\Windows\SysWOW64\Fhfenmbe.exe (PID 5140), command line: C:\Windows\system32\Fhfenmbe.exe
115. C:\Windows\SysWOW64\Fnpmkg32.exe (PID 5212), command line: C:\Windows\system32\Fnpmkg32.exe
116. C:\Windows\SysWOW64\Goipae32.exe (PID 5272), command line: C:\Windows\system32\Goipae32.exe
117. C:\Windows\SysWOW64\Glmqjj32.exe (PID 5376), command line: C:\Windows\system32\Glmqjj32.exe
118. C:\Windows\SysWOW64\Hdokok32.exe (PID 5408), command line: C:\Windows\system32\Hdokok32.exe
119. C:\Windows\SysWOW64\Hkiclepa.exe (PID 5492), command line: C:\Windows\system32\Hkiclepa.exe
120. C:\Windows\SysWOW64\Ikbfbdgf.exe (PID 5556), command line: C:\Windows\system32\Ikbfbdgf.exe
    - Modifies registry class
121. C:\Windows\SysWOW64\Ieoapl32.exe (PID 1000), command line: C:\Windows\system32\Ieoapl32.exe
122. C:\Windows\SysWOW64\Klibdcjo.exe (PID 5952), command line: C:\Windows\system32\Klibdcjo.exe