Analysis
max time kernel: 135s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/11/2023, 08:25
Behavioral task: behavioral1
Sample: NEAS.74fb9f6ef600f12c42af75b4e0307ce0.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.74fb9f6ef600f12c42af75b4e0307ce0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.74fb9f6ef600f12c42af75b4e0307ce0.exe
Size: 96KB
MD5: 74fb9f6ef600f12c42af75b4e0307ce0
SHA1: e55a10660970be72f50ff2be76843b2a4b80ac24
SHA256: f6e55ac539f85b3f0995f5f6790eff4db42b60e21083924f714912a7ae6971f5
SHA512: c6caee98ba2be82b7f04dd0a469ee2f7ffe38fcba451a9405b6e1119a80e99993b0780060b5dd0a7cdee1a2ddc3924126e93369d310a9641a6812ff10209e7cd
SSDEEP: 1536:iPc/IqFK8qBS+0qLkshPQAGiZTQ4NfVcdZ2JVQBKoC/CKniTCvVAva61hLDnePhg:i0/IgNxIDGi5Q4JVqZ2fQkbn1vVAva61
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 8684, pid_target: 5572, Process: WerFault.exe, procid_target: 1045
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree: each entry is spawned by the entry above it; the leading number is its nesting level. Each line gives the image path, the command line as recorded, the PID, and the signatures that matched for that process.

1. "C:\Users\Admin\AppData\Local\Temp\NEAS.74fb9f6ef600f12c42af75b4e0307ce0.exe" (PID 4144) - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kkpnga32.exe (cmdline C:\Windows\system32\Kkpnga32.exe; PID 2132) - Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Kaopoj32.exe (cmdline C:\Windows\system32\Kaopoj32.exe; PID 2056) - Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Khkdad32.exe (cmdline C:\Windows\system32\Khkdad32.exe; PID 4172) - Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ldkhlcnb.exe (cmdline C:\Windows\system32\Ldkhlcnb.exe; PID 3720) - Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Mcabej32.exe (cmdline C:\Windows\system32\Mcabej32.exe; PID 2276) - Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Nkeipk32.exe (cmdline C:\Windows\system32\Nkeipk32.exe; PID 400) - Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Nbdkhe32.exe (cmdline C:\Windows\system32\Nbdkhe32.exe; PID 1960) - Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Obfhmd32.exe (cmdline C:\Windows\system32\Obfhmd32.exe; PID 1596) - Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Oloipmfd.exe (cmdline C:\Windows\system32\Oloipmfd.exe; PID 2196) - Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Obnnnc32.exe (cmdline C:\Windows\system32\Obnnnc32.exe; PID 3044) - Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pecpknke.exe (cmdline C:\Windows\system32\Pecpknke.exe; PID 2608) - Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pmmeak32.exe (cmdline C:\Windows\system32\Pmmeak32.exe; PID 2424) - Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Qcncodki.exe (cmdline C:\Windows\system32\Qcncodki.exe; PID 3508) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Aecialmb.exe (cmdline C:\Windows\system32\Aecialmb.exe; PID 4768) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ammnhilb.exe (cmdline C:\Windows\system32\Ammnhilb.exe; PID 4164) - Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Bcicjbal.exe (cmdline C:\Windows\system32\Bcicjbal.exe; PID 2760) - Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Bihhhi32.exe (cmdline C:\Windows\system32\Bihhhi32.exe; PID 4888) - Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Beoimjce.exe (cmdline C:\Windows\system32\Beoimjce.exe; PID 860) - Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Bipnihgi.exe (cmdline C:\Windows\system32\Bipnihgi.exe; PID 3452) - Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Cpqlfa32.exe (cmdline C:\Windows\system32\Cpqlfa32.exe; PID 2124) - Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Cepadh32.exe (cmdline C:\Windows\system32\Cepadh32.exe; PID 4744) - Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Dfonnk32.exe (cmdline C:\Windows\system32\Dfonnk32.exe; PID 2772) - Executes dropped EXE
24. C:\Windows\SysWOW64\Dipgpf32.exe (cmdline C:\Windows\system32\Dipgpf32.exe; PID 2576) - Executes dropped EXE
25. C:\Windows\SysWOW64\Dibdeegc.exe (cmdline C:\Windows\system32\Dibdeegc.exe; PID 3804) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
26. C:\Windows\SysWOW64\Didqkeeq.exe (cmdline C:\Windows\system32\Didqkeeq.exe; PID 1792) - Executes dropped EXE; Drops file in System32 directory
27. C:\Windows\SysWOW64\Egknji32.exe (cmdline C:\Windows\system32\Egknji32.exe; PID 4528) - Executes dropped EXE; Drops file in System32 directory
28. C:\Windows\SysWOW64\Ffnglc32.exe (cmdline C:\Windows\system32\Ffnglc32.exe; PID 2204) - Executes dropped EXE
29. C:\Windows\SysWOW64\Gjcfcakn.exe (cmdline C:\Windows\system32\Gjcfcakn.exe; PID 1660) - Executes dropped EXE
30. C:\Windows\SysWOW64\Gnckooob.exe (cmdline C:\Windows\system32\Gnckooob.exe; PID 4688) - Executes dropped EXE
31. C:\Windows\SysWOW64\Hcembe32.exe (cmdline C:\Windows\system32\Hcembe32.exe; PID 1940) - Executes dropped EXE
32. C:\Windows\SysWOW64\Hjcojo32.exe (cmdline C:\Windows\system32\Hjcojo32.exe; PID 3064) - Executes dropped EXE
33. C:\Windows\SysWOW64\Iggocbke.exe (cmdline C:\Windows\system32\Iggocbke.exe; PID 4188) - Executes dropped EXE
34. C:\Windows\SysWOW64\Ienlbf32.exe (cmdline C:\Windows\system32\Ienlbf32.exe; PID 4800) - Executes dropped EXE
35. C:\Windows\SysWOW64\Ijmapm32.exe (cmdline C:\Windows\system32\Ijmapm32.exe; PID 872) - Executes dropped EXE
36. C:\Windows\SysWOW64\Igqbiacj.exe (cmdline C:\Windows\system32\Igqbiacj.exe; PID 1512) - Executes dropped EXE
37. C:\Windows\SysWOW64\Jmbdmg32.exe (cmdline C:\Windows\system32\Jmbdmg32.exe; PID 3352) - Executes dropped EXE
38. C:\Windows\SysWOW64\Jjfdfl32.exe (cmdline C:\Windows\system32\Jjfdfl32.exe; PID 4312) - Executes dropped EXE
39. C:\Windows\SysWOW64\Jeneidji.exe (cmdline C:\Windows\system32\Jeneidji.exe; PID 5092) - Executes dropped EXE
40. C:\Windows\SysWOW64\Jaefne32.exe (cmdline C:\Windows\system32\Jaefne32.exe; PID 712) - Executes dropped EXE
41. C:\Windows\SysWOW64\Kceoppmo.exe (cmdline C:\Windows\system32\Kceoppmo.exe; PID 2852) - Executes dropped EXE
42. C:\Windows\SysWOW64\Kjbdbjbi.exe (cmdline C:\Windows\system32\Kjbdbjbi.exe; PID 5044) - Executes dropped EXE
43. C:\Windows\SysWOW64\Lennpb32.exe (cmdline C:\Windows\system32\Lennpb32.exe; PID 2272) - Executes dropped EXE; Modifies registry class
44. C:\Windows\SysWOW64\Maaoaa32.exe (cmdline C:\Windows\system32\Maaoaa32.exe; PID 4352) - Executes dropped EXE
45. C:\Windows\SysWOW64\Onakco32.exe (cmdline C:\Windows\system32\Onakco32.exe; PID 4340) - Executes dropped EXE
46. C:\Windows\SysWOW64\Pdnpeh32.exe (cmdline C:\Windows\system32\Pdnpeh32.exe; PID 3992) - Executes dropped EXE; Drops file in System32 directory
47. C:\Windows\SysWOW64\Pocdba32.exe (cmdline C:\Windows\system32\Pocdba32.exe; PID 1796) - Executes dropped EXE
48. C:\Windows\SysWOW64\Pnmjomlg.exe (cmdline C:\Windows\system32\Pnmjomlg.exe; PID 2384) - Executes dropped EXE; Drops file in System32 directory
49. C:\Windows\SysWOW64\Aiqkmd32.exe (cmdline C:\Windows\system32\Aiqkmd32.exe; PID 4348) - Executes dropped EXE
50. C:\Windows\SysWOW64\Aokcjngj.exe (cmdline C:\Windows\system32\Aokcjngj.exe; PID 2284) - Executes dropped EXE
51. C:\Windows\SysWOW64\Cpmifkgd.exe (cmdline C:\Windows\system32\Cpmifkgd.exe; PID 4788) - Executes dropped EXE
52. C:\Windows\SysWOW64\Cpbbak32.exe (cmdline C:\Windows\system32\Cpbbak32.exe; PID 1968) - Executes dropped EXE
53. C:\Windows\SysWOW64\Cfljnejl.exe (cmdline C:\Windows\system32\Cfljnejl.exe; PID 3824) - Executes dropped EXE
54. C:\Windows\SysWOW64\Eimlgnij.exe (cmdline C:\Windows\system32\Eimlgnij.exe; PID 2004) - Executes dropped EXE; Modifies registry class
55. C:\Windows\SysWOW64\Feifgnki.exe (cmdline C:\Windows\system32\Feifgnki.exe; PID 512) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
56. C:\Windows\SysWOW64\Ginenk32.exe (cmdline C:\Windows\system32\Ginenk32.exe; PID 2824) - Executes dropped EXE
57. C:\Windows\SysWOW64\Hjieii32.exe (cmdline C:\Windows\system32\Hjieii32.exe; PID 3888) - Executes dropped EXE
58. C:\Windows\SysWOW64\Hjlaoioh.exe (cmdline C:\Windows\system32\Hjlaoioh.exe; PID 2500) - Executes dropped EXE
59. C:\Windows\SysWOW64\Hcipcnac.exe (cmdline C:\Windows\system32\Hcipcnac.exe; PID 1336) - Executes dropped EXE
60. C:\Windows\SysWOW64\Hjbhph32.exe (cmdline C:\Windows\system32\Hjbhph32.exe; PID 3568) - Executes dropped EXE
61. C:\Windows\SysWOW64\Ijedehgm.exe (cmdline C:\Windows\system32\Ijedehgm.exe; PID 4192) - Executes dropped EXE; Drops file in System32 directory
62. C:\Windows\SysWOW64\Iobmmoed.exe (cmdline C:\Windows\system32\Iobmmoed.exe; PID 4236) - Executes dropped EXE
63. C:\Windows\SysWOW64\Iqaiga32.exe (cmdline C:\Windows\system32\Iqaiga32.exe; PID 4716) - Executes dropped EXE
64. C:\Windows\SysWOW64\Ifckkhfi.exe (cmdline C:\Windows\system32\Ifckkhfi.exe; PID 4456) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
65. C:\Windows\SysWOW64\Jjqdafmp.exe (cmdline C:\Windows\system32\Jjqdafmp.exe; PID 4604) - Executes dropped EXE
66. C:\Windows\SysWOW64\Jqbbno32.exe (cmdline C:\Windows\system32\Jqbbno32.exe; PID 2104)
67. C:\Windows\SysWOW64\Kjlcmdbb.exe (cmdline C:\Windows\system32\Kjlcmdbb.exe; PID 4208)
68. C:\Windows\SysWOW64\Lcqgahoe.exe (cmdline C:\Windows\system32\Lcqgahoe.exe; PID 3504)
69. C:\Windows\SysWOW64\Lmiljn32.exe (cmdline C:\Windows\system32\Lmiljn32.exe; PID 1776)
70. C:\Windows\SysWOW64\Mffjnc32.exe (cmdline C:\Windows\system32\Mffjnc32.exe; PID 4964)
71. C:\Windows\SysWOW64\Mhoind32.exe (cmdline C:\Windows\system32\Mhoind32.exe; PID 1948)
72. C:\Windows\SysWOW64\Njmejp32.exe (cmdline C:\Windows\system32\Njmejp32.exe; PID 2896) - Modifies registry class
73. C:\Windows\SysWOW64\Ndejcemn.exe (cmdline C:\Windows\system32\Ndejcemn.exe; PID 5140)
74. C:\Windows\SysWOW64\Nmnnlk32.exe (cmdline C:\Windows\system32\Nmnnlk32.exe; PID 5188)
75. C:\Windows\SysWOW64\Pkgaglpp.exe (cmdline C:\Windows\system32\Pkgaglpp.exe; PID 5240)
76. C:\Windows\SysWOW64\Ahkkhnpg.exe (cmdline C:\Windows\system32\Ahkkhnpg.exe; PID 5280)
77. C:\Windows\SysWOW64\Bdgehobe.exe (cmdline C:\Windows\system32\Bdgehobe.exe; PID 5320)
78. C:\Windows\SysWOW64\Bdnkhn32.exe (cmdline C:\Windows\system32\Bdnkhn32.exe; PID 5380)
79. C:\Windows\SysWOW64\Cejjdlap.exe (cmdline C:\Windows\system32\Cejjdlap.exe; PID 5424)
80. C:\Windows\SysWOW64\Dalkek32.exe (cmdline C:\Windows\system32\Dalkek32.exe; PID 5476)
81. C:\Windows\SysWOW64\Eaenkj32.exe (cmdline C:\Windows\system32\Eaenkj32.exe; PID 5516)
82. C:\Windows\SysWOW64\Ebejem32.exe (cmdline C:\Windows\system32\Ebejem32.exe; PID 5560) - Modifies registry class
83. C:\Windows\SysWOW64\Eiobbgcl.exe (cmdline C:\Windows\system32\Eiobbgcl.exe; PID 5688)
84. C:\Windows\SysWOW64\Fbnmkk32.exe (cmdline C:\Windows\system32\Fbnmkk32.exe; PID 5724)
85. C:\Windows\SysWOW64\Fkiapn32.exe (cmdline C:\Windows\system32\Fkiapn32.exe; PID 5788)
86. C:\Windows\SysWOW64\Goamlkpk.exe (cmdline C:\Windows\system32\Goamlkpk.exe; PID 5836)
87. C:\Windows\SysWOW64\Hligqnjp.exe (cmdline C:\Windows\system32\Hligqnjp.exe; PID 5884)
88. C:\Windows\SysWOW64\Jjefao32.exe (cmdline C:\Windows\system32\Jjefao32.exe; PID 5928)
89. C:\Windows\SysWOW64\Kkabefqp.exe (cmdline C:\Windows\system32\Kkabefqp.exe; PID 5972) - Drops file in System32 directory
90. C:\Windows\SysWOW64\Kkdoje32.exe (cmdline C:\Windows\system32\Kkdoje32.exe; PID 6012)
91. C:\Windows\SysWOW64\Mjjbjjdd.exe (cmdline C:\Windows\system32\Mjjbjjdd.exe; PID 6108)
92. C:\Windows\SysWOW64\Ofdhlh32.exe (cmdline C:\Windows\system32\Ofdhlh32.exe; PID 4396)
93. C:\Windows\SysWOW64\Pdchakoo.exe (cmdline C:\Windows\system32\Pdchakoo.exe; PID 968)
94. C:\Windows\SysWOW64\Bjeckojo.exe (cmdline C:\Windows\system32\Bjeckojo.exe; PID 5452) - Drops file in System32 directory
95. C:\Windows\SysWOW64\Bnclamqe.exe (cmdline C:\Windows\system32\Bnclamqe.exe; PID 5544)
96. C:\Windows\SysWOW64\Cmmbmiag.exe (cmdline C:\Windows\system32\Cmmbmiag.exe; PID 5704)
97. C:\Windows\SysWOW64\Cnmoglij.exe (cmdline C:\Windows\system32\Cnmoglij.exe; PID 5760) - Drops file in System32 directory
98. C:\Windows\SysWOW64\Ckqoapgd.exe (cmdline C:\Windows\system32\Ckqoapgd.exe; PID 5868) - Modifies registry class
99. C:\Windows\SysWOW64\Cmdhnhkp.exe (cmdline C:\Windows\system32\Cmdhnhkp.exe; PID 2636)
100. C:\Windows\SysWOW64\Dcnqkb32.exe (cmdline C:\Windows\system32\Dcnqkb32.exe; PID 936)
101. C:\Windows\SysWOW64\Dmfecgim.exe (cmdline C:\Windows\system32\Dmfecgim.exe; PID 5968)
102. C:\Windows\SysWOW64\Dkjbgooi.exe (cmdline C:\Windows\system32\Dkjbgooi.exe; PID 3480) - Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Dqgjoenq.exe (cmdline C:\Windows\system32\Dqgjoenq.exe; PID 1452)
104. C:\Windows\SysWOW64\Dklomnmf.exe (cmdline C:\Windows\system32\Dklomnmf.exe; PID 6140)
105. C:\Windows\SysWOW64\Dqigee32.exe (cmdline C:\Windows\system32\Dqigee32.exe; PID 5328)
106. C:\Windows\SysWOW64\Dgcoaock.exe (cmdline C:\Windows\system32\Dgcoaock.exe; PID 2196)
107. C:\Windows\SysWOW64\Dmphjfab.exe (cmdline C:\Windows\system32\Dmphjfab.exe; PID 3944)
108. C:\Windows\SysWOW64\Ekahhn32.exe (cmdline C:\Windows\system32\Ekahhn32.exe; PID 4856)
109. C:\Windows\SysWOW64\Eapmedef.exe (cmdline C:\Windows\system32\Eapmedef.exe; PID 3920)
110. C:\Windows\SysWOW64\Ekeacmel.exe (cmdline C:\Windows\system32\Ekeacmel.exe; PID 4768) - Drops file in System32 directory
111. C:\Windows\SysWOW64\Egoomnin.exe (cmdline C:\Windows\system32\Egoomnin.exe; PID 1960)
112. C:\Windows\SysWOW64\Fcepbooa.exe (cmdline C:\Windows\system32\Fcepbooa.exe; PID 2760)
113. C:\Windows\SysWOW64\Fhchhm32.exe (cmdline C:\Windows\system32\Fhchhm32.exe; PID 5712)
114. C:\Windows\SysWOW64\Fnmqegle.exe (cmdline C:\Windows\system32\Fnmqegle.exe; PID 5808)
115. C:\Windows\SysWOW64\Fjikeg32.exe (cmdline C:\Windows\system32\Fjikeg32.exe; PID 5920)
116. C:\Windows\SysWOW64\Gaglma32.exe (cmdline C:\Windows\system32\Gaglma32.exe; PID 5948)
117. C:\Windows\SysWOW64\Gdkbdllj.exe (cmdline C:\Windows\system32\Gdkbdllj.exe; PID 2180)
118. C:\Windows\SysWOW64\Hopfadlp.exe (cmdline C:\Windows\system32\Hopfadlp.exe; PID 4696)
119. C:\Windows\SysWOW64\Kadnfkji.exe (cmdline C:\Windows\system32\Kadnfkji.exe; PID 1552)
120. C:\Windows\SysWOW64\Khnfce32.exe (cmdline C:\Windows\system32\Khnfce32.exe; PID 2772)
121. C:\Windows\SysWOW64\Knphfklg.exe (cmdline C:\Windows\system32\Knphfklg.exe; PID 4620)
122. C:\Windows\SysWOW64\Lhelddln.exe (cmdline C:\Windows\system32\Lhelddln.exe; PID 1596)