Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2023, 04:01

Behavioral task: behavioral1
Sample: NEAS.b0510e01c62ad8b2a8e48744b55d9260.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: NEAS.b0510e01c62ad8b2a8e48744b55d9260.exe
Resource: win10v2004-20231023-en

General
Target: NEAS.b0510e01c62ad8b2a8e48744b55d9260.exe
Size: 133KB
MD5: b0510e01c62ad8b2a8e48744b55d9260
SHA1: db4947c95ef256f531aebb035209e300f9041c0a
SHA256: f3996bd288f657dc9b2ce649d072d979899caf0c498b3c6a4dc6b0a620cc8df2
SHA512: a246f291a1e2581ca988fcaba1e8abb8db6d81be883c1235335b415a79cc70d6125615fe4a1d25ab2f3c9db14c200f7b33cb128a8eec484a4fda81c8b916a593
SSDEEP: 3072:uFWMgRlHsEz6kpTKG7UDd0pCrQIFdFtLwzTa:j1jMEukpeG7Ux0ocIPF9wzG
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (2 IoCs)
pid   pid_target  Process       procid_target
2188  1708        WerFault.exe  370
4072  1708        WerFault.exe  370
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the image path, then in parentheses the command line, the process-tree depth and the PID, followed by the behaviours flagged for that process.

C:\Users\Admin\AppData\Local\Temp\NEAS.b0510e01c62ad8b2a8e48744b55d9260.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.b0510e01c62ad8b2a8e48744b55d9260.exe"; depth 1; PID 3272)
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Kcjjhdjb.exe  (cmdline: C:\Windows\system32\Kcjjhdjb.exe; depth 2; PID 2788)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mpapnfhg.exe  (cmdline: C:\Windows\system32\Mpapnfhg.exe; depth 3; PID 3316)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mhoahh32.exe  (cmdline: C:\Windows\system32\Mhoahh32.exe; depth 4; PID 1968)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Noppeaed.exe  (cmdline: C:\Windows\system32\Noppeaed.exe; depth 5; PID 4128)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Nmhijd32.exe  (cmdline: C:\Windows\system32\Nmhijd32.exe; depth 6; PID 4220)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ncbafoge.exe  (cmdline: C:\Windows\system32\Ncbafoge.exe; depth 7; PID 4444)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ocdnln32.exe  (cmdline: C:\Windows\system32\Ocdnln32.exe; depth 8; PID 3880)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Oifppdpd.exe  (cmdline: C:\Windows\system32\Oifppdpd.exe; depth 9; PID 3912)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pqbala32.exe  (cmdline: C:\Windows\system32\Pqbala32.exe; depth 10; PID 3772)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pmkofa32.exe  (cmdline: C:\Windows\system32\Pmkofa32.exe; depth 11; PID 3584)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qppaclio.exe  (cmdline: C:\Windows\system32\Qppaclio.exe; depth 12; PID 4852)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Acccdj32.exe  (cmdline: C:\Windows\system32\Acccdj32.exe; depth 13; PID 1708)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Abjmkf32.exe  (cmdline: C:\Windows\system32\Abjmkf32.exe; depth 14; PID 1188)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bigbmpco.exe  (cmdline: C:\Windows\system32\Bigbmpco.exe; depth 15; PID 2752)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bpedeiff.exe  (cmdline: C:\Windows\system32\Bpedeiff.exe; depth 16; PID 1584)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Binhnomg.exe  (cmdline: C:\Windows\system32\Binhnomg.exe; depth 17; PID 2364)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bmladm32.exe  (cmdline: C:\Windows\system32\Bmladm32.exe; depth 18; PID 2708)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cdmoafdb.exe  (cmdline: C:\Windows\system32\Cdmoafdb.exe; depth 19; PID 4608)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cdolgfbp.exe  (cmdline: C:\Windows\system32\Cdolgfbp.exe; depth 20; PID 220)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dkbgjo32.exe  (cmdline: C:\Windows\system32\Dkbgjo32.exe; depth 21; PID 4976)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ekimjn32.exe  (cmdline: C:\Windows\system32\Ekimjn32.exe; depth 22; PID 4396)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Egegjn32.exe  (cmdline: C:\Windows\system32\Egegjn32.exe; depth 23; PID 4296)
- Executes dropped EXE

C:\Windows\SysWOW64\Fcneeo32.exe  (cmdline: C:\Windows\system32\Fcneeo32.exe; depth 24; PID 3956)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Fnhbmgmk.exe  (cmdline: C:\Windows\system32\Fnhbmgmk.exe; depth 25; PID 1824)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Gcghkm32.exe  (cmdline: C:\Windows\system32\Gcghkm32.exe; depth 26; PID 4240)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Gclafmej.exe  (cmdline: C:\Windows\system32\Gclafmej.exe; depth 27; PID 2080)
- Executes dropped EXE

C:\Windows\SysWOW64\Gndbie32.exe  (cmdline: C:\Windows\system32\Gndbie32.exe; depth 28; PID 2160)
- Executes dropped EXE

C:\Windows\SysWOW64\Gkhbbi32.exe  (cmdline: C:\Windows\system32\Gkhbbi32.exe; depth 29; PID 4340)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Hnkhjdle.exe  (cmdline: C:\Windows\system32\Hnkhjdle.exe; depth 30; PID 3892)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Hgeihiac.exe  (cmdline: C:\Windows\system32\Hgeihiac.exe; depth 31; PID 724)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Hkcbnh32.exe  (cmdline: C:\Windows\system32\Hkcbnh32.exe; depth 32; PID 324)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Ibpgqa32.exe  (cmdline: C:\Windows\system32\Ibpgqa32.exe; depth 33; PID 1532)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Iccpniqp.exe  (cmdline: C:\Windows\system32\Iccpniqp.exe; depth 34; PID 2724)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Ilmedf32.exe  (cmdline: C:\Windows\system32\Ilmedf32.exe; depth 35; PID 1248)
- Executes dropped EXE

C:\Windows\SysWOW64\Jaljbmkd.exe  (cmdline: C:\Windows\system32\Jaljbmkd.exe; depth 36; PID 468)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Jjdokb32.exe  (cmdline: C:\Windows\system32\Jjdokb32.exe; depth 37; PID 1196)
- Executes dropped EXE

C:\Windows\SysWOW64\Jbncbpqd.exe  (cmdline: C:\Windows\system32\Jbncbpqd.exe; depth 38; PID 2084)
- Executes dropped EXE

C:\Windows\SysWOW64\Jlidpe32.exe  (cmdline: C:\Windows\system32\Jlidpe32.exe; depth 39; PID 1856)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Jbbmmo32.exe  (cmdline: C:\Windows\system32\Jbbmmo32.exe; depth 40; PID 372)
- Executes dropped EXE

C:\Windows\SysWOW64\Kahinkaf.exe  (cmdline: C:\Windows\system32\Kahinkaf.exe; depth 41; PID 3900)
- Executes dropped EXE

C:\Windows\SysWOW64\Kefbdjgm.exe  (cmdline: C:\Windows\system32\Kefbdjgm.exe; depth 42; PID 4980)
- Executes dropped EXE

C:\Windows\SysWOW64\Klbgfc32.exe  (cmdline: C:\Windows\system32\Klbgfc32.exe; depth 43; PID 2236)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Kaopoj32.exe  (cmdline: C:\Windows\system32\Kaopoj32.exe; depth 44; PID 2804)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Kaaldjil.exe  (cmdline: C:\Windows\system32\Kaaldjil.exe; depth 45; PID 3944)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Klgqabib.exe  (cmdline: C:\Windows\system32\Klgqabib.exe; depth 46; PID 4996)

C:\Windows\SysWOW64\Ldbefe32.exe  (cmdline: C:\Windows\system32\Ldbefe32.exe; depth 47; PID 4652)
- Executes dropped EXE

C:\Windows\SysWOW64\Logicn32.exe  (cmdline: C:\Windows\system32\Logicn32.exe; depth 48; PID 5028)
- Executes dropped EXE

C:\Windows\SysWOW64\Llkjmb32.exe  (cmdline: C:\Windows\system32\Llkjmb32.exe; depth 49; PID 4328)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Lbebilli.exe  (cmdline: C:\Windows\system32\Lbebilli.exe; depth 50; PID 1668)
- Executes dropped EXE

C:\Windows\SysWOW64\Lkqgno32.exe  (cmdline: C:\Windows\system32\Lkqgno32.exe; depth 51; PID 1944)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Lefkkg32.exe  (cmdline: C:\Windows\system32\Lefkkg32.exe; depth 52; PID 3888)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Lcjldk32.exe  (cmdline: C:\Windows\system32\Lcjldk32.exe; depth 53; PID 3008)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Lhgdmb32.exe  (cmdline: C:\Windows\system32\Lhgdmb32.exe; depth 54; PID 1816)
- Executes dropped EXE

C:\Windows\SysWOW64\Mdnebc32.exe  (cmdline: C:\Windows\system32\Mdnebc32.exe; depth 55; PID 4780)
- Executes dropped EXE

C:\Windows\SysWOW64\Mcabej32.exe  (cmdline: C:\Windows\system32\Mcabej32.exe; depth 56; PID 2100)
- Executes dropped EXE

C:\Windows\SysWOW64\Mafofggd.exe  (cmdline: C:\Windows\system32\Mafofggd.exe; depth 57; PID 3948)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Nchhfild.exe  (cmdline: C:\Windows\system32\Nchhfild.exe; depth 58; PID 2472)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Ncmaai32.exe  (cmdline: C:\Windows\system32\Ncmaai32.exe; depth 59; PID 1336)
- Executes dropped EXE

C:\Windows\SysWOW64\Nlefjnno.exe  (cmdline: C:\Windows\system32\Nlefjnno.exe; depth 60; PID 2524)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Odedipge.exe  (cmdline: C:\Windows\system32\Odedipge.exe; depth 61; PID 4764)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Ohcmpn32.exe  (cmdline: C:\Windows\system32\Ohcmpn32.exe; depth 62; PID 4352)
- Executes dropped EXE

C:\Windows\SysWOW64\Ochamg32.exe  (cmdline: C:\Windows\system32\Ochamg32.exe; depth 63; PID 4344)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Oheienli.exe  (cmdline: C:\Windows\system32\Oheienli.exe; depth 64; PID 1360)
- Executes dropped EXE

C:\Windows\SysWOW64\Ocknbglo.exe  (cmdline: C:\Windows\system32\Ocknbglo.exe; depth 65; PID 4496)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Okfbgiij.exe  (cmdline: C:\Windows\system32\Okfbgiij.exe; depth 66; PID 2564)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Pcpgmf32.exe  (cmdline: C:\Windows\system32\Pcpgmf32.exe; depth 67; PID 5000)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Pilpfm32.exe  (cmdline: C:\Windows\system32\Pilpfm32.exe; depth 68; PID 1852)

C:\Windows\SysWOW64\Pcbdcf32.exe  (cmdline: C:\Windows\system32\Pcbdcf32.exe; depth 69; PID 4184)
- Drops file in System32 directory

C:\Windows\SysWOW64\Pbimjb32.exe  (cmdline: C:\Windows\system32\Pbimjb32.exe; depth 70; PID 1456)

C:\Windows\SysWOW64\Pkabbgol.exe  (cmdline: C:\Windows\system32\Pkabbgol.exe; depth 71; PID 2228)

C:\Windows\SysWOW64\Qfgfpp32.exe  (cmdline: C:\Windows\system32\Qfgfpp32.exe; depth 72; PID 3376)
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Qfjcep32.exe  (cmdline: C:\Windows\system32\Qfjcep32.exe; depth 73; PID 2196)

C:\Windows\SysWOW64\Qpbgnecp.exe  (cmdline: C:\Windows\system32\Qpbgnecp.exe; depth 74; PID 820)

C:\Windows\SysWOW64\Apgqie32.exe  (cmdline: C:\Windows\system32\Apgqie32.exe; depth 75; PID 1528)

C:\Windows\SysWOW64\Afqifo32.exe  (cmdline: C:\Windows\system32\Afqifo32.exe; depth 76; PID 212)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Amkabind.exe  (cmdline: C:\Windows\system32\Amkabind.exe; depth 77; PID 3284)

C:\Windows\SysWOW64\Acdioc32.exe  (cmdline: C:\Windows\system32\Acdioc32.exe; depth 78; PID 496)

C:\Windows\SysWOW64\Bfoegm32.exe  (cmdline: C:\Windows\system32\Bfoegm32.exe; depth 79; PID 3224)

C:\Windows\SysWOW64\Blknpdho.exe  (cmdline: C:\Windows\system32\Blknpdho.exe; depth 80; PID 1240)

C:\Windows\SysWOW64\Bfabmmhe.exe  (cmdline: C:\Windows\system32\Bfabmmhe.exe; depth 81; PID 3048)
- Drops file in System32 directory

C:\Windows\SysWOW64\Bipnihgi.exe  (cmdline: C:\Windows\system32\Bipnihgi.exe; depth 82; PID 4988)
- Drops file in System32 directory

C:\Windows\SysWOW64\Cfcoblfb.exe  (cmdline: C:\Windows\system32\Cfcoblfb.exe; depth 83; PID 1720)
- Modifies registry class

C:\Windows\SysWOW64\Cdjlap32.exe  (cmdline: C:\Windows\system32\Cdjlap32.exe; depth 84; PID 5124)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Cmbpjfij.exe  (cmdline: C:\Windows\system32\Cmbpjfij.exe; depth 85; PID 5176)
- Modifies registry class

C:\Windows\SysWOW64\Cpcila32.exe  (cmdline: C:\Windows\system32\Cpcila32.exe; depth 86; PID 5228)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Dmkcpdao.exe  (cmdline: C:\Windows\system32\Dmkcpdao.exe; depth 87; PID 5268)

C:\Windows\SysWOW64\Defheg32.exe  (cmdline: C:\Windows\system32\Defheg32.exe; depth 88; PID 5308)
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Dpllbp32.exe  (cmdline: C:\Windows\system32\Dpllbp32.exe; depth 89; PID 5356)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Deidjf32.exe  (cmdline: C:\Windows\system32\Deidjf32.exe; depth 90; PID 5400)

C:\Windows\SysWOW64\Dlcmgqdd.exe  (cmdline: C:\Windows\system32\Dlcmgqdd.exe; depth 91; PID 5448)
- Modifies registry class

C:\Windows\SysWOW64\Digmqe32.exe  (cmdline: C:\Windows\system32\Digmqe32.exe; depth 92; PID 5492)
- Modifies registry class

C:\Windows\SysWOW64\Edlann32.exe  (cmdline: C:\Windows\system32\Edlann32.exe; depth 93; PID 5536)
- Drops file in System32 directory

C:\Windows\SysWOW64\Eljchpnl.exe  (cmdline: C:\Windows\system32\Eljchpnl.exe; depth 94; PID 5580)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Ecdkdj32.exe  (cmdline: C:\Windows\system32\Ecdkdj32.exe; depth 95; PID 5616)

C:\Windows\SysWOW64\Ellpmolj.exe  (cmdline: C:\Windows\system32\Ellpmolj.exe; depth 96; PID 5660)

C:\Windows\SysWOW64\Enllgbcl.exe  (cmdline: C:\Windows\system32\Enllgbcl.exe; depth 97; PID 5728)
- Drops file in System32 directory

C:\Windows\SysWOW64\Fpmeimpn.exe  (cmdline: C:\Windows\system32\Fpmeimpn.exe; depth 98; PID 5872)

C:\Windows\SysWOW64\Fnglcqio.exe  (cmdline: C:\Windows\system32\Fnglcqio.exe; depth 99; PID 5912)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Fcddkggf.exe  (cmdline: C:\Windows\system32\Fcddkggf.exe; depth 100; PID 5960)
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Gphddlfp.exe  (cmdline: C:\Windows\system32\Gphddlfp.exe; depth 101; PID 6008)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Gggfme32.exe  (cmdline: C:\Windows\system32\Gggfme32.exe; depth 102; PID 6044)
- Drops file in System32 directory

C:\Windows\SysWOW64\Gnanioad.exe  (cmdline: C:\Windows\system32\Gnanioad.exe; depth 103; PID 6088)
- Modifies registry class

C:\Windows\SysWOW64\Gdkffi32.exe  (cmdline: C:\Windows\system32\Gdkffi32.exe; depth 104; PID 6140)
- Drops file in System32 directory

C:\Windows\SysWOW64\Gdmcki32.exe  (cmdline: C:\Windows\system32\Gdmcki32.exe; depth 105; PID 5152)

C:\Windows\SysWOW64\Hdppaidl.exe  (cmdline: C:\Windows\system32\Hdppaidl.exe; depth 106; PID 5256)

C:\Windows\SysWOW64\Hfcinq32.exe  (cmdline: C:\Windows\system32\Hfcinq32.exe; depth 107; PID 5316)
- Modifies registry class

C:\Windows\SysWOW64\Hcgjhega.exe  (cmdline: C:\Windows\system32\Hcgjhega.exe; depth 108; PID 5388)
- Modifies registry class

C:\Windows\SysWOW64\Hdffah32.exe  (cmdline: C:\Windows\system32\Hdffah32.exe; depth 109; PID 5460)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Hfhbipdb.exe  (cmdline: C:\Windows\system32\Hfhbipdb.exe; depth 110; PID 5532)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Hqmggi32.exe  (cmdline: C:\Windows\system32\Hqmggi32.exe; depth 111; PID 5576)
- Modifies registry class

C:\Windows\SysWOW64\Iggocbke.exe  (cmdline: C:\Windows\system32\Iggocbke.exe; depth 112; PID 5656)

C:\Windows\SysWOW64\Inagpm32.exe  (cmdline: C:\Windows\system32\Inagpm32.exe; depth 113; PID 648)

C:\Windows\SysWOW64\Ifmldo32.exe  (cmdline: C:\Windows\system32\Ifmldo32.exe; depth 114; PID 5880)

C:\Windows\SysWOW64\Imfdaigj.exe  (cmdline: C:\Windows\system32\Imfdaigj.exe; depth 115; PID 5936)

C:\Windows\SysWOW64\Iglhob32.exe  (cmdline: C:\Windows\system32\Iglhob32.exe; depth 116; PID 6024)

C:\Windows\SysWOW64\Ijonfmbn.exe  (cmdline: C:\Windows\system32\Ijonfmbn.exe; depth 117; PID 6100)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Jcjodbgl.exe  (cmdline: C:\Windows\system32\Jcjodbgl.exe; depth 118; PID 5140)

C:\Windows\SysWOW64\Jnapgjdo.exe  (cmdline: C:\Windows\system32\Jnapgjdo.exe; depth 119; PID 5260)

C:\Windows\SysWOW64\Jelhcd32.exe  (cmdline: C:\Windows\system32\Jelhcd32.exe; depth 120; PID 5368)
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Jjhalkjc.exe  (cmdline: C:\Windows\system32\Jjhalkjc.exe; depth 121; PID 5432)

C:\Windows\SysWOW64\Jeneidji.exe  (cmdline: C:\Windows\system32\Jeneidji.exe; depth 122; PID 5564)