Analysis
-
max time kernel
152s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231020-en locale:en-us os:windows10-2004-x64 system -
submitted
21/10/2023, 21:20
Behavioral task
behavioral1
Sample
NEAS.55bfc2cd03573e17387de2ca087f4c40.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
NEAS.55bfc2cd03573e17387de2ca087f4c40.exe
Resource
win10v2004-20231020-en
General
-
Target
NEAS.55bfc2cd03573e17387de2ca087f4c40.exe
-
Size
143KB
-
MD5
55bfc2cd03573e17387de2ca087f4c40
-
SHA1
ced10dd4b2b56719ec25075b9c80a00b9d7c8ea8
-
SHA256
16b29223b50e34d357adefe18e7764f7aae24cb9c42d5d7fd0934505d9dba890
-
SHA512
60287d0763ff5e9378f130741116df73746d22b041e8f25b2fdc30f99859ef0d25c9e66c44915881de5ee1fb0ab04d800e26a24634829bba8753976ec602ba54
-
SSDEEP
1536:nWpw6Ho4x6O9oGI3dc36RjUQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:WS6Hr6ONYj3N93bsGfhv0vt3y
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description ioc Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  38 writers: Eonmkkmj.exe, Ldhbnhlm.exe, Chpangnk.exe, Niklip32.exe, Ooaghe32.exe, Pgfljqia.exe, Dibdeegc.exe, Kkmapc32.exe, Ecmebm32.exe, Bdfilkbb.exe, Ffpjihee.exe, Pkoldl32.exe, Hfgjad32.exe, Bcghlnih.exe, Heochp32.exe, Flgfqb32.exe, Nfpghccm.exe, Lacihleo.exe, Mknjgajl.exe, Fdpnpe32.exe, Hkaedk32.exe, Bidlqhgc.exe, Mcnhfb32.exe, Odbgbb32.exe, Ekngqqol.exe, Cggikk32.exe, Kdlcbjfj.exe, Moglkikl.exe, Dafbhkhl.exe, Gdaonmdd.exe, Blchmdff.exe, Nlihek32.exe, Npgalidl.exe, Pohnhdog.exe, Pgoejapi.exe, Pbljoafi.exe, Bgdcom32.exe, Ncjdki32.exe
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  26 writers: Hkaedk32.exe, Bldgoeog.exe, Debfpd32.exe, Accnco32.exe, Bcfkiock.exe, Khihld32.exe, Nbljaf32.exe, Biadoeib.exe, Bidlqhgc.exe, Mpmodg32.exe, Nnhfokoc.exe, Dehkbkip.exe, Bqfokblg.exe, Bbcignbo.exe, Mgggaamn.exe, Pbfglg32.exe, Ehpjdepi.exe, Qfneamlf.exe, Bpgnmcdh.exe, Bjkacoji.exe, Ahonbhig.exe, Blchmdff.exe, Gmhogppb.exe, Pebfen32.exe, Pbimjb32.exe, Ogjmnomi.exe
-
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers.
resource yara_rule
All 64 hits match family_berbew: 21 memory dumps, each covering the same 0x0000000000400000-0x0000000000440000 range in a different process of the chain, and 43 captured files.
behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000440000-memory.dmp for <pid>-<n>: 2336-0, 5096-7, 4816-15, 1796-23, 4796-31, 1636-40, 2316-47, 452-55, 1508-64, 5048-72, 4868-79, 4668-88, 3996-96, 1244-103, 916-112, 5088-119, 4348-127, 3020-135, 3420-143, 1568-152, 3976-159
behavioral2/files/<id>.dat for <id>: 0x0007000000022ddf-5, 0x0007000000022ddf-8, 0x0006000000022df1-14, 0x0006000000022df1-16, 0x0006000000022df3-22, 0x0006000000022df3-24, 0x0007000000022deb-30, 0x0007000000022deb-32, 0x0006000000022df6-38, 0x0006000000022df6-39, 0x0006000000022df8-46, 0x0006000000022df8-48, 0x0007000000022de9-54, 0x0007000000022de9-56, 0x0006000000022dfa-57, 0x0006000000022dfa-62, 0x0006000000022dfa-63, 0x0006000000022dfc-70, 0x0006000000022dfc-71, 0x0006000000022dfe-78, 0x0006000000022dfe-80, 0x0006000000022e00-87, 0x0006000000022e00-86, 0x0006000000022e03-95, 0x0006000000022e03-94, 0x0007000000022e05-102, 0x0007000000022e05-104, 0x0006000000022e07-110, 0x0006000000022e07-111, 0x0006000000022e09-118, 0x0006000000022e09-120, 0x0006000000022e0b-126, 0x0006000000022e0b-128, 0x0006000000022e0d-134, 0x0006000000022e0d-136, 0x0006000000022e0f-137, 0x0006000000022e0f-142, 0x0006000000022e0f-144, 0x0006000000022e11-150, 0x0006000000022e11-151, 0x0006000000022e13-158, 0x0006000000022e13-160, 0x0006000000022e15-166
-
Executes dropped EXE (64 IoCs)
pid Process
5096 Bfolacnc.exe
4816 Khihld32.exe
1796 Lacijjgi.exe
4796 Ldfoad32.exe
1636 Llngbabj.exe
2316 Llpchaqg.exe
452 Mclhjkfa.exe
1508 Mcoepkdo.exe
5048 Mlgjhp32.exe
4868 Mepnaf32.exe
4668 Mddkbbfg.exe
3996 Mcfkpjng.exe
1244 Nhbciqln.exe
916 Nefdbekh.exe
5088 Ncjdki32.exe
4348 Nfknmd32.exe
3020 Nocbfjmc.exe
3420 Nfpghccm.exe
1568 Okmpqjad.exe
3976 Ofbdncaj.exe
216 Ofdqcc32.exe
4540 Odjmdocp.exe
4584 Ofijnbkb.exe
1824 Pkholi32.exe
4116 Pofhbgmn.exe
4124 Pcdqhecd.exe
1348 Pbimjb32.exe
648 Pbljoafi.exe
1852 Qckfid32.exe
3692 Qpbgnecp.exe
4560 Aijlgkjq.exe
4880 Acgfec32.exe
728 Apngjd32.exe
4800 Bldgoeog.exe
4696 Bfjllnnm.exe
3040 Blgddd32.exe
2116 Bbcignbo.exe
5020 Bfabmmhe.exe
884 Cbhbbn32.exe
5028 Cmmgof32.exe
4372 Cdgolq32.exe
3360 Cehlcikj.exe
4544 Cekhihig.exe
4140 Cpqlfa32.exe
2124 Ciiaogon.exe
4884 Ciknefmk.exe
3248 Dpefaq32.exe
4368 Debnjgcp.exe
3744 Dbfoclai.exe
1988 Dibdeegc.exe
3700 Epeohn32.exe
4452 Egpgehnb.exe
4016 Eippgckc.exe
1496 Ecidpiad.exe
4520 Fpmeimpn.exe
3628 Fjeibc32.exe
5060 Feljgd32.exe
3364 Fjjcmbci.exe
744 Fcbgfhii.exe
4060 Fnglcqio.exe
2248 Gojnfb32.exe
1748 Npcaie32.exe
1652 Giahndcf.exe
4764 Debfpd32.exe
-
Drops file in System32 directory (64 IoCs)
description ioc Process
File opened for modification  C:\Windows\SysWOW64\Pcdqhecd.exe  Pofhbgmn.exe
File created  C:\Windows\SysWOW64\Nqklfe32.exe  Nkncno32.exe
File opened for modification  C:\Windows\SysWOW64\Ehpjdepi.exe  Dafbhkhl.exe
File created  C:\Windows\SysWOW64\Ogence32.dll  Fomhnmgp.exe
File created  C:\Windows\SysWOW64\Hlmibiga.dll  Fbkdjh32.exe
File created  C:\Windows\SysWOW64\Oekpdoll.exe  Ooaghe32.exe
File opened for modification  C:\Windows\SysWOW64\Dememj32.exe  Dkgqpaed.exe
File created  C:\Windows\SysWOW64\Meadgc32.exe  Moglkikl.exe
File opened for modification  C:\Windows\SysWOW64\Ooaghe32.exe  Oeicopoo.exe
File opened for modification  C:\Windows\SysWOW64\Fcbgfhii.exe  Fjjcmbci.exe
File created  C:\Windows\SysWOW64\Pjidgaoa.dll  Bpaacblm.exe
File created  C:\Windows\SysWOW64\Mjnnmn32.exe  Lacihleo.exe
File opened for modification  C:\Windows\SysWOW64\Dlpgiebo.exe  Cefolk32.exe
File opened for modification  C:\Windows\SysWOW64\Edihof32.exe  Eefhcimp.exe
File created  C:\Windows\SysWOW64\Jcaohogk.dll  Fhngfcdi.exe
File created  C:\Windows\SysWOW64\Dilnnbjn.dll  Ajfhhp32.exe
File created  C:\Windows\SysWOW64\Ibnoch32.dll  Bfabmmhe.exe
File opened for modification  C:\Windows\SysWOW64\Mknjgajl.exe  Mcgbfcij.exe
File opened for modification  C:\Windows\SysWOW64\Ogljcokf.exe  Oboakhmo.exe
File opened for modification  C:\Windows\SysWOW64\Ffpjihee.exe  Flgfqb32.exe
File created  C:\Windows\SysWOW64\Ejjgok32.dll  Fhemfbnq.exe
File opened for modification  C:\Windows\SysWOW64\Fpmeimpn.exe  Ecidpiad.exe
File created  C:\Windows\SysWOW64\Opmmoa32.dll  Nnhfokoc.exe
File opened for modification  C:\Windows\SysWOW64\Bjbnndgl.exe  Bbgiibja.exe
File created  C:\Windows\SysWOW64\Eippgckc.exe  Egpgehnb.exe
File created  C:\Windows\SysWOW64\Aenpeoom.exe  Ajikhfpg.exe
File created  C:\Windows\SysWOW64\Loeoei32.exe  Badipiae.exe
File opened for modification  C:\Windows\SysWOW64\Pbimjb32.exe  Pcdqhecd.exe
File opened for modification  C:\Windows\SysWOW64\Bgfpdmho.exe  Boohcpgm.exe
File opened for modification  C:\Windows\SysWOW64\Kcdmifip.exe  Kdophj32.exe
File created  C:\Windows\SysWOW64\Paeeon32.dll  Aenpeoom.exe
File opened for modification  C:\Windows\SysWOW64\Dqajjp32.exe  Dncnnd32.exe
File opened for modification  C:\Windows\SysWOW64\Gmhogppb.exe  Gdqgfbop.exe
File created  C:\Windows\SysWOW64\Pcdqhecd.exe  Pofhbgmn.exe
File created  C:\Windows\SysWOW64\Ifefggbd.dll  Behbkmgb.exe
File opened for modification  C:\Windows\SysWOW64\Gcagdj32.exe  Gmhogppb.exe
File created  C:\Windows\SysWOW64\Hfgjad32.exe  Hkaedk32.exe
File opened for modification  C:\Windows\SysWOW64\Hoonjjgk.exe  Hfgjad32.exe
File opened for modification  C:\Windows\SysWOW64\Niipdpae.exe  Nppkkj32.exe
File opened for modification  C:\Windows\SysWOW64\Fdgdpdgj.exe  Fcfhhk32.exe
File created  C:\Windows\SysWOW64\Aokken32.dll  Acnlqe32.exe
File created  C:\Windows\SysWOW64\Pmhqef32.dll  Mfaqafjl.exe
File opened for modification  C:\Windows\SysWOW64\Qckfid32.exe  Pbljoafi.exe
File opened for modification  C:\Windows\SysWOW64\Giahndcf.exe  Npcaie32.exe
File created  C:\Windows\SysWOW64\Fpikla32.dll  Hcfqoici.exe
File opened for modification  C:\Windows\SysWOW64\Blgddd32.exe  Bfjllnnm.exe
File opened for modification  C:\Windows\SysWOW64\Debfpd32.exe  Giahndcf.exe
File created  C:\Windows\SysWOW64\Bomknp32.exe  Bpjkbcbe.exe
File opened for modification  C:\Windows\SysWOW64\Pbfglg32.exe  Odbgbb32.exe
File opened for modification  C:\Windows\SysWOW64\Eleikb32.exe  Eaoenjqa.exe
File created  C:\Windows\SysWOW64\Kikdpb32.dll  Pfgopnbo.exe
File created  C:\Windows\SysWOW64\Qpbgnecp.exe  Qckfid32.exe
File opened for modification  C:\Windows\SysWOW64\Kfhbifgq.exe  Jaimko32.exe
File created  C:\Windows\SysWOW64\Dpammgnc.dll  Dkjmea32.exe
File created  C:\Windows\SysWOW64\Qqamieno.exe  Pcmloa32.exe
File opened for modification  C:\Windows\SysWOW64\Bldgoeog.exe  Apngjd32.exe
File created  C:\Windows\SysWOW64\Debnjgcp.exe  Dpefaq32.exe
File created  C:\Windows\SysWOW64\Gbpnegbo.exe  Gkffhmka.exe
File created  C:\Windows\SysWOW64\Kmjigl32.dll  Fjjcmbci.exe
File created  C:\Windows\SysWOW64\Kieeoj32.dll  Kkmapc32.exe
File created  C:\Windows\SysWOW64\Aijlgkjq.exe  Qpbgnecp.exe
File created  C:\Windows\SysWOW64\Hnejfn32.dll  Aljefena.exe
File opened for modification  C:\Windows\SysWOW64\Ngnnbq32.exe  Ndpafe32.exe
File opened for modification  C:\Windows\SysWOW64\Nqklfe32.exe  Nkncno32.exe
-
Modifies registry class (64 IoCs)
description ioc Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
  23 writers: Apngjd32.exe, Ciknefmk.exe, Dlpgiebo.exe, Dememj32.exe, Noaoagca.exe, Aenpeoom.exe, Ekqcfpmj.exe, Okmpqjad.exe, Pfdbknda.exe, Pbljoafi.exe, Ncpelbap.exe, Pcagjndj.exe, Bjgifhep.exe, Lacijjgi.exe, Mjnnmn32.exe, Maohdj32.exe, Ahmlaj32.exe, Fdgdpdgj.exe, Eippgckc.exe, Hcpcehko.exe, Nhpijldj.exe, Ahonbhig.exe, Npgalidl.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  22 writers: Ocldhqgb.exe, Bbgiibja.exe, Gbmaog32.exe, Amgekh32.exe, Pegqmbch.exe, Gbpnegbo.exe, Pjdifibo.exe, Hcfqoici.exe, Bfnnhj32.exe, Fnglcqio.exe, Bjbnndgl.exe, Daolgl32.exe, Ehpjdepi.exe, Llngbabj.exe, Bidlqhgc.exe, Iecmcpoj.exe, Capbaacl.exe, Enigjh32.exe, Mjhqcmjo.exe, Fbkdjh32.exe, Bibpkiie.exe, Hcpcehko.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default) = "C:\\Windows\\SysWow64\\<dll>"
  19 writes, each stage pointing the same CLSID at its own DLL (dll  Process):
  Aggempll.dll  Bidlqhgc.exe
  Ljkgpamj.dll  Pabknbef.exe
  Okkjkh32.dll  Feljgd32.exe
  Hndakp32.dll  Cefolk32.exe
  Okjnpija.dll  Ekqcfpmj.exe
  Ffpdbfpg.dll  Gbpnegbo.exe
  Kaghho32.dll  Oepipo32.exe
  Kdogqi32.dll  Acgfec32.exe
  Fmnfcojj.dll  Fpmeimpn.exe
  Nonjbeab.dll  Pjdifibo.exe
  Jgjejj32.dll  Dogfkpih.exe
  Lcjagh32.dll  Dlcaca32.exe
  Nflbdckm.dll  Andqnn32.exe
  Dhlhei32.dll  Bcfkiock.exe
  Aoebkabl.dll  Daolgl32.exe
  Kigmbohp.dll  Bqfokblg.exe
  Igkncp32.dll  Kcdmifip.exe
  Gjkmdemc.dll  Gkffhmka.exe
  Oceoqioq.dll  Opqdbhlb.exe
-
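The two registry signatures above ("Adds autorun key" and "Modifies registry class") are one persistence mechanism seen from two sides. At logon explorer.exe enumerates the values under HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, treats each one as a CLSID and instantiates it in-process, so the CLSID's InProcServer32 default value decides which DLL ends up running inside Explorer. Here every stage writes the same value name ("Web Event Logger") and the same CLSID, then points that CLSID at its own randomly named DLL under SysWow64. One caveat for hunting: all of these writes landed in the WOW6432Node view, which is where a 32-bit process's writes to these keys are redirected on x64 Windows, while the 64-bit explorer.exe consults the native view; check both views, and treat a WOW6432Node-only entry as attempted rather than confirmed persistence. The script below is an added example and not part of the sandbox report: it joins the SSODL value writes to the InProcServer32 registrations by CLSID over registry event lines in the report's own format, records which view each write hit, and flags value names outside an allowlist. The sample events are copied from the tables above; the allowlist (a stock Windows 10 install carrying only "WebCheck" under this key) is an assumption of the example.

```python
"""Join SSODL autorun writes and CLSID registrations into one chain:
value name -> CLSID -> InProcServer32 DLL.

Added example over the sandbox report's event format; not part of the report.
"""
import re
from collections import defaultdict

# Constructed sample: event lines copied from the two signature tables
# (each table has 64 rows; the parser takes the full text just as well).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eonmkkmj.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkaedk32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldhbnhlm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apngjd32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aggempll.dll" Bidlqhgc.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocldhqgb.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkgpamj.dll" Pabknbef.exe',
]

# Both keys live under HKLM\SOFTWARE and are redirected for 32-bit writers,
# so the optional WOW6432Node path component tells us which view was hit.
SSODL_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?P<wow>WOW6432Node\\)?'
    r'Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\'
    r'(?P<name>.+?) = "(?P<clsid>\{[0-9A-F-]{36}\})" (?P<proc>\S+)$',
    re.IGNORECASE,
)
INPROC_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?P<wow>WOW6432Node\\)?'
    r'CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})\\InProcServer32\\ = "(?P<path>[^"]+)" (?P<proc>\S+)$',
    re.IGNORECASE,
)

# Assumption of this example: a stock Windows 10 install carries only the
# "WebCheck" value under ShellServiceObjectDelayLoad.
KNOWN_SSODL_NAMES = {"WebCheck"}


def link_ssodl_to_dlls(events):
    """Return {clsid: entry}; entry holds the SSODL value names that point at
    the CLSID, the DLLs registered as its InProcServer32, the processes that
    wrote either, and the registry views (native / WOW6432Node) touched."""
    chain = defaultdict(lambda: {"names": set(), "dlls": set(),
                                 "writers": set(), "views": set()})
    for line in events:
        m = SSODL_RE.search(line) or INPROC_RE.search(line)
        if not m:
            continue  # "Key created" rows and ThreadingModel writes carry no link
        entry = chain[m["clsid"].upper()]
        entry["writers"].add(m["proc"])
        entry["views"].add("WOW6432Node" if m["wow"] else "native")
        if "name" in m.groupdict():
            entry["names"].add(m["name"])
        else:
            # The report escapes backslashes inside string values; undo that.
            entry["dlls"].add(m["path"].replace("\\\\", "\\"))
    return dict(chain)


def suspicious_autoruns(chain):
    """One finding per SSODL value name not on the allowlist, with every DLL
    ever registered for its CLSID (each dropped stage re-registers the same
    CLSID with a fresh DLL) and whether any write hit the native view that
    the 64-bit explorer.exe reads."""
    findings = []
    for clsid, entry in sorted(chain.items()):
        for name in sorted(entry["names"] - KNOWN_SSODL_NAMES):
            findings.append({
                "name": name,
                "clsid": clsid,
                "dlls": sorted(entry["dlls"]),
                "native_view": "native" in entry["views"],
                "writers": sorted(entry["writers"]),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_autoruns(link_ssodl_to_dlls(SAMPLE_EVENTS)):
        print(f"{f['name']} -> {f['clsid']} (native view written: {f['native_view']})")
        for dll in f["dlls"]:
            print("   InProcServer32:", dll)
```

Run over the full signature text the join yields one CLSID, one value name, 19 distinct DLLs and writes in the WOW6432Node view only. On a live host the same join can be made from `reg query` output for both views; any SSODL value whose CLSID resolves to a DLL that is unsigned or sits outside the expected system DLL set deserves a closer look.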
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target
Every event below is logged three times in the report except the last (the signature stops at 64 IoCs); repeats are collapsed with a count.
PID 2336 wrote to memory of 5096  2336  NEAS.55bfc2cd03573e17387de2ca087f4c40.exe  89  (x3)
PID 5096 wrote to memory of 4816  5096  Bfolacnc.exe  90  (x3)
PID 4816 wrote to memory of 1796  4816  Khihld32.exe  91  (x3)
PID 1796 wrote to memory of 4796  1796  Lacijjgi.exe  92  (x3)
PID 4796 wrote to memory of 1636  4796  Ldfoad32.exe  93  (x3)
PID 1636 wrote to memory of 2316  1636  Llngbabj.exe  94  (x3)
PID 2316 wrote to memory of 452  2316  Llpchaqg.exe  95  (x3)
PID 452 wrote to memory of 1508  452  Mclhjkfa.exe  96  (x3)
PID 1508 wrote to memory of 5048  1508  Mcoepkdo.exe  97  (x3)
PID 5048 wrote to memory of 4868  5048  Mlgjhp32.exe  98  (x3)
PID 4868 wrote to memory of 4668  4868  Mepnaf32.exe  99  (x3)
PID 4668 wrote to memory of 3996  4668  Mddkbbfg.exe  100  (x3)
PID 3996 wrote to memory of 1244  3996  Mcfkpjng.exe  101  (x3)
PID 1244 wrote to memory of 916  1244  Nhbciqln.exe  102  (x3)
PID 916 wrote to memory of 5088  916  Nefdbekh.exe  103  (x3)
PID 5088 wrote to memory of 4348  5088  Ncjdki32.exe  104  (x3)
PID 4348 wrote to memory of 3020  4348  Nfknmd32.exe  105  (x3)
PID 3020 wrote to memory of 3420  3020  Nocbfjmc.exe  106  (x3)
PID 3420 wrote to memory of 1568  3420  Nfpghccm.exe  107  (x3)
PID 1568 wrote to memory of 3976  1568  Okmpqjad.exe  108  (x3)
PID 3976 wrote to memory of 216  3976  Ofbdncaj.exe  109  (x3)
PID 216 wrote to memory of 4540  216  Ofdqcc32.exe  110  (x1)
Processes

Process tree from the report; the number is the nesting depth the report gives each process, and the tags under each entry are the signatures it triggered.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.55bfc2cd03573e17387de2ca087f4c40.exe, command line "C:\Users\Admin\AppData\Local\Temp\NEAS.55bfc2cd03573e17387de2ca087f4c40.exe" (PID 2336)
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Bfolacnc.exe, command line C:\Windows\system32\Bfolacnc.exe (PID 5096)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Khihld32.exe, command line C:\Windows\system32\Khihld32.exe (PID 4816)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lacijjgi.exe, command line C:\Windows\system32\Lacijjgi.exe (PID 1796)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ldfoad32.exe, command line C:\Windows\system32\Ldfoad32.exe (PID 4796)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Llngbabj.exe, command line C:\Windows\system32\Llngbabj.exe (PID 1636)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Llpchaqg.exe, command line C:\Windows\system32\Llpchaqg.exe (PID 2316)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mclhjkfa.exe, command line C:\Windows\system32\Mclhjkfa.exe (PID 452)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Mcoepkdo.exe, command line C:\Windows\system32\Mcoepkdo.exe (PID 1508)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mlgjhp32.exe, command line C:\Windows\system32\Mlgjhp32.exe (PID 5048)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mepnaf32.exe, command line C:\Windows\system32\Mepnaf32.exe (PID 4868)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Mddkbbfg.exe, command line C:\Windows\system32\Mddkbbfg.exe (PID 4668)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mcfkpjng.exe, command line C:\Windows\system32\Mcfkpjng.exe (PID 3996)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Nhbciqln.exe, command line C:\Windows\system32\Nhbciqln.exe (PID 1244)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Nefdbekh.exe, command line C:\Windows\system32\Nefdbekh.exe (PID 916)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ncjdki32.exe, command line C:\Windows\system32\Ncjdki32.exe (PID 5088)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Nfknmd32.exe, command line C:\Windows\system32\Nfknmd32.exe (PID 4348)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Nocbfjmc.exe, command line C:\Windows\system32\Nocbfjmc.exe (PID 3020)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Nfpghccm.exe, command line C:\Windows\system32\Nfpghccm.exe (PID 3420)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Okmpqjad.exe, command line C:\Windows\system32\Okmpqjad.exe (PID 1568)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ofbdncaj.exe, command line C:\Windows\system32\Ofbdncaj.exe (PID 3976)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Ofdqcc32.exe, command line C:\Windows\system32\Ofdqcc32.exe (PID 216)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Odjmdocp.exe, command line C:\Windows\system32\Odjmdocp.exe (PID 4540)
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Ofijnbkb.exe, command line C:\Windows\system32\Ofijnbkb.exe (PID 4584)
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Pkholi32.exe, command line C:\Windows\system32\Pkholi32.exe (PID 1824)
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Pofhbgmn.exe, command line C:\Windows\system32\Pofhbgmn.exe (PID 4116)
   - Executes dropped EXE
   - Drops file in System32 directory
27. C:\Windows\SysWOW64\Pcdqhecd.exe, command line C:\Windows\system32\Pcdqhecd.exe (PID 4124)
   - Executes dropped EXE
   - Drops file in System32 directory
28. C:\Windows\SysWOW64\Pbimjb32.exe, command line C:\Windows\system32\Pbimjb32.exe (PID 1348)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Pbljoafi.exe, command line C:\Windows\system32\Pbljoafi.exe (PID 648)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
30. C:\Windows\SysWOW64\Qckfid32.exe, command line C:\Windows\system32\Qckfid32.exe (PID 1852)
   - Executes dropped EXE
   - Drops file in System32 directory
31. C:\Windows\SysWOW64\Qpbgnecp.exe, command line C:\Windows\system32\Qpbgnecp.exe (PID 3692)
   - Executes dropped EXE
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\Aijlgkjq.exe, command line C:\Windows\system32\Aijlgkjq.exe (PID 4560)
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Acgfec32.exe, command line C:\Windows\system32\Acgfec32.exe (PID 4880)
   - Executes dropped EXE
   - Modifies registry class
34. C:\Windows\SysWOW64\Apngjd32.exe, command line C:\Windows\system32\Apngjd32.exe (PID 728)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
35. C:\Windows\SysWOW64\Bldgoeog.exe, command line C:\Windows\system32\Bldgoeog.exe (PID 4800)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Bfjllnnm.exe, command line C:\Windows\system32\Bfjllnnm.exe (PID 4696)
   - Executes dropped EXE
   - Drops file in System32 directory
37. C:\Windows\SysWOW64\Blgddd32.exe, command line C:\Windows\system32\Blgddd32.exe (PID 3040)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Bbcignbo.exe, command line C:\Windows\system32\Bbcignbo.exe (PID 2116)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Bfabmmhe.exe, command line C:\Windows\system32\Bfabmmhe.exe (PID 5020)
   - Executes dropped EXE
   - Drops file in System32 directory
40. C:\Windows\SysWOW64\Cbhbbn32.exe, command line C:\Windows\system32\Cbhbbn32.exe (PID 884)
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Cmmgof32.exe, command line C:\Windows\system32\Cmmgof32.exe (PID 5028)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Cdgolq32.exe, command line C:\Windows\system32\Cdgolq32.exe (PID 4372)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Cehlcikj.exe, command line C:\Windows\system32\Cehlcikj.exe (PID 3360)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Cekhihig.exe, command line C:\Windows\system32\Cekhihig.exe (PID 4544)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Cpqlfa32.exe, command line C:\Windows\system32\Cpqlfa32.exe (PID 4140)
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Ciiaogon.exe, command line C:\Windows\system32\Ciiaogon.exe (PID 2124)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Ciknefmk.exe, command line C:\Windows\system32\Ciknefmk.exe (PID 4884)
   - Executes dropped EXE
   - Modifies registry class
48. C:\Windows\SysWOW64\Dpefaq32.exe, command line C:\Windows\system32\Dpefaq32.exe (PID 3248)
   - Executes dropped EXE
   - Drops file in System32 directory
49. C:\Windows\SysWOW64\Debnjgcp.exe, command line C:\Windows\system32\Debnjgcp.exe (PID 4368)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Dbfoclai.exe, command line C:\Windows\system32\Dbfoclai.exe (PID 3744)
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Dibdeegc.exe, command line C:\Windows\system32\Dibdeegc.exe (PID 1988)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Epeohn32.exe, command line C:\Windows\system32\Epeohn32.exe (PID 3700)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Egpgehnb.exe, command line C:\Windows\system32\Egpgehnb.exe (PID 4452)
   - Executes dropped EXE
   - Drops file in System32 directory
54. C:\Windows\SysWOW64\Eippgckc.exe, command line C:\Windows\system32\Eippgckc.exe (PID 4016)
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Ecidpiad.exe, command line C:\Windows\system32\Ecidpiad.exe (PID 1496)
   - Executes dropped EXE
   - Drops file in System32 directory
56. C:\Windows\SysWOW64\Fpmeimpn.exe, command line C:\Windows\system32\Fpmeimpn.exe (PID 4520)
   - Executes dropped EXE
   - Modifies registry class
57. C:\Windows\SysWOW64\Fjeibc32.exe, command line C:\Windows\system32\Fjeibc32.exe (PID 3628)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Feljgd32.exe, command line C:\Windows\system32\Feljgd32.exe (PID 5060)
   - Executes dropped EXE
   - Modifies registry class
59. C:\Windows\SysWOW64\Fjjcmbci.exe, command line C:\Windows\system32\Fjjcmbci.exe (PID 3364)
   - Executes dropped EXE
   - Drops file in System32 directory
60. C:\Windows\SysWOW64\Fcbgfhii.exe, command line C:\Windows\system32\Fcbgfhii.exe (PID 744)
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Fnglcqio.exe, command line C:\Windows\system32\Fnglcqio.exe (PID 4060)
   - Executes dropped EXE
   - Modifies registry class
62. C:\Windows\SysWOW64\Gojnfb32.exe, command line C:\Windows\system32\Gojnfb32.exe (PID 2248)
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Npcaie32.exe, command line C:\Windows\system32\Npcaie32.exe (PID 1748)
   - Executes dropped EXE
   - Drops file in System32 directory
64. C:\Windows\SysWOW64\Giahndcf.exe, command line C:\Windows\system32\Giahndcf.exe (PID 1652)
   - Executes dropped EXE
   - Drops file in System32 directory
65. C:\Windows\SysWOW64\Debfpd32.exe, command line C:\Windows\system32\Debfpd32.exe (PID 4764)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Enigjh32.exe, command line C:\Windows\system32\Enigjh32.exe (PID 3536)
   - Modifies registry class
67. C:\Windows\SysWOW64\Gdaonmdd.exe, command line C:\Windows\system32\Gdaonmdd.exe (PID 1620)
   - Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Abodhpic.exe, command line C:\Windows\system32\Abodhpic.exe (PID 3808)
69. C:\Windows\SysWOW64\Aiimejap.exe, command line C:\Windows\system32\Aiimejap.exe (PID 4836)
70. C:\Windows\SysWOW64\Apcead32.exe, command line C:\Windows\system32\Apcead32.exe (PID 804)
71. C:\Windows\SysWOW64\Acaanp32.exe, command line C:\Windows\system32\Acaanp32.exe (PID 1580)
72. C:\Windows\SysWOW64\Aepmjk32.exe, command line C:\Windows\system32\Aepmjk32.exe (PID 828)
73. C:\Windows\SysWOW64\Amgekh32.exe, command line C:\Windows\system32\Amgekh32.exe (PID 2544)
   - Modifies registry class
74. C:\Windows\SysWOW64\Aljefena.exe, command line C:\Windows\system32\Aljefena.exe (PID 4912)
   - Drops file in System32 directory
75. C:\Windows\SysWOW64\Accnco32.exe, command line C:\Windows\system32\Accnco32.exe (PID 1084)
   - Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Amibqhed.exe, command line C:\Windows\system32\Amibqhed.exe (PID 5024)
77. C:\Windows\SysWOW64\Bpgnmcdh.exe, command line C:\Windows\system32\Bpgnmcdh.exe (PID 2816)
   - Adds autorun key to be loaded by Explorer.exe on startup
78. C:\Windows\SysWOW64\Bcfkiock.exe, command line C:\Windows\system32\Bcfkiock.exe (PID 2148)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
79. C:\Windows\SysWOW64\Bipcei32.exe, command line C:\Windows\system32\Bipcei32.exe (PID 920)
80. C:\Windows\SysWOW64\Bpjkbcbe.exe, command line C:\Windows\system32\Bpjkbcbe.exe (PID 3104)
   - Drops file in System32 directory
81. C:\Windows\SysWOW64\Bomknp32.exe, command line C:\Windows\system32\Bomknp32.exe (PID 3024)
82. C:\Windows\SysWOW64\Bgdcom32.exe, command line C:\Windows\system32\Bgdcom32.exe (PID 428)
   - Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Bibpkiie.exe, command line C:\Windows\system32\Bibpkiie.exe (PID 1152)
   - Modifies registry class
84. C:\Windows\SysWOW64\Blqlgdhi.exe, command line C:\Windows\system32\Blqlgdhi.exe (PID 4920)
85. C:\Windows\SysWOW64\Boohcpgm.exe, command line C:\Windows\system32\Boohcpgm.exe (PID 2452)
   - Drops file in System32 directory
86. C:\Windows\SysWOW64\Bgfpdmho.exe, command line C:\Windows\system32\Bgfpdmho.exe (PID 5012)
87. C:\Windows\SysWOW64\Bidlqhgc.exe, command line C:\Windows\system32\Bidlqhgc.exe (PID 4408)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
88. C:\Windows\SysWOW64\Blchmdff.exe, command line C:\Windows\system32\Blchmdff.exe (PID 3952)
   - Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Bcmqin32.exe, command line C:\Windows\system32\Bcmqin32.exe (PID 4820)
90. C:\Windows\SysWOW64\Bjgifhep.exe, command line C:\Windows\system32\Bjgifhep.exe (PID 1276)
   - Modifies registry class
91. C:\Windows\SysWOW64\Bpaacblm.exe, command line C:\Windows\system32\Bpaacblm.exe (PID 1376)
   - Drops file in System32 directory
92. C:\Windows\SysWOW64\Bcomonkq.exe, command line C:\Windows\system32\Bcomonkq.exe (PID 452)
93. C:\Windows\SysWOW64\Cggikk32.exe, command line C:\Windows\system32\Cggikk32.exe (PID 5048)
   - Adds autorun key to be loaded by Explorer.exe on startup
94. C:\Windows\SysWOW64\Dlcaca32.exe, command line C:\Windows\system32\Dlcaca32.exe (PID 1244)
   - Modifies registry class
95. C:\Windows\SysWOW64\Dcmjpl32.exe, command line C:\Windows\system32\Dcmjpl32.exe (PID 440)
96. C:\Windows\SysWOW64\Dflflg32.exe, command line C:\Windows\system32\Dflflg32.exe (PID 948)
97. C:\Windows\SysWOW64\Dncnnd32.exe, command line C:\Windows\system32\Dncnnd32.exe (PID 4048)
   - Drops file in System32 directory
98. C:\Windows\SysWOW64\Dqajjp32.exe, command line C:\Windows\system32\Dqajjp32.exe (PID 5028)
99. C:\Windows\SysWOW64\Dgkbfjeg.exe, command line C:\Windows\system32\Dgkbfjeg.exe (PID 3688)
100. C:\Windows\SysWOW64\Eonmkkmj.exe, command line C:\Windows\system32\Eonmkkmj.exe (PID 4840)
   - Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Hbanfk32.exe, command line C:\Windows\system32\Hbanfk32.exe (PID 2804)
102. C:\Windows\SysWOW64\Icgqqmib.exe, command line C:\Windows\system32\Icgqqmib.exe (PID 4808)
103. C:\Windows\SysWOW64\Ipckqnja.exe, command line C:\Windows\system32\Ipckqnja.exe (PID 2492)
104. C:\Windows\SysWOW64\Jjhonfjg.exe, command line C:\Windows\system32\Jjhonfjg.exe (PID 3052)
105. C:\Windows\SysWOW64\Jbccbi32.exe, command line C:\Windows\system32\Jbccbi32.exe (PID 1128)
106. C:\Windows\SysWOW64\Jmihpa32.exe, command line C:\Windows\system32\Jmihpa32.exe (PID 3684)
107. C:\Windows\SysWOW64\Jbhmnhcm.exe, command line C:\Windows\system32\Jbhmnhcm.exe (PID 4472)
108. C:\Windows\SysWOW64\Jaimko32.exe, command line C:\Windows\system32\Jaimko32.exe (PID 1488)
   - Drops file in System32 directory
109. C:\Windows\SysWOW64\Kfhbifgq.exe, command line C:\Windows\system32\Kfhbifgq.exe (PID 3416)
110. C:\Windows\SysWOW64\Kdlcbjfj.exe, command line C:\Windows\system32\Kdlcbjfj.exe (PID 3012)
   - Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Kiikkada.exe, command line C:\Windows\system32\Kiikkada.exe (PID 4552)
112. C:\Windows\SysWOW64\Kdophj32.exe, command line C:\Windows\system32\Kdophj32.exe (PID 3572)
   - Drops file in System32 directory
113. C:\Windows\SysWOW64\Kcdmifip.exe, command line C:\Windows\system32\Kcdmifip.exe (PID 3884)
   - Modifies registry class
114. C:\Windows\SysWOW64\Kphmbjhi.exe, command line C:\Windows\system32\Kphmbjhi.exe (PID 2088)
115. C:\Windows\SysWOW64\Kkmapc32.exe, command line C:\Windows\system32\Kkmapc32.exe (PID 1716)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
116. C:\Windows\SysWOW64\Kagimmol.exe, command line C:\Windows\system32\Kagimmol.exe (PID 4116)
117. C:\Windows\SysWOW64\Lcifde32.exe, command line C:\Windows\system32\Lcifde32.exe (PID 4068)
118. C:\Windows\SysWOW64\Libnapmg.exe, command line C:\Windows\system32\Libnapmg.exe (PID 3036)
119. C:\Windows\SysWOW64\Ldhbnhlm.exe, command line C:\Windows\system32\Ldhbnhlm.exe (PID 4348)
   - Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Lgfojd32.exe, command line C:\Windows\system32\Lgfojd32.exe (PID 4712)
121. C:\Windows\SysWOW64\Lmqggncn.exe, command line C:\Windows\system32\Lmqggncn.exe (PID 2124)
122. C:\Windows\SysWOW64\Ligglo32.exe, command line C:\Windows\system32\Ligglo32.exe (PID 4276)