Analysis
-
max time kernel
196s -
max time network
202s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 17:53
Behavioral task
behavioral1
Sample
NEAS.fe49d9df97f95da7d4327d504a84a718.exe
Resource
win7-20231025-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.fe49d9df97f95da7d4327d504a84a718.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.fe49d9df97f95da7d4327d504a84a718.exe
-
Size
240KB
-
MD5
fe49d9df97f95da7d4327d504a84a718
-
SHA1
065d119abccc0af099082610ff7fdf2521358745
-
SHA256
3f7476c014c462d393a0cfba015f70316e206ad1746adeea28b7a9bd0601ca3c
-
SHA512
2c8842770c4278c4879df521399e8c9654664f91f7d15a6b47feefd8571edbe031fd6913f0c2ac20208ebabe767dabfbf3476df314f102d28591d2de9c51f037
-
SSDEEP
6144:RO6Jl8FWZo/EcAJN+SYSUZCb6M3W8DStQUkA1FiHwSD:Rrm/tycSly8DSUA1YHVD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkeifga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgbppknb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajkohmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lqdcio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okcccdkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfqmjajc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcmjqej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjfegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aljefena.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gndpkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcnka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbiklmhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peajngoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejlban32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhpgca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkcmjlio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Piceflpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgbgpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dedkogqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dibdeegc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljefena.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpdhfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cioifm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fclmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iaedanal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfgfpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcila32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edakimoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agkqiobl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcjedcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldkfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qofjjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgamhjja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbopcip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfhmcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfqogfjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbhiial.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmlkpgia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbinkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aomipkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbphncfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccggl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alkeifga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdoofl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmmmbll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadokg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Angleokb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkjgomgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeaph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfhofnpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmagch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecanojgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Angleokb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qibfdkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nildajdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okcccdkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjnpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidhehcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oejijiip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemephgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcccol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhlkbaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfbahcfc.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2964-0-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0008000000022e31-6.dat family_berbew behavioral2/memory/1752-8-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0008000000022e31-7.dat family_berbew behavioral2/files/0x0006000000022e4f-14.dat family_berbew behavioral2/memory/3680-15-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e4f-16.dat family_berbew behavioral2/files/0x0006000000022e55-22.dat family_berbew behavioral2/files/0x0006000000022e55-23.dat family_berbew behavioral2/memory/2976-27-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e57-30.dat family_berbew behavioral2/memory/1236-31-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e57-32.dat family_berbew behavioral2/files/0x0006000000022e59-39.dat family_berbew behavioral2/files/0x0006000000022e59-38.dat family_berbew behavioral2/memory/4696-44-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/memory/2216-48-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e60-47.dat family_berbew behavioral2/files/0x0006000000022e60-46.dat family_berbew behavioral2/files/0x0006000000022e63-55.dat family_berbew behavioral2/memory/3140-60-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e63-54.dat family_berbew behavioral2/files/0x0006000000022e65-63.dat family_berbew behavioral2/files/0x0006000000022e65-62.dat family_berbew behavioral2/memory/3716-68-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e68-70.dat family_berbew behavioral2/files/0x0006000000022e68-71.dat family_berbew behavioral2/memory/3160-73-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e6a-72.dat family_berbew behavioral2/files/0x0006000000022e6a-78.dat family_berbew behavioral2/memory/3372-79-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e6a-80.dat family_berbew behavioral2/files/0x0007000000022e53-86.dat family_berbew behavioral2/memory/4604-87-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022e53-88.dat family_berbew behavioral2/files/0x0008000000022e5c-89.dat family_berbew behavioral2/files/0x0008000000022e5c-93.dat family_berbew behavioral2/memory/2056-95-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0008000000022e5c-96.dat family_berbew behavioral2/files/0x0009000000022e5e-102.dat family_berbew behavioral2/files/0x0009000000022e5e-104.dat family_berbew behavioral2/memory/3380-103-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e71-110.dat family_berbew behavioral2/files/0x0006000000022e71-112.dat family_berbew behavioral2/memory/4516-111-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e75-118.dat family_berbew behavioral2/memory/4720-119-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e75-120.dat family_berbew behavioral2/files/0x0007000000022e72-126.dat family_berbew behavioral2/memory/4912-128-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022e72-127.dat family_berbew behavioral2/files/0x0006000000022e78-134.dat family_berbew behavioral2/memory/4432-140-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e78-135.dat family_berbew behavioral2/memory/60-144-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022d4a-143.dat family_berbew behavioral2/files/0x0007000000022d4a-142.dat family_berbew behavioral2/files/0x0006000000022e7e-150.dat family_berbew behavioral2/files/0x0006000000022e7e-152.dat family_berbew behavioral2/memory/5104-151-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/memory/5080-159-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e80-160.dat family_berbew behavioral2/files/0x0006000000022e80-158.dat family_berbew behavioral2/files/0x0006000000022e82-166.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1752 Gdiakp32.exe 3680 Gqpapacd.exe 2976 Gdnjfojj.exe 1236 Gjkbnfha.exe 4696 Hccggl32.exe 2216 Haidfpki.exe 3140 Halaloif.exe 3716 Hjdedepg.exe 3160 Ielfgmnj.exe 3372 Ijiopd32.exe 4604 Iaedanal.exe 2056 Lefkkg32.exe 3380 Lamlphoo.exe 4516 Mdnebc32.exe 4720 Mcabej32.exe 4912 Mklfjm32.exe 4432 Mhpgca32.exe 60 Mcfkpjng.exe 5104 Nchhfild.exe 5080 Nkcmjlio.exe 1588 Nhgmcp32.exe 3392 Ncmaai32.exe 4848 Nconfh32.exe 4724 Nofoki32.exe 3464 Nbdkhe32.exe 3320 Obfhmd32.exe 1932 Obidcdfo.exe 2196 Pbgqdb32.exe 2868 Pmmeak32.exe 1532 Piceflpi.exe 3412 Qfgfpp32.exe 640 Qmanljfo.exe 2236 Qckfid32.exe 1792 Qmckbjdl.exe 4208 Aflpkpjm.exe 5096 Acppddig.exe 1288 Alkeifga.exe 2408 Aioebj32.exe 1912 Ammnhilb.exe 4928 Aehbmk32.exe 4056 Albkieqj.exe 3752 Bfhofnpp.exe 812 Bmagch32.exe 516 Bfjllnnm.exe 4760 Beoimjce.exe 1436 Bbcignbo.exe 4732 Bfabmmhe.exe 3700 Cpifeb32.exe 4728 Cdgolq32.exe 3924 Cehlcikj.exe 3572 Cdjlap32.exe 2644 Cekhihig.exe 4752 Cboibm32.exe 4824 Cpcila32.exe 4652 Clijablo.exe 1456 Dbcbnlcl.exe 1004 Dpgbgpbe.exe 2452 Dedkogqm.exe 2936 Dbhlikpf.exe 3556 Dibdeegc.exe 3568 Ddhhbngi.exe 1300 Didqkeeq.exe 3016 Digmqe32.exe 624 Ecoaijio.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lcjagh32.dll Dnqaheai.exe File created C:\Windows\SysWOW64\Aohcbiop.dll Kaajfe32.exe File created C:\Windows\SysWOW64\Gpjlfhpk.dll Allpnplb.exe File created C:\Windows\SysWOW64\Ccinggcj.exe Ckaffjbg.exe File opened for modification C:\Windows\SysWOW64\Emknmi32.exe Ejlban32.exe File created C:\Windows\SysWOW64\Fneoma32.exe Feljgd32.exe File created C:\Windows\SysWOW64\Nbibeo32.exe Niqnli32.exe File created C:\Windows\SysWOW64\Mngepb32.exe Mhmmchpd.exe File created C:\Windows\SysWOW64\Acmhgq32.dll Dpbdiehi.exe File opened for modification C:\Windows\SysWOW64\Jondojna.exe Jdhpba32.exe File created C:\Windows\SysWOW64\Fdbiad32.dll Nejpckgc.exe File opened for modification C:\Windows\SysWOW64\Cngnbfid.exe Cfpfqiha.exe File created C:\Windows\SysWOW64\Naamoolh.dll Nnfpcada.exe File created C:\Windows\SysWOW64\Dqhicdkm.dll Lebalokn.exe File opened for modification C:\Windows\SysWOW64\Dihllkal.exe Dbndoa32.exe File created C:\Windows\SysWOW64\Acppddig.exe Aflpkpjm.exe File opened for modification C:\Windows\SysWOW64\Dfqogfjo.exe Dofgklcb.exe File opened for modification C:\Windows\SysWOW64\Nnfpcada.exe Nkhdgfen.exe File opened for modification C:\Windows\SysWOW64\Didqkeeq.exe Ddhhbngi.exe File created C:\Windows\SysWOW64\Odejmglm.dll Jmlkpgia.exe File opened for modification C:\Windows\SysWOW64\Khifno32.exe Kpanmb32.exe File created C:\Windows\SysWOW64\Pnbifmla.exe Pldljbmn.exe File opened for modification C:\Windows\SysWOW64\Qofjjb32.exe Gafmkp32.exe File created C:\Windows\SysWOW64\Elolco32.exe Edcgnmml.exe File created C:\Windows\SysWOW64\Knjhae32.exe Kklkej32.exe File opened for modification C:\Windows\SysWOW64\Nildajdg.exe Nnfpcada.exe File created C:\Windows\SysWOW64\Nicjaino.exe Nbibeo32.exe File opened for modification C:\Windows\SysWOW64\Pacahhib.exe Pneelmjo.exe File created C:\Windows\SysWOW64\Ppbhiamb.dll Bfbahcfc.exe File created C:\Windows\SysWOW64\Enopgj32.dll Ecefjckj.exe File created C:\Windows\SysWOW64\Begcjjql.exe Bpjkbcbe.exe File opened for modification C:\Windows\SysWOW64\Nconfh32.exe Ncmaai32.exe File opened for modification C:\Windows\SysWOW64\Feimadoe.exe Fckaeioa.exe File created C:\Windows\SysWOW64\Ipenifka.dll Ionlhlld.exe File created C:\Windows\SysWOW64\Klljhe32.exe Gdeqaa32.exe File created C:\Windows\SysWOW64\Dqpmeikh.dll Dcdnce32.exe File created C:\Windows\SysWOW64\Jbkeki32.dll Mcabej32.exe File opened for modification C:\Windows\SysWOW64\Fckaeioa.exe Flaiho32.exe File opened for modification C:\Windows\SysWOW64\Aeigilml.exe Aploae32.exe File created C:\Windows\SysWOW64\Idhgkcln.exe Iajkohmj.exe File opened for modification C:\Windows\SysWOW64\Oiakpheo.exe Obgccn32.exe File opened for modification C:\Windows\SysWOW64\Fclmkb32.exe Ejchbmna.exe File created C:\Windows\SysWOW64\Ecanojgl.exe Elhfbp32.exe File created C:\Windows\SysWOW64\Nofoki32.exe Nconfh32.exe File created C:\Windows\SysWOW64\Jgfdkj32.dll Dpgbgpbe.exe File created C:\Windows\SysWOW64\Feljgd32.exe Flcfnn32.exe File created C:\Windows\SysWOW64\Mlgpjh32.dll Cgbppknb.exe File created C:\Windows\SysWOW64\Nmpmghih.dll Mddidm32.exe File created C:\Windows\SysWOW64\Pkmfbjni.dll Ogqcon32.exe File opened for modification C:\Windows\SysWOW64\Afinbdon.exe Aoofej32.exe File opened for modification C:\Windows\SysWOW64\Hjdedepg.exe Halaloif.exe File created C:\Windows\SysWOW64\Ejlban32.exe Ebejpp32.exe File created C:\Windows\SysWOW64\Fldailbk.dll Bpaacblm.exe File created C:\Windows\SysWOW64\Eekcho32.dll Jgbccm32.exe File created C:\Windows\SysWOW64\Fdfpneeo.dll Kklkej32.exe File created C:\Windows\SysWOW64\Iclaea32.dll Ninafj32.exe File created C:\Windows\SysWOW64\Jdahga32.dll Ciefpn32.exe File created C:\Windows\SysWOW64\Pmmgfg32.dll Agmmnnpj.exe File created C:\Windows\SysWOW64\Qfcjhphd.exe Qolbgbgb.exe File created C:\Windows\SysWOW64\Fjjjanla.exe Qfhmcl32.exe File opened for modification C:\Windows\SysWOW64\Gdnjfojj.exe Gqpapacd.exe File opened for modification C:\Windows\SysWOW64\Galonj32.exe Ghcjedcj.exe File created C:\Windows\SysWOW64\Jgonal32.dll Hanlcjgh.exe File opened for modification C:\Windows\SysWOW64\Bcokah32.exe Blecdn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Milinkgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdgolq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfeigjf.dll" Aebjokda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nahgik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnplqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkpbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhpgca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkakfgoq.dll" Clijablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Didqkeeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghcjedcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmkibl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nqgiel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijlkqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fllkjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nchhfild.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcccol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pidaleei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afinbdon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dibdeegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mggolhaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfogfco.dll" Milinkgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nchhfild.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afinbdon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dldlbgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiplf32.dll" Begcjjql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jblloe32.dll" Boaeioej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Haidfpki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Digmqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqfpoope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodlkdco.dll" Mnjqhcno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmgi32.dll" Nkjqme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlindcmm.dll" Qlkbka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcabej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjnmobg.dll" Ccajdmin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iajkohmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfjhj32.dll" Kojdkhdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nofoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnbifmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhmmchpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnjfh32.dll" Nconfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cooolhin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhlkbaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnlip32.dll" Ajkgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laocpjjj.dll" Ccinggcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqpmeikh.dll" Dcdnce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alkeifga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aploae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmlbdad.dll" Bmlofhca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkoaagmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eikfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gepkahmm.dll" Eiaobjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elbhde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aehbmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Albkieqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bojohp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qkhjim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khmoionj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phkmoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Femcdp32.dll" Fbcfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmloefoi.dll" Khfkpjjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aljefena.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghbheo.dll" Nimbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkmebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qecgcfmf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2964 wrote to memory of 1752 2964 NEAS.fe49d9df97f95da7d4327d504a84a718.exe 91 PID 2964 wrote to memory of 1752 2964 NEAS.fe49d9df97f95da7d4327d504a84a718.exe 91 PID 2964 wrote to memory of 1752 2964 NEAS.fe49d9df97f95da7d4327d504a84a718.exe 91 PID 1752 wrote to memory of 3680 1752 Gdiakp32.exe 92 PID 1752 wrote to memory of 3680 1752 Gdiakp32.exe 92 PID 1752 wrote to memory of 3680 1752 Gdiakp32.exe 92 PID 3680 wrote to memory of 2976 3680 Gqpapacd.exe 93 PID 3680 wrote to memory of 2976 3680 Gqpapacd.exe 93 PID 3680 wrote to memory of 2976 3680 Gqpapacd.exe 93 PID 2976 wrote to memory of 1236 2976 Gdnjfojj.exe 94 PID 2976 wrote to memory of 1236 2976 Gdnjfojj.exe 94 PID 2976 wrote to memory of 1236 2976 Gdnjfojj.exe 94 PID 1236 wrote to memory of 4696 1236 Gjkbnfha.exe 95 PID 1236 wrote to memory of 4696 1236 Gjkbnfha.exe 95 PID 1236 wrote to memory of 4696 1236 Gjkbnfha.exe 95 PID 4696 wrote to memory of 2216 4696 Hccggl32.exe 96 PID 4696 wrote to memory of 2216 4696 Hccggl32.exe 96 PID 4696 wrote to memory of 2216 4696 Hccggl32.exe 96 PID 2216 wrote to memory of 3140 2216 Haidfpki.exe 97 PID 2216 wrote to memory of 3140 2216 Haidfpki.exe 97 PID 2216 wrote to memory of 3140 2216 Haidfpki.exe 97 PID 3140 wrote to memory of 3716 3140 Halaloif.exe 98 PID 3140 wrote to memory of 3716 3140 Halaloif.exe 98 PID 3140 wrote to memory of 3716 3140 Halaloif.exe 98 PID 3716 wrote to memory of 3160 3716 Hjdedepg.exe 99 PID 3716 wrote to memory of 3160 3716 Hjdedepg.exe 99 PID 3716 wrote to memory of 3160 3716 Hjdedepg.exe 99 PID 3160 wrote to memory of 3372 3160 Ielfgmnj.exe 100 PID 3160 wrote to memory of 3372 3160 Ielfgmnj.exe 100 PID 3160 wrote to memory of 3372 3160 Ielfgmnj.exe 100 PID 3372 wrote to memory of 4604 3372 Ijiopd32.exe 102 PID 3372 wrote to memory of 4604 3372 Ijiopd32.exe 102 PID 3372 wrote to memory of 4604 3372 Ijiopd32.exe 102 PID 4604 wrote to memory of 2056 4604 Iaedanal.exe 103 PID 4604 wrote to memory of 2056 4604 Iaedanal.exe 103 PID 4604 wrote to memory of 2056 4604 Iaedanal.exe 103 PID 2056 wrote to memory of 3380 2056 Lefkkg32.exe 104 PID 2056 wrote to memory of 3380 2056 Lefkkg32.exe 104 PID 2056 wrote to memory of 3380 2056 Lefkkg32.exe 104 PID 3380 wrote to memory of 4516 3380 Lamlphoo.exe 105 PID 3380 wrote to memory of 4516 3380 Lamlphoo.exe 105 PID 3380 wrote to memory of 4516 3380 Lamlphoo.exe 105 PID 4516 wrote to memory of 4720 4516 Mdnebc32.exe 106 PID 4516 wrote to memory of 4720 4516 Mdnebc32.exe 106 PID 4516 wrote to memory of 4720 4516 Mdnebc32.exe 106 PID 4720 wrote to memory of 4912 4720 Mcabej32.exe 107 PID 4720 wrote to memory of 4912 4720 Mcabej32.exe 107 PID 4720 wrote to memory of 4912 4720 Mcabej32.exe 107 PID 4912 wrote to memory of 4432 4912 Mklfjm32.exe 108 PID 4912 wrote to memory of 4432 4912 Mklfjm32.exe 108 PID 4912 wrote to memory of 4432 4912 Mklfjm32.exe 108 PID 4432 wrote to memory of 60 4432 Mhpgca32.exe 109 PID 4432 wrote to memory of 60 4432 Mhpgca32.exe 109 PID 4432 wrote to memory of 60 4432 Mhpgca32.exe 109 PID 60 wrote to memory of 5104 60 Mcfkpjng.exe 110 PID 60 wrote to memory of 5104 60 Mcfkpjng.exe 110 PID 60 wrote to memory of 5104 60 Mcfkpjng.exe 110 PID 5104 wrote to memory of 5080 5104 Nchhfild.exe 111 PID 5104 wrote to memory of 5080 5104 Nchhfild.exe 111 PID 5104 wrote to memory of 5080 5104 Nchhfild.exe 111 PID 5080 wrote to memory of 1588 5080 Nkcmjlio.exe 112 PID 5080 wrote to memory of 1588 5080 Nkcmjlio.exe 112 PID 5080 wrote to memory of 1588 5080 Nkcmjlio.exe 112 PID 1588 wrote to memory of 3392 1588 Nhgmcp32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.fe49d9df97f95da7d4327d504a84a718.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.fe49d9df97f95da7d4327d504a84a718.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Gdiakp32.exeC:\Windows\system32\Gdiakp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Gdnjfojj.exeC:\Windows\system32\Gdnjfojj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Gjkbnfha.exeC:\Windows\system32\Gjkbnfha.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Hccggl32.exeC:\Windows\system32\Hccggl32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Haidfpki.exeC:\Windows\system32\Haidfpki.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Hjdedepg.exeC:\Windows\system32\Hjdedepg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Ijiopd32.exeC:\Windows\system32\Ijiopd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Iaedanal.exeC:\Windows\system32\Iaedanal.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Lefkkg32.exeC:\Windows\system32\Lefkkg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Lamlphoo.exeC:\Windows\system32\Lamlphoo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Mdnebc32.exeC:\Windows\system32\Mdnebc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Mcabej32.exeC:\Windows\system32\Mcabej32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Mklfjm32.exeC:\Windows\system32\Mklfjm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Mhpgca32.exeC:\Windows\system32\Mhpgca32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Mcfkpjng.exeC:\Windows\system32\Mcfkpjng.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Nkcmjlio.exeC:\Windows\system32\Nkcmjlio.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Nhgmcp32.exeC:\Windows\system32\Nhgmcp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Ncmaai32.exeC:\Windows\system32\Ncmaai32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3392 -
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Nofoki32.exeC:\Windows\system32\Nofoki32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4724 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe26⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe27⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Obidcdfo.exeC:\Windows\system32\Obidcdfo.exe28⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe29⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe30⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe33⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Qckfid32.exeC:\Windows\system32\Qckfid32.exe34⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Qmckbjdl.exeC:\Windows\system32\Qmckbjdl.exe35⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Aflpkpjm.exeC:\Windows\system32\Aflpkpjm.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4208 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe37⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Alkeifga.exeC:\Windows\system32\Alkeifga.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Aioebj32.exeC:\Windows\system32\Aioebj32.exe39⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe40⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Aehbmk32.exeC:\Windows\system32\Aehbmk32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4928 -
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4056 -
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Bfjllnnm.exeC:\Windows\system32\Bfjllnnm.exe45⤵
- Executes dropped EXE
PID:516 -
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe46⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe47⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Bfabmmhe.exeC:\Windows\system32\Bfabmmhe.exe48⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe49⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4728 -
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe51⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe52⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Cekhihig.exeC:\Windows\system32\Cekhihig.exe53⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe54⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4652 -
C:\Windows\SysWOW64\Dbcbnlcl.exeC:\Windows\system32\Dbcbnlcl.exe57⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Dpgbgpbe.exeC:\Windows\system32\Dpgbgpbe.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe60⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3556 -
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3568 -
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe65⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe66⤵
- Drops file in System32 directory
PID:4200 -
C:\Windows\SysWOW64\Ecanojgl.exeC:\Windows\system32\Ecanojgl.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4276 -
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe68⤵PID:2744
-
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe70⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe71⤵PID:5176
-
C:\Windows\SysWOW64\Egdqph32.exeC:\Windows\system32\Egdqph32.exe72⤵PID:5224
-
C:\Windows\SysWOW64\Flaiho32.exeC:\Windows\system32\Flaiho32.exe73⤵
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Fckaeioa.exeC:\Windows\system32\Fckaeioa.exe74⤵
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Feimadoe.exeC:\Windows\system32\Feimadoe.exe75⤵PID:5356
-
C:\Windows\SysWOW64\Flcfnn32.exeC:\Windows\system32\Flcfnn32.exe76⤵
- Drops file in System32 directory
PID:5412 -
C:\Windows\SysWOW64\Feljgd32.exeC:\Windows\system32\Feljgd32.exe77⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Fneoma32.exeC:\Windows\system32\Fneoma32.exe78⤵PID:5668
-
C:\Windows\SysWOW64\Pdoofl32.exeC:\Windows\system32\Pdoofl32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5736 -
C:\Windows\SysWOW64\Angleokb.exeC:\Windows\system32\Angleokb.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5840 -
C:\Windows\SysWOW64\Dkgeao32.exeC:\Windows\system32\Dkgeao32.exe81⤵PID:5980
-
C:\Windows\SysWOW64\Fnmqegle.exeC:\Windows\system32\Fnmqegle.exe82⤵PID:6060
-
C:\Windows\SysWOW64\Pmbcik32.exeC:\Windows\system32\Pmbcik32.exe83⤵PID:6140
-
C:\Windows\SysWOW64\Pfoamp32.exeC:\Windows\system32\Pfoamp32.exe84⤵PID:5212
-
C:\Windows\SysWOW64\Qbeaba32.exeC:\Windows\system32\Qbeaba32.exe85⤵PID:5280
-
C:\Windows\SysWOW64\Qednnm32.exeC:\Windows\system32\Qednnm32.exe86⤵PID:5392
-
C:\Windows\SysWOW64\Qolbgbgb.exeC:\Windows\system32\Qolbgbgb.exe87⤵
- Drops file in System32 directory
PID:3524 -
C:\Windows\SysWOW64\Qfcjhphd.exeC:\Windows\system32\Qfcjhphd.exe88⤵PID:956
-
C:\Windows\SysWOW64\Qibfdkgh.exeC:\Windows\system32\Qibfdkgh.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4864 -
C:\Windows\SysWOW64\Aploae32.exeC:\Windows\system32\Aploae32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5532 -
C:\Windows\SysWOW64\Aeigilml.exeC:\Windows\system32\Aeigilml.exe91⤵PID:5552
-
C:\Windows\SysWOW64\Apnkfelb.exeC:\Windows\system32\Apnkfelb.exe92⤵PID:2384
-
C:\Windows\SysWOW64\Aghdco32.exeC:\Windows\system32\Aghdco32.exe93⤵PID:1252
-
C:\Windows\SysWOW64\Aifpoj32.exeC:\Windows\system32\Aifpoj32.exe94⤵PID:1512
-
C:\Windows\SysWOW64\Agkqiobl.exeC:\Windows\system32\Agkqiobl.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5600 -
C:\Windows\SysWOW64\Agmmnnpj.exeC:\Windows\system32\Agmmnnpj.exe96⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Aljefena.exeC:\Windows\system32\Aljefena.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3508 -
C:\Windows\SysWOW64\Aebjokda.exeC:\Windows\system32\Aebjokda.exe98⤵
- Modifies registry class
PID:4696 -
C:\Windows\SysWOW64\Bojohp32.exeC:\Windows\system32\Bojohp32.exe99⤵
- Modifies registry class
PID:3316 -
C:\Windows\SysWOW64\Bmlofhca.exeC:\Windows\system32\Bmlofhca.exe100⤵
- Modifies registry class
PID:3616 -
C:\Windows\SysWOW64\Bpjkbcbe.exeC:\Windows\system32\Bpjkbcbe.exe101⤵
- Drops file in System32 directory
PID:3824 -
C:\Windows\SysWOW64\Begcjjql.exeC:\Windows\system32\Begcjjql.exe102⤵
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Blqlgdhi.exeC:\Windows\system32\Blqlgdhi.exe103⤵PID:4892
-
C:\Windows\SysWOW64\Boaeioej.exeC:\Windows\system32\Boaeioej.exe104⤵
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\Bjgifhep.exeC:\Windows\system32\Bjgifhep.exe105⤵PID:2168
-
C:\Windows\SysWOW64\Bpaacblm.exeC:\Windows\system32\Bpaacblm.exe106⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Benjkijd.exeC:\Windows\system32\Benjkijd.exe107⤵PID:1624
-
C:\Windows\SysWOW64\Ccajdmin.exeC:\Windows\system32\Ccajdmin.exe108⤵
- Modifies registry class
PID:5720 -
C:\Windows\SysWOW64\Cfpfqiha.exeC:\Windows\system32\Cfpfqiha.exe109⤵
- Drops file in System32 directory
PID:3552 -
C:\Windows\SysWOW64\Cngnbfid.exeC:\Windows\system32\Cngnbfid.exe110⤵PID:5692
-
C:\Windows\SysWOW64\Cohkinob.exeC:\Windows\system32\Cohkinob.exe111⤵PID:5756
-
C:\Windows\SysWOW64\Cllkcbnl.exeC:\Windows\system32\Cllkcbnl.exe112⤵PID:3496
-
C:\Windows\SysWOW64\Cokgonmp.exeC:\Windows\system32\Cokgonmp.exe113⤵PID:4832
-
C:\Windows\SysWOW64\Cgbppknb.exeC:\Windows\system32\Cgbppknb.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Clohhbli.exeC:\Windows\system32\Clohhbli.exe115⤵PID:4376
-
C:\Windows\SysWOW64\Cnndbecl.exeC:\Windows\system32\Cnndbecl.exe116⤵PID:3676
-
C:\Windows\SysWOW64\Cfiiggpg.exeC:\Windows\system32\Cfiiggpg.exe117⤵PID:5804
-
C:\Windows\SysWOW64\Dnqaheai.exeC:\Windows\system32\Dnqaheai.exe118⤵
- Drops file in System32 directory
PID:4984 -
C:\Windows\SysWOW64\Dcmjpl32.exeC:\Windows\system32\Dcmjpl32.exe119⤵PID:4284
-
C:\Windows\SysWOW64\Dncnnd32.exeC:\Windows\system32\Dncnnd32.exe120⤵PID:3924
-
C:\Windows\SysWOW64\Dqajjp32.exeC:\Windows\system32\Dqajjp32.exe121⤵PID:4368
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-