Analysis
-
max time kernel
165s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2023 08:39
Behavioral task
behavioral1
Sample
NEAS.c1b49ae2348640f9c1b98028c0a380cf.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c1b49ae2348640f9c1b98028c0a380cf.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.c1b49ae2348640f9c1b98028c0a380cf.exe
-
Size
135KB
-
MD5
c1b49ae2348640f9c1b98028c0a380cf
-
SHA1
29382360af6e965db2350a1b8ff7931b6a0a18bb
-
SHA256
2a8e7b68de17df6aeb418bc46ce1e3a48ac13a2cfee8cf5c6bd7ba975d444b74
-
SHA512
0e3451060a799f9c131f13bc4cea1dba2e1d88af320750ac629f1542c67c3ecb90f300f26cd9c8ad204eca607e5287654202a2c6964f1bd55e4e36b421018841
-
SSDEEP
3072:R+/TnZS1MTHNDTYK8Qr5+ViKGe7Yfs0a0Uoi:EV285TYK9cViK4fs0l
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiobbgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpjfng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlbbel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgiclj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfcebf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqfpoope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghpehjph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knpmcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgoadi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijkloi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhejgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nebmnqdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npepdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ledeicdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfgboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjcgjbdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.c1b49ae2348640f9c1b98028c0a380cf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmfpgmil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaqapggb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcifde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddngdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqbbicel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dajbjoao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moiheebb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hijohoki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folacfcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajndbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oanfodmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fchdio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjoilop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifqbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlqohhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omlldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkamdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idpdfija.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdeefpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emniheha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbpnjjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfhmcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keebno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdknjep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohiliof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lklnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfefmflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bichcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqhmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpihbjmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofncde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhfacp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcilgco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedjfodg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qidljhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijkloi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epniae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmhclod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meiabh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hojndd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmggo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqikfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phdngljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpifeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhgiic32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4708-0-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/memory/4708-1-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0008000000022cd1-7.dat family_berbew behavioral2/memory/2464-8-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0008000000022cd1-9.dat family_berbew behavioral2/files/0x0009000000022cd4-11.dat family_berbew behavioral2/files/0x0009000000022cd4-14.dat family_berbew behavioral2/memory/3404-16-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0009000000022cd4-17.dat family_berbew behavioral2/files/0x000a000000022cd7-22.dat family_berbew behavioral2/memory/5040-24-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x000a000000022cd7-25.dat family_berbew behavioral2/files/0x0007000000022cd9-26.dat family_berbew behavioral2/files/0x0007000000022cd9-31.dat family_berbew behavioral2/files/0x0007000000022cd9-33.dat family_berbew behavioral2/memory/2332-32-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022cdb-39.dat family_berbew behavioral2/files/0x0007000000022cdb-41.dat family_berbew behavioral2/memory/2672-40-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022cdd-47.dat family_berbew behavioral2/files/0x0007000000022cdd-49.dat family_berbew behavioral2/memory/3828-48-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022cdf-50.dat family_berbew behavioral2/files/0x0007000000022cdf-55.dat family_berbew behavioral2/files/0x0007000000022cdf-57.dat family_berbew behavioral2/memory/4872-56-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022ce1-63.dat family_berbew behavioral2/files/0x0007000000022ce1-65.dat family_berbew behavioral2/memory/3152-66-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/memory/4708-64-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce4-67.dat family_berbew behavioral2/files/0x0006000000022ce4-72.dat family_berbew behavioral2/files/0x0006000000022ce4-74.dat family_berbew behavioral2/memory/796-73-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce6-80.dat family_berbew behavioral2/memory/3344-82-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce6-81.dat family_berbew behavioral2/files/0x0006000000022ce8-90.dat family_berbew behavioral2/memory/1968-89-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce8-88.dat family_berbew behavioral2/memory/1108-97-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cea-96.dat family_berbew behavioral2/files/0x0006000000022cea-98.dat family_berbew behavioral2/files/0x0006000000022cec-99.dat family_berbew behavioral2/files/0x0006000000022cec-104.dat family_berbew behavioral2/memory/3540-105-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cec-106.dat family_berbew behavioral2/files/0x0006000000022cef-108.dat family_berbew behavioral2/files/0x0006000000022cef-112.dat family_berbew behavioral2/memory/1632-114-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cef-113.dat family_berbew behavioral2/files/0x0006000000022cf2-120.dat family_berbew behavioral2/memory/2020-122-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf2-121.dat family_berbew behavioral2/files/0x0006000000022cf5-128.dat family_berbew behavioral2/memory/1456-129-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf5-130.dat family_berbew behavioral2/files/0x0007000000022cf8-131.dat family_berbew behavioral2/memory/4576-137-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022cf8-136.dat family_berbew behavioral2/files/0x0007000000022cf8-138.dat family_berbew behavioral2/files/0x0006000000022cfa-144.dat family_berbew behavioral2/memory/240-145-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022cfa-146.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2464 Fbdnne32.exe 3404 Igmoih32.exe 5040 Ijbbfc32.exe 2332 Jjkdlall.exe 2672 Logicn32.exe 3828 Mlemcq32.exe 4872 Mddkbbfg.exe 3152 Pfeijqqe.exe 796 Bblcfo32.exe 3344 Cpifeb32.exe 1968 Egpgehnb.exe 1108 Fdmjdkda.exe 3540 Gjqinamq.exe 1632 Hgnlmdcp.exe 2020 Iglhob32.exe 1456 Jclljaei.exe 4576 Kjmjgk32.exe 240 Kmncif32.exe 4808 Lfddci32.exe 4172 Moiheebb.exe 4648 Nkpijfgf.exe 1768 Ngnppfgb.exe 5076 Oeopnmoa.exe 4860 Ogqmee32.exe 3996 Oakjnnap.exe 1640 Bichcc32.exe 3528 Bnppkj32.exe 5032 Bbniai32.exe 4780 Cejaobel.exe 4628 Dfqdid32.exe 180 Dpihbjmg.exe 1228 Eldbbjof.exe 4704 Eojeodga.exe 2660 Fcodfa32.exe 2280 Gcfjfqah.exe 2780 Gjdknjep.exe 3124 Hgbonm32.exe 5116 Ioppho32.exe 3256 Icminm32.exe 4880 Jmamba32.exe 4816 Jqofippg.exe 4640 Kfaglf32.exe 4160 Kjcjmclj.exe 3060 Kfjjbd32.exe 4068 Lfaqcclf.exe 4184 Miklkm32.exe 2948 Ndjcne32.exe 1376 Oileakbj.exe 5024 Ohdlpa32.exe 4712 Onqdhh32.exe 3148 Pkedbmab.exe 1648 Ppdjpcng.exe 3480 Qdflaa32.exe 1748 Qnopjfgi.exe 1944 Akopoi32.exe 2448 Bkamdi32.exe 1912 Bjhgke32.exe 4432 Cnkilbni.exe 3348 Dendok32.exe 2752 Ejiiippb.exe 3088 Eiobbgcl.exe 2140 Gklnem32.exe 568 Gaffbg32.exe 4464 Gahcgg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Khhalafg.exe Knpmcl32.exe File created C:\Windows\SysWOW64\Hkkgii32.exe Gpeclq32.exe File created C:\Windows\SysWOW64\Mkjnop32.exe Lqikfi32.exe File opened for modification C:\Windows\SysWOW64\Gpolld32.exe Giecojpb.exe File created C:\Windows\SysWOW64\Mddkbbfg.exe Mlemcq32.exe File created C:\Windows\SysWOW64\Hmijkj32.dll Bjhgke32.exe File created C:\Windows\SysWOW64\Gdpenp32.dll Fgencf32.exe File opened for modification C:\Windows\SysWOW64\Okcccdkp.exe Nqnofkkj.exe File created C:\Windows\SysWOW64\Hhfoha32.dll Icoglp32.exe File created C:\Windows\SysWOW64\Gfcebf32.exe Flmqem32.exe File created C:\Windows\SysWOW64\Opdpak32.dll Iclcljhi.exe File created C:\Windows\SysWOW64\Ljccfoqj.dll Gahcgg32.exe File created C:\Windows\SysWOW64\Dmefafql.exe Dhhnipbe.exe File opened for modification C:\Windows\SysWOW64\Ookokeqd.exe Mjggka32.exe File created C:\Windows\SysWOW64\Mfofjk32.exe Mpkkgbmi.exe File created C:\Windows\SysWOW64\Moanja32.dll Ealanc32.exe File created C:\Windows\SysWOW64\Hgbonm32.exe Gjdknjep.exe File created C:\Windows\SysWOW64\Qoqbbhcm.dll Clqncl32.exe File opened for modification C:\Windows\SysWOW64\Dacohegc.exe Dhkjooqb.exe File created C:\Windows\SysWOW64\Ncapbnlk.dll Llmhkd32.exe File created C:\Windows\SysWOW64\Gkbnbjlb.dll Hojndd32.exe File opened for modification C:\Windows\SysWOW64\Djaipe32.exe Dgqqnjea.exe File opened for modification C:\Windows\SysWOW64\Leenanik.exe Lagekp32.exe File opened for modification C:\Windows\SysWOW64\Aapeakij.exe Qjfmda32.exe File created C:\Windows\SysWOW64\Lklnle32.exe Kkbkffka.exe File created C:\Windows\SysWOW64\Mfdlif32.exe Mmlhpaji.exe File opened for modification C:\Windows\SysWOW64\Ealanc32.exe Ehdmenhh.exe File created C:\Windows\SysWOW64\Cjggaooi.dll Jeqbjgoo.exe File created C:\Windows\SysWOW64\Cidgnm32.exe Cdgoefki.exe File created C:\Windows\SysWOW64\Olanmmjm.dll Lfaqcclf.exe File opened for modification C:\Windows\SysWOW64\Dhnnoe32.exe Dboiaoff.exe File created C:\Windows\SysWOW64\Dchnan32.dll Bfhhho32.exe File created C:\Windows\SysWOW64\Gbabblkg.exe Gbofmmmj.exe File created C:\Windows\SysWOW64\Mdhanfoi.dll Iknmfg32.exe File created C:\Windows\SysWOW64\Ofiima32.dll Jgfcfajg.exe File created C:\Windows\SysWOW64\Ojfcmc32.exe Oclkqihc.exe File created C:\Windows\SysWOW64\Elkoqm32.dll Gbfkmk32.exe File created C:\Windows\SysWOW64\Hdgfmk32.exe Hojndd32.exe File opened for modification C:\Windows\SysWOW64\Ohhnln32.exe Oanfodmk.exe File opened for modification C:\Windows\SysWOW64\Flfjdn32.exe Dbfgdllk.exe File created C:\Windows\SysWOW64\Jihcig32.dll Imdlgm32.exe File created C:\Windows\SysWOW64\Jgfcfajg.exe Jlqohhja.exe File created C:\Windows\SysWOW64\Nemfgj32.dll Imofip32.exe File opened for modification C:\Windows\SysWOW64\Ffahnd32.exe Ejcaidlp.exe File created C:\Windows\SysWOW64\Ecmebm32.exe Echkgnnl.exe File opened for modification C:\Windows\SysWOW64\Iqkjkokh.exe Hfefmflb.exe File created C:\Windows\SysWOW64\Fmnafmhi.dll Oqdnld32.exe File created C:\Windows\SysWOW64\Cifiamoa.dll Mlemcq32.exe File created C:\Windows\SysWOW64\Hpeohnhn.dll Bdhfaj32.exe File created C:\Windows\SysWOW64\Fhoecana.dll Ohhnln32.exe File opened for modification C:\Windows\SysWOW64\Iohede32.exe Iikmlnae.exe File created C:\Windows\SysWOW64\Lcmkdd32.dll Lnldeg32.exe File created C:\Windows\SysWOW64\Miklkm32.exe Lfaqcclf.exe File created C:\Windows\SysWOW64\Dgiqhe32.dll Aehghn32.exe File opened for modification C:\Windows\SysWOW64\Pffghc32.exe Pploli32.exe File created C:\Windows\SysWOW64\Cpifeb32.exe Bblcfo32.exe File created C:\Windows\SysWOW64\Cejaobel.exe Bbniai32.exe File created C:\Windows\SysWOW64\Chkgcq32.dll Gfodpbpl.exe File created C:\Windows\SysWOW64\Kpepmkjl.exe Jmgkja32.exe File opened for modification C:\Windows\SysWOW64\Ildibc32.exe Iaodek32.exe File opened for modification C:\Windows\SysWOW64\Ejiiippb.exe Dendok32.exe File created C:\Windows\SysWOW64\Jieiif32.dll Mfofjk32.exe File created C:\Windows\SysWOW64\Dehmbjdb.dll Aiejda32.exe File created C:\Windows\SysWOW64\Eoeeekec.dll Kojdkhdd.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbbel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhfifin.dll" Qkgcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkknpq32.dll" Qdjgbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igmoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiejda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmeapbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbomcqc.dll" Ffahnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbjdnm32.dll" Lemagjjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealanc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbdeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbfio32.dll" Hpdegdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmpcock.dll" Bdpqcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmich32.dll" Echkgnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgibil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oileakbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkedbmab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlgkm32.dll" Ppdjpcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnfnl32.dll" Opgciodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opgciodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhmmkcko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peemjcop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olhlaoea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghpehjph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjdeil32.dll" Jpnhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edoehk32.dll" Egpgehnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egpgehnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpbhin.dll" Onqdhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcgndf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfaqcclf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpjjkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcgoha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqfpoope.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgqhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooalibaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leabincm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jieiif32.dll" Mfofjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbpolba.dll" Mjodff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkhjkkf.dll" Nggnjjoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnnifggg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afpjoaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfdmj32.dll" Diqnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdkapdh.dll" Logicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkkah32.dll" Obnlpnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoodae32.dll" Meadgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boflfiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phajblpj.dll" Eojeodga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqkiog32.dll" Hpqlof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdhfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eciilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmpjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gikkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpjmjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcknee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifolan32.dll" Ajndbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldnoemd.dll" Hbppaopp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knoonphp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpjfqljl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhkgpjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haajpgna.dll" Fqfmlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okcccdkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obnlpnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnkgbibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffahnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmfpeoga.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4708 wrote to memory of 2464 4708 NEAS.c1b49ae2348640f9c1b98028c0a380cf.exe 91 PID 4708 wrote to memory of 2464 4708 NEAS.c1b49ae2348640f9c1b98028c0a380cf.exe 91 PID 4708 wrote to memory of 2464 4708 NEAS.c1b49ae2348640f9c1b98028c0a380cf.exe 91 PID 2464 wrote to memory of 3404 2464 Fbdnne32.exe 92 PID 2464 wrote to memory of 3404 2464 Fbdnne32.exe 92 PID 2464 wrote to memory of 3404 2464 Fbdnne32.exe 92 PID 3404 wrote to memory of 5040 3404 Igmoih32.exe 93 PID 3404 wrote to memory of 5040 3404 Igmoih32.exe 93 PID 3404 wrote to memory of 5040 3404 Igmoih32.exe 93 PID 5040 wrote to memory of 2332 5040 Ijbbfc32.exe 94 PID 5040 wrote to memory of 2332 5040 Ijbbfc32.exe 94 PID 5040 wrote to memory of 2332 5040 Ijbbfc32.exe 94 PID 2332 wrote to memory of 2672 2332 Jjkdlall.exe 95 PID 2332 wrote to memory of 2672 2332 Jjkdlall.exe 95 PID 2332 wrote to memory of 2672 2332 Jjkdlall.exe 95 PID 2672 wrote to memory of 3828 2672 Logicn32.exe 96 PID 2672 wrote to memory of 3828 2672 Logicn32.exe 96 PID 2672 wrote to memory of 3828 2672 Logicn32.exe 96 PID 3828 wrote to memory of 4872 3828 Mlemcq32.exe 97 PID 3828 wrote to memory of 4872 3828 Mlemcq32.exe 97 PID 3828 wrote to memory of 4872 3828 Mlemcq32.exe 97 PID 4872 wrote to memory of 3152 4872 Mddkbbfg.exe 98 PID 4872 wrote to memory of 3152 4872 Mddkbbfg.exe 98 PID 4872 wrote to memory of 3152 4872 Mddkbbfg.exe 98 PID 3152 wrote to memory of 796 3152 Pfeijqqe.exe 99 PID 3152 wrote to memory of 796 3152 Pfeijqqe.exe 99 PID 3152 wrote to memory of 796 3152 Pfeijqqe.exe 99 PID 796 wrote to memory of 3344 796 Bblcfo32.exe 100 PID 796 wrote to memory of 3344 796 Bblcfo32.exe 100 PID 796 wrote to memory of 3344 796 Bblcfo32.exe 100 PID 3344 wrote to memory of 1968 3344 Cpifeb32.exe 101 PID 3344 wrote to memory of 1968 3344 Cpifeb32.exe 101 PID 3344 wrote to memory of 1968 3344 Cpifeb32.exe 101 PID 1968 wrote to memory of 1108 1968 Egpgehnb.exe 102 PID 1968 wrote to memory of 1108 1968 Egpgehnb.exe 102 PID 1968 wrote to memory of 1108 1968 Egpgehnb.exe 102 PID 1108 wrote to memory of 3540 1108 Fdmjdkda.exe 103 PID 1108 wrote to memory of 3540 1108 Fdmjdkda.exe 103 PID 1108 wrote to memory of 3540 1108 Fdmjdkda.exe 103 PID 3540 wrote to memory of 1632 3540 Gjqinamq.exe 106 PID 3540 wrote to memory of 1632 3540 Gjqinamq.exe 106 PID 3540 wrote to memory of 1632 3540 Gjqinamq.exe 106 PID 1632 wrote to memory of 2020 1632 Hgnlmdcp.exe 107 PID 1632 wrote to memory of 2020 1632 Hgnlmdcp.exe 107 PID 1632 wrote to memory of 2020 1632 Hgnlmdcp.exe 107 PID 2020 wrote to memory of 1456 2020 Iglhob32.exe 108 PID 2020 wrote to memory of 1456 2020 Iglhob32.exe 108 PID 2020 wrote to memory of 1456 2020 Iglhob32.exe 108 PID 1456 wrote to memory of 4576 1456 Jclljaei.exe 109 PID 1456 wrote to memory of 4576 1456 Jclljaei.exe 109 PID 1456 wrote to memory of 4576 1456 Jclljaei.exe 109 PID 4576 wrote to memory of 240 4576 Kjmjgk32.exe 110 PID 4576 wrote to memory of 240 4576 Kjmjgk32.exe 110 PID 4576 wrote to memory of 240 4576 Kjmjgk32.exe 110 PID 240 wrote to memory of 4808 240 Kmncif32.exe 111 PID 240 wrote to memory of 4808 240 Kmncif32.exe 111 PID 240 wrote to memory of 4808 240 Kmncif32.exe 111 PID 4808 wrote to memory of 4172 4808 Lfddci32.exe 112 PID 4808 wrote to memory of 4172 4808 Lfddci32.exe 112 PID 4808 wrote to memory of 4172 4808 Lfddci32.exe 112 PID 4172 wrote to memory of 4648 4172 Moiheebb.exe 113 PID 4172 wrote to memory of 4648 4172 Moiheebb.exe 113 PID 4172 wrote to memory of 4648 4172 Moiheebb.exe 113 PID 4648 wrote to memory of 1768 4648 Nkpijfgf.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c1b49ae2348640f9c1b98028c0a380cf.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c1b49ae2348640f9c1b98028c0a380cf.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Fbdnne32.exeC:\Windows\system32\Fbdnne32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Ijbbfc32.exeC:\Windows\system32\Ijbbfc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Mlemcq32.exeC:\Windows\system32\Mlemcq32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Mddkbbfg.exeC:\Windows\system32\Mddkbbfg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Fdmjdkda.exeC:\Windows\system32\Fdmjdkda.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Gjqinamq.exeC:\Windows\system32\Gjqinamq.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Kmncif32.exeC:\Windows\system32\Kmncif32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:240 -
C:\Windows\SysWOW64\Lfddci32.exeC:\Windows\system32\Lfddci32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Moiheebb.exeC:\Windows\system32\Moiheebb.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\Nkpijfgf.exeC:\Windows\system32\Nkpijfgf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Ngnppfgb.exeC:\Windows\system32\Ngnppfgb.exe23⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe24⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Ogqmee32.exeC:\Windows\system32\Ogqmee32.exe25⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe26⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Bichcc32.exeC:\Windows\system32\Bichcc32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Bnppkj32.exeC:\Windows\system32\Bnppkj32.exe28⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Bbniai32.exeC:\Windows\system32\Bbniai32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5032 -
C:\Windows\SysWOW64\Cejaobel.exeC:\Windows\system32\Cejaobel.exe30⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Dfqdid32.exeC:\Windows\system32\Dfqdid32.exe31⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Dpihbjmg.exeC:\Windows\system32\Dpihbjmg.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:180 -
C:\Windows\SysWOW64\Eldbbjof.exeC:\Windows\system32\Eldbbjof.exe33⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Eojeodga.exeC:\Windows\system32\Eojeodga.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4704 -
C:\Windows\SysWOW64\Fcodfa32.exeC:\Windows\system32\Fcodfa32.exe35⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Gcfjfqah.exeC:\Windows\system32\Gcfjfqah.exe36⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Gjdknjep.exeC:\Windows\system32\Gjdknjep.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Hgbonm32.exeC:\Windows\system32\Hgbonm32.exe38⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Ioppho32.exeC:\Windows\system32\Ioppho32.exe39⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Icminm32.exeC:\Windows\system32\Icminm32.exe40⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Jmamba32.exeC:\Windows\system32\Jmamba32.exe41⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Jqofippg.exeC:\Windows\system32\Jqofippg.exe42⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Kfaglf32.exeC:\Windows\system32\Kfaglf32.exe43⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Kjcjmclj.exeC:\Windows\system32\Kjcjmclj.exe44⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Kfjjbd32.exeC:\Windows\system32\Kfjjbd32.exe45⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Lfaqcclf.exeC:\Windows\system32\Lfaqcclf.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Miklkm32.exeC:\Windows\system32\Miklkm32.exe47⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe48⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Oileakbj.exeC:\Windows\system32\Oileakbj.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Ohdlpa32.exeC:\Windows\system32\Ohdlpa32.exe50⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Onqdhh32.exeC:\Windows\system32\Onqdhh32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\Pkedbmab.exeC:\Windows\system32\Pkedbmab.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3148 -
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Qdflaa32.exeC:\Windows\system32\Qdflaa32.exe54⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Qnopjfgi.exeC:\Windows\system32\Qnopjfgi.exe55⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Akopoi32.exeC:\Windows\system32\Akopoi32.exe56⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Bkamdi32.exeC:\Windows\system32\Bkamdi32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Bjhgke32.exeC:\Windows\system32\Bjhgke32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Cnkilbni.exeC:\Windows\system32\Cnkilbni.exe59⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Dendok32.exeC:\Windows\system32\Dendok32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3348 -
C:\Windows\SysWOW64\Ejiiippb.exeC:\Windows\system32\Ejiiippb.exe61⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Eiobbgcl.exeC:\Windows\system32\Eiobbgcl.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Gklnem32.exeC:\Windows\system32\Gklnem32.exe63⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Gaffbg32.exeC:\Windows\system32\Gaffbg32.exe64⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Gahcgg32.exeC:\Windows\system32\Gahcgg32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4464 -
C:\Windows\SysWOW64\Gkqhpmkg.exeC:\Windows\system32\Gkqhpmkg.exe66⤵PID:792
-
C:\Windows\SysWOW64\Gajpmg32.exeC:\Windows\system32\Gajpmg32.exe67⤵PID:4904
-
C:\Windows\SysWOW64\Hohcmjic.exeC:\Windows\system32\Hohcmjic.exe68⤵PID:4248
-
C:\Windows\SysWOW64\Jkajnh32.exeC:\Windows\system32\Jkajnh32.exe69⤵PID:3852
-
C:\Windows\SysWOW64\Jhejgl32.exeC:\Windows\system32\Jhejgl32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:652 -
C:\Windows\SysWOW64\Jcknee32.exeC:\Windows\system32\Jcknee32.exe71⤵
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Jfikaqme.exeC:\Windows\system32\Jfikaqme.exe72⤵PID:4600
-
C:\Windows\SysWOW64\Jcmkjeko.exeC:\Windows\system32\Jcmkjeko.exe73⤵PID:3680
-
C:\Windows\SysWOW64\Kbedaand.exeC:\Windows\system32\Kbedaand.exe74⤵PID:2856
-
C:\Windows\SysWOW64\Lfnmcnjn.exeC:\Windows\system32\Lfnmcnjn.exe75⤵PID:1464
-
C:\Windows\SysWOW64\Mpkkgbmi.exeC:\Windows\system32\Mpkkgbmi.exe76⤵
- Drops file in System32 directory
PID:3720 -
C:\Windows\SysWOW64\Mfofjk32.exeC:\Windows\system32\Mfofjk32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:4972 -
C:\Windows\SysWOW64\Npighq32.exeC:\Windows\system32\Npighq32.exe78⤵PID:5016
-
C:\Windows\SysWOW64\Nbhcdl32.exeC:\Windows\system32\Nbhcdl32.exe79⤵PID:4244
-
C:\Windows\SysWOW64\Ojkkah32.exeC:\Windows\system32\Ojkkah32.exe80⤵PID:4428
-
C:\Windows\SysWOW64\Opgciodi.exeC:\Windows\system32\Opgciodi.exe81⤵
- Modifies registry class
PID:3440 -
C:\Windows\SysWOW64\Ojmgggdo.exeC:\Windows\system32\Ojmgggdo.exe82⤵PID:4384
-
C:\Windows\SysWOW64\Opjponbf.exeC:\Windows\system32\Opjponbf.exe83⤵PID:4744
-
C:\Windows\SysWOW64\Okodlgbl.exeC:\Windows\system32\Okodlgbl.exe84⤵PID:1652
-
C:\Windows\SysWOW64\Oplmdnpc.exeC:\Windows\system32\Oplmdnpc.exe85⤵PID:3404
-
C:\Windows\SysWOW64\Pkigbfja.exeC:\Windows\system32\Pkigbfja.exe86⤵PID:1780
-
C:\Windows\SysWOW64\Pljcjn32.exeC:\Windows\system32\Pljcjn32.exe87⤵PID:5124
-
C:\Windows\SysWOW64\Pgphggpe.exeC:\Windows\system32\Pgphggpe.exe88⤵PID:5172
-
C:\Windows\SysWOW64\Pmipdq32.exeC:\Windows\system32\Pmipdq32.exe89⤵PID:5220
-
C:\Windows\SysWOW64\Aiejda32.exeC:\Windows\system32\Aiejda32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Bnehgmob.exeC:\Windows\system32\Bnehgmob.exe91⤵PID:5308
-
C:\Windows\SysWOW64\Bdpqcg32.exeC:\Windows\system32\Bdpqcg32.exe92⤵
- Modifies registry class
PID:5348 -
C:\Windows\SysWOW64\Ckiipa32.exeC:\Windows\system32\Ckiipa32.exe93⤵PID:5396
-
C:\Windows\SysWOW64\Dncehk32.exeC:\Windows\system32\Dncehk32.exe94⤵PID:5444
-
C:\Windows\SysWOW64\Emlgedge.exeC:\Windows\system32\Emlgedge.exe95⤵PID:5488
-
C:\Windows\SysWOW64\Flmhclod.exeC:\Windows\system32\Flmhclod.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5528 -
C:\Windows\SysWOW64\Faiplcmk.exeC:\Windows\system32\Faiplcmk.exe97⤵PID:5572
-
C:\Windows\SysWOW64\Flodilma.exeC:\Windows\system32\Flodilma.exe98⤵PID:5612
-
C:\Windows\SysWOW64\Falmabki.exeC:\Windows\system32\Falmabki.exe99⤵PID:5660
-
C:\Windows\SysWOW64\Flaaok32.exeC:\Windows\system32\Flaaok32.exe100⤵PID:5704
-
C:\Windows\SysWOW64\Fanigb32.exeC:\Windows\system32\Fanigb32.exe101⤵PID:5752
-
C:\Windows\SysWOW64\Fhjoilop.exeC:\Windows\system32\Fhjoilop.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5804 -
C:\Windows\SysWOW64\Gmggac32.exeC:\Windows\system32\Gmggac32.exe103⤵PID:5848
-
C:\Windows\SysWOW64\Gdaonmdd.exeC:\Windows\system32\Gdaonmdd.exe104⤵PID:5888
-
C:\Windows\SysWOW64\Gmjcgb32.exeC:\Windows\system32\Gmjcgb32.exe105⤵PID:5988
-
C:\Windows\SysWOW64\Hhkgpjqn.exeC:\Windows\system32\Hhkgpjqn.exe106⤵
- Modifies registry class
PID:6024 -
C:\Windows\SysWOW64\Haclio32.exeC:\Windows\system32\Haclio32.exe107⤵PID:6096
-
C:\Windows\SysWOW64\Hmlicp32.exeC:\Windows\system32\Hmlicp32.exe108⤵PID:6136
-
C:\Windows\SysWOW64\Hhbnqi32.exeC:\Windows\system32\Hhbnqi32.exe109⤵PID:5152
-
C:\Windows\SysWOW64\Imofip32.exeC:\Windows\system32\Imofip32.exe110⤵
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Ilpfgg32.exeC:\Windows\system32\Ilpfgg32.exe111⤵PID:4872
-
C:\Windows\SysWOW64\Imabnofj.exeC:\Windows\system32\Imabnofj.exe112⤵PID:5336
-
C:\Windows\SysWOW64\Ikgpmc32.exeC:\Windows\system32\Ikgpmc32.exe113⤵PID:3820
-
C:\Windows\SysWOW64\Idpdfija.exeC:\Windows\system32\Idpdfija.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4140 -
C:\Windows\SysWOW64\Ioeicajh.exeC:\Windows\system32\Ioeicajh.exe115⤵PID:5476
-
C:\Windows\SysWOW64\Jliimf32.exeC:\Windows\system32\Jliimf32.exe116⤵PID:4144
-
C:\Windows\SysWOW64\Jkqccbkf.exeC:\Windows\system32\Jkqccbkf.exe117⤵PID:5640
-
C:\Windows\SysWOW64\Jefgak32.exeC:\Windows\system32\Jefgak32.exe118⤵PID:5688
-
C:\Windows\SysWOW64\Jkcpia32.exeC:\Windows\system32\Jkcpia32.exe119⤵PID:5772
-
C:\Windows\SysWOW64\Jehcfj32.exeC:\Windows\system32\Jehcfj32.exe120⤵PID:5872
-
C:\Windows\SysWOW64\Jdnqgg32.exeC:\Windows\system32\Jdnqgg32.exe121⤵PID:5900
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-