Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
31/10/2023, 08:51
Behavioral task
behavioral1
Sample
NEAS.240afddc7de4eef25ce8f431060ef680.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.240afddc7de4eef25ce8f431060ef680.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.240afddc7de4eef25ce8f431060ef680.exe
-
Size
93KB
-
MD5
240afddc7de4eef25ce8f431060ef680
-
SHA1
06c765bee0f2d53ddd0301cc087cc299ad17e5e4
-
SHA256
84f7c2f828b1ba6172282587b5f3ab499aad7c2b31294822cad83819f7af0a8e
-
SHA512
452c47c8852e3bef0abcde00c119622c68410bb5edd69e33a96ad934c217900b8b5b8cb8e9d8c9e8b9f6e8f2b08dbf4473dd1b49946a773760226232f1c7bd77
-
SSDEEP
1536:wWyfQLd8/N2sVxD9FSiK3fGx2LASow4kkA9tl/3vxHBWBTLHjiwg58:wMJ8VjVxnODMw4kkct9fN0BLY58
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Binhnomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cadlbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omopjcjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmklglpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeandma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njljch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqknkedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clchbqoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnajppda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajmladbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmafcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edhakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfjcnold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlifnphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knefeffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlpeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfmfefni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajjjocap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhkfkmmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egnajocq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moalil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmidog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbkeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npepkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaqhjggp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nakhaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmckbjdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcfggkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edgbii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hejjanpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adjjeieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqhcpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqppci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnncgmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqghqpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekqckmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgcjfbed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfaigclq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlnjbedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcjjhdjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjmekgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kalcik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhakj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfennic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opeiadfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcibca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkcccn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofhbgmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkcge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpfhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbiniff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejagaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpbecod.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/3356-0-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000022e0c-8.dat family_berbew behavioral2/memory/448-7-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000022e0c-6.dat family_berbew behavioral2/files/0x0006000000022e17-14.dat family_berbew behavioral2/memory/3520-15-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e17-16.dat family_berbew behavioral2/files/0x0006000000022e19-17.dat family_berbew behavioral2/files/0x0006000000022e19-22.dat family_berbew behavioral2/files/0x0006000000022e19-23.dat family_berbew behavioral2/memory/4456-24-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/memory/3960-31-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1b-32.dat family_berbew behavioral2/files/0x0006000000022e1b-30.dat family_berbew behavioral2/files/0x0006000000022e1d-38.dat family_berbew behavioral2/memory/416-39-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1d-40.dat family_berbew behavioral2/files/0x0006000000022e1f-46.dat family_berbew behavioral2/files/0x0006000000022e1f-47.dat family_berbew behavioral2/memory/4488-48-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e21-54.dat family_berbew behavioral2/files/0x0006000000022e21-55.dat family_berbew behavioral2/memory/3112-56-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e23-62.dat family_berbew behavioral2/memory/4708-63-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e23-64.dat family_berbew behavioral2/files/0x0006000000022e25-65.dat family_berbew behavioral2/files/0x0006000000022e25-70.dat family_berbew behavioral2/memory/1804-72-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e25-71.dat family_berbew behavioral2/files/0x0006000000022e27-78.dat family_berbew behavioral2/memory/1828-79-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e27-80.dat family_berbew behavioral2/files/0x0006000000022e29-81.dat family_berbew behavioral2/files/0x0006000000022e29-86.dat family_berbew behavioral2/files/0x0006000000022e29-88.dat family_berbew behavioral2/memory/976-87-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2c-94.dat family_berbew behavioral2/files/0x0006000000022e2c-96.dat family_berbew behavioral2/memory/3576-95-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/memory/1324-103-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e34-102.dat family_berbew behavioral2/files/0x0006000000022e34-104.dat family_berbew behavioral2/files/0x0006000000022e36-110.dat family_berbew behavioral2/memory/1068-111-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e36-112.dat family_berbew behavioral2/files/0x0006000000022e38-118.dat family_berbew behavioral2/files/0x0006000000022e38-120.dat family_berbew behavioral2/memory/3012-119-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3a-127.dat family_berbew behavioral2/files/0x0006000000022e3a-126.dat family_berbew behavioral2/memory/5004-128-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3c-134.dat family_berbew behavioral2/files/0x0006000000022e3c-135.dat family_berbew behavioral2/memory/2392-136-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3e-143.dat family_berbew behavioral2/files/0x0006000000022e3e-142.dat family_berbew behavioral2/memory/3124-144-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e40-150.dat family_berbew behavioral2/files/0x0006000000022e40-152.dat family_berbew behavioral2/memory/576-151-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e42-158.dat family_berbew behavioral2/memory/1960-159-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0006000000022e42-160.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 448 Pcncpbmd.exe 3520 Pjhlml32.exe 4456 Pgllfp32.exe 3960 Pmidog32.exe 416 Pfaigm32.exe 4488 Qgqeappe.exe 3112 Qmmnjfnl.exe 4708 Qcgffqei.exe 1804 Acjclpcf.exe 1828 Ambgef32.exe 976 Afjlnk32.exe 3576 Aeklkchg.exe 1324 Aadifclh.exe 1068 Bebblb32.exe 3012 Bfdodjhm.exe 5004 Bjagjhnc.exe 2392 Beglgani.exe 3124 Bfhhoi32.exe 576 Banllbdn.exe 1960 Bnbmefbg.exe 3848 Chjaol32.exe 3992 Cabfga32.exe 3348 Cfpnph32.exe 812 Caebma32.exe 4712 Cfbkeh32.exe 4340 Ceckcp32.exe 4236 Cdhhdlid.exe 4068 Daqbip32.exe 1824 Ddakjkqi.exe 376 Dkkcge32.exe 2044 Deagdn32.exe 1040 Dknpmdfc.exe 792 Ehapfiem.exe 4112 Ekpmbddq.exe 5076 Edhakj32.exe 4168 Emaedo32.exe 1128 Eehnem32.exe 4904 Ehiffh32.exe 2252 Ibicnh32.exe 3616 Iiehpahb.exe 2292 Ifihif32.exe 4292 Ioambknl.exe 4444 Ienekbld.exe 3116 Jodjhkkj.exe 1784 Jilnqqbj.exe 560 Joffnk32.exe 3384 Jbgoof32.exe 2156 Jnnpdg32.exe 1500 Jnpmjf32.exe 3936 Jghabl32.exe 4936 Kbnepe32.exe 4044 Knefeffd.exe 3168 Khmknk32.exe 1060 Kbbokdlk.exe 4492 Khpgckkb.exe 3568 Knippe32.exe 4784 Knlleepl.exe 2244 Kiaqcnpb.exe 3308 Lnnikdnj.exe 4388 Lehaho32.exe 4960 Llbidimc.exe 4596 Lhijijbg.exe 1660 Lppbkgcj.exe 3924 Lemkcnaa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hhimhobl.exe Hifmmb32.exe File opened for modification C:\Windows\SysWOW64\Babcil32.exe Biklho32.exe File opened for modification C:\Windows\SysWOW64\Mklfjm32.exe Mlifnphl.exe File opened for modification C:\Windows\SysWOW64\Geohklaa.exe Gppcmeem.exe File created C:\Windows\SysWOW64\Igajal32.exe Illfdc32.exe File opened for modification C:\Windows\SysWOW64\Lcnfohmi.exe Lqojclne.exe File created C:\Windows\SysWOW64\Jnfpnk32.dll Pagbaglh.exe File opened for modification C:\Windows\SysWOW64\Phcgcqab.exe Pplobcpp.exe File opened for modification C:\Windows\SysWOW64\Bfaigclq.exe Bdcmkgmm.exe File opened for modification C:\Windows\SysWOW64\Cigkdmel.exe Ccmcgcmp.exe File opened for modification C:\Windows\SysWOW64\Gdgdeppb.exe Gbhhieao.exe File created C:\Windows\SysWOW64\Pfaigm32.exe Pmidog32.exe File opened for modification C:\Windows\SysWOW64\Pgbbek32.exe Ophjiaql.exe File opened for modification C:\Windows\SysWOW64\Illfdc32.exe Iinjhh32.exe File created C:\Windows\SysWOW64\Qgjamboa.dll Iinjhh32.exe File created C:\Windows\SysWOW64\Qkfkng32.exe Qmckbjdl.exe File created C:\Windows\SysWOW64\Ejahec32.dll Hghfnioq.exe File created C:\Windows\SysWOW64\Okahhpqj.dll Lahbei32.exe File created C:\Windows\SysWOW64\Cdpqko32.dll Mklfjm32.exe File created C:\Windows\SysWOW64\Pkmhgh32.exe Piolkm32.exe File created C:\Windows\SysWOW64\Hicpgc32.exe Hehdfdek.exe File created C:\Windows\SysWOW64\Ofgdcipq.exe Oonlfo32.exe File created C:\Windows\SysWOW64\Qmdblp32.exe Qjffpe32.exe File created C:\Windows\SysWOW64\Nkeipk32.exe Ndlacapp.exe File opened for modification C:\Windows\SysWOW64\Lehaho32.exe Lnnikdnj.exe File opened for modification C:\Windows\SysWOW64\Nhmofj32.exe Nenbjo32.exe File created C:\Windows\SysWOW64\Anobgl32.exe Adfnofpd.exe File opened for modification C:\Windows\SysWOW64\Igfclkdj.exe Ioolkncg.exe File created C:\Windows\SysWOW64\Mpolbbim.dll Nqpcjj32.exe File created C:\Windows\SysWOW64\Ifaohg32.dll Aaoaic32.exe File created C:\Windows\SysWOW64\Pbjddh32.exe Pcgdhkem.exe File created C:\Windows\SysWOW64\Iiehpahb.exe Ibicnh32.exe File created C:\Windows\SysWOW64\Emanjldl.exe Efgemb32.exe File created C:\Windows\SysWOW64\Hoeieolb.exe Hmdlmg32.exe File opened for modification C:\Windows\SysWOW64\Ioolkncg.exe Iefgbh32.exe File created C:\Windows\SysWOW64\Pmapoggk.dll Gnblnlhl.exe File opened for modification C:\Windows\SysWOW64\Kcapicdj.exe Kpccmhdg.exe File created C:\Windows\SysWOW64\Opadhb32.exe Oigllh32.exe File opened for modification C:\Windows\SysWOW64\Jqknkedi.exe Jnlbojee.exe File opened for modification C:\Windows\SysWOW64\Nenbjo32.exe Nmgjia32.exe File opened for modification C:\Windows\SysWOW64\Hmdlmg32.exe Hoclopne.exe File opened for modification C:\Windows\SysWOW64\Cceddf32.exe Cpihcgoa.exe File created C:\Windows\SysWOW64\Ghoqak32.dll Ojigdcll.exe File created C:\Windows\SysWOW64\Nqfbpb32.exe Niojoeel.exe File created C:\Windows\SysWOW64\Bhalpn32.dll Mlemcq32.exe File created C:\Windows\SysWOW64\Lhenai32.exe Legben32.exe File created C:\Windows\SysWOW64\Iamfph32.dll Cikglnkj.exe File created C:\Windows\SysWOW64\Gnnccl32.exe Fkofga32.exe File created C:\Windows\SysWOW64\Klndfj32.exe Jahqiaeb.exe File opened for modification C:\Windows\SysWOW64\Koonge32.exe Klpakj32.exe File created C:\Windows\SysWOW64\Maaekg32.exe Mociol32.exe File opened for modification C:\Windows\SysWOW64\Mbjnbqhp.exe Mlpeff32.exe File opened for modification C:\Windows\SysWOW64\Aaenbd32.exe Akkffkhk.exe File opened for modification C:\Windows\SysWOW64\Edplhjhi.exe Ebaplnie.exe File opened for modification C:\Windows\SysWOW64\Mlemcq32.exe Mdnebc32.exe File opened for modification C:\Windows\SysWOW64\Doagjc32.exe Dgjoif32.exe File created C:\Windows\SysWOW64\Lebijnak.exe Lohqnd32.exe File opened for modification C:\Windows\SysWOW64\Mhjhmhhd.exe Mfkkqmiq.exe File created C:\Windows\SysWOW64\Bdocph32.exe Bapgdm32.exe File created C:\Windows\SysWOW64\Fkpiopih.dll Qoelkp32.exe File opened for modification C:\Windows\SysWOW64\Chlflabp.exe Cnfaohbj.exe File created C:\Windows\SysWOW64\Dnbakghm.exe Dkceokii.exe File created C:\Windows\SysWOW64\Bcjfln32.dll Mjlhgaqp.exe File created C:\Windows\SysWOW64\Pbgqdb32.exe Pcdqhecd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll" Jebfng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecdbop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inkaqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khkdad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhjjip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocdjpmac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iojkeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edoencdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgabh32.dll" Mhpgca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjcbkij.dll" Ekpmbddq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmbanbmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hoaojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpkmal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Likhem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdaile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll" Gbhhieao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mebkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fijkdmhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjidgkog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Maaekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimhefgb.dll" Qmanljfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofhjkmkl.dll" Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneoha32.dll" Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdkapdh.dll" Mdnebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coadnlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doccpcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnibokbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhgiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmgjia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klekfinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbjddh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdkoef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbqinm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll" Cfpnph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfhbga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npepkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfandnla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongimkh.dll" Jnbgaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfoceoni.dll" Nhbciqln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbljoafi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Injmcmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiebgmkm.dll" Qjiipk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Ckebcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badjai32.dll" Foapaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hehdfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll" Bapgdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcdbfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgbbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfchlbfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geoapenf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjocbhbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nheqnpjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moaogand.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3356 wrote to memory of 448 3356 NEAS.240afddc7de4eef25ce8f431060ef680.exe 88 PID 3356 wrote to memory of 448 3356 NEAS.240afddc7de4eef25ce8f431060ef680.exe 88 PID 3356 wrote to memory of 448 3356 NEAS.240afddc7de4eef25ce8f431060ef680.exe 88 PID 448 wrote to memory of 3520 448 Pcncpbmd.exe 89 PID 448 wrote to memory of 3520 448 Pcncpbmd.exe 89 PID 448 wrote to memory of 3520 448 Pcncpbmd.exe 89 PID 3520 wrote to memory of 4456 3520 Pjhlml32.exe 90 PID 3520 wrote to memory of 4456 3520 Pjhlml32.exe 90 PID 3520 wrote to memory of 4456 3520 Pjhlml32.exe 90 PID 4456 wrote to memory of 3960 4456 Pgllfp32.exe 91 PID 4456 wrote to memory of 3960 4456 Pgllfp32.exe 91 PID 4456 wrote to memory of 3960 4456 Pgllfp32.exe 91 PID 3960 wrote to memory of 416 3960 Pmidog32.exe 92 PID 3960 wrote to memory of 416 3960 Pmidog32.exe 92 PID 3960 wrote to memory of 416 3960 Pmidog32.exe 92 PID 416 wrote to memory of 4488 416 Pfaigm32.exe 93 PID 416 wrote to memory of 4488 416 Pfaigm32.exe 93 PID 416 wrote to memory of 4488 416 Pfaigm32.exe 93 PID 4488 wrote to memory of 3112 4488 Qgqeappe.exe 94 PID 4488 wrote to memory of 3112 4488 Qgqeappe.exe 94 PID 4488 wrote to memory of 3112 4488 Qgqeappe.exe 94 PID 3112 wrote to memory of 4708 3112 Qmmnjfnl.exe 95 PID 3112 wrote to memory of 4708 3112 Qmmnjfnl.exe 95 PID 3112 wrote to memory of 4708 3112 Qmmnjfnl.exe 95 PID 4708 wrote to memory of 1804 4708 Qcgffqei.exe 96 PID 4708 wrote to memory of 1804 4708 Qcgffqei.exe 96 PID 4708 wrote to memory of 1804 4708 Qcgffqei.exe 96 PID 1804 wrote to memory of 1828 1804 Acjclpcf.exe 97 PID 1804 wrote to memory of 1828 1804 Acjclpcf.exe 97 PID 1804 wrote to memory of 1828 1804 Acjclpcf.exe 97 PID 1828 wrote to memory of 976 1828 Ambgef32.exe 99 PID 1828 wrote to memory of 976 1828 Ambgef32.exe 99 PID 1828 wrote to memory of 976 1828 Ambgef32.exe 99 PID 976 wrote to memory of 3576 976 Afjlnk32.exe 100 PID 976 wrote to memory of 3576 976 Afjlnk32.exe 100 PID 976 wrote to memory of 3576 976 Afjlnk32.exe 100 PID 3576 wrote to memory of 1324 3576 Aeklkchg.exe 101 PID 3576 wrote to memory of 1324 3576 Aeklkchg.exe 101 PID 3576 wrote to memory of 1324 3576 Aeklkchg.exe 101 PID 1324 wrote to memory of 1068 1324 Aadifclh.exe 102 PID 1324 wrote to memory of 1068 1324 Aadifclh.exe 102 PID 1324 wrote to memory of 1068 1324 Aadifclh.exe 102 PID 1068 wrote to memory of 3012 1068 Bebblb32.exe 103 PID 1068 wrote to memory of 3012 1068 Bebblb32.exe 103 PID 1068 wrote to memory of 3012 1068 Bebblb32.exe 103 PID 3012 wrote to memory of 5004 3012 Bfdodjhm.exe 104 PID 3012 wrote to memory of 5004 3012 Bfdodjhm.exe 104 PID 3012 wrote to memory of 5004 3012 Bfdodjhm.exe 104 PID 5004 wrote to memory of 2392 5004 Bjagjhnc.exe 105 PID 5004 wrote to memory of 2392 5004 Bjagjhnc.exe 105 PID 5004 wrote to memory of 2392 5004 Bjagjhnc.exe 105 PID 2392 wrote to memory of 3124 2392 Beglgani.exe 106 PID 2392 wrote to memory of 3124 2392 Beglgani.exe 106 PID 2392 wrote to memory of 3124 2392 Beglgani.exe 106 PID 3124 wrote to memory of 576 3124 Bfhhoi32.exe 107 PID 3124 wrote to memory of 576 3124 Bfhhoi32.exe 107 PID 3124 wrote to memory of 576 3124 Bfhhoi32.exe 107 PID 576 wrote to memory of 1960 576 Banllbdn.exe 109 PID 576 wrote to memory of 1960 576 Banllbdn.exe 109 PID 576 wrote to memory of 1960 576 Banllbdn.exe 109 PID 1960 wrote to memory of 3848 1960 Bnbmefbg.exe 110 PID 1960 wrote to memory of 3848 1960 Bnbmefbg.exe 110 PID 1960 wrote to memory of 3848 1960 Bnbmefbg.exe 110 PID 3848 wrote to memory of 3992 3848 Chjaol32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.240afddc7de4eef25ce8f431060ef680.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.240afddc7de4eef25ce8f431060ef680.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe23⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe25⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe27⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe28⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe29⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe30⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe32⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe33⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe34⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4112 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe37⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe38⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe39⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe41⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe42⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe43⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe44⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe45⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe46⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe47⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe48⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe49⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe50⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe51⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe52⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe54⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe55⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe56⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe57⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe58⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe59⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3308 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe61⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe62⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe63⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe64⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe65⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe66⤵PID:3628
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe67⤵PID:4100
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe68⤵PID:912
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe69⤵PID:2172
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe70⤵PID:2496
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe71⤵PID:872
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe72⤵PID:680
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe74⤵PID:3868
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe75⤵PID:4256
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe76⤵PID:4956
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe77⤵
- Modifies registry class
PID:3556 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe78⤵PID:1432
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5104 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe80⤵PID:2844
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe81⤵PID:5184
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe82⤵PID:5232
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe83⤵PID:5268
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe84⤵PID:5324
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe85⤵PID:5376
-
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe86⤵PID:5424
-
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe87⤵PID:5480
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe88⤵PID:5532
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe89⤵PID:5588
-
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe90⤵
- Drops file in System32 directory
PID:5628 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe91⤵PID:5680
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe92⤵PID:5740
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe93⤵PID:5792
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe94⤵PID:5832
-
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe95⤵PID:5900
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe96⤵PID:5960
-
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe97⤵
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe98⤵PID:6056
-
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe99⤵
- Drops file in System32 directory
PID:6108 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe100⤵
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe101⤵PID:5224
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe102⤵PID:5280
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe103⤵PID:5356
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe104⤵PID:5468
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe105⤵PID:5584
-
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe106⤵PID:5660
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe107⤵PID:5732
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe108⤵
- Modifies registry class
PID:5824 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe109⤵PID:5916
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6004 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe111⤵PID:6052
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe112⤵PID:6140
-
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe113⤵PID:5212
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe114⤵PID:5364
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5540 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe116⤵PID:5596
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe117⤵PID:5708
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe118⤵PID:5852
-
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe119⤵PID:5996
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe120⤵PID:220
-
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe121⤵PID:5192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-