Analysis
-
max time kernel
155s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01/11/2023, 07:55
Behavioral task
behavioral1
Sample
NEAS.e088d4f5a46127c11503c3fdeb0ba070.exe
Resource
win7-20231025-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e088d4f5a46127c11503c3fdeb0ba070.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.e088d4f5a46127c11503c3fdeb0ba070.exe
-
Size
161KB
-
MD5
e088d4f5a46127c11503c3fdeb0ba070
-
SHA1
8292c7418a9ab0389d55e713af757a6eb362e625
-
SHA256
edca61c0519fd744a30711984a188806721fb5a56daa9159c9e362e99e45407b
-
SHA512
718890d6bc1a646438570b0d6fb6c40a1945d627891182e10dee85853ab1f44236ca532af311e4f15378e5c270e6192d0dd8c07674359ec91c66617d478ec745
-
SSDEEP
3072:1w+9dIvjqo1ZuLQlWSQekuVwtCJXeex7rrIRZK8K8/kv:1w+vI71ZuLQT5kuVwtmeetrIyR
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnolojhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpcapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koiejemn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Debfpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Endnohdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfoeiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llpofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmpoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqdeefpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklfho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lankbigo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qikgco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhjmdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmgcoaie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecafgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdclcmba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnbhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bojomm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibjqaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkholi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmomgoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agpqnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nofoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnaolm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmpoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecjpfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kheekkjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbmifdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inhion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Komhkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcghm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkiiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpmmhpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nneiikqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgqlcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkgnalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikcmmjkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqpdof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjmkqke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnncl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajhndkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeandma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klekfinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ochamg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfeccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgbfka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mddidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akcjkfij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmechmip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpclce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mallojmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpoljg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfkhmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhfgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbjfjci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nneiikqe.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x00090000000222f4-6.dat family_berbew behavioral2/files/0x00090000000222f4-8.dat family_berbew behavioral2/files/0x0006000000022e0c-14.dat family_berbew behavioral2/files/0x0006000000022e0c-16.dat family_berbew behavioral2/files/0x0006000000022e0e-22.dat family_berbew behavioral2/files/0x0006000000022e0e-24.dat family_berbew behavioral2/files/0x0006000000022e0f-30.dat family_berbew behavioral2/files/0x0006000000022e0f-32.dat family_berbew behavioral2/files/0x0006000000022e12-39.dat family_berbew behavioral2/files/0x0006000000022e12-38.dat family_berbew behavioral2/files/0x0006000000022e14-47.dat family_berbew behavioral2/files/0x0006000000022e14-46.dat family_berbew behavioral2/files/0x0006000000022e16-54.dat family_berbew behavioral2/files/0x0006000000022e16-56.dat family_berbew behavioral2/files/0x0006000000022e19-62.dat family_berbew behavioral2/files/0x0006000000022e19-64.dat family_berbew behavioral2/files/0x0006000000022e1b-70.dat family_berbew behavioral2/files/0x0006000000022e1b-71.dat family_berbew behavioral2/files/0x0006000000022e23-78.dat family_berbew behavioral2/files/0x0006000000022e23-80.dat family_berbew behavioral2/files/0x0006000000022e25-87.dat family_berbew behavioral2/files/0x0006000000022e25-90.dat family_berbew behavioral2/files/0x0006000000022e28-96.dat family_berbew behavioral2/files/0x0006000000022e28-99.dat family_berbew behavioral2/files/0x0006000000022e2a-105.dat family_berbew behavioral2/files/0x0006000000022e2a-107.dat family_berbew behavioral2/files/0x0006000000022e2c-115.dat family_berbew behavioral2/files/0x0006000000022e2c-117.dat family_berbew behavioral2/files/0x0006000000022e2e-124.dat family_berbew behavioral2/files/0x0006000000022e2e-126.dat family_berbew behavioral2/files/0x0006000000022e30-133.dat family_berbew behavioral2/files/0x0006000000022e30-135.dat family_berbew behavioral2/files/0x0006000000022e32-142.dat family_berbew behavioral2/files/0x0006000000022e32-144.dat family_berbew behavioral2/files/0x0006000000022e36-146.dat family_berbew behavioral2/files/0x0006000000022e36-151.dat family_berbew behavioral2/files/0x0006000000022e36-154.dat family_berbew behavioral2/files/0x0006000000022e39-160.dat family_berbew behavioral2/files/0x0006000000022e39-162.dat family_berbew behavioral2/files/0x0006000000022e3b-169.dat family_berbew behavioral2/files/0x0006000000022e3b-171.dat family_berbew behavioral2/files/0x0006000000022e3f-180.dat family_berbew behavioral2/files/0x0006000000022e3f-178.dat family_berbew behavioral2/files/0x0006000000022e42-189.dat family_berbew behavioral2/files/0x0006000000022e42-187.dat family_berbew behavioral2/files/0x0006000000022e44-196.dat family_berbew behavioral2/files/0x0006000000022e44-198.dat family_berbew behavioral2/files/0x0006000000022e4a-204.dat family_berbew behavioral2/files/0x0006000000022e53-233.dat family_berbew behavioral2/files/0x0006000000022e53-232.dat family_berbew behavioral2/files/0x0006000000022e55-242.dat family_berbew behavioral2/files/0x0006000000022e55-241.dat family_berbew behavioral2/files/0x0006000000022e51-224.dat family_berbew behavioral2/files/0x0006000000022e51-223.dat family_berbew behavioral2/files/0x0006000000022e4f-216.dat family_berbew behavioral2/files/0x0006000000022e4f-214.dat family_berbew behavioral2/files/0x0006000000022e4a-206.dat family_berbew behavioral2/files/0x0006000000022e58-246.dat family_berbew behavioral2/files/0x0006000000022e58-251.dat family_berbew behavioral2/files/0x0006000000022e58-253.dat family_berbew behavioral2/files/0x0006000000022e5d-261.dat family_berbew behavioral2/files/0x0006000000022e5d-260.dat family_berbew behavioral2/files/0x0007000000022e60-270.dat family_berbew behavioral2/files/0x0007000000022e60-269.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3772 Hjlkge32.exe 3368 Hpfcdojl.exe 656 Iddljmpc.exe 1316 Jhlgfj32.exe 1536 Kageaj32.exe 4376 Kkmioc32.exe 1256 Lajagj32.exe 2736 Lalnmiia.exe 4296 Lgffic32.exe 4572 Lankbigo.exe 512 Lbngllob.exe 4984 Llflea32.exe 1808 Mldhfpib.exe 860 Nlnkmnah.exe 2780 Qikgco32.exe 4108 Akcjkfij.exe 460 Ajdjin32.exe 4972 Abbkcpma.exe 4836 Bcahmb32.exe 2364 Bokehc32.exe 2756 Bjbfklei.exe 1564 Ccmgiaig.exe 1532 Ccbadp32.exe 1412 Dbjkkl32.exe 4160 Hkbmqb32.exe 3360 Hlcjhkdp.exe 4816 Hginecde.exe 3024 Hlegnjbm.exe 2636 Hmechmip.exe 4684 Kgipcogp.exe 2088 Kcpahpmd.exe 3332 Kqdaadln.exe 2916 Lnjnqh32.exe 4564 Lnmkfh32.exe 2160 Lmbhgd32.exe 2424 Lqpamb32.exe 2316 Madjhb32.exe 4400 Mchppmij.exe 1260 Njfagf32.exe 3300 Nhmofj32.exe 3516 Neclenfo.exe 2628 Palbgl32.exe 3800 Pldcjeia.exe 4352 Qkipkani.exe 3792 Aogiap32.exe 2796 Aednci32.exe 2732 Anaomkdb.exe 3124 Akglloai.exe 1108 Bemqih32.exe 3952 Bhkmec32.exe 1892 Badanigc.exe 1168 Bnkbcj32.exe 4508 Bojomm32.exe 1660 Bdgged32.exe 1648 Coohhlpe.exe 1800 Flmqlg32.exe 2704 Gmafajfi.exe 4580 Gpgind32.exe 3304 Hpnoncim.exe 5004 Hifcgion.exe 4476 Hoclopne.exe 4408 Hfjdqmng.exe 4484 Ifmqfm32.exe 3436 Ipeeobbe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oflfda32.dll Pmefiakh.exe File created C:\Windows\SysWOW64\Jkgmmjgh.dll Iaahjmkn.exe File opened for modification C:\Windows\SysWOW64\Ipoheakj.exe Igfclkdj.exe File created C:\Windows\SysWOW64\Eoggpbpn.dll Fjocbhbo.exe File created C:\Windows\SysWOW64\Mcggga32.exe Llpofd32.exe File opened for modification C:\Windows\SysWOW64\Bkglkapo.exe Bdmdng32.exe File created C:\Windows\SysWOW64\Nnhfokoc.exe Nkijbooo.exe File opened for modification C:\Windows\SysWOW64\Mablfnne.exe Mledmg32.exe File opened for modification C:\Windows\SysWOW64\Hifaic32.exe Giddddad.exe File created C:\Windows\SysWOW64\Apaofk32.exe Acmomgoa.exe File created C:\Windows\SysWOW64\Ecjpfp32.exe Eakdje32.exe File created C:\Windows\SysWOW64\Ionbcb32.exe Ilpfgg32.exe File created C:\Windows\SysWOW64\Oihkgo32.exe Lbpmbipk.exe File created C:\Windows\SysWOW64\Bcnafl32.dll Nklfho32.exe File created C:\Windows\SysWOW64\Akljinhl.dll Pnmhqh32.exe File opened for modification C:\Windows\SysWOW64\Madjhb32.exe Lqpamb32.exe File created C:\Windows\SysWOW64\Okceaikl.exe Oheienli.exe File created C:\Windows\SysWOW64\Kkmioc32.exe Kageaj32.exe File created C:\Windows\SysWOW64\Ndjldo32.exe Nmpdgdmp.exe File created C:\Windows\SysWOW64\Aohcbiop.dll Kaajfe32.exe File opened for modification C:\Windows\SysWOW64\Nohicdia.exe Nqgiel32.exe File opened for modification C:\Windows\SysWOW64\Aecialmb.exe Aimhmkgn.exe File opened for modification C:\Windows\SysWOW64\Lcpqgbkj.exe Lkiiee32.exe File opened for modification C:\Windows\SysWOW64\Biolkc32.exe Bahdje32.exe File created C:\Windows\SysWOW64\Kmjinjnj.exe Jodlof32.exe File created C:\Windows\SysWOW64\Npbhdogo.dll Eapmedef.exe File opened for modification C:\Windows\SysWOW64\Bojhnjgf.exe Bimoecio.exe File created C:\Windows\SysWOW64\Qhbhpg32.dll Mcgbfcij.exe File created C:\Windows\SysWOW64\Bhkmec32.exe Bemqih32.exe File created C:\Windows\SysWOW64\Codncb32.dll Nofoki32.exe File created C:\Windows\SysWOW64\Lcpkmo32.dll Knphfklg.exe File created C:\Windows\SysWOW64\Lqbgcp32.exe Lncjgddf.exe File opened for modification C:\Windows\SysWOW64\Bafgdfim.exe Aikbpckb.exe File created C:\Windows\SysWOW64\Ldcinlep.dll Blnhgn32.exe File opened for modification C:\Windows\SysWOW64\Mallojmd.exe Mjednmla.exe File created C:\Windows\SysWOW64\Gbkkik32.exe Gkaclqkk.exe File created C:\Windows\SysWOW64\Kocgbend.exe Klekfinp.exe File opened for modification C:\Windows\SysWOW64\Gkdjaf32.exe Gdkbdllj.exe File opened for modification C:\Windows\SysWOW64\Maefnk32.exe Lacihleo.exe File created C:\Windows\SysWOW64\Mldbeh32.dll Bqdechnf.exe File opened for modification C:\Windows\SysWOW64\Oihkgo32.exe Lbpmbipk.exe File created C:\Windows\SysWOW64\Gmafajfi.exe Flmqlg32.exe File created C:\Windows\SysWOW64\Aecialmb.exe Aimhmkgn.exe File created C:\Windows\SysWOW64\Bpmobi32.exe Bnobfn32.exe File opened for modification C:\Windows\SysWOW64\Fceihh32.exe Fmkqknci.exe File created C:\Windows\SysWOW64\Mkcjdfne.dll Ncbaabom.exe File opened for modification C:\Windows\SysWOW64\Hajkqfoe.exe Hnlodjpa.exe File created C:\Windows\SysWOW64\Okolfj32.exe Obfhmd32.exe File created C:\Windows\SysWOW64\Lfcfnm32.exe Lpinac32.exe File created C:\Windows\SysWOW64\Dmnkdfce.exe Djoohk32.exe File created C:\Windows\SysWOW64\Alpopnkk.dll Occkhp32.exe File created C:\Windows\SysWOW64\Ccmgiaig.exe Bjbfklei.exe File created C:\Windows\SysWOW64\Geanfelc.exe Ggmmlamj.exe File created C:\Windows\SysWOW64\Gdojoeki.dll Okailj32.exe File opened for modification C:\Windows\SysWOW64\Ofgmib32.exe Ochamg32.exe File opened for modification C:\Windows\SysWOW64\Laqlclga.exe Lkgdfb32.exe File created C:\Windows\SysWOW64\Oqmhlego.exe Nnolojhk.exe File created C:\Windows\SysWOW64\Lbngllob.exe Lankbigo.exe File opened for modification C:\Windows\SysWOW64\Hlegnjbm.exe Hginecde.exe File opened for modification C:\Windows\SysWOW64\Mpenmadn.exe Mmfaafej.exe File created C:\Windows\SysWOW64\Pabcflhd.dll Lafmjp32.exe File created C:\Windows\SysWOW64\Amkabind.exe Aecialmb.exe File opened for modification C:\Windows\SysWOW64\Moefdljc.exe Mlgjhp32.exe File created C:\Windows\SysWOW64\Nqifkl32.exe Nohicdia.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5136 4864 WerFault.exe 812 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mccokj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oohkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqhphq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eapmedef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhlgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhhkjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knphfklg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nofoki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okeinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alpopnkk.dll" Occkhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnmhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okolfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkgnalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdkbdllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pboblika.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogqcon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbngllob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojajin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnifekmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opcjno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nieggill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bifblbad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqdeefpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjbcplpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkapelka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcngddao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nicjaino.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omdnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcpkmo32.dll" Knphfklg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndfgfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmejc32.dll" Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiacacpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbijq32.dll" Ljglnmdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghojbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfcfnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jekjcaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccigpbga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmcfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhmhiaka.dll" Nmbamdkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfe32.dll" Hiacacpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmeilpn.dll" Pcdlghgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngbgmpcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfdeo32.dll" Npldnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmgi32.dll" Nildajdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkbcpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boldcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjhfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjldplpd.dll" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojfcdnjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocknbglo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odcojm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhblne32.dll" Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgfpe32.dll" Glinjqhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabokoop.dll" Djoohk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mknjgajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lopmii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll" Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqceni32.dll" Ikjmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll" Niojoeel.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2328 wrote to memory of 3772 2328 NEAS.e088d4f5a46127c11503c3fdeb0ba070.exe 87 PID 2328 wrote to memory of 3772 2328 NEAS.e088d4f5a46127c11503c3fdeb0ba070.exe 87 PID 2328 wrote to memory of 3772 2328 NEAS.e088d4f5a46127c11503c3fdeb0ba070.exe 87 PID 3772 wrote to memory of 3368 3772 Hjlkge32.exe 88 PID 3772 wrote to memory of 3368 3772 Hjlkge32.exe 88 PID 3772 wrote to memory of 3368 3772 Hjlkge32.exe 88 PID 3368 wrote to memory of 656 3368 Hpfcdojl.exe 89 PID 3368 wrote to memory of 656 3368 Hpfcdojl.exe 89 PID 3368 wrote to memory of 656 3368 Hpfcdojl.exe 89 PID 656 wrote to memory of 1316 656 Iddljmpc.exe 90 PID 656 wrote to memory of 1316 656 Iddljmpc.exe 90 PID 656 wrote to memory of 1316 656 Iddljmpc.exe 90 PID 1316 wrote to memory of 1536 1316 Jhlgfj32.exe 91 PID 1316 wrote to memory of 1536 1316 Jhlgfj32.exe 91 PID 1316 wrote to memory of 1536 1316 Jhlgfj32.exe 91 PID 1536 wrote to memory of 4376 1536 Kageaj32.exe 92 PID 1536 wrote to memory of 4376 1536 Kageaj32.exe 92 PID 1536 wrote to memory of 4376 1536 Kageaj32.exe 92 PID 4376 wrote to memory of 1256 4376 Kkmioc32.exe 93 PID 4376 wrote to memory of 1256 4376 Kkmioc32.exe 93 PID 4376 wrote to memory of 1256 4376 Kkmioc32.exe 93 PID 1256 wrote to memory of 2736 1256 Lajagj32.exe 95 PID 1256 wrote to memory of 2736 1256 Lajagj32.exe 95 PID 1256 wrote to memory of 2736 1256 Lajagj32.exe 95 PID 2736 wrote to memory of 4296 2736 Lalnmiia.exe 96 PID 2736 wrote to memory of 4296 2736 Lalnmiia.exe 96 PID 2736 wrote to memory of 4296 2736 Lalnmiia.exe 96 PID 4296 wrote to memory of 4572 4296 Lgffic32.exe 97 PID 4296 wrote to memory of 4572 4296 Lgffic32.exe 97 PID 4296 wrote to memory of 4572 4296 Lgffic32.exe 97 PID 4572 wrote to memory of 512 4572 Lankbigo.exe 98 PID 4572 wrote to memory of 512 4572 Lankbigo.exe 98 PID 4572 wrote to memory of 512 4572 Lankbigo.exe 98 PID 512 wrote to memory of 4984 512 Lbngllob.exe 99 PID 512 wrote to memory of 4984 512 Lbngllob.exe 99 PID 512 wrote to memory of 4984 512 Lbngllob.exe 99 PID 4984 wrote to memory of 1808 4984 Llflea32.exe 100 PID 4984 wrote to memory of 1808 4984 Llflea32.exe 100 PID 4984 wrote to memory of 1808 4984 Llflea32.exe 100 PID 1808 wrote to memory of 860 1808 Mldhfpib.exe 101 PID 1808 wrote to memory of 860 1808 Mldhfpib.exe 101 PID 1808 wrote to memory of 860 1808 Mldhfpib.exe 101 PID 860 wrote to memory of 2780 860 Nlnkmnah.exe 103 PID 860 wrote to memory of 2780 860 Nlnkmnah.exe 103 PID 860 wrote to memory of 2780 860 Nlnkmnah.exe 103 PID 2780 wrote to memory of 4108 2780 Qikgco32.exe 104 PID 2780 wrote to memory of 4108 2780 Qikgco32.exe 104 PID 2780 wrote to memory of 4108 2780 Qikgco32.exe 104 PID 4108 wrote to memory of 460 4108 Akcjkfij.exe 105 PID 4108 wrote to memory of 460 4108 Akcjkfij.exe 105 PID 4108 wrote to memory of 460 4108 Akcjkfij.exe 105 PID 460 wrote to memory of 4972 460 Ajdjin32.exe 106 PID 460 wrote to memory of 4972 460 Ajdjin32.exe 106 PID 460 wrote to memory of 4972 460 Ajdjin32.exe 106 PID 4972 wrote to memory of 4836 4972 Abbkcpma.exe 107 PID 4972 wrote to memory of 4836 4972 Abbkcpma.exe 107 PID 4972 wrote to memory of 4836 4972 Abbkcpma.exe 107 PID 4836 wrote to memory of 2364 4836 Bcahmb32.exe 109 PID 4836 wrote to memory of 2364 4836 Bcahmb32.exe 109 PID 4836 wrote to memory of 2364 4836 Bcahmb32.exe 109 PID 2364 wrote to memory of 2756 2364 Bokehc32.exe 110 PID 2364 wrote to memory of 2756 2364 Bokehc32.exe 110 PID 2364 wrote to memory of 2756 2364 Bokehc32.exe 110 PID 2756 wrote to memory of 1564 2756 Bjbfklei.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e088d4f5a46127c11503c3fdeb0ba070.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e088d4f5a46127c11503c3fdeb0ba070.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe23⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe24⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe25⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe26⤵
- Executes dropped EXE
PID:4160
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe1⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4816 -
C:\Windows\SysWOW64\Hlegnjbm.exeC:\Windows\system32\Hlegnjbm.exe3⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe5⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe6⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe7⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Lnjnqh32.exeC:\Windows\system32\Lnjnqh32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe9⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe10⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe12⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe13⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe14⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe15⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe16⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe17⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe18⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe19⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe21⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe22⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3124 -
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe25⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe26⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe27⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe29⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe30⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe32⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Gpgind32.exeC:\Windows\system32\Gpgind32.exe33⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe34⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Hifcgion.exeC:\Windows\system32\Hifcgion.exe35⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe36⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe37⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe38⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe39⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Iinjhh32.exeC:\Windows\system32\Iinjhh32.exe40⤵PID:3908
-
C:\Windows\SysWOW64\Ibfnqmpf.exeC:\Windows\system32\Ibfnqmpf.exe41⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Imnocf32.exeC:\Windows\system32\Imnocf32.exe42⤵PID:3888
-
C:\Windows\SysWOW64\Igfclkdj.exeC:\Windows\system32\Igfclkdj.exe43⤵
- Drops file in System32 directory
PID:4712 -
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe44⤵PID:3744
-
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3264 -
C:\Windows\SysWOW64\Jgpfbjlo.exeC:\Windows\system32\Jgpfbjlo.exe46⤵PID:1356
-
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe47⤵PID:2752
-
C:\Windows\SysWOW64\Jedccfqg.exeC:\Windows\system32\Jedccfqg.exe48⤵PID:3704
-
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe49⤵PID:2696
-
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe50⤵PID:3396
-
C:\Windows\SysWOW64\Kcmmhj32.exeC:\Windows\system32\Kcmmhj32.exe51⤵PID:1496
-
C:\Windows\SysWOW64\Kpanan32.exeC:\Windows\system32\Kpanan32.exe52⤵PID:224
-
C:\Windows\SysWOW64\Kgnbdh32.exeC:\Windows\system32\Kgnbdh32.exe53⤵PID:4236
-
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe54⤵PID:3808
-
C:\Windows\SysWOW64\Lfbped32.exeC:\Windows\system32\Lfbped32.exe55⤵PID:4224
-
C:\Windows\SysWOW64\Llmhaold.exeC:\Windows\system32\Llmhaold.exe56⤵PID:1928
-
C:\Windows\SysWOW64\Lcgpni32.exeC:\Windows\system32\Lcgpni32.exe57⤵PID:2860
-
C:\Windows\SysWOW64\Lgdidgjg.exeC:\Windows\system32\Lgdidgjg.exe58⤵PID:4576
-
C:\Windows\SysWOW64\Lopmii32.exeC:\Windows\system32\Lopmii32.exe59⤵
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe60⤵PID:5176
-
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5216 -
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe62⤵PID:5260
-
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe63⤵PID:5300
-
C:\Windows\SysWOW64\Mjodla32.exeC:\Windows\system32\Mjodla32.exe64⤵PID:5344
-
C:\Windows\SysWOW64\Mmpmnl32.exeC:\Windows\system32\Mmpmnl32.exe65⤵PID:5384
-
C:\Windows\SysWOW64\Monjjgkb.exeC:\Windows\system32\Monjjgkb.exe66⤵PID:5428
-
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe67⤵PID:5476
-
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe68⤵PID:5516
-
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe69⤵PID:5556
-
C:\Windows\SysWOW64\Nagiji32.exeC:\Windows\system32\Nagiji32.exe70⤵PID:5596
-
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640 -
C:\Windows\SysWOW64\Ojajin32.exeC:\Windows\system32\Ojajin32.exe72⤵
- Modifies registry class
PID:5684 -
C:\Windows\SysWOW64\Onocomdo.exeC:\Windows\system32\Onocomdo.exe73⤵PID:5728
-
C:\Windows\SysWOW64\Oghghb32.exeC:\Windows\system32\Oghghb32.exe74⤵PID:5772
-
C:\Windows\SysWOW64\Ojfcdnjc.exeC:\Windows\system32\Ojfcdnjc.exe75⤵
- Modifies registry class
PID:5812 -
C:\Windows\SysWOW64\Opeiadfg.exeC:\Windows\system32\Opeiadfg.exe76⤵PID:5852
-
C:\Windows\SysWOW64\Pfandnla.exeC:\Windows\system32\Pfandnla.exe77⤵PID:5900
-
C:\Windows\SysWOW64\Pnifekmd.exeC:\Windows\system32\Pnifekmd.exe78⤵
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Pmnbfhal.exeC:\Windows\system32\Pmnbfhal.exe79⤵PID:5992
-
C:\Windows\SysWOW64\Phcgcqab.exeC:\Windows\system32\Phcgcqab.exe80⤵PID:6032
-
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe81⤵
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Pnplfj32.exeC:\Windows\system32\Pnplfj32.exe82⤵PID:6120
-
C:\Windows\SysWOW64\Qobhkjdi.exeC:\Windows\system32\Qobhkjdi.exe83⤵PID:5044
-
C:\Windows\SysWOW64\Qhjmdp32.exeC:\Windows\system32\Qhjmdp32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5208 -
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe85⤵PID:4268
-
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5292 -
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe87⤵PID:5380
-
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe88⤵PID:5460
-
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Apmhiq32.exeC:\Windows\system32\Apmhiq32.exe90⤵PID:5624
-
C:\Windows\SysWOW64\Aonhghjl.exeC:\Windows\system32\Aonhghjl.exe91⤵PID:5696
-
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe92⤵PID:5764
-
C:\Windows\SysWOW64\Bdmmeo32.exeC:\Windows\system32\Bdmmeo32.exe93⤵PID:5836
-
C:\Windows\SysWOW64\Bkgeainn.exeC:\Windows\system32\Bkgeainn.exe94⤵PID:5912
-
C:\Windows\SysWOW64\Bmeandma.exeC:\Windows\system32\Bmeandma.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe96⤵PID:6076
-
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe97⤵
- Modifies registry class
PID:6132 -
C:\Windows\SysWOW64\Bnlhncgi.exeC:\Windows\system32\Bnlhncgi.exe98⤵PID:5188
-
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe99⤵
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe100⤵PID:5436
-
C:\Windows\SysWOW64\Cglbhhga.exeC:\Windows\system32\Cglbhhga.exe101⤵PID:5588
-
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe102⤵PID:5664
-
C:\Windows\SysWOW64\Cgnomg32.exeC:\Windows\system32\Cgnomg32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784 -
C:\Windows\SysWOW64\Cdbpgl32.exeC:\Windows\system32\Cdbpgl32.exe104⤵PID:5888
-
C:\Windows\SysWOW64\Cgqlcg32.exeC:\Windows\system32\Cgqlcg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6012 -
C:\Windows\SysWOW64\Dndgfpbo.exeC:\Windows\system32\Dndgfpbo.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe107⤵PID:4180
-
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe108⤵PID:5548
-
C:\Windows\SysWOW64\Eojiqb32.exeC:\Windows\system32\Eojiqb32.exe109⤵PID:5752
-
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe110⤵PID:5976
-
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe111⤵PID:6116
-
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe112⤵PID:5328
-
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe113⤵PID:5716
-
C:\Windows\SysWOW64\Fbdehlip.exeC:\Windows\system32\Fbdehlip.exe114⤵PID:6020
-
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe115⤵PID:5280
-
C:\Windows\SysWOW64\Gkaclqkk.exeC:\Windows\system32\Gkaclqkk.exe116⤵
- Drops file in System32 directory
PID:6000 -
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe117⤵PID:5972
-
C:\Windows\SysWOW64\Gghdaa32.exeC:\Windows\system32\Gghdaa32.exe118⤵PID:6160
-
C:\Windows\SysWOW64\Gpolbo32.exeC:\Windows\system32\Gpolbo32.exe119⤵PID:6212
-
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe120⤵PID:6260
-
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe121⤵PID:6304
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-