Analysis
max time kernel: 156s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2023, 08:27

Behavioral task: behavioral1
Sample: NEAS.9465bb7b5ecc190c83b7ff2130ca7b95.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.9465bb7b5ecc190c83b7ff2130ca7b95.exe
Resource: win10v2004-20231020-en

General
Target: NEAS.9465bb7b5ecc190c83b7ff2130ca7b95.exe
Size: 367KB
MD5: 9465bb7b5ecc190c83b7ff2130ca7b95
SHA1: d8307ffbff71486aec3c9ad780bf21efc6a8276c
SHA256: 426018fd4c1d6fdd2eaf1c305f89577987a2287077066e8b20a4c1bb8d754313
SHA512: 5426655ef171ff2bfcb32f0291d837292c9e7c1e7c418767f19fb2c400ce9714982658fce5e1ab7a35d9c53896edd73babb45050c92d8a21bf8ce699c15c4afb
SSDEEP: 6144:6JjaNcgC7tnJfKXqPTX7D7FM6234lKm3mo8Yvi4KsLTFM6234lKm3cM9:6JjbtJCXqP77D7FB24lwR45FB24lqM
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9465bb7b5ecc190c83b7ff2130ca7b95.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9465bb7b5ecc190c83b7ff2130ca7b95.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe23⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe24⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe25⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe26⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe27⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Lnjnqh32.exeC:\Windows\system32\Lnjnqh32.exe28⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Ljaoeini.exeC:\Windows\system32\Ljaoeini.exe29⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Ldgccb32.exeC:\Windows\system32\Ldgccb32.exe30⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe31⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe32⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe33⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Lqbncb32.exeC:\Windows\system32\Lqbncb32.exe34⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe35⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe36⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe37⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe38⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe39⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe40⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe41⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe42⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe43⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe44⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe45⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Ojbacd32.exeC:\Windows\system32\Ojbacd32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Odjeljhd.exeC:\Windows\system32\Odjeljhd.exe47⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Omcjep32.exeC:\Windows\system32\Omcjep32.exe48⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe49⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe50⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe51⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe52⤵PID:1780
-
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe53⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe54⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe55⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe56⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Pajeam32.exeC:\Windows\system32\Pajeam32.exe57⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe58⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe60⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe61⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe62⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:4216 -
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe64⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe65⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:3856 -
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe67⤵PID:3928
-
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe68⤵PID:3404
-
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe69⤵PID:1804
-
C:\Windows\SysWOW64\Anobgl32.exeC:\Windows\system32\Anobgl32.exe70⤵PID:3736
-
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe71⤵PID:4432
-
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3732 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe73⤵PID:2460
-
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe74⤵
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe75⤵PID:5128
-
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe76⤵PID:5172
-
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe77⤵PID:5208
-
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe78⤵PID:5260
-
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe79⤵PID:5308
-
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe80⤵PID:5356
-
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe81⤵PID:5396
-
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe82⤵PID:5436
-
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe83⤵PID:5480
-
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe84⤵PID:5524
-
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe85⤵PID:5572
-
C:\Windows\SysWOW64\Cdlqqcnl.exeC:\Windows\system32\Cdlqqcnl.exe86⤵PID:5612
-
C:\Windows\SysWOW64\Ckeimm32.exeC:\Windows\system32\Ckeimm32.exe87⤵PID:5660
-
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe88⤵
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe89⤵PID:5760
-
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe90⤵PID:5804
-
C:\Windows\SysWOW64\Cofnik32.exeC:\Windows\system32\Cofnik32.exe91⤵PID:5848
-
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe92⤵PID:5892
-
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe93⤵PID:5936
-
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe94⤵
- Drops file in System32 directory
PID:5980 -
C:\Windows\SysWOW64\Dokgdkeh.exeC:\Windows\system32\Dokgdkeh.exe95⤵PID:6024
-
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe96⤵PID:6068
-
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe97⤵PID:6112
-
C:\Windows\SysWOW64\Dnpdegjp.exeC:\Windows\system32\Dnpdegjp.exe98⤵PID:792
-
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe99⤵
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Dnbakghm.exeC:\Windows\system32\Dnbakghm.exe100⤵PID:5292
-
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe101⤵PID:5384
-
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe102⤵
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Dmennnni.exeC:\Windows\system32\Dmennnni.exe103⤵PID:5536
-
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe104⤵PID:5600
-
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe105⤵
- Drops file in System32 directory
PID:5668 -
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe106⤵PID:5744
-
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe107⤵PID:5840
-
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe108⤵PID:5884
-
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe109⤵PID:3704
-
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe110⤵PID:6064
-
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe111⤵PID:6100
-
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe112⤵PID:5204
-
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5368 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe114⤵PID:5488
-
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe115⤵PID:5596
-
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5720 -
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe117⤵PID:5800
-
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe118⤵PID:5944
-
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe119⤵
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe120⤵PID:5252
-
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe121⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe122⤵PID:5408