Analysis
-
max time kernel
176s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
01/11/2023, 13:51
Behavioral task
behavioral1
Sample
NEAS.07bbb7063ceae77a33e0374737589d70.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.07bbb7063ceae77a33e0374737589d70.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.07bbb7063ceae77a33e0374737589d70.exe
-
Size
416KB
-
MD5
07bbb7063ceae77a33e0374737589d70
-
SHA1
51cc7aa27f94e05d6c9b4c4225e782a6544f9864
-
SHA256
66fc8d2973b5e872092150ea1801f2f3fcad07af8673e9b50ff1231e14c37c92
-
SHA512
ad471b36164fcc0c511811593024c961dfec0a3b2e2a0abe2cceeabcb66bd7d85ee0b035a91d51b43ee0d49de49d2a66fd06e8fc70f08ba251f30a56cf600f2c
-
SSDEEP
12288:ri++GYJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:ridGYJ07kE0KoFtw2gu9RxrBIUbPLwHh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edakimoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmffnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgemahmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejofacfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inombh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agimkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgpodk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nombnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfcjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iljpbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmimai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgicdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbbmjne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmbflc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgpmffeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holfoqcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjafoapj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfcgpkhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmejp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngcngfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhfogiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nemcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Filicodb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpnoncim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdepaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpjmph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmkibl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lejngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpcmagpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npognfpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhkdjli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkcaeige.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeimqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlijodjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmijkhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gammbfqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfkcibdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnmgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opfedb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbbkjgpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkckoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ignndo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbbffdlq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goabhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbgdef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjemkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hphpap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klloichl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhchc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiqcnhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idmhqi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbigajfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiefmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibdiln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idpbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahnghafl.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022df3-8.dat family_berbew behavioral2/files/0x0008000000022df3-6.dat family_berbew behavioral2/files/0x0006000000022e14-15.dat family_berbew behavioral2/files/0x0006000000022e16-22.dat family_berbew behavioral2/files/0x0006000000022e16-23.dat family_berbew behavioral2/files/0x0008000000022e02-30.dat family_berbew behavioral2/files/0x0006000000022e1f-38.dat family_berbew behavioral2/files/0x0006000000022e1f-37.dat family_berbew behavioral2/files/0x0008000000022e02-29.dat family_berbew behavioral2/files/0x0006000000022e14-14.dat family_berbew behavioral2/files/0x0006000000022e21-45.dat family_berbew behavioral2/files/0x0006000000022e21-46.dat family_berbew behavioral2/files/0x0006000000022e23-55.dat family_berbew behavioral2/files/0x0006000000022e23-54.dat family_berbew behavioral2/files/0x0006000000022e25-63.dat family_berbew behavioral2/files/0x0006000000022e25-62.dat family_berbew behavioral2/files/0x0006000000022e27-70.dat family_berbew behavioral2/files/0x0006000000022e27-72.dat family_berbew behavioral2/files/0x0006000000022e29-78.dat family_berbew behavioral2/files/0x0006000000022e29-79.dat family_berbew behavioral2/files/0x0006000000022e2b-87.dat family_berbew behavioral2/files/0x0006000000022e2b-86.dat family_berbew behavioral2/files/0x0006000000022e2d-94.dat family_berbew behavioral2/files/0x0006000000022e2d-96.dat family_berbew behavioral2/files/0x0006000000022e2f-102.dat family_berbew behavioral2/files/0x0006000000022e2f-103.dat family_berbew behavioral2/files/0x0006000000022e31-110.dat family_berbew behavioral2/files/0x0006000000022e31-112.dat family_berbew behavioral2/files/0x0006000000022e33-113.dat family_berbew behavioral2/files/0x0006000000022e33-120.dat family_berbew behavioral2/files/0x0006000000022e33-118.dat family_berbew behavioral2/files/0x0006000000022e37-126.dat family_berbew behavioral2/files/0x0006000000022e37-128.dat family_berbew behavioral2/files/0x0006000000022e3b-129.dat family_berbew behavioral2/files/0x0006000000022e3b-134.dat family_berbew behavioral2/files/0x0006000000022e3b-136.dat family_berbew behavioral2/files/0x0006000000022e3e-144.dat family_berbew behavioral2/files/0x0007000000022e41-150.dat family_berbew behavioral2/files/0x0006000000022e43-159.dat family_berbew behavioral2/files/0x0006000000022e45-167.dat family_berbew behavioral2/files/0x0007000000022e40-168.dat family_berbew behavioral2/files/0x0006000000022e45-166.dat family_berbew behavioral2/files/0x0006000000022e43-158.dat family_berbew behavioral2/files/0x0007000000022e41-151.dat family_berbew behavioral2/files/0x0006000000022e3e-142.dat family_berbew behavioral2/files/0x0006000000022e48-182.dat family_berbew behavioral2/files/0x0006000000022e48-183.dat family_berbew behavioral2/files/0x0007000000022e40-174.dat family_berbew behavioral2/files/0x0007000000022e40-173.dat family_berbew behavioral2/files/0x0006000000022e4a-192.dat family_berbew behavioral2/files/0x0006000000022e4a-190.dat family_berbew behavioral2/files/0x0006000000022e4e-198.dat family_berbew behavioral2/files/0x0006000000022e4e-199.dat family_berbew behavioral2/files/0x0006000000022e50-206.dat family_berbew behavioral2/files/0x0006000000022e50-208.dat family_berbew behavioral2/files/0x0006000000022e55-215.dat family_berbew behavioral2/files/0x0006000000022e5a-223.dat family_berbew behavioral2/files/0x0006000000022e5a-222.dat family_berbew behavioral2/files/0x0006000000022e55-214.dat family_berbew behavioral2/files/0x0006000000022e5d-230.dat family_berbew behavioral2/files/0x0006000000022e5d-232.dat family_berbew behavioral2/files/0x0007000000022e61-238.dat family_berbew behavioral2/files/0x0007000000022e61-239.dat family_berbew behavioral2/files/0x0006000000022e65-246.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2300 Njinmf32.exe 4704 Nnfgcd32.exe 4948 Neqopnhb.exe 1420 Nnicid32.exe 1576 Ndflak32.exe 2216 Nlmdbh32.exe 2212 Oeehkn32.exe 3864 Onpjichj.exe 4868 Odmbaj32.exe 3852 Ohkkhhmh.exe 1924 Pmaffnce.exe 3356 Pmcclm32.exe 4448 Qemhbj32.exe 4572 Qkipkani.exe 3668 Qhmqdemc.exe 1168 Aojefobm.exe 4664 Anobgl32.exe 4092 Alpbecod.exe 3840 Adkgje32.exe 4980 Aoalgn32.exe 4064 Aekddhcb.exe 3192 Akglloai.exe 2788 Bemqih32.exe 1572 Bepmoh32.exe 2404 Bkobmnka.exe 3144 Bakgoh32.exe 2432 Chglab32.exe 1680 Coadnlnb.exe 1944 Chiigadc.exe 3248 Cdpjlb32.exe 4104 Cofnik32.exe 4636 Ckmonl32.exe 4936 Chqogq32.exe 4556 Ddgplado.exe 4776 Dkahilkl.exe 1500 Dfglfdkb.exe 2888 Ddligq32.exe 3920 Doaneiop.exe 4052 Dijbno32.exe 4620 Dodjjimm.exe 2240 Dbbffdlq.exe 3932 Emhkdmlg.exe 3080 Enigke32.exe 652 Eecphp32.exe 3308 Eoideh32.exe 780 Eeelnp32.exe 4904 Ennqfenp.exe 1796 Epmmqheb.exe 5080 Eifaim32.exe 2560 Flfkkhid.exe 4204 Fbpchb32.exe 3788 Fligqhga.exe 840 Fealin32.exe 3004 Fnipbc32.exe 2904 Fpimlfke.exe 2320 Fiaael32.exe 452 Fbjena32.exe 2776 Gfhndpol.exe 4872 Gmafajfi.exe 1652 Gemkelcd.exe 2804 Glgcbf32.exe 1424 Geohklaa.exe 4376 Goglcahb.exe 4308 Gmimai32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bnehgmob.exe Bglpjb32.exe File created C:\Windows\SysWOW64\Emnjnaja.dll Ednajepe.exe File opened for modification C:\Windows\SysWOW64\Aqjpod32.exe Aokceaoa.exe File created C:\Windows\SysWOW64\Bciebm32.exe Bmomecoi.exe File created C:\Windows\SysWOW64\Fiilmofe.exe Embkhn32.exe File created C:\Windows\SysWOW64\Knfeoobh.exe Kkgicccd.exe File created C:\Windows\SysWOW64\Gfhndpol.exe Fbjena32.exe File created C:\Windows\SysWOW64\Onahgf32.dll Ahdpjn32.exe File opened for modification C:\Windows\SysWOW64\Majjgmco.exe Mlmbofdh.exe File created C:\Windows\SysWOW64\Lnbcfp32.dll Oeccijoh.exe File created C:\Windows\SysWOW64\Ffiblg32.exe Fldnoo32.exe File opened for modification C:\Windows\SysWOW64\Dfonnk32.exe Dpefaq32.exe File created C:\Windows\SysWOW64\Mliejcjo.dll Epgenk32.exe File created C:\Windows\SysWOW64\Dmifkecb.exe Dfonnk32.exe File opened for modification C:\Windows\SysWOW64\Fjlpbb32.exe Fgfmeg32.exe File created C:\Windows\SysWOW64\Hpdlajfe.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cjhfjg32.exe Cpbbln32.exe File opened for modification C:\Windows\SysWOW64\Poomom32.exe Pakleh32.exe File created C:\Windows\SysWOW64\Akcjel32.exe Ajbmmcii.exe File opened for modification C:\Windows\SysWOW64\Ndomiddc.exe Nmedmj32.exe File created C:\Windows\SysWOW64\Leadag32.dll Fpeapilo.exe File created C:\Windows\SysWOW64\Nmedmj32.exe Ngklppei.exe File created C:\Windows\SysWOW64\Jlabgq32.dll Giqlbqcc.exe File created C:\Windows\SysWOW64\Fbpchb32.exe Flfkkhid.exe File opened for modification C:\Windows\SysWOW64\Kdkdqinj.exe Kjepcqnd.exe File opened for modification C:\Windows\SysWOW64\Aokceaoa.exe Ahakhg32.exe File created C:\Windows\SysWOW64\Fkpoha32.exe Fdffkgpc.exe File created C:\Windows\SysWOW64\Kqiiiidg.dll Dfefeq32.exe File created C:\Windows\SysWOW64\Hibape32.exe Hipdjfoo.exe File created C:\Windows\SysWOW64\Iddoag32.dll Gnkflo32.exe File opened for modification C:\Windows\SysWOW64\Hiefmp32.exe Hbknqeha.exe File created C:\Windows\SysWOW64\Nqgiel32.exe Ngodlgka.exe File opened for modification C:\Windows\SysWOW64\Gpfjfg32.exe Ggnenagl.exe File opened for modification C:\Windows\SysWOW64\Fjphoi32.exe Fcepbooa.exe File opened for modification C:\Windows\SysWOW64\Odmbaj32.exe Onpjichj.exe File created C:\Windows\SysWOW64\Aaoaic32.exe Agimkk32.exe File created C:\Windows\SysWOW64\Qileqiab.dll Process not Found File created C:\Windows\SysWOW64\Eammlc32.dll Qhlkbaho.exe File opened for modification C:\Windows\SysWOW64\Hbflnl32.exe Hphpap32.exe File created C:\Windows\SysWOW64\Edmcbd32.dll Process not Found File created C:\Windows\SysWOW64\Oqoefand.exe Ojemig32.exe File opened for modification C:\Windows\SysWOW64\Cibkohef.exe Cbhbbn32.exe File created C:\Windows\SysWOW64\Jqhaolli.exe Jgpmffeh.exe File created C:\Windows\SysWOW64\Ccgjjc32.exe Cmmbmiag.exe File opened for modification C:\Windows\SysWOW64\Hfmigmgf.exe Hnfafpfd.exe File created C:\Windows\SysWOW64\Kakednfj.exe Kidmcqeg.exe File created C:\Windows\SysWOW64\Nqpccp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iljpbp32.exe Ikickgnf.exe File created C:\Windows\SysWOW64\Jfgefg32.exe Jcihjl32.exe File created C:\Windows\SysWOW64\Kbjkbj32.dll Jdpkoalc.exe File created C:\Windows\SysWOW64\Ahnljade.dll Kmbfiokn.exe File opened for modification C:\Windows\SysWOW64\Mqnfon32.exe Moljgeco.exe File created C:\Windows\SysWOW64\Ocmhbj32.dll Homadjin.exe File created C:\Windows\SysWOW64\Eephkk32.dll Nhbfpl32.exe File created C:\Windows\SysWOW64\Ogailh32.dll Epmmjnkp.exe File opened for modification C:\Windows\SysWOW64\Flfjdn32.exe Ffiblg32.exe File created C:\Windows\SysWOW64\Paiogf32.exe Pdenmbkk.exe File created C:\Windows\SysWOW64\Lmnbjama.dll Pnmopk32.exe File created C:\Windows\SysWOW64\Hoaocf32.exe Process not Found File created C:\Windows\SysWOW64\Ojmqgd32.exe Process not Found File created C:\Windows\SysWOW64\Cbefkp32.exe Cknnjcmo.exe File created C:\Windows\SysWOW64\Lfdqcn32.dll Pfandnla.exe File opened for modification C:\Windows\SysWOW64\Obgofmjb.exe Obdbqm32.exe File created C:\Windows\SysWOW64\Jecdnddf.dll Qofjjb32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jipqkopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eecpaeoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmidnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaihonhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nqdlpmce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odfmdoph.dll" Ajlngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbqmbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkngco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgnid32.dll" Enigke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eeelnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhefhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgjjgkh.dll" Hhmdeink.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjccna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll" Dfakcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enmnohha.dll" Fcepbooa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhqaokcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edjgpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejlban32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bglpjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkhdgfen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkkjfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qaofphbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfefeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bacina32.dll" Hdmohnhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Geeecogb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agpoqoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bciebm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clbhkfdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Coadnlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhghjpod.dll" Obdbqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inmggo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opnglhnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcphpdil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Faiplcmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ggilbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qkipkani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Akglloai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkbmjhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gphddlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqlhniij.dll" Meepoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgnbol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibdiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decnea32.dll" Cnhell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eabjkdcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emfebjgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pimfpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccpkblqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eecphp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhbnqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbfeoohe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Poomom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhihkjfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjnfh32.dll" Bjbnndgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponca32.dll" Ejhanj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohcbiop.dll" Kaajfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkechjib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njmejp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 316 wrote to memory of 2300 316 NEAS.07bbb7063ceae77a33e0374737589d70.exe 87 PID 316 wrote to memory of 2300 316 NEAS.07bbb7063ceae77a33e0374737589d70.exe 87 PID 316 wrote to memory of 2300 316 NEAS.07bbb7063ceae77a33e0374737589d70.exe 87 PID 2300 wrote to memory of 4704 2300 Njinmf32.exe 88 PID 2300 wrote to memory of 4704 2300 Njinmf32.exe 88 PID 2300 wrote to memory of 4704 2300 Njinmf32.exe 88 PID 4704 wrote to memory of 4948 4704 Nnfgcd32.exe 89 PID 4704 wrote to memory of 4948 4704 Nnfgcd32.exe 89 PID 4704 wrote to memory of 4948 4704 Nnfgcd32.exe 89 PID 4948 wrote to memory of 1420 4948 Neqopnhb.exe 90 PID 4948 wrote to memory of 1420 4948 Neqopnhb.exe 90 PID 4948 wrote to memory of 1420 4948 Neqopnhb.exe 90 PID 1420 wrote to memory of 1576 1420 Nnicid32.exe 91 PID 1420 wrote to memory of 1576 1420 Nnicid32.exe 91 PID 1420 wrote to memory of 1576 1420 Nnicid32.exe 91 PID 1576 wrote to memory of 2216 1576 Ndflak32.exe 92 PID 1576 wrote to memory of 2216 1576 Ndflak32.exe 92 PID 1576 wrote to memory of 2216 1576 Ndflak32.exe 92 PID 2216 wrote to memory of 2212 2216 Nlmdbh32.exe 94 PID 2216 wrote to memory of 2212 2216 Nlmdbh32.exe 94 PID 2216 wrote to memory of 2212 2216 Nlmdbh32.exe 94 PID 2212 wrote to memory of 3864 2212 Oeehkn32.exe 95 PID 2212 wrote to memory of 3864 2212 Oeehkn32.exe 95 PID 2212 wrote to memory of 3864 2212 Oeehkn32.exe 95 PID 3864 wrote to memory of 4868 3864 Onpjichj.exe 96 PID 3864 wrote to memory of 4868 3864 Onpjichj.exe 96 PID 3864 wrote to memory of 4868 3864 Onpjichj.exe 96 PID 4868 wrote to memory of 3852 4868 Odmbaj32.exe 97 PID 4868 wrote to memory of 3852 4868 Odmbaj32.exe 97 PID 4868 wrote to memory of 3852 4868 Odmbaj32.exe 97 PID 3852 wrote to memory of 1924 3852 Ohkkhhmh.exe 98 PID 3852 wrote to memory of 1924 3852 Ohkkhhmh.exe 98 PID 3852 wrote to memory of 1924 3852 Ohkkhhmh.exe 98 PID 1924 wrote to memory of 3356 1924 Pmaffnce.exe 99 PID 1924 wrote to memory of 3356 1924 Pmaffnce.exe 99 PID 1924 wrote to memory of 3356 1924 Pmaffnce.exe 99 PID 3356 wrote to memory of 4448 3356 Pmcclm32.exe 100 PID 3356 wrote to memory of 4448 3356 Pmcclm32.exe 100 PID 3356 wrote to memory of 4448 3356 Pmcclm32.exe 100 PID 4448 wrote to memory of 4572 4448 Qemhbj32.exe 101 PID 4448 wrote to memory of 4572 4448 Qemhbj32.exe 101 PID 4448 wrote to memory of 4572 4448 Qemhbj32.exe 101 PID 4572 wrote to memory of 3668 4572 Qkipkani.exe 102 PID 4572 wrote to memory of 3668 4572 Qkipkani.exe 102 PID 4572 wrote to memory of 3668 4572 Qkipkani.exe 102 PID 3668 wrote to memory of 1168 3668 Qhmqdemc.exe 103 PID 3668 wrote to memory of 1168 3668 Qhmqdemc.exe 103 PID 3668 wrote to memory of 1168 3668 Qhmqdemc.exe 103 PID 1168 wrote to memory of 4664 1168 Aojefobm.exe 104 PID 1168 wrote to memory of 4664 1168 Aojefobm.exe 104 PID 1168 wrote to memory of 4664 1168 Aojefobm.exe 104 PID 4664 wrote to memory of 4092 4664 Anobgl32.exe 105 PID 4664 wrote to memory of 4092 4664 Anobgl32.exe 105 PID 4664 wrote to memory of 4092 4664 Anobgl32.exe 105 PID 4092 wrote to memory of 3840 4092 Alpbecod.exe 106 PID 4092 wrote to memory of 3840 4092 Alpbecod.exe 106 PID 4092 wrote to memory of 3840 4092 Alpbecod.exe 106 PID 3840 wrote to memory of 4980 3840 Adkgje32.exe 109 PID 3840 wrote to memory of 4980 3840 Adkgje32.exe 109 PID 3840 wrote to memory of 4980 3840 Adkgje32.exe 109 PID 4980 wrote to memory of 4064 4980 Aoalgn32.exe 108 PID 4980 wrote to memory of 4064 4980 Aoalgn32.exe 108 PID 4980 wrote to memory of 4064 4980 Aoalgn32.exe 108 PID 4064 wrote to memory of 3192 4064 Aekddhcb.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.07bbb7063ceae77a33e0374737589d70.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.07bbb7063ceae77a33e0374737589d70.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Onpjichj.exeC:\Windows\system32\Onpjichj.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Odmbaj32.exeC:\Windows\system32\Odmbaj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Anobgl32.exeC:\Windows\system32\Anobgl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Adkgje32.exeC:\Windows\system32\Adkgje32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe1⤵
- Executes dropped EXE
- Modifies registry class
PID:3192 -
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe2⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe3⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe4⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe5⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe6⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe7⤵
- Executes dropped EXE
- Modifies registry class
PID:1680
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064
-
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe1⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe2⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Cofnik32.exeC:\Windows\system32\Cofnik32.exe3⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe4⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe5⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe6⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe8⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe9⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Doaneiop.exeC:\Windows\system32\Doaneiop.exe10⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe11⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe12⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe14⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe15⤵
- Executes dropped EXE
- Modifies registry class
PID:3080 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe16⤵
- Executes dropped EXE
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe17⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe18⤵
- Executes dropped EXE
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe19⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe20⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe21⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe23⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe24⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe25⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe26⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe27⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Fiaael32.exeC:\Windows\system32\Fiaael32.exe28⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:452 -
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe30⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe31⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe32⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe33⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Geohklaa.exeC:\Windows\system32\Geohklaa.exe34⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Goglcahb.exeC:\Windows\system32\Goglcahb.exe35⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe37⤵PID:3960
-
C:\Windows\SysWOW64\Holfoqcm.exeC:\Windows\system32\Holfoqcm.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4740 -
C:\Windows\SysWOW64\Hlpfhe32.exeC:\Windows\system32\Hlpfhe32.exe39⤵PID:1544
-
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe40⤵PID:1700
-
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe41⤵PID:1960
-
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:212 -
C:\Windows\SysWOW64\Hekgfj32.exeC:\Windows\system32\Hekgfj32.exe43⤵PID:1880
-
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe44⤵PID:4060
-
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe45⤵PID:4048
-
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe46⤵PID:3340
-
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe47⤵PID:1928
-
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe48⤵PID:3456
-
C:\Windows\SysWOW64\Iedjmioj.exeC:\Windows\system32\Iedjmioj.exe49⤵PID:4800
-
C:\Windows\SysWOW64\Imkbnf32.exeC:\Windows\system32\Imkbnf32.exe50⤵PID:2620
-
C:\Windows\SysWOW64\Iefgbh32.exeC:\Windows\system32\Iefgbh32.exe51⤵PID:2196
-
C:\Windows\SysWOW64\Jllokajf.exeC:\Windows\system32\Jllokajf.exe52⤵PID:4192
-
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe53⤵PID:4036
-
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe54⤵PID:3872
-
C:\Windows\SysWOW64\Ocaebc32.exeC:\Windows\system32\Ocaebc32.exe55⤵PID:3392
-
C:\Windows\SysWOW64\Pmiikh32.exeC:\Windows\system32\Pmiikh32.exe56⤵PID:4924
-
C:\Windows\SysWOW64\Pfandnla.exeC:\Windows\system32\Pfandnla.exe57⤵
- Drops file in System32 directory
PID:3352 -
C:\Windows\SysWOW64\Pmlfqh32.exeC:\Windows\system32\Pmlfqh32.exe58⤵PID:3436
-
C:\Windows\SysWOW64\Pdenmbkk.exeC:\Windows\system32\Pdenmbkk.exe59⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Phcgcqab.exeC:\Windows\system32\Phcgcqab.exe61⤵PID:1984
-
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe62⤵
- Drops file in System32 directory
PID:3912 -
C:\Windows\SysWOW64\Pdjgha32.exeC:\Windows\system32\Pdjgha32.exe63⤵PID:5060
-
C:\Windows\SysWOW64\Panhbfep.exeC:\Windows\system32\Panhbfep.exe64⤵PID:932
-
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe65⤵PID:5136
-
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe66⤵PID:5180
-
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe67⤵PID:5224
-
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe68⤵PID:5268
-
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe69⤵PID:5312
-
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe70⤵PID:5360
-
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe71⤵PID:5400
-
C:\Windows\SysWOW64\Ahdpjn32.exeC:\Windows\system32\Ahdpjn32.exe72⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Agimkk32.exeC:\Windows\system32\Agimkk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Aaoaic32.exeC:\Windows\system32\Aaoaic32.exe74⤵PID:5524
-
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe75⤵PID:5568
-
C:\Windows\SysWOW64\Bmeandma.exeC:\Windows\system32\Bmeandma.exe76⤵PID:5612
-
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe77⤵PID:5656
-
C:\Windows\SysWOW64\Bhmbqm32.exeC:\Windows\system32\Bhmbqm32.exe78⤵PID:5704
-
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe79⤵PID:5744
-
C:\Windows\SysWOW64\Baegibae.exeC:\Windows\system32\Baegibae.exe80⤵PID:5792
-
C:\Windows\SysWOW64\Boihcf32.exeC:\Windows\system32\Boihcf32.exe81⤵PID:5836
-
C:\Windows\SysWOW64\Bpkdjofm.exeC:\Windows\system32\Bpkdjofm.exe82⤵PID:5900
-
C:\Windows\SysWOW64\Jblmgf32.exeC:\Windows\system32\Jblmgf32.exe83⤵PID:5944
-
C:\Windows\SysWOW64\Jekjcaef.exeC:\Windows\system32\Jekjcaef.exe84⤵PID:5988
-
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe85⤵PID:6032
-
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe86⤵PID:6088
-
C:\Windows\SysWOW64\Oophlo32.exeC:\Windows\system32\Oophlo32.exe87⤵PID:6132
-
C:\Windows\SysWOW64\Ojemig32.exeC:\Windows\system32\Ojemig32.exe88⤵
- Drops file in System32 directory
PID:5164 -
C:\Windows\SysWOW64\Oqoefand.exeC:\Windows\system32\Oqoefand.exe89⤵PID:5208
-
C:\Windows\SysWOW64\Pqbala32.exeC:\Windows\system32\Pqbala32.exe90⤵PID:5296
-
C:\Windows\SysWOW64\Pimfpc32.exeC:\Windows\system32\Pimfpc32.exe91⤵
- Modifies registry class
PID:5348 -
C:\Windows\SysWOW64\Padnaq32.exeC:\Windows\system32\Padnaq32.exe92⤵PID:5424
-
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe93⤵PID:5504
-
C:\Windows\SysWOW64\Ppikbm32.exeC:\Windows\system32\Ppikbm32.exe94⤵PID:5580
-
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe95⤵PID:5636
-
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe96⤵PID:5732
-
C:\Windows\SysWOW64\Pjaleemj.exeC:\Windows\system32\Pjaleemj.exe97⤵PID:5784
-
C:\Windows\SysWOW64\Pakdbp32.exeC:\Windows\system32\Pakdbp32.exe98⤵PID:5860
-
C:\Windows\SysWOW64\Pfhmjf32.exeC:\Windows\system32\Pfhmjf32.exe99⤵PID:5888
-
C:\Windows\SysWOW64\Pmbegqjk.exeC:\Windows\system32\Pmbegqjk.exe100⤵PID:5952
-
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe101⤵PID:6020
-
C:\Windows\SysWOW64\Qiiflaoo.exeC:\Windows\system32\Qiiflaoo.exe102⤵PID:4352
-
C:\Windows\SysWOW64\Qpbnhl32.exeC:\Windows\system32\Qpbnhl32.exe103⤵PID:6140
-
C:\Windows\SysWOW64\Acqgojmb.exeC:\Windows\system32\Acqgojmb.exe104⤵PID:5192
-
C:\Windows\SysWOW64\Ajjokd32.exeC:\Windows\system32\Ajjokd32.exe105⤵PID:5304
-
C:\Windows\SysWOW64\Apggckbf.exeC:\Windows\system32\Apggckbf.exe106⤵PID:5388
-
C:\Windows\SysWOW64\Abfdpfaj.exeC:\Windows\system32\Abfdpfaj.exe107⤵PID:5552
-
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe108⤵PID:5652
-
C:\Windows\SysWOW64\Abhqefpg.exeC:\Windows\system32\Abhqefpg.exe109⤵PID:5756
-
C:\Windows\SysWOW64\Ajohfcpj.exeC:\Windows\system32\Ajohfcpj.exe110⤵PID:5872
-
C:\Windows\SysWOW64\Aaiqcnhg.exeC:\Windows\system32\Aaiqcnhg.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe112⤵PID:6000
-
C:\Windows\SysWOW64\Ajaelc32.exeC:\Windows\system32\Ajaelc32.exe113⤵PID:6112
-
C:\Windows\SysWOW64\Adjjeieh.exeC:\Windows\system32\Adjjeieh.exe114⤵PID:5248
-
C:\Windows\SysWOW64\Bdlfjh32.exeC:\Windows\system32\Bdlfjh32.exe115⤵PID:5408
-
C:\Windows\SysWOW64\Bmidnm32.exeC:\Windows\system32\Bmidnm32.exe116⤵
- Modifies registry class
PID:5604 -
C:\Windows\SysWOW64\Bphqji32.exeC:\Windows\system32\Bphqji32.exe117⤵PID:5788
-
C:\Windows\SysWOW64\Bbfmgd32.exeC:\Windows\system32\Bbfmgd32.exe118⤵PID:5920
-
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe119⤵PID:6068
-
C:\Windows\SysWOW64\Bpjmph32.exeC:\Windows\system32\Bpjmph32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5220 -
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe121⤵PID:5456
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-