Analysis
max time kernel: 181s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2023, 14:15
Behavioral tasks
behavioral1: Sample NEAS.9923cc0ceb9215121152707013e12de0.exe, Resource win7-20231023-en
behavioral2: Sample NEAS.9923cc0ceb9215121152707013e12de0.exe, Resource win10v2004-20231023-en (the run reported below; the YARA hits are recorded under behavioral2/)
General
Target: NEAS.9923cc0ceb9215121152707013e12de0.exe
Size: 367KB
MD5: 9923cc0ceb9215121152707013e12de0
SHA1: d3afcc62855b36523a92997fe528cccfcfc67c79
SHA256: 03306b55f7cccdef7287fad8218268818f456eca07f6d6353ba52d2a25f3b358
SHA512: a92af53ae9ec93fc50ab98117164da81ca2d61385671a4bed4ed13b220d5728a93a6745100eb8d7aebf1e3e0788f13d962ead530c4bfd5c552d27c89da3afce4
SSDEEP: 6144:jjwTzA2n+KobitnJfKXqPTX7D7FM6234lKm3mo8Yvi4KsLTFM6234lKm3cM9:GA2VoOtJCXqP77D7FB24lwR45FB24lqM
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer reads HKLM\...\CurrentVersion\ShellServiceObjectDelayLoad at logon and instantiates every CLSID listed there. The chain registers its component under the value name "Web Event Logger" pointing at CLSID {79ECA078-17FF-726B-E811-213280E5C831}; each generation re-creates the key and re-sets the value rather than checking for an existing one, which is why dozens of different dropped executables show up as the writing process. The key sits under WOW6432Node because the processes are 32-bit and their registry writes are redirected.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkhcpkkb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cooolhin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ckhlgilp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddbppa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnmaea32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojnfihmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pidamcgd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adadbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dnmaea32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgieipmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Angleokb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Igmgji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Npnqcpmc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icdhojka.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mccfnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ibojgikg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jphcmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hjhaeklb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahnghafl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmjlpnpb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jloacl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Omnqhbap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nhfpjghi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hlnqfanb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cnaaib32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbgbnkfm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qlejnqbj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilhcmpeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mmnglh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgcjfbed.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdoegcfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfqkmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jkjclk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mohidbkl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgomaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jangaboo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fggdic32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lckglc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mldhacpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hgahnjpk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Injmlbkh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbpolb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cqfahh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqdoob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhmmchpd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njmopj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Plhgdn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnqbmadp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mcfbkpab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibhlmgdj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdbheajp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfcoekhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Icoodj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mpapgknd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fhbbmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ofdhlh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pllppnnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bcmolimg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmbamdkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Olndnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qekbaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnpjegpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cbphncfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Omnqcfig.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers. The rows below are the family_berbew YARA rule firing on files dropped during the behavioral2 run; the same file ID usually appears twice because the sandbox records the file at more than one point in its lifetime.
resource | yara_rule
behavioral2/files/0x0006000000022e12-5.dat | family_berbew
behavioral2/files/0x0006000000022e12-7.dat | family_berbew
behavioral2/files/0x0006000000022e16-14.dat | family_berbew
behavioral2/files/0x0006000000022e16-16.dat | family_berbew
behavioral2/files/0x0007000000022e17-22.dat | family_berbew
behavioral2/files/0x0007000000022e17-24.dat | family_berbew
behavioral2/files/0x0006000000022e1a-30.dat | family_berbew
behavioral2/files/0x0006000000022e1a-32.dat | family_berbew
behavioral2/files/0x0008000000022df9-38.dat | family_berbew
behavioral2/files/0x0008000000022df9-40.dat | family_berbew
behavioral2/files/0x0006000000022e1e-46.dat | family_berbew
behavioral2/files/0x0006000000022e1e-48.dat | family_berbew
behavioral2/files/0x0006000000022e20-54.dat | family_berbew
behavioral2/files/0x0006000000022e20-56.dat | family_berbew
behavioral2/files/0x0006000000022e23-64.dat | family_berbew
behavioral2/files/0x0006000000022e23-62.dat | family_berbew
behavioral2/files/0x0006000000022e25-70.dat | family_berbew
behavioral2/files/0x0006000000022e25-71.dat | family_berbew
behavioral2/files/0x0006000000022e27-78.dat | family_berbew
behavioral2/files/0x0006000000022e27-80.dat | family_berbew
behavioral2/files/0x0006000000022e29-86.dat | family_berbew
behavioral2/files/0x0006000000022e29-88.dat | family_berbew
behavioral2/files/0x0006000000022e2b-94.dat | family_berbew
behavioral2/files/0x0006000000022e2b-96.dat | family_berbew
behavioral2/files/0x0006000000022e2d-102.dat | family_berbew
behavioral2/files/0x0006000000022e2d-104.dat | family_berbew
behavioral2/files/0x0006000000022e30-110.dat | family_berbew
behavioral2/files/0x0006000000022e30-112.dat | family_berbew
behavioral2/files/0x0006000000022e36-118.dat | family_berbew
behavioral2/files/0x0006000000022e36-120.dat | family_berbew
behavioral2/files/0x0006000000022e39-127.dat | family_berbew
behavioral2/files/0x0006000000022e39-126.dat | family_berbew
behavioral2/files/0x0006000000022e3e-134.dat | family_berbew
behavioral2/files/0x0006000000022e3e-136.dat | family_berbew
behavioral2/files/0x0006000000022e41-142.dat | family_berbew
behavioral2/files/0x0006000000022e41-144.dat | family_berbew
behavioral2/files/0x0006000000022e43-150.dat | family_berbew
behavioral2/files/0x0006000000022e43-151.dat | family_berbew
behavioral2/files/0x0006000000022e45-159.dat | family_berbew
behavioral2/files/0x0006000000022e45-158.dat | family_berbew
behavioral2/files/0x0006000000022e48-166.dat | family_berbew
behavioral2/files/0x0006000000022e48-167.dat | family_berbew
behavioral2/files/0x0006000000022e4a-174.dat | family_berbew
behavioral2/files/0x0006000000022e4a-176.dat | family_berbew
behavioral2/files/0x0007000000022e34-183.dat | family_berbew
behavioral2/files/0x0007000000022e34-182.dat | family_berbew
behavioral2/files/0x0007000000022e3c-190.dat | family_berbew
behavioral2/files/0x0007000000022e3c-192.dat | family_berbew
behavioral2/files/0x0006000000022e4e-193.dat | family_berbew
behavioral2/files/0x0006000000022e4e-198.dat | family_berbew
behavioral2/files/0x0006000000022e4e-199.dat | family_berbew
behavioral2/files/0x0006000000022e50-206.dat | family_berbew
behavioral2/files/0x0006000000022e50-208.dat | family_berbew
behavioral2/files/0x0006000000022e52-214.dat | family_berbew
behavioral2/files/0x0006000000022e52-216.dat | family_berbew
behavioral2/files/0x0006000000022e54-223.dat | family_berbew
behavioral2/files/0x0006000000022e54-222.dat | family_berbew
behavioral2/files/0x0006000000022e56-230.dat | family_berbew
behavioral2/files/0x0006000000022e56-231.dat | family_berbew
behavioral2/files/0x0006000000022e5a-238.dat | family_berbew
behavioral2/files/0x0006000000022e5a-240.dat | family_berbew
behavioral2/files/0x0006000000022e5c-246.dat | family_berbew
behavioral2/files/0x0006000000022e5c-247.dat | family_berbew
behavioral2/files/0x0006000000022e5e-254.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
2148 | Ojfcdnjc.exe
4496 | Opeiadfg.exe
4364 | Pjmjdm32.exe
3120 | Phajna32.exe
4972 | Pffgom32.exe
4220 | Pjdpelnc.exe
456 | Ppahmb32.exe
4588 | Qdoacabq.exe
4388 | Qpeahb32.exe
3388 | Aoioli32.exe
4824 | Aokkahlo.exe
4236 | Aonhghjl.exe
3024 | Ahfmpnql.exe
4608 | Bmeandma.exe
3148 | Bkibgh32.exe
4868 | Bmjkic32.exe
1916 | Bknlbhhe.exe
4032 | Boldhf32.exe
2172 | Cnaaib32.exe
4748 | Ckebcg32.exe
3928 | Cdmfllhn.exe
4888 | Chnlgjlb.exe
2196 | Dpiplm32.exe
920 | Dnmaea32.exe
3544 | Ddifgk32.exe
3964 | Damfao32.exe
3620 | Dhikci32.exe
4472 | Edplhjhi.exe
4368 | Egaejeej.exe
3156 | Edeeci32.exe
3044 | Egened32.exe
3728 | Edionhpn.exe
2332 | Fkhpfbce.exe
4940 | Fbgbnkfm.exe
4248 | Fgcjfbed.exe
4476 | Gkaclqkk.exe
4872 | Gejhef32.exe
3432 | Gghdaa32.exe
4616 | Gbnhoj32.exe
3756 | Ggkqgaol.exe
3496 | Gbpedjnb.exe
3140 | Ggmmlamj.exe
2288 | Gbbajjlp.exe
4624 | Hlkfbocp.exe
4744 | Hioflcbj.exe
1632 | Lchfib32.exe
1896 | Llqjbhdc.exe
2648 | Lancko32.exe
4396 | Llcghg32.exe
1724 | Lcmodajm.exe
2088 | Mfkkqmiq.exe
644 | Modpib32.exe
4636 | Mfnhfm32.exe
1432 | Mhldbh32.exe
1644 | Mljmhflh.exe
3748 | Mohidbkl.exe
2348 | Mhanngbl.exe
4892 | Mcfbkpab.exe
4580 | Mqjbddpl.exe
3800 | Nblolm32.exe
5084 | Nqfbpb32.exe
1756 | Obgohklm.exe
652 | Ojnfihmo.exe
2816 | Ookoaokf.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Mpapgknd.exe | Mfkkjbnn.exe
File created | C:\Windows\SysWOW64\Hkllgnco.exe | Hbdgnilo.exe
File opened for modification | C:\Windows\SysWOW64\Ddifgk32.exe | Dnmaea32.exe
File created | C:\Windows\SysWOW64\Kakdifap.dll | Fkiapn32.exe
File created | C:\Windows\SysWOW64\Ncbfcp32.exe | Mjjbjjdd.exe
File created | C:\Windows\SysWOW64\Plhgdn32.exe | Pkfjmfld.exe
File opened for modification | C:\Windows\SysWOW64\Idoknmfj.exe | Ilhcmpeg.exe
File created | C:\Windows\SysWOW64\Pbpbhmcg.dll | Omgjhc32.exe
File created | C:\Windows\SysWOW64\Jonfci32.dll | Ibjibg32.exe
File created | C:\Windows\SysWOW64\Nhfpjghi.exe | Mnnkaa32.exe
File opened for modification | C:\Windows\SysWOW64\Mjahfl32.exe | Mgclja32.exe
File created | C:\Windows\SysWOW64\Hgocapmi.exe | Fggdic32.exe
File opened for modification | C:\Windows\SysWOW64\Idieob32.exe | Ibjibg32.exe
File created | C:\Windows\SysWOW64\Ckhlgilp.exe | Cjgpoq32.exe
File created | C:\Windows\SysWOW64\Coqnmkpd.exe | Pfdjccol.exe
File created | C:\Windows\SysWOW64\Ojmbll32.dll | Bgpggm32.exe
File created | C:\Windows\SysWOW64\Dbnmek32.exe | Ahmqnkbp.exe
File opened for modification | C:\Windows\SysWOW64\Lchfib32.exe | Hioflcbj.exe
File opened for modification | C:\Windows\SysWOW64\Mboqnm32.exe | Mldhacpj.exe
File created | C:\Windows\SysWOW64\Idpofgof.dll | Dfcjoa32.exe
File created | C:\Windows\SysWOW64\Bdglhadi.dll | Hgdedj32.exe
File opened for modification | C:\Windows\SysWOW64\Ingpgcmj.exe | Igmgji32.exe
File created | C:\Windows\SysWOW64\Pjpboibb.dll | Bjodch32.exe
File created | C:\Windows\SysWOW64\Modmkn32.dll | Lalnfooo.exe
File created | C:\Windows\SysWOW64\Cbkncd32.exe | Combgh32.exe
File opened for modification | C:\Windows\SysWOW64\Egened32.exe | Edeeci32.exe
File created | C:\Windows\SysWOW64\Odgjdibf.exe | Hqmggi32.exe
File created | C:\Windows\SysWOW64\Jodlof32.exe | Jflgfpkc.exe
File created | C:\Windows\SysWOW64\Nfcoekhe.exe | Nlnkgbhp.exe
File opened for modification | C:\Windows\SysWOW64\Biogieke.exe | Bfqkmj32.exe
File created | C:\Windows\SysWOW64\Kgcqil32.dll | Cjflblll.exe
File created | C:\Windows\SysWOW64\Poajdlcq.exe | Plbmhadm.exe
File created | C:\Windows\SysWOW64\Dkppik32.dll | Icoodj32.exe
File opened for modification | C:\Windows\SysWOW64\Ikkppgld.exe | Icdhojka.exe
File created | C:\Windows\SysWOW64\Mqbgpl32.dll | Jbgmkfli.exe
File created | C:\Windows\SysWOW64\Hmbflc32.exe | Hkdjph32.exe
File opened for modification | C:\Windows\SysWOW64\Nnfgmjfb.exe | Nlhkqngo.exe
File created | C:\Windows\SysWOW64\Lbqihb32.exe | Jangaboo.exe
File created | C:\Windows\SysWOW64\Egened32.exe | Edeeci32.exe
File opened for modification | C:\Windows\SysWOW64\Bbpolb32.exe | Nhcbidcd.exe
File opened for modification | C:\Windows\SysWOW64\Bilcol32.exe | Bjkcqdje.exe
File created | C:\Windows\SysWOW64\Jlilhlel.dll | Lckglc32.exe
File created | C:\Windows\SysWOW64\Cofemg32.exe | Cmhial32.exe
File created | C:\Windows\SysWOW64\Ciipkkdj.dll | Bknlbhhe.exe
File opened for modification | C:\Windows\SysWOW64\Ikpjkf32.exe | Idfaolpb.exe
File opened for modification | C:\Windows\SysWOW64\Lomqmoob.exe | Lnldeg32.exe
File created | C:\Windows\SysWOW64\Mmgmmdep.dll | Jkfcigkm.exe
File created | C:\Windows\SysWOW64\Kkmgenjm.dll | Nmbamdkm.exe
File created | C:\Windows\SysWOW64\Ahmqnkbp.exe | Ojbamj32.exe
File created | C:\Windows\SysWOW64\Nqclfeon.dll | Jkjclk32.exe
File opened for modification | C:\Windows\SysWOW64\Jgqdal32.exe | Jdbheajp.exe
File opened for modification | C:\Windows\SysWOW64\Kbbhjc32.exe | Kbpkdd32.exe
File opened for modification | C:\Windows\SysWOW64\Daeddlco.exe | Dgmpkg32.exe
File created | C:\Windows\SysWOW64\Ndkfpm32.dll | Ghgeoq32.exe
File created | C:\Windows\SysWOW64\Lckglc32.exe | Kjcccm32.exe
File created | C:\Windows\SysWOW64\Midoph32.exe | Lckglc32.exe
File created | C:\Windows\SysWOW64\Dmgdcp32.dll | Ojkkah32.exe
File created | C:\Windows\SysWOW64\Akoqjl32.exe | Ajndbd32.exe
File created | C:\Windows\SysWOW64\Nelfnd32.exe | Nnbnaj32.exe
File opened for modification | C:\Windows\SysWOW64\Lbqihb32.exe | Jangaboo.exe
File created | C:\Windows\SysWOW64\Hfpgkgjo.dll | Cdmfebnk.exe
File created | C:\Windows\SysWOW64\Hcjnlmph.dll | Chnlgjlb.exe
File opened for modification | C:\Windows\SysWOW64\Nliakd32.exe | Nihiiimi.exe
File created | C:\Windows\SysWOW64\Fljfei32.dll | Akoqjl32.exe
Modifies registry class (64 IoCs)
This is the other half of the persistence: each generation creates HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32, sets ThreadingModel to "Apartment" and points the key's default value at the DLL it has just dropped in SysWow64. That default value is what Explorer loads when it instantiates the CLSID named by the "Web Event Logger" ShellServiceObjectDelayLoad entry above, so the resolved DLL changes after every hop. The submitted sample itself appears once in this table, creating the key.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cooolhin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gklmlfcf.dll" | Mfkkjbnn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mljmhflh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbblinfi.dll" | Hklglk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cjflblll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjak32.dll" | Nlhkqngo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohjmfjh.dll" | Ibojgikg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cdoegcfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kgopbj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oihapg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qlggcp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bjgghc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ilafcomm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhajffl.dll" | Jeocgfgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll" | Phajna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Aoioli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ibojgikg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fggdic32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hbdgnilo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jljanf32.dll" | Bcmolimg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Meepne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dpiplm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Njmopj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Haoighmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bgbmdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpcim32.dll" | Hhdhhchf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iehqncld.dll" | Liqibm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bcddlhgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeeded32.dll" | Pfdjccol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pjmjdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll" | Aokkahlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqagcpkg.dll" | Fehplggn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lbqihb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmgenjm.dll" | Nmbamdkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Angleokb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jglkfmmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aadokg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcimclb.dll" | Jnqbmadp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ojqcnhkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmbfpea.dll" | Ilcjgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jhejgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbbblhf.dll" | Jpooimdc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hdclbopg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fhbbmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pgmkbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oefpoi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Neqoidmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkqpd32.dll" | Iioicn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Phpkgc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bhqmdoef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | NEAS.9923cc0ceb9215121152707013e12de0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kogffd32.dll" | Cqfahh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Idieob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Qkjgomgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peflco32.dll" | Ingpgcmj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oagpne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Olgnnqpe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bkepeaaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hpomme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knagdd32.dll" | Nfjeej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lgdinmod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jbijpfjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ieknpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hdehho32.exe
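The two registry tables above (the ShellServiceObjectDelayLoad entry and the CLSID InProcServer32 writes) only make sense together: the SSODL value names a CLSID, and the CLSID's InProcServer32 default value names the DLL Explorer will load. The script below is an added example, not part of the sandbox report or of any sandbox tooling. It takes rows in the "description | ioc | Process" form used above (the sample set is a constructed subset copied from the report), links each SSODL CLSID to every DLL path its InProcServer32 was pointed at, and flags the entry. The allowlist is an assumption: it holds the one SSODL entry a stock Windows install ships with (WebCheck), and a real deployment would extend it from known-good baselines.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of rows from the report's "Adds autorun key" and
# "Modifies registry class" tables, in "description | ioc | Process" form.
SAMPLE_ROWS = r"""
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkhcpkkb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cooolhin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ckhlgilp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dnmaea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Igmgji32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | NEAS.9923cc0ceb9215121152707013e12de0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mljmhflh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cooolhin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kgopbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gklmlfcf.dll" | Mfkkjbnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbblinfi.dll" | Hklglk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjak32.dll" | Nlhkqngo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll" | Phajna32.exe
"""

ROW_RE = re.compile(r"^(?P<action>Key created|Set value \(\w+\)) \| (?P<ioc>.+) \| (?P<proc>\S+)$")
SSODL_KEY = "ShellServiceObjectDelayLoad"
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$")

# Assumed allowlist (not from the report): the SSODL entry a stock Windows install carries.
KNOWN_GOOD_SSODL = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}  # WebCheck
RANDOM_NAME = re.compile(r"\\[A-Za-z]{6,8}(?:32)?\.dll$")


@dataclass(frozen=True)
class RegEvent:
    action: str
    key: str
    name: str | None    # value name; "" is the key's default value; None for key creation
    data: str | None
    process: str


def parse_rows(text: str) -> list[RegEvent]:
    """Turn report rows into structured events; 'Set value' rows are split into key, name, data."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        action, ioc, proc = m.group("action", "ioc", "proc")
        if action.startswith("Set value"):
            path, _, data = ioc.partition(" = ")
            key, _, name = path.rpartition("\\")
            # the sandbox renders backslashes inside string data doubled; undo that
            data = data.strip('"').replace("\\\\", "\\")
            events.append(RegEvent(action, key, name, data, proc))
        else:
            events.append(RegEvent(action, ioc, None, None, proc))
    return events


def correlate(events: list[RegEvent]):
    """Map each CLSID registered under SSODL to the InProcServer32 DLLs set for it."""
    ssodl: dict[str, dict] = {}
    servers: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for ev in events:
        if ev.action != "Set value (str)":
            continue
        if ev.key.endswith("\\" + SSODL_KEY):
            entry = ssodl.setdefault(ev.data.upper(), {"name": ev.name, "set_by": []})
            entry["set_by"].append(ev.process)
        m = CLSID_RE.search(ev.key)
        if m and ev.name == "":          # only the default value names the server DLL
            servers[m.group(1).upper()].append((ev.data, ev.process))
    return ssodl, dict(servers)


def findings(ssodl, servers, allowlist=KNOWN_GOOD_SSODL) -> list[dict]:
    """One finding per non-allowlisted SSODL CLSID, with the DLLs it resolved to."""
    out = []
    for clsid, info in ssodl.items():
        if clsid in allowlist:
            continue
        hits = servers.get(clsid, [])
        dlls = sorted({d for d, _ in hits})
        writers = sorted({p for _, p in hits})
        reasons = [f'SSODL value "{info["name"]}" -> {clsid} is not allowlisted']
        if len(writers) > 1:
            reasons.append(f"InProcServer32 rewritten by {len(writers)} different processes")
        if dlls and all(RANDOM_NAME.search(d) for d in dlls):
            reasons.append("every InProcServer32 target is a random-looking DLL name in SysWow64")
        out.append({"clsid": clsid, "value_name": info["name"], "set_by": info["set_by"],
                    "dlls": dlls, "writers": writers, "reasons": reasons})
    return out


if __name__ == "__main__":
    ssodl, servers = correlate(parse_rows(SAMPLE_ROWS))
    for f in findings(ssodl, servers):
        print(f["clsid"], f["value_name"])
        for d in f["dlls"]:
            print("   ", d)
        for r in f["reasons"]:
            print("  !", r)
```

On a live host the same correlation is done against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and the WOW6432Node copy) and HKCR\CLSID\{...}\InProcServer32; the point of doing it over the sandbox rows is that the report lists both halves but never joins them.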
Suspicious use of WriteProcessMemory 64 IoCs

Every entry records a parent writing into the child it has just started (compare the PIDs with the process tree below): no write targets a process outside the writer's own launch chain, so these IoCs document how each stage starts the next rather than injection into an unrelated process. The 64 entries collapse to 22 parent/child pairs; each pair is logged three times except the last, which the sandbox caught only once before the capture ended.

description                        pid   Process                                     procid_target  count
PID 4524 wrote to memory of 2148   4524  NEAS.9923cc0ceb9215121152707013e12de0.exe   89             3
PID 2148 wrote to memory of 4496   2148  Ojfcdnjc.exe                                90             3
PID 4496 wrote to memory of 4364   4496  Opeiadfg.exe                                91             3
PID 4364 wrote to memory of 3120   4364  Pjmjdm32.exe                                92             3
PID 3120 wrote to memory of 4972   3120  Phajna32.exe                                94             3
PID 4972 wrote to memory of 4220   4972  Pffgom32.exe                                95             3
PID 4220 wrote to memory of 456    4220  Pjdpelnc.exe                                96             3
PID 456 wrote to memory of 4588    456   Ppahmb32.exe                                97             3
PID 4588 wrote to memory of 4388   4588  Qdoacabq.exe                                98             3
PID 4388 wrote to memory of 3388   4388  Qpeahb32.exe                                99             3
PID 3388 wrote to memory of 4824   3388  Aoioli32.exe                                100            3
PID 4824 wrote to memory of 4236   4824  Aokkahlo.exe                                102            3
PID 4236 wrote to memory of 3024   4236  Aonhghjl.exe                                103            3
PID 3024 wrote to memory of 4608   3024  Ahfmpnql.exe                                104            3
PID 4608 wrote to memory of 3148   4608  Bmeandma.exe                                105            3
PID 3148 wrote to memory of 4868   3148  Bkibgh32.exe                                106            3
PID 4868 wrote to memory of 1916   4868  Bmjkic32.exe                                107            3
PID 1916 wrote to memory of 4032   1916  Bknlbhhe.exe                                108            3
PID 4032 wrote to memory of 2172   4032  Boldhf32.exe                                109            3
PID 2172 wrote to memory of 4748   2172  Cnaaib32.exe                                110            3
PID 4748 wrote to memory of 3928   4748  Ckebcg32.exe                                111            3
PID 3928 wrote to memory of 4888   3928  Cdmfllhn.exe                                112            1
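The check described above, written out as an added example (this is not code from the report or from the sandbox vendor): it parses the "PID <writer> wrote to memory of <target> ..." lines and a depth-numbered process tree, rebuilds the parent map from the depths, and flags any write whose target the writer did not spawn. The first nine IoC lines are copied from the table above; the tenth IoC line and the four-line tree text are constructed for illustration, and the line formats the regexes assume are those of this report.

```python
import re
from collections import Counter

# Added example, not part of the sandbox report. It separates WriteProcessMemory
# calls from a parent into the child it just created (what every entry in this
# report shows) from writes into a process the writer is not the parent of.

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
TREE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)$")  # "depth image pid"

# Constructed tree text: depth, image name and PID of the report's first four stages.
PROCESS_TREE = """\
1 NEAS.9923cc0ceb9215121152707013e12de0.exe 4524
2 Ojfcdnjc.exe 2148
3 Opeiadfg.exe 4496
4 Pjmjdm32.exe 4364
"""

# First nine lines copied from the report's IoC list; the last line is
# constructed (it does not occur in the report) to show a cross-process write.
SAMPLE_IOCS = """\
PID 4524 wrote to memory of 2148 4524 NEAS.9923cc0ceb9215121152707013e12de0.exe 89
PID 4524 wrote to memory of 2148 4524 NEAS.9923cc0ceb9215121152707013e12de0.exe 89
PID 4524 wrote to memory of 2148 4524 NEAS.9923cc0ceb9215121152707013e12de0.exe 89
PID 2148 wrote to memory of 4496 2148 Ojfcdnjc.exe 90
PID 2148 wrote to memory of 4496 2148 Ojfcdnjc.exe 90
PID 2148 wrote to memory of 4496 2148 Ojfcdnjc.exe 90
PID 4496 wrote to memory of 4364 4496 Opeiadfg.exe 91
PID 4496 wrote to memory of 4364 4496 Opeiadfg.exe 91
PID 4496 wrote to memory of 4364 4496 Opeiadfg.exe 91
PID 2148 wrote to memory of 4364 2148 Ojfcdnjc.exe 91
"""


def parse_tree(text):
    """Return {pid: parent_pid} from 'depth image pid' lines.

    A process at depth d is a child of the most recent process seen at
    depth d-1, so this handles a branching tree, not only the single
    chain in this report.
    """
    parent, last_at_depth = {}, {}
    for line in text.splitlines():
        m = TREE_RE.match(line.strip())
        if not m:
            continue
        depth, pid = int(m[1]), int(m[3])
        parent[pid] = last_at_depth.get(depth - 1)
        last_at_depth[depth] = pid
    return parent


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_image) for each IoC line."""
    out = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            out.append((int(m[1]), int(m[2]), m[4]))
    return out


def classify_writes(iocs, parent):
    """Split (writer, target) pairs into expected (writer is the target's
    parent, as during process creation) and suspicious (it is not), each
    mapped to how many times the pair was logged."""
    counts = Counter((w, t) for w, t, _ in iocs)
    expected, suspicious = {}, {}
    for (w, t), n in counts.items():
        (expected if parent.get(t) == w else suspicious)[(w, t)] = n
    return expected, suspicious


def report():
    parent = parse_tree(PROCESS_TREE)
    return classify_writes(parse_wpm(SAMPLE_IOCS), parent)


if __name__ == "__main__":
    expected, suspicious = report()
    for (w, t), n in expected.items():
        print(f"{w} -> {t}: {n} write(s) into its own child (process creation)")
    for (w, t), n in suspicious.items():
        print(f"FLAG {w} -> {t}: {n} write(s) into a process it did not spawn")
```

Because the parent map is derived from the tree rather than from the IoC lines themselves, the same check works on a report where the writer is several levels removed from the target. Remember that PIDs are reused over a long run (this report reuses 2148, 920 and others at later depths), so on the full tree key the map by depth and image as well as PID.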
Processes

The number in front of each entry is its nesting depth in the tree: every process is started by the one listed before it, so the chain is 122 stages deep. From stage 2 on, each stage is a freshly dropped executable in C:\Windows\SysWOW64 launched with a C:\Windows\system32 command line; the sample is 32-bit, so WoW64 file-system redirection maps that path to SysWOW64, and "Drops file in System32 directory" below refers to the same location. PIDs are reused later in the chain (2148 at depths 2 and 76, 920 at 25 and 83, 2332 at 34 and 84, among others), so a PID alone does not identify a stage; pair it with the image name and depth.
1    C:\Users\Admin\AppData\Local\Temp\NEAS.9923cc0ceb9215121152707013e12de0.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.9923cc0ceb9215121152707013e12de0.exe", PID 4524]
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
2    C:\Windows\SysWOW64\Ojfcdnjc.exe  [cmdline: C:\Windows\system32\Ojfcdnjc.exe, PID 2148]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
3    C:\Windows\SysWOW64\Opeiadfg.exe  [cmdline: C:\Windows\system32\Opeiadfg.exe, PID 4496]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
4    C:\Windows\SysWOW64\Pjmjdm32.exe  [cmdline: C:\Windows\system32\Pjmjdm32.exe, PID 4364]
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
5    C:\Windows\SysWOW64\Phajna32.exe  [cmdline: C:\Windows\system32\Phajna32.exe, PID 3120]
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
6    C:\Windows\SysWOW64\Pffgom32.exe  [cmdline: C:\Windows\system32\Pffgom32.exe, PID 4972]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
7    C:\Windows\SysWOW64\Pjdpelnc.exe  [cmdline: C:\Windows\system32\Pjdpelnc.exe, PID 4220]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
8    C:\Windows\SysWOW64\Ppahmb32.exe  [cmdline: C:\Windows\system32\Ppahmb32.exe, PID 456]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
9    C:\Windows\SysWOW64\Qdoacabq.exe  [cmdline: C:\Windows\system32\Qdoacabq.exe, PID 4588]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
10   C:\Windows\SysWOW64\Qpeahb32.exe  [cmdline: C:\Windows\system32\Qpeahb32.exe, PID 4388]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
11   C:\Windows\SysWOW64\Aoioli32.exe  [cmdline: C:\Windows\system32\Aoioli32.exe, PID 3388]
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
12   C:\Windows\SysWOW64\Aokkahlo.exe  [cmdline: C:\Windows\system32\Aokkahlo.exe, PID 4824]
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
13   C:\Windows\SysWOW64\Aonhghjl.exe  [cmdline: C:\Windows\system32\Aonhghjl.exe, PID 4236]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
14   C:\Windows\SysWOW64\Ahfmpnql.exe  [cmdline: C:\Windows\system32\Ahfmpnql.exe, PID 3024]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
15   C:\Windows\SysWOW64\Bmeandma.exe  [cmdline: C:\Windows\system32\Bmeandma.exe, PID 4608]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
16   C:\Windows\SysWOW64\Bkibgh32.exe  [cmdline: C:\Windows\system32\Bkibgh32.exe, PID 3148]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
17   C:\Windows\SysWOW64\Bmjkic32.exe  [cmdline: C:\Windows\system32\Bmjkic32.exe, PID 4868]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
18   C:\Windows\SysWOW64\Bknlbhhe.exe  [cmdline: C:\Windows\system32\Bknlbhhe.exe, PID 1916]
     - Executes dropped EXE
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
19   C:\Windows\SysWOW64\Boldhf32.exe  [cmdline: C:\Windows\system32\Boldhf32.exe, PID 4032]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
20   C:\Windows\SysWOW64\Cnaaib32.exe  [cmdline: C:\Windows\system32\Cnaaib32.exe, PID 2172]
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
21   C:\Windows\SysWOW64\Ckebcg32.exe  [cmdline: C:\Windows\system32\Ckebcg32.exe, PID 4748]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
22   C:\Windows\SysWOW64\Cdmfllhn.exe  [cmdline: C:\Windows\system32\Cdmfllhn.exe, PID 3928]
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
23   C:\Windows\SysWOW64\Chnlgjlb.exe  [cmdline: C:\Windows\system32\Chnlgjlb.exe, PID 4888]
     - Executes dropped EXE
     - Drops file in System32 directory
24   C:\Windows\SysWOW64\Dpiplm32.exe  [cmdline: C:\Windows\system32\Dpiplm32.exe, PID 2196]
     - Executes dropped EXE
     - Modifies registry class
25   C:\Windows\SysWOW64\Dnmaea32.exe  [cmdline: C:\Windows\system32\Dnmaea32.exe, PID 920]
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Drops file in System32 directory
26   C:\Windows\SysWOW64\Ddifgk32.exe  [cmdline: C:\Windows\system32\Ddifgk32.exe, PID 3544]
     - Executes dropped EXE
27   C:\Windows\SysWOW64\Damfao32.exe  [cmdline: C:\Windows\system32\Damfao32.exe, PID 3964]
     - Executes dropped EXE
28   C:\Windows\SysWOW64\Dhikci32.exe  [cmdline: C:\Windows\system32\Dhikci32.exe, PID 3620]
     - Executes dropped EXE
29   C:\Windows\SysWOW64\Edplhjhi.exe  [cmdline: C:\Windows\system32\Edplhjhi.exe, PID 4472]
     - Executes dropped EXE
30   C:\Windows\SysWOW64\Egaejeej.exe  [cmdline: C:\Windows\system32\Egaejeej.exe, PID 4368]
     - Executes dropped EXE
31   C:\Windows\SysWOW64\Edeeci32.exe  [cmdline: C:\Windows\system32\Edeeci32.exe, PID 3156]
     - Executes dropped EXE
     - Drops file in System32 directory
32   C:\Windows\SysWOW64\Egened32.exe  [cmdline: C:\Windows\system32\Egened32.exe, PID 3044]
     - Executes dropped EXE
33   C:\Windows\SysWOW64\Edionhpn.exe  [cmdline: C:\Windows\system32\Edionhpn.exe, PID 3728]
     - Executes dropped EXE
34   C:\Windows\SysWOW64\Fkhpfbce.exe  [cmdline: C:\Windows\system32\Fkhpfbce.exe, PID 2332]
     - Executes dropped EXE
35   C:\Windows\SysWOW64\Fbgbnkfm.exe  [cmdline: C:\Windows\system32\Fbgbnkfm.exe, PID 4940]
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
36   C:\Windows\SysWOW64\Fgcjfbed.exe  [cmdline: C:\Windows\system32\Fgcjfbed.exe, PID 4248]
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
37   C:\Windows\SysWOW64\Gkaclqkk.exe  [cmdline: C:\Windows\system32\Gkaclqkk.exe, PID 4476]
     - Executes dropped EXE
38   C:\Windows\SysWOW64\Gejhef32.exe  [cmdline: C:\Windows\system32\Gejhef32.exe, PID 4872]
     - Executes dropped EXE
39   C:\Windows\SysWOW64\Gghdaa32.exe  [cmdline: C:\Windows\system32\Gghdaa32.exe, PID 3432]
     - Executes dropped EXE
40   C:\Windows\SysWOW64\Gbnhoj32.exe  [cmdline: C:\Windows\system32\Gbnhoj32.exe, PID 4616]
     - Executes dropped EXE
41   C:\Windows\SysWOW64\Ggkqgaol.exe  [cmdline: C:\Windows\system32\Ggkqgaol.exe, PID 3756]
     - Executes dropped EXE
42   C:\Windows\SysWOW64\Gbpedjnb.exe  [cmdline: C:\Windows\system32\Gbpedjnb.exe, PID 3496]
     - Executes dropped EXE
43   C:\Windows\SysWOW64\Ggmmlamj.exe  [cmdline: C:\Windows\system32\Ggmmlamj.exe, PID 3140]
     - Executes dropped EXE
44   C:\Windows\SysWOW64\Gbbajjlp.exe  [cmdline: C:\Windows\system32\Gbbajjlp.exe, PID 2288]
     - Executes dropped EXE
45   C:\Windows\SysWOW64\Hlkfbocp.exe  [cmdline: C:\Windows\system32\Hlkfbocp.exe, PID 4624]
     - Executes dropped EXE
46   C:\Windows\SysWOW64\Hioflcbj.exe  [cmdline: C:\Windows\system32\Hioflcbj.exe, PID 4744]
     - Executes dropped EXE
     - Drops file in System32 directory
47   C:\Windows\SysWOW64\Lchfib32.exe  [cmdline: C:\Windows\system32\Lchfib32.exe, PID 1632]
     - Executes dropped EXE
48   C:\Windows\SysWOW64\Llqjbhdc.exe  [cmdline: C:\Windows\system32\Llqjbhdc.exe, PID 1896]
     - Executes dropped EXE
49   C:\Windows\SysWOW64\Lancko32.exe  [cmdline: C:\Windows\system32\Lancko32.exe, PID 2648]
     - Executes dropped EXE
50   C:\Windows\SysWOW64\Llcghg32.exe  [cmdline: C:\Windows\system32\Llcghg32.exe, PID 4396]
     - Executes dropped EXE
51   C:\Windows\SysWOW64\Lcmodajm.exe  [cmdline: C:\Windows\system32\Lcmodajm.exe, PID 1724]
     - Executes dropped EXE
52   C:\Windows\SysWOW64\Mfkkqmiq.exe  [cmdline: C:\Windows\system32\Mfkkqmiq.exe, PID 2088]
     - Executes dropped EXE
53   C:\Windows\SysWOW64\Modpib32.exe  [cmdline: C:\Windows\system32\Modpib32.exe, PID 644]
     - Executes dropped EXE
54   C:\Windows\SysWOW64\Mfnhfm32.exe  [cmdline: C:\Windows\system32\Mfnhfm32.exe, PID 4636]
     - Executes dropped EXE
55   C:\Windows\SysWOW64\Mhldbh32.exe  [cmdline: C:\Windows\system32\Mhldbh32.exe, PID 1432]
     - Executes dropped EXE
56   C:\Windows\SysWOW64\Mljmhflh.exe  [cmdline: C:\Windows\system32\Mljmhflh.exe, PID 1644]
     - Executes dropped EXE
     - Modifies registry class
57   C:\Windows\SysWOW64\Mohidbkl.exe  [cmdline: C:\Windows\system32\Mohidbkl.exe, PID 3748]
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
58   C:\Windows\SysWOW64\Mhanngbl.exe  [cmdline: C:\Windows\system32\Mhanngbl.exe, PID 2348]
     - Executes dropped EXE
59   C:\Windows\SysWOW64\Mcfbkpab.exe  [cmdline: C:\Windows\system32\Mcfbkpab.exe, PID 4892]
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
60   C:\Windows\SysWOW64\Mqjbddpl.exe  [cmdline: C:\Windows\system32\Mqjbddpl.exe, PID 4580]
     - Executes dropped EXE
61   C:\Windows\SysWOW64\Nblolm32.exe  [cmdline: C:\Windows\system32\Nblolm32.exe, PID 3800]
     - Executes dropped EXE
62   C:\Windows\SysWOW64\Nqfbpb32.exe  [cmdline: C:\Windows\system32\Nqfbpb32.exe, PID 5084]
     - Executes dropped EXE
63   C:\Windows\SysWOW64\Obgohklm.exe  [cmdline: C:\Windows\system32\Obgohklm.exe, PID 1756]
     - Executes dropped EXE
64   C:\Windows\SysWOW64\Ojnfihmo.exe  [cmdline: C:\Windows\system32\Ojnfihmo.exe, PID 652]
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
65   C:\Windows\SysWOW64\Ookoaokf.exe  [cmdline: C:\Windows\system32\Ookoaokf.exe, PID 2816]
     - Executes dropped EXE
66   C:\Windows\SysWOW64\Ojqcnhkl.exe  [cmdline: C:\Windows\system32\Ojqcnhkl.exe, PID 2276]
     - Modifies registry class
67   C:\Windows\SysWOW64\Oonlfo32.exe  [cmdline: C:\Windows\system32\Oonlfo32.exe, PID 3344]
68   C:\Windows\SysWOW64\Hqmggi32.exe  [cmdline: C:\Windows\system32\Hqmggi32.exe, PID 3008]
     - Drops file in System32 directory
69   C:\Windows\SysWOW64\Odgjdibf.exe  [cmdline: C:\Windows\system32\Odgjdibf.exe, PID 1180]
70   C:\Windows\SysWOW64\Icminm32.exe  [cmdline: C:\Windows\system32\Icminm32.exe, PID 768]
71   C:\Windows\SysWOW64\Jflnafno.exe  [cmdline: C:\Windows\system32\Jflnafno.exe, PID 4316]
72   C:\Windows\SysWOW64\Nhcbidcd.exe  [cmdline: C:\Windows\system32\Nhcbidcd.exe, PID 3412]
     - Drops file in System32 directory
73   C:\Windows\SysWOW64\Bbpolb32.exe  [cmdline: C:\Windows\system32\Bbpolb32.exe, PID 228]
     - Adds autorun key to be loaded by Explorer.exe on startup
74   C:\Windows\SysWOW64\Bglgdi32.exe  [cmdline: C:\Windows\system32\Bglgdi32.exe, PID 4448]
75   C:\Windows\SysWOW64\Bjkcqdje.exe  [cmdline: C:\Windows\system32\Bjkcqdje.exe, PID 2912]
     - Drops file in System32 directory
76   C:\Windows\SysWOW64\Bilcol32.exe  [cmdline: C:\Windows\system32\Bilcol32.exe, PID 2148]
77   C:\Windows\SysWOW64\Bkjpkg32.exe  [cmdline: C:\Windows\system32\Bkjpkg32.exe, PID 1596]
78   C:\Windows\SysWOW64\Capkim32.exe  [cmdline: C:\Windows\system32\Capkim32.exe, PID 940]
79   C:\Windows\SysWOW64\Cgjcfgoa.exe  [cmdline: C:\Windows\system32\Cgjcfgoa.exe, PID 2536]
80   C:\Windows\SysWOW64\Dndlba32.exe  [cmdline: C:\Windows\system32\Dndlba32.exe, PID 3900]
81   C:\Windows\SysWOW64\Dabhomea.exe  [cmdline: C:\Windows\system32\Dabhomea.exe, PID 4564]
82   C:\Windows\SysWOW64\Dgmpkg32.exe  [cmdline: C:\Windows\system32\Dgmpkg32.exe, PID 2044]
     - Drops file in System32 directory
83   C:\Windows\SysWOW64\Daeddlco.exe  [cmdline: C:\Windows\system32\Daeddlco.exe, PID 920]
84   C:\Windows\SysWOW64\Dgomaf32.exe  [cmdline: C:\Windows\system32\Dgomaf32.exe, PID 2332]
     - Adds autorun key to be loaded by Explorer.exe on startup
85   C:\Windows\SysWOW64\Dnienqbi.exe  [cmdline: C:\Windows\system32\Dnienqbi.exe, PID 2480]
86   C:\Windows\SysWOW64\Dioiki32.exe  [cmdline: C:\Windows\system32\Dioiki32.exe, PID 4060]
87   C:\Windows\SysWOW64\Djpfbahm.exe  [cmdline: C:\Windows\system32\Djpfbahm.exe, PID 3544]
88   C:\Windows\SysWOW64\Deejpjgc.exe  [cmdline: C:\Windows\system32\Deejpjgc.exe, PID 2388]
89   C:\Windows\SysWOW64\Dlobmd32.exe  [cmdline: C:\Windows\system32\Dlobmd32.exe, PID 2416]
90   C:\Windows\SysWOW64\Dehgejep.exe  [cmdline: C:\Windows\system32\Dehgejep.exe, PID 1272]
91   C:\Windows\SysWOW64\Eelpqi32.exe  [cmdline: C:\Windows\system32\Eelpqi32.exe, PID 2860]
92   C:\Windows\SysWOW64\Ehklmd32.exe  [cmdline: C:\Windows\system32\Ehklmd32.exe, PID 4784]
93   C:\Windows\SysWOW64\Enedio32.exe  [cmdline: C:\Windows\system32\Enedio32.exe, PID 4964]
94   C:\Windows\SysWOW64\Eeomfioh.exe  [cmdline: C:\Windows\system32\Eeomfioh.exe, PID 2280]
95   C:\Windows\SysWOW64\Eliecc32.exe  [cmdline: C:\Windows\system32\Eliecc32.exe, PID 3384]
96   C:\Windows\SysWOW64\Eaenkj32.exe  [cmdline: C:\Windows\system32\Eaenkj32.exe, PID 1508]
97   C:\Windows\SysWOW64\Ejnbdp32.exe  [cmdline: C:\Windows\system32\Ejnbdp32.exe, PID 1452]
98   C:\Windows\SysWOW64\Eecfah32.exe  [cmdline: C:\Windows\system32\Eecfah32.exe, PID 4580]
99   C:\Windows\SysWOW64\Fhbbmc32.exe  [cmdline: C:\Windows\system32\Fhbbmc32.exe, PID 3164]
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Modifies registry class
100  C:\Windows\SysWOW64\Fefcgh32.exe  [cmdline: C:\Windows\system32\Fefcgh32.exe, PID 1680]
101  C:\Windows\SysWOW64\Flpkcbqm.exe  [cmdline: C:\Windows\system32\Flpkcbqm.exe, PID 568]
102  C:\Windows\SysWOW64\Fehplggn.exe  [cmdline: C:\Windows\system32\Fehplggn.exe, PID 2040]
     - Modifies registry class
103  C:\Windows\SysWOW64\Fkehdnee.exe  [cmdline: C:\Windows\system32\Fkehdnee.exe, PID 1256]
104  C:\Windows\SysWOW64\Fhiinbdo.exe  [cmdline: C:\Windows\system32\Fhiinbdo.exe, PID 4632]
105  C:\Windows\SysWOW64\Femigg32.exe  [cmdline: C:\Windows\system32\Femigg32.exe, PID 3124]
106  C:\Windows\SysWOW64\Fkiapn32.exe  [cmdline: C:\Windows\system32\Fkiapn32.exe, PID 3928]
     - Drops file in System32 directory
107  C:\Windows\SysWOW64\Feofmf32.exe  [cmdline: C:\Windows\system32\Feofmf32.exe, PID 4492]
108  C:\Windows\SysWOW64\Gklnem32.exe  [cmdline: C:\Windows\system32\Gklnem32.exe, PID 1268]
109  C:\Windows\SysWOW64\Geabbfoc.exe  [cmdline: C:\Windows\system32\Geabbfoc.exe, PID 4868]
110  C:\Windows\SysWOW64\Gknkkmmj.exe  [cmdline: C:\Windows\system32\Gknkkmmj.exe, PID 5020]
111  C:\Windows\SysWOW64\Giokid32.exe  [cmdline: C:\Windows\system32\Giokid32.exe, PID 1464]
112  C:\Windows\SysWOW64\Gbhpajlj.exe  [cmdline: C:\Windows\system32\Gbhpajlj.exe, PID 2692]
113  C:\Windows\SysWOW64\Giahndcf.exe  [cmdline: C:\Windows\system32\Giahndcf.exe, PID 4536]
114  C:\Windows\SysWOW64\Gbjlgj32.exe  [cmdline: C:\Windows\system32\Gbjlgj32.exe, PID 2616]
115  C:\Windows\SysWOW64\Ghgeoq32.exe  [cmdline: C:\Windows\system32\Ghgeoq32.exe, PID 4892]
     - Drops file in System32 directory
116  C:\Windows\SysWOW64\Gekeie32.exe  [cmdline: C:\Windows\system32\Gekeie32.exe, PID 1756]
117  C:\Windows\SysWOW64\Hembndee.exe  [cmdline: C:\Windows\system32\Hembndee.exe, PID 3472]
118  C:\Windows\SysWOW64\Hepoddcc.exe  [cmdline: C:\Windows\system32\Hepoddcc.exe, PID 3868]
119  C:\Windows\SysWOW64\Hklglk32.exe  [cmdline: C:\Windows\system32\Hklglk32.exe, PID 4236]
     - Modifies registry class
120  C:\Windows\SysWOW64\Himgjbii.exe  [cmdline: C:\Windows\system32\Himgjbii.exe, PID 4472]
121  C:\Windows\SysWOW64\Hkodak32.exe  [cmdline: C:\Windows\system32\Hkodak32.exe, PID 3388]
122  C:\Windows\SysWOW64\Hommhi32.exe  [cmdline: C:\Windows\system32\Hommhi32.exe, PID 3488]