Analysis
-
max time kernel
140s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2023 14:18
Behavioral task
behavioral1
Sample
NEAS.b83167734464e7c3c7b91335ab150b80.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b83167734464e7c3c7b91335ab150b80.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.b83167734464e7c3c7b91335ab150b80.exe
-
Size
125KB
-
MD5
b83167734464e7c3c7b91335ab150b80
-
SHA1
67a2d4a280121493ad376cc0bf2fedb90609c98b
-
SHA256
32d59e299e20a0b4115a3ec5bc7367662152e05d72bf4743bc31796fb5350a77
-
SHA512
515f36234618dcef6efe100f133961df45790b3509daabf45361e2f194b0518f347afed40105fad2738050d8fd244c4cd86c465957073cc7e59056bfcfaea816
-
SSDEEP
3072:ozR+LYpIWCqfhDJldMc41WdTCn93OGey/ZhJakrPF:ozFp6qkcXTCndOGeKTaG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmccnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdapehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckoifgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okailj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhpogij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jolodqcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiimejap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dggkipii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofbdncaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hecadm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbfcmhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflkqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chinkndp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eanqpdgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgffic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhennm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qefkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okodlgbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojigdcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijiopd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plejoode.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfcmhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqfngd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefnjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkphhgfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigbmpco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpmfpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqkigp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfikaqme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kniieo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhilfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qomghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npgjbabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfjchn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfcmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qohpkf32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2660-0-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-6.dat family_berbew behavioral2/memory/3512-8-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-7.dat family_berbew behavioral2/files/0x0008000000022df0-14.dat family_berbew behavioral2/memory/4104-15-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0008000000022df0-16.dat family_berbew behavioral2/files/0x0006000000022e0b-17.dat family_berbew behavioral2/files/0x0006000000022e0b-22.dat family_berbew behavioral2/files/0x0006000000022e0b-24.dat family_berbew behavioral2/memory/3668-23-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0d-30.dat family_berbew behavioral2/files/0x0006000000022e0d-31.dat family_berbew behavioral2/memory/4416-32-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0f-37.dat family_berbew behavioral2/memory/1564-39-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0f-40.dat family_berbew behavioral2/files/0x0006000000022e12-48.dat family_berbew behavioral2/memory/2520-47-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e15-54.dat family_berbew behavioral2/memory/4528-56-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e15-55.dat family_berbew behavioral2/files/0x0006000000022e12-46.dat family_berbew behavioral2/files/0x0006000000022e18-62.dat family_berbew behavioral2/memory/3184-63-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e18-64.dat family_berbew behavioral2/files/0x0006000000022e1a-70.dat family_berbew behavioral2/memory/212-71-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1a-72.dat family_berbew behavioral2/files/0x0008000000022df3-73.dat family_berbew behavioral2/files/0x0008000000022df3-78.dat family_berbew behavioral2/memory/5044-79-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0008000000022df3-80.dat family_berbew behavioral2/files/0x0006000000022e1e-86.dat family_berbew behavioral2/files/0x0006000000022e1e-88.dat family_berbew behavioral2/memory/4460-87-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e21-94.dat family_berbew behavioral2/files/0x0006000000022e21-95.dat family_berbew behavioral2/memory/1728-96-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e23-102.dat family_berbew behavioral2/memory/4228-103-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e23-104.dat family_berbew behavioral2/files/0x0006000000022e25-111.dat family_berbew behavioral2/files/0x0006000000022e25-110.dat family_berbew behavioral2/memory/828-112-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e27-118.dat family_berbew behavioral2/memory/1416-119-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e27-120.dat family_berbew behavioral2/files/0x0006000000022e29-126.dat family_berbew behavioral2/memory/2360-127-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e29-128.dat family_berbew behavioral2/files/0x0006000000022e2b-134.dat family_berbew behavioral2/memory/1568-135-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2b-136.dat family_berbew behavioral2/files/0x0006000000022e2d-142.dat family_berbew behavioral2/files/0x0006000000022e2d-143.dat family_berbew behavioral2/files/0x0006000000022e2f-151.dat family_berbew behavioral2/files/0x0006000000022e2f-150.dat family_berbew behavioral2/files/0x0006000000022e31-158.dat family_berbew behavioral2/memory/1980-152-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/memory/3120-159-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e31-160.dat family_berbew behavioral2/memory/4028-144-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral2/files/0x0006000000022e34-166.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3512 Qoifflkg.exe 4104 Qhakoa32.exe 3668 Ajqgidij.exe 4416 Acilajpk.exe 1564 Amaqjp32.exe 2520 Afjeceml.exe 4528 Aobilkcl.exe 3184 Amfjeobf.exe 212 Ajjjocap.exe 5044 Bgnkhg32.exe 4460 Bqfoamfj.exe 1728 Bjodjb32.exe 4228 Bmomlnjk.exe 828 Bmbiamhi.exe 1416 Bggnof32.exe 2360 Cgjjdf32.exe 1568 Cabomkll.exe 4028 Cfogeb32.exe 1980 Cadlbk32.exe 3120 Cfadkb32.exe 2480 Cfcqpa32.exe 512 Cpleig32.exe 2888 Cjaifp32.exe 5048 Dfhjkabi.exe 2972 Dmbbhkjf.exe 1400 Diicml32.exe 2136 Dfmcfp32.exe 940 Dpehof32.exe 1348 Dmihij32.exe 2580 Djmibn32.exe 4912 Edemkd32.exe 4304 Edhjqc32.exe 3208 Empoiimf.exe 468 Efhcbodf.exe 3216 Edmclccp.exe 648 Fineoi32.exe 4780 Fdcjlb32.exe 4132 Fknbil32.exe 1752 Fpjjac32.exe 3628 Fkpool32.exe 1908 Fajgkfio.exe 4368 Fmqgpgoc.exe 4200 Gpaqbbld.exe 1368 Gdafnpqh.exe 1756 Gddbcp32.exe 3516 Gahcmd32.exe 4232 Hgelek32.exe 3660 Hajpbckl.exe 3820 Hkbdki32.exe 1396 Hdkidohn.exe 1804 Hkeaqi32.exe 1592 Haoimcgg.exe 4444 Hjjnae32.exe 4360 Hhknpmma.exe 1264 Hacbhb32.exe 4208 Ijogmdqm.exe 2304 Iddljmpc.exe 4632 Inmpcc32.exe 3932 Idghpmnp.exe 4952 Ijcahd32.exe 4832 Ijfnmc32.exe 1108 Ihgnkkbd.exe 4492 Indfca32.exe 3536 Jhijqj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Acilajpk.exe Ajqgidij.exe File created C:\Windows\SysWOW64\Gngeik32.exe Eqncnj32.exe File opened for modification C:\Windows\SysWOW64\Kkpnga32.exe Kdffjgpj.exe File created C:\Windows\SysWOW64\Ghjlocgj.dll Hmecba32.exe File created C:\Windows\SysWOW64\Knfepldb.exe Kleiid32.exe File created C:\Windows\SysWOW64\Mhgfdmle.exe Process not Found File created C:\Windows\SysWOW64\Elaobdmm.exe Dalkek32.exe File opened for modification C:\Windows\SysWOW64\Kkdoje32.exe Kifcnjpi.exe File created C:\Windows\SysWOW64\Haaqllnf.dll Pmbcik32.exe File created C:\Windows\SysWOW64\Pgdgmm32.dll Pocpqcpm.exe File created C:\Windows\SysWOW64\Hcicbg32.dll Process not Found File created C:\Windows\SysWOW64\Mefmbbod.exe Process not Found File created C:\Windows\SysWOW64\Pphjbgfj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ljhefhha.exe Lcnmin32.exe File created C:\Windows\SysWOW64\Anclekni.dll Nboiekjd.exe File created C:\Windows\SysWOW64\Lilbdcfe.exe Lbbjhini.exe File created C:\Windows\SysWOW64\Acemfcjn.dll Process not Found File created C:\Windows\SysWOW64\Jmnhamog.dll Process not Found File created C:\Windows\SysWOW64\Ifkqol32.dll Jddiegbm.exe File created C:\Windows\SysWOW64\Eghimo32.exe Eanqpdgi.exe File created C:\Windows\SysWOW64\Poohao32.dll Process not Found File created C:\Windows\SysWOW64\Npjelo32.exe Process not Found File created C:\Windows\SysWOW64\Ahhjomjk.dll Ocihgnam.exe File created C:\Windows\SysWOW64\Eccoloed.dll Mbpfig32.exe File created C:\Windows\SysWOW64\Amhopf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hlepcdoa.exe Hekgfj32.exe File opened for modification C:\Windows\SysWOW64\Nqdlpmce.exe Process not Found File created C:\Windows\SysWOW64\Aooolbep.exe Qmnbej32.exe File created C:\Windows\SysWOW64\Jghnge32.dll Neclpamg.exe File created C:\Windows\SysWOW64\Hjdcfp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Domdjj32.exe Bohbhmfm.exe File created C:\Windows\SysWOW64\Aqdbfa32.exe Ajjjjghg.exe File created C:\Windows\SysWOW64\Mlcaiklc.dll Mmokpglb.exe File created C:\Windows\SysWOW64\Aljmal32.exe Akipic32.exe File opened for modification C:\Windows\SysWOW64\Nildajdg.exe Process not Found File created C:\Windows\SysWOW64\Gahcmd32.exe Gddbcp32.exe File created C:\Windows\SysWOW64\Enkjji32.dll Mahnhhod.exe File opened for modification C:\Windows\SysWOW64\Pllgnl32.exe Oeaoab32.exe File created C:\Windows\SysWOW64\Flgadake.exe Fiheheka.exe File created C:\Windows\SysWOW64\Npfnef32.dll Feofmf32.exe File opened for modification C:\Windows\SysWOW64\Clfdcgkj.exe Process not Found File created C:\Windows\SysWOW64\Jaddoaap.dll Fkpool32.exe File opened for modification C:\Windows\SysWOW64\Hpnoncim.exe Hehkajig.exe File opened for modification C:\Windows\SysWOW64\Bqdlmo32.exe Bjkcqdje.exe File created C:\Windows\SysWOW64\Aphiikma.dll Giahndcf.exe File opened for modification C:\Windows\SysWOW64\Mmahff32.exe Mjcljk32.exe File created C:\Windows\SysWOW64\Jligio32.dll Process not Found File created C:\Windows\SysWOW64\Hhknpmma.exe Hjjnae32.exe File created C:\Windows\SysWOW64\Cmloae32.dll Process not Found File created C:\Windows\SysWOW64\Ckmacl32.dll Hiinoc32.exe File created C:\Windows\SysWOW64\Edgccoai.dll Jkajnh32.exe File created C:\Windows\SysWOW64\Ikbekfli.dll Bgdjicmn.exe File created C:\Windows\SysWOW64\Pakaab32.dll Eghimo32.exe File opened for modification C:\Windows\SysWOW64\Jidbpa32.exe Process not Found File created C:\Windows\SysWOW64\Ldhbnhlm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ldleoa32.exe Process not Found File created C:\Windows\SysWOW64\Bebkdhkf.dll Process not Found File created C:\Windows\SysWOW64\Pbjnik32.dll Fbajbi32.exe File opened for modification C:\Windows\SysWOW64\Ljlagndl.exe Process not Found File created C:\Windows\SysWOW64\Miaboe32.exe Mbgjbkfg.exe File opened for modification C:\Windows\SysWOW64\Bfendmoc.exe Bokehc32.exe File opened for modification C:\Windows\SysWOW64\Amaqjp32.exe Acilajpk.exe File created C:\Windows\SysWOW64\Gekmam32.dll Dmihij32.exe File opened for modification C:\Windows\SysWOW64\Abmjqe32.exe Aalmimfd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kghjhemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omegjomb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfoamp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oianmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhbbmim.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poohao32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cicdai32.dll" Jibmgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jihbip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmokpglb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhkgpjqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolbfo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Locnlmoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpckhnk.dll" Mhckcgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eacaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjbjg32.dll" Acdeneij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmakofh.dll" Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knkokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebihiaml.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kecabifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afockelf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nboiekjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlghoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjaleemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idkpmgjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eakdje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpmgll32.dll" Iddljmpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhiofap.dll" Jgogbgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acokhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgnkhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikcmmjkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjoqack.dll" Clhbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkeej32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkfia32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbphinj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll" Haodle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcfhlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oeaoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpgdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdobhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coiaiakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Padnaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejmkiiha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkmioc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmphaaln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppffec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihnci32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjnik32.dll" Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bomknp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnlmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcneeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkaeih32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2660 wrote to memory of 3512 2660 NEAS.b83167734464e7c3c7b91335ab150b80.exe 88 PID 2660 wrote to memory of 3512 2660 NEAS.b83167734464e7c3c7b91335ab150b80.exe 88 PID 2660 wrote to memory of 3512 2660 NEAS.b83167734464e7c3c7b91335ab150b80.exe 88 PID 3512 wrote to memory of 4104 3512 Qoifflkg.exe 89 PID 3512 wrote to memory of 4104 3512 Qoifflkg.exe 89 PID 3512 wrote to memory of 4104 3512 Qoifflkg.exe 89 PID 4104 wrote to memory of 3668 4104 Qhakoa32.exe 90 PID 4104 wrote to memory of 3668 4104 Qhakoa32.exe 90 PID 4104 wrote to memory of 3668 4104 Qhakoa32.exe 90 PID 3668 wrote to memory of 4416 3668 Ajqgidij.exe 91 PID 3668 wrote to memory of 4416 3668 Ajqgidij.exe 91 PID 3668 wrote to memory of 4416 3668 Ajqgidij.exe 91 PID 4416 wrote to memory of 1564 4416 Acilajpk.exe 92 PID 4416 wrote to memory of 1564 4416 Acilajpk.exe 92 PID 4416 wrote to memory of 1564 4416 Acilajpk.exe 92 PID 1564 wrote to memory of 2520 1564 Amaqjp32.exe 93 PID 1564 wrote to memory of 2520 1564 Amaqjp32.exe 93 PID 1564 wrote to memory of 2520 1564 Amaqjp32.exe 93 PID 2520 wrote to memory of 4528 2520 Afjeceml.exe 94 PID 2520 wrote to memory of 4528 2520 Afjeceml.exe 94 PID 2520 wrote to memory of 4528 2520 Afjeceml.exe 94 PID 4528 wrote to memory of 3184 4528 Aobilkcl.exe 95 PID 4528 wrote to memory of 3184 4528 Aobilkcl.exe 95 PID 4528 wrote to memory of 3184 4528 Aobilkcl.exe 95 PID 3184 wrote to memory of 212 3184 Amfjeobf.exe 96 PID 3184 wrote to memory of 212 3184 Amfjeobf.exe 96 PID 3184 wrote to memory of 212 3184 Amfjeobf.exe 96 PID 212 wrote to memory of 5044 212 Ajjjocap.exe 97 PID 212 wrote to memory of 5044 212 Ajjjocap.exe 97 PID 212 wrote to memory of 5044 212 Ajjjocap.exe 97 PID 5044 wrote to memory of 4460 5044 Bgnkhg32.exe 98 PID 5044 wrote to memory of 4460 5044 Bgnkhg32.exe 98 PID 5044 wrote to memory of 4460 5044 Bgnkhg32.exe 98 PID 4460 wrote to memory of 1728 4460 Bqfoamfj.exe 99 PID 4460 wrote to memory of 1728 4460 Bqfoamfj.exe 99 PID 4460 wrote to memory of 1728 4460 Bqfoamfj.exe 99 PID 1728 wrote to memory of 4228 1728 Bjodjb32.exe 100 PID 1728 wrote to memory of 4228 1728 Bjodjb32.exe 100 PID 1728 wrote to memory of 4228 1728 Bjodjb32.exe 100 PID 4228 wrote to memory of 828 4228 Bmomlnjk.exe 101 PID 4228 wrote to memory of 828 4228 Bmomlnjk.exe 101 PID 4228 wrote to memory of 828 4228 Bmomlnjk.exe 101 PID 828 wrote to memory of 1416 828 Bmbiamhi.exe 102 PID 828 wrote to memory of 1416 828 Bmbiamhi.exe 102 PID 828 wrote to memory of 1416 828 Bmbiamhi.exe 102 PID 1416 wrote to memory of 2360 1416 Bggnof32.exe 103 PID 1416 wrote to memory of 2360 1416 Bggnof32.exe 103 PID 1416 wrote to memory of 2360 1416 Bggnof32.exe 103 PID 2360 wrote to memory of 1568 2360 Cgjjdf32.exe 104 PID 2360 wrote to memory of 1568 2360 Cgjjdf32.exe 104 PID 2360 wrote to memory of 1568 2360 Cgjjdf32.exe 104 PID 1568 wrote to memory of 4028 1568 Cabomkll.exe 105 PID 1568 wrote to memory of 4028 1568 Cabomkll.exe 105 PID 1568 wrote to memory of 4028 1568 Cabomkll.exe 105 PID 4028 wrote to memory of 1980 4028 Cfogeb32.exe 106 PID 4028 wrote to memory of 1980 4028 Cfogeb32.exe 106 PID 4028 wrote to memory of 1980 4028 Cfogeb32.exe 106 PID 1980 wrote to memory of 3120 1980 Cadlbk32.exe 107 PID 1980 wrote to memory of 3120 1980 Cadlbk32.exe 107 PID 1980 wrote to memory of 3120 1980 Cadlbk32.exe 107 PID 3120 wrote to memory of 2480 3120 Cfadkb32.exe 108 PID 3120 wrote to memory of 2480 3120 Cfadkb32.exe 108 PID 3120 wrote to memory of 2480 3120 Cfadkb32.exe 108 PID 2480 wrote to memory of 512 2480 Cfcqpa32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.b83167734464e7c3c7b91335ab150b80.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b83167734464e7c3c7b91335ab150b80.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe23⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe24⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe25⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe26⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe27⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe28⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe29⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe31⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe32⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe33⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe34⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe35⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe36⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe37⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe38⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe39⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe40⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3628 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe42⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe43⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe44⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe45⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe47⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe48⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe49⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe50⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe51⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe52⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe53⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4444 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe55⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe57⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe59⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe60⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe61⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe62⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe63⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe64⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe65⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe66⤵PID:2324
-
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe67⤵PID:2432
-
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe68⤵
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe69⤵PID:3424
-
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe70⤵PID:4480
-
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe71⤵PID:2416
-
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe72⤵
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe73⤵PID:4752
-
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe74⤵
- Modifies registry class
PID:3596 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe75⤵PID:4308
-
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe76⤵PID:2008
-
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe77⤵PID:3808
-
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe78⤵PID:2512
-
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe79⤵PID:2780
-
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe80⤵PID:4812
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe81⤵PID:5128
-
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5172 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe83⤵
- Modifies registry class
PID:5212 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe84⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe85⤵PID:5320
-
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe86⤵PID:5372
-
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe87⤵PID:5408
-
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5456 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe89⤵PID:5516
-
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe90⤵PID:5568
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe91⤵PID:5624
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe92⤵PID:5672
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe93⤵PID:5716
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe94⤵PID:5776
-
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe95⤵PID:5820
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe96⤵PID:5872
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe97⤵PID:5920
-
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe98⤵
- Drops file in System32 directory
PID:5968 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe99⤵PID:6012
-
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe100⤵
- Drops file in System32 directory
PID:6052 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe101⤵PID:6096
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe102⤵PID:3548
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe103⤵PID:5200
-
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe104⤵PID:5300
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe105⤵PID:5364
-
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe106⤵PID:5496
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5528 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe108⤵PID:5604
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe109⤵PID:5696
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe110⤵PID:5768
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe111⤵PID:5856
-
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe112⤵PID:5928
-
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe113⤵PID:6004
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe114⤵PID:6080
-
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe115⤵PID:4136
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe116⤵PID:5244
-
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe117⤵PID:5312
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe118⤵PID:5536
-
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe119⤵PID:5656
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe120⤵PID:5800
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe121⤵PID:5908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-