Analysis
max time kernel: 148s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2023, 14:20
Behavioral task: behavioral1
Sample: NEAS.d25129dfad050228ccc2a6572c195b40.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: NEAS.d25129dfad050228ccc2a6572c195b40.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.d25129dfad050228ccc2a6572c195b40.exe
Size: 305KB
MD5: d25129dfad050228ccc2a6572c195b40
SHA1: 5d8fed39d448df54a2d26849ffb2d065e9c7cd4e
SHA256: fb7dc7cd2ce60ad53cf0b296d017df45ee29bd7dee5b891a969d44fcafd72d51
SHA512: 80054980d97e03a941e9c603f56a40ec6aa52473606baab327ecbc3d11e021476af070ec42c165da948306f1edcc557e030abff5dc63c85545db8f7be777e91d
SSDEEP: 6144:Wj70v0AGNxunXe8yhrtMsQBvli+RQFdq:Wj70evAO8qRMsrOQF
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
At logon Explorer instantiates every COM class listed under ShellServiceObjectDelayLoad (SSODL) and thereby loads that class's InProcServer32 DLL. The "Web Event Logger" value below names CLSID {79ECA078-17FF-726B-E811-213280E5C831}; the "Modifies registry class" section further down shows that CLSID being pointed at the droppers' DLLs, which completes the persistence chain. The droppers are 32-bit, so their writes land under WOW6432Node. All 64 entries touch the same key and value:

K = Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
V = Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"

ioc | Process
V | Oflfoepg.exe
K | Khlinedh.exe
K | Cknnjcmo.exe
V | Kemhpl32.exe
K | Pjnbfmom.exe
V | Jnhphg32.exe
K | Lnnakg32.exe
K | Acjjpllp.exe
V | Cdaigi32.exe
K | Kifhkkci.exe
V | Pncanhaf.exe
K | Mphfjhjf.exe
K | Holfhfij.exe
K | Dcdnce32.exe
V | Oopjchnh.exe
K | Kafcmglb.exe
V | Cfedmfqd.exe
K | Gjdknjep.exe
K | Dkmebh32.exe
K | Fbcfan32.exe
K | Qmccecfp.exe
V | Mjjkkghp.exe
K | Gbiomqjh.exe
V | Bbofpk32.exe
V | Ifcpgiji.exe
K | Gnckjbfj.exe
V | Iickdgpb.exe
K | Ighfgodn.exe
V | Knofif32.exe
K | Mniafbfn.exe
K | Bbofpk32.exe
V | Gjdknjep.exe
V | Pfjgbapo.exe
K | Kgenlldo.exe
V | Malgmm32.exe
K | Bcddlhgo.exe
V | Fjfegl32.exe
V | Fbpcah32.exe
V | Hoaocf32.exe
V | Agaoca32.exe
V | Ifckkhfi.exe
V | Macdgn32.exe
K | Kplmenpl.exe
K | Djqbeonf.exe
K | Gkdaij32.exe
V | Mnanpfdo.exe
K | Nfnooe32.exe
K | Ppdbfpaa.exe
K | Fddqpn32.exe
V | Jifemfcl.exe
V | Aiifeg32.exe
V | Edmhai32.exe
V | Ejnbdp32.exe
V | Kddpnpdn.exe
V | Nclbjk32.exe
V | Gljgkb32.exe
V | Cnodmijd.exe
V | Lemoid32.exe
K | Cefega32.exe
V | Llbphdfl.exe
K | Blhpjnbe.exe
K | Afmhma32.exe
V | Gehbcb32.exe
K | Ddfbaj32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers.

yara_rule: family_berbew matched every resource below (all from behavioral2, the Windows 10 run). Each memory hit covers 0x0000000000400000-0x0000000000443000 in the named process.

resource
behavioral2/memory/2980-0-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0008000000022cc9-6.dat
behavioral2/memory/2232-8-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0008000000022cc9-7.dat
behavioral2/files/0x0006000000022cdb-14.dat
behavioral2/files/0x0006000000022cdb-16.dat
behavioral2/memory/1680-15-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022cde-22.dat
behavioral2/memory/1052-23-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022cde-24.dat
behavioral2/files/0x0006000000022ce0-30.dat
behavioral2/memory/536-32-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022ce0-31.dat
behavioral2/files/0x0006000000022ce3-38.dat
behavioral2/memory/2004-39-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022ce3-40.dat
behavioral2/files/0x0006000000022ce5-46.dat
behavioral2/files/0x0006000000022ce5-48.dat
behavioral2/memory/3748-47-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022ce7-54.dat
behavioral2/files/0x0006000000022ce7-56.dat
behavioral2/memory/4596-55-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0008000000022cd3-63.dat
behavioral2/files/0x0008000000022cd3-62.dat
behavioral2/memory/1960-64-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022cf0-70.dat
behavioral2/files/0x0006000000022cf0-71.dat
behavioral2/memory/4420-72-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022cc3-78.dat
behavioral2/memory/4684-79-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022cc3-80.dat
behavioral2/files/0x0009000000022cd6-81.dat
behavioral2/files/0x0009000000022cd6-86.dat
behavioral2/memory/4604-88-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0009000000022cd6-87.dat
behavioral2/files/0x0009000000022ceb-94.dat
behavioral2/memory/3204-95-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0009000000022ceb-96.dat
behavioral2/files/0x0007000000022ced-97.dat
behavioral2/files/0x0007000000022ced-102.dat
behavioral2/memory/1392-103-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022ced-104.dat
behavioral2/files/0x0006000000022cf4-110.dat
behavioral2/memory/2212-111-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022cf4-112.dat
behavioral2/files/0x0006000000022cf6-118.dat
behavioral2/memory/4768-119-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022cf6-120.dat
behavioral2/files/0x0006000000022cf8-126.dat
behavioral2/memory/3352-127-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022cf8-128.dat
behavioral2/files/0x0006000000022cfa-134.dat
behavioral2/memory/1000-136-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022cfa-135.dat
behavioral2/files/0x0006000000022cfc-142.dat
behavioral2/memory/4888-143-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022cfc-144.dat
behavioral2/files/0x0006000000022cfe-150.dat
behavioral2/memory/740-151-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022cfe-152.dat
behavioral2/files/0x0006000000022d01-158.dat
behavioral2/memory/2624-159-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d01-160.dat
behavioral2/files/0x0006000000022d03-166.dat
Executes dropped EXE (64 IoCs)

pid | Process
2232 | Mhmcck32.exe
1680 | Pbdmdlie.exe
1052 | Agaoca32.exe
536 | Bpomem32.exe
2004 | Beobcdoi.exe
3748 | Bfpkbfdi.exe
4596 | Cfedmfqd.exe
1960 | Cppelkeb.exe
4420 | Dimcppgm.exe
4684 | Dbjade32.exe
4604 | Efopjbjg.exe
3204 | Fbjjkble.exe
1392 | Ghqeihbb.exe
2212 | Gjdknjep.exe
4768 | Hllkqdli.exe
3352 | Ifckkhfi.exe
1000 | Kplijk32.exe
4888 | Lpbokjho.exe
740 | Mpchbhjl.exe
2624 | Nfaijand.exe
4744 | Nalgbi32.exe
4168 | Omjnhiiq.exe
3096 | Okpkgm32.exe
4968 | Pncanhaf.exe
4628 | Paaidf32.exe
4932 | Pknghk32.exe
1356 | Akenij32.exe
2132 | Ababkdij.exe
4456 | Bbkeacqo.exe
3480 | Bjkcqdje.exe
2708 | Capkim32.exe
5032 | Dgomaf32.exe
4688 | Eeomfioh.exe
1100 | Ejnbdp32.exe
4912 | Fhbbmc32.exe
2968 | Fajgfiag.exe
4348 | Fhkecb32.exe
948 | Fbqiak32.exe
1376 | Gaffbg32.exe
3744 | Hllcfnhm.exe
2128 | Hhbdko32.exe
1312 | Icdhdfcj.exe
896 | Jjpmfpid.exe
3984 | Koiejemn.exe
384 | Kblkap32.exe
2028 | Lfjchn32.exe
768 | Mmokpglb.exe
1824 | Mboqnm32.exe
5044 | Mcnmhpoj.exe
1164 | Mmfaafej.exe
2208 | Mbcjimda.exe
4820 | Nfcoekhe.exe
4892 | Nbjpjl32.exe
1632 | Njceqili.exe
4816 | Opefdo32.exe
2908 | Ppafpm32.exe
4408 | Pindcboi.exe
3340 | Pcfhlh32.exe
2492 | Qpjifl32.exe
3788 | Akgcdc32.exe
1128 | Aljmal32.exe
680 | Agpqnd32.exe
2000 | Cjlilndf.exe
3360 | Ccendc32.exe
Drops file in System32 directory (64 IoCs)
Every entry is a File created or File opened for modification event on an .exe or .dll placed directly in C:\Windows\SysWOW64.

description | ioc | Process
File created | C:\Windows\SysWOW64\Pbhghdkf.dll | Ifbbbl32.exe
File created | C:\Windows\SysWOW64\Oqlkon32.dll | Bmpaad32.exe
File created | C:\Windows\SysWOW64\Nnpjdfpb.exe | Nmommn32.exe
File created | C:\Windows\SysWOW64\Cdoegcfl.exe | Cnbmolhd.exe
File opened for modification | C:\Windows\SysWOW64\Ibcadcgf.exe | Iikmlnae.exe
File opened for modification | C:\Windows\SysWOW64\Faholm32.exe | Ecgone32.exe
File created | C:\Windows\SysWOW64\Mbcjimda.exe | Mmfaafej.exe
File opened for modification | C:\Windows\SysWOW64\Eiobmjkd.exe | Epgndedc.exe
File opened for modification | C:\Windows\SysWOW64\Glpmkm32.exe | Gfcebf32.exe
File created | C:\Windows\SysWOW64\Dknnhekd.exe | Ddcekk32.exe
File created | C:\Windows\SysWOW64\Hfacai32.exe | Hcpjpn32.exe
File opened for modification | C:\Windows\SysWOW64\Immhdc32.exe | Ifcpgiji.exe
File created | C:\Windows\SysWOW64\Geenclkn.exe | Gohfkemf.exe
File created | C:\Windows\SysWOW64\Ibqpio32.dll | Nkmmbe32.exe
File opened for modification | C:\Windows\SysWOW64\Hbchnfei.exe | Goepgg32.exe
File opened for modification | C:\Windows\SysWOW64\Ojjfpjjj.exe | Okeinn32.exe
File created | C:\Windows\SysWOW64\Pjcnjl32.dll | Kemhpl32.exe
File created | C:\Windows\SysWOW64\Njinfk32.exe | Napjnfik.exe
File created | C:\Windows\SysWOW64\Boijog32.dll | Fajgfiag.exe
File created | C:\Windows\SysWOW64\Lmqggncn.exe | Kdffiinp.exe
File created | C:\Windows\SysWOW64\Keioln32.dll | Daaiml32.exe
File opened for modification | C:\Windows\SysWOW64\Bhnqoo32.exe | Bbdhbepl.exe
File created | C:\Windows\SysWOW64\Dfglpjqo.exe | Dnpdom32.exe
File created | C:\Windows\SysWOW64\Appdbegc.dll | Bbcpkjkg.exe
File created | C:\Windows\SysWOW64\Eeomfioh.exe | Eihlahjd.exe
File created | C:\Windows\SysWOW64\Aljmal32.exe | Akgcdc32.exe
File opened for modification | C:\Windows\SysWOW64\Nfeepdbg.exe | Nfnooe32.exe
File created | C:\Windows\SysWOW64\Ajqmddce.dll | Pncanhaf.exe
File opened for modification | C:\Windows\SysWOW64\Ababkdij.exe | Akenij32.exe
File opened for modification | C:\Windows\SysWOW64\Lckicnei.exe | Lnnakg32.exe
File created | C:\Windows\SysWOW64\Kafcmglb.exe | Jlikdq32.exe
File created | C:\Windows\SysWOW64\Hbnjfefo.exe | Gfimpfmj.exe
File opened for modification | C:\Windows\SysWOW64\Phfjmlhh.exe | Pehnaqid.exe
File created | C:\Windows\SysWOW64\Fbbnfjom.dll | Nnojad32.exe
File created | C:\Windows\SysWOW64\Hjlddclp.dll | Cngnbfid.exe
File created | C:\Windows\SysWOW64\Peeakakg.exe | Phaabm32.exe
File created | C:\Windows\SysWOW64\Afhaeflb.dll | Omkmhlpf.exe
File created | C:\Windows\SysWOW64\Gmcdolbn.exe | Ghflgedf.exe
File created | C:\Windows\SysWOW64\Cbaqmd32.dll | Hpiobc32.exe
File opened for modification | C:\Windows\SysWOW64\Lpbokjho.exe | Kplijk32.exe
File opened for modification | C:\Windows\SysWOW64\Nofmndkd.exe | Nqdlpmce.exe
File created | C:\Windows\SysWOW64\Kfbeee32.dll | Bkoiqjdj.exe
File created | C:\Windows\SysWOW64\Igabdekb.exe | Ihlechfj.exe
File created | C:\Windows\SysWOW64\Mpgbleck.dll | Lhhchi32.exe
File created | C:\Windows\SysWOW64\Obnlpnbm.exe | Nbkojo32.exe
File opened for modification | C:\Windows\SysWOW64\Dkcehaof.exe | Dfglpjqo.exe
File opened for modification | C:\Windows\SysWOW64\Pjhihm32.exe | Pqoepgca.exe
File opened for modification | C:\Windows\SysWOW64\Mmfaafej.exe | Mcnmhpoj.exe
File created | C:\Windows\SysWOW64\Inolkblc.dll | Haclio32.exe
File created | C:\Windows\SysWOW64\Gfimpfmj.exe | Fkcibnmd.exe
File created | C:\Windows\SysWOW64\Dmnhgdjo.exe | Dkokma32.exe
File opened for modification | C:\Windows\SysWOW64\Dmcabd32.exe | Dbnmek32.exe
File created | C:\Windows\SysWOW64\Aampgb32.dll | Emoanbll.exe
File opened for modification | C:\Windows\SysWOW64\Ipplmh32.exe | Hifcqo32.exe
File created | C:\Windows\SysWOW64\Nqlbqlmm.exe | Nqifkl32.exe
File created | C:\Windows\SysWOW64\Opfedb32.exe | Oaeegjeb.exe
File created | C:\Windows\SysWOW64\Iaicpdqi.dll | Lnlloj32.exe
File created | C:\Windows\SysWOW64\Ldjjhh32.dll | Eglkhk32.exe
File created | C:\Windows\SysWOW64\Halhpkbp.exe | Hajkjkdb.exe
File created | C:\Windows\SysWOW64\Aadgadai.exe | Afocdkac.exe
File created | C:\Windows\SysWOW64\Aecpnk32.dll | Eglkmh32.exe
File created | C:\Windows\SysWOW64\Koggehff.exe | Kobnji32.exe
File opened for modification | C:\Windows\SysWOW64\Cdmokljp.exe | Cigknc32.exe
File created | C:\Windows\SysWOW64\Hgapfpjf.exe | Hjmomkll.exe
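A host-side sweep for this drop pattern, added here as an example and not part of the sandbox report: it lists the .exe and .dll files directly in SysWOW64 that were created inside a lookback window and whose names fit the eight-character naming seen above (six letters plus two letters or "32", e.g. Mhmcck32.exe, Pbhghdkf.dll), then records Authenticode status and SHA256 for each. The lookback window, the name regex and the -UnsignedOnly switch are tuning assumptions, not indicators taken from the report. Run it from an elevated PowerShell 5.1 or later prompt on the suspect host.

```powershell
# Added example, not from the sandbox report. Sweeps SysWOW64 for recently created
# .exe/.dll files whose names match the dropper pattern seen in this report
# (six letters followed by two letters or "32", e.g. Mhmcck32.exe, Pbhghdkf.dll).
# Assumptions: -LookbackHours and -NamePattern are tuning choices, not report indicators.

function Find-SuspiciousSysWow64Drops {
    [CmdletBinding()]
    param(
        [int]    $LookbackHours = 72,
        [string] $Directory     = (Join-Path $env:SystemRoot 'SysWOW64'),
        [string] $NamePattern   = '^[A-Za-z]{6}(32|[A-Za-z]{2})\.(exe|dll)$',
        [switch] $UnsignedOnly
    )

    $since = (Get-Date).AddHours(-$LookbackHours)

    # Only files directly in the directory: the report shows no subdirectories being used.
    Get-ChildItem -LiteralPath $Directory -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Extension -in '.exe', '.dll') -and
            ($_.CreationTime -ge $since) -and
            ($_.Name -match $NamePattern)
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name       = $_.Name
                CreatedUtc = $_.CreationTimeUtc
                Bytes      = $_.Length
                Signature  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            }
        } |
        Where-Object { (-not $UnsignedOnly) -or ($_.Signature -ne 'Valid') } |
        Sort-Object CreatedUtc
}

# Usage: widen the window if the first detection is older than three days.
Find-SuspiciousSysWow64Drops -LookbackHours 72 -UnsignedOnly | Format-Table -AutoSize
```

Microsoft's own SysWOW64 binaries are embedded- or catalog-signed, so -UnsignedOnly removes most of the noise; drop the switch if the analysis host cannot validate catalog signatures and triage on name and creation time instead. Because every stage drops a freshly named file, compare the SHA256 column against the hashes in the General section but expect the match to come from the file-drop IoCs above rather than from a single hash.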
Modifies registry class (64 IoCs)
Every entry registers the same COM class, {79ECA078-17FF-726B-E811-213280E5C831}, which is the CLSID named by the "Web Event Logger" SSODL value above. Each dropper in the chain re-points the class's InProcServer32 (default) value at its own DLL in SysWOW64 and sets ThreadingModel = "Apartment", so Explorer loads whichever DLL was registered last. All paths are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32.

description | ioc | Process
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Fflpgl32.dll" | Bimoecio.exe
Key created | InProcServer32 | Cknnjcmo.exe
Set value (str) | ThreadingModel = "Apartment" | Femndhgh.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Eomjgpen.dll" | Clnanlhn.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Qbdaqe32.dll" | Acfhkj32.exe
Set value (str) | ThreadingModel = "Apartment" | Cfnqdale.exe
Set value (str) | ThreadingModel = "Apartment" | Doeifpkk.exe
Set value (str) | ThreadingModel = "Apartment" | Ndcoeq32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Fljbhqih.dll" | Dggkbeof.exe
Set value (str) | ThreadingModel = "Apartment" | Idceim32.exe
Key created | InProcServer32 | Kcikagij.exe
Set value (str) | ThreadingModel = "Apartment" | Opefdo32.exe
Key created | InProcServer32 | Ifcpgiji.exe
Set value (str) | ThreadingModel = "Apartment" | Akoqjl32.exe
Set value (str) | ThreadingModel = "Apartment" | Bfenncdp.exe
Key created | InProcServer32 | Gmqgjl32.exe
Set value (str) | ThreadingModel = "Apartment" | Pdalfo32.exe
Key created | InProcServer32 | Aohpek32.exe
Key created | InProcServer32 | Hmkiqn32.exe
Set value (str) | ThreadingModel = "Apartment" | Bbmjjk32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Demikn32.dll" | Ecefjckj.exe
Set value (str) | ThreadingModel = "Apartment" | Ilfehcnp.exe
Set value (str) | ThreadingModel = "Apartment" | Lpeplmha.exe
Key created | InProcServer32 | Fkpoha32.exe
Key created | InProcServer32 | Iikmlnae.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Dbbcmdai.dll" | Ebapednb.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Amagqp32.dll" | Dgliapic.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ocmdak32.dll" | Bffkcp32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Baaoen32.dll" | Ihlechfj.exe
Set value (str) | ThreadingModel = "Apartment" | Fmlnomif.exe
Key created | InProcServer32 | Gdglfqjd.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Gpciecgl.dll" | Hpjlgp32.exe
Set value (str) | ThreadingModel = "Apartment" | Mmkdlbea.exe
Key created | InProcServer32 | Edmhai32.exe
Key created | InProcServer32 | Nkmmbe32.exe
Set value (str) | ThreadingModel = "Apartment" | Nqifkl32.exe
Key created | InProcServer32 | Ppphkq32.exe
Set value (str) | ThreadingModel = "Apartment" | Dkmebh32.exe
Set value (str) | ThreadingModel = "Apartment" | Hbbmgn32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Qjgdgdma.dll" | Bfenncdp.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Pmeqhd32.dll" | Cmabpmjj.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Jimccgda.dll" | Glpmkm32.exe
Key created | InProcServer32 | Ogcnfheb.exe
Key created | InProcServer32 | Bbljoh32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Gfkdjn32.dll" | Jdembk32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bjlfpchn.dll" | Bnfmcn32.exe
Key created | InProcServer32 | Daiegp32.exe
Key created | InProcServer32 | Lpeplmha.exe
Set value (str) | ThreadingModel = "Apartment" | Fbjjkble.exe
Key created | InProcServer32 | Iiipfnch.exe
Set value (str) | ThreadingModel = "Apartment" | Piapehkd.exe
Set value (str) | ThreadingModel = "Apartment" | Acfhkj32.exe
Key created | InProcServer32 | Ibadoc32.exe
Set value (str) | ThreadingModel = "Apartment" | Pjhihm32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Pbnhma32.dll" | Abhqolee.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Cjkoodog.dll" | Klfjbpmn.exe
Set value (str) | ThreadingModel = "Apartment" | Bqdbec32.exe
Key created | InProcServer32 | Hbchnfei.exe
Key created | InProcServer32 | Ekddidel.exe
Key created | InProcServer32 | Pojccmii.exe
Set value (str) | ThreadingModel = "Apartment" | Icdhojka.exe
Key created | InProcServer32 | Nfcoekhe.exe
Key created | InProcServer32 | Hcpjpn32.exe
Set value (str) | ThreadingModel = "Apartment" | Ihlechfj.exe
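The two registry signatures, the SSODL value under "Adds autorun key to be loaded by Explorer.exe on startup" and the CLSID registration in this section, are the two halves of one load chain, and the check below walks that chain on a live host. It is an added example, not part of the sandbox report or of any Triage tooling: for every value under ShellServiceObjectDelayLoad in both the native and the WOW6432Node views it resolves the CLSID's InProcServer32 (default) value to a DLL path, then reports the DLL's signature status and creation time. The $KnownBadClsid list is seeded only with the CLSID shown in this report; beyond that it flags anything Explorer would load that is not validly signed. Run it from an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example, not from the sandbox report. Walks the persistence chain this report
# shows: ShellServiceObjectDelayLoad (SSODL) value -> CLSID -> InProcServer32 DLL, in
# both the native and the WOW6432Node registry views, and reports what Explorer loads.
# Assumption: $KnownBadClsid is seeded only with the CLSID from this report.

$KnownBadClsid = @('{79ECA078-17FF-726B-E811-213280E5C831}')

function Get-SsodlLoadChain {
    # A 32-bit process writing HKLM\SOFTWARE\...\ShellServiceObjectDelayLoad and
    # HKLM\SOFTWARE\Classes\CLSID is redirected to WOW6432Node in both places,
    # so each SSODL view is paired with the matching Classes view.
    $views = @(
        @{ Arch  = 'x64'
           Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Arch  = 'x86 (WOW64)'
           Ssodl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
           Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
    )

    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Ssodl)) { continue }
        $ssodl = Get-Item -LiteralPath $v.Ssodl

        foreach ($name in $ssodl.GetValueNames()) {
            $clsid  = [string]$ssodl.GetValue($name)
            $inproc = Join-Path $v.Clsid "$clsid\InProcServer32"

            $dll = $null; $threading = $null; $created = $null
            $status = 'InProcServer32 missing'
            if (Test-Path -LiteralPath $inproc) {
                $ip        = Get-ItemProperty -LiteralPath $inproc
                $threading = $ip.ThreadingModel
                # The (default) value of InProcServer32 is the DLL Explorer will load.
                if ($ip.'(default)') {
                    $dll = [Environment]::ExpandEnvironmentVariables($ip.'(default)')
                    if (Test-Path -LiteralPath $dll) {
                        $status  = (Get-AuthenticodeSignature -FilePath $dll).Status
                        $created = (Get-Item -LiteralPath $dll).CreationTimeUtc
                    } else {
                        $status = 'DLL not on disk'
                    }
                }
            }

            [pscustomobject]@{
                View           = $v.Arch
                SsodlName      = $name
                Clsid          = $clsid
                InProcServer32 = $dll
                ThreadingModel = $threading
                DllCreatedUtc  = $created
                Signature      = $status
                KnownBad       = ($clsid -in $KnownBadClsid)
                # Anything Explorer will auto-load that is not validly signed deserves a look.
                Suspicious     = ($clsid -in $KnownBadClsid) -or ("$status" -ne 'Valid')
            }
        }
    }
}

Get-SsodlLoadChain | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Remediation follows the chain in reverse: remove the SSODL value, delete the CLSID key it names and quarantine the DLL, otherwise the next Explorer start reloads it. Sysinternals Autoruns lists SSODL entries on its Explorer tab, which is a quick cross-check for the same data.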
Suspicious use of WriteProcessMemory 64 IoCs
One row per parent/child pair. The sandbox logged every pair three times (three WriteProcessMemory records per spawned child) and the list is capped at 64 entries, which is why the final pair shows a single record. Each process in the chain writes into the memory of exactly one child, the next dropped executable, so the 64 records describe one linear lineage from the submitted sample down to Nalgbi32.exe (PID 4744) -> PID 4168.

description                        pid   Process                                    procid_target  records
PID 2980 wrote to memory of 2232   2980  NEAS.d25129dfad050228ccc2a6572c195b40.exe  93             3
PID 2232 wrote to memory of 1680   2232  Mhmcck32.exe                               94             3
PID 1680 wrote to memory of 1052   1680  Pbdmdlie.exe                               95             3
PID 1052 wrote to memory of 536    1052  Agaoca32.exe                               96             3
PID 536 wrote to memory of 2004    536   Bpomem32.exe                               97             3
PID 2004 wrote to memory of 3748   2004  Beobcdoi.exe                               98             3
PID 3748 wrote to memory of 4596   3748  Bfpkbfdi.exe                               99             3
PID 4596 wrote to memory of 1960   4596  Cfedmfqd.exe                               100            3
PID 1960 wrote to memory of 4420   1960  Cppelkeb.exe                               101            3
PID 4420 wrote to memory of 4684   4420  Dimcppgm.exe                               102            3
PID 4684 wrote to memory of 4604   4684  Dbjade32.exe                               103            3
PID 4604 wrote to memory of 3204   4604  Efopjbjg.exe                               104            3
PID 3204 wrote to memory of 1392   3204  Fbjjkble.exe                               105            3
PID 1392 wrote to memory of 2212   1392  Ghqeihbb.exe                               106            3
PID 2212 wrote to memory of 4768   2212  Gjdknjep.exe                               107            3
PID 4768 wrote to memory of 3352   4768  Hllkqdli.exe                               108            3
PID 3352 wrote to memory of 1000   3352  Ifckkhfi.exe                               109            3
PID 1000 wrote to memory of 4888   1000  Kplijk32.exe                               110            3
PID 4888 wrote to memory of 740    4888  Lpbokjho.exe                               111            3
PID 740 wrote to memory of 2624    740   Mpchbhjl.exe                               112            3
PID 2624 wrote to memory of 4744   2624  Nfaijand.exe                               113            3
PID 4744 wrote to memory of 4168   4744  Nalgbi32.exe                               114            1 (list truncated at 64)
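The lineage above can be rebuilt mechanically from the raw IoC text. The following is an added example, not code from the sandbox or the report: it parses "PID X wrote to memory of Y ..." records (a constructed sample of the first ten records from this report), collapses the triplicate entries, and checks that the result is a single linear parent-to-child chain. The regex is applied with finditer, so it also works on the run-together form the page shows.

```python
"""Rebuild process lineage from sandbox 'wrote to memory of' records.

Added example (not part of the sandbox report). Parses the IoC text of the
'Suspicious use of WriteProcessMemory' signature, collapses the duplicate
records emitted per parent/child pair, and checks that the result is one
linear chain: each dropper writes into exactly one child, the next copy.
"""
import re
from collections import Counter

# Constructed sample: the first ten records of the list above, one per line.
SAMPLE_IOCS = """\
PID 2980 wrote to memory of 2232 2980 NEAS.d25129dfad050228ccc2a6572c195b40.exe 93
PID 2980 wrote to memory of 2232 2980 NEAS.d25129dfad050228ccc2a6572c195b40.exe 93
PID 2980 wrote to memory of 2232 2980 NEAS.d25129dfad050228ccc2a6572c195b40.exe 93
PID 2232 wrote to memory of 1680 2232 Mhmcck32.exe 94
PID 2232 wrote to memory of 1680 2232 Mhmcck32.exe 94
PID 2232 wrote to memory of 1680 2232 Mhmcck32.exe 94
PID 1680 wrote to memory of 1052 1680 Pbdmdlie.exe 95
PID 1680 wrote to memory of 1052 1680 Pbdmdlie.exe 95
PID 1680 wrote to memory of 1052 1680 Pbdmdlie.exe 95
PID 1052 wrote to memory of 536 1052 Agaoca32.exe 96
"""

# One record: "PID <src> wrote to memory of <dst> <pid> <image> <procid_target>"
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)"
)


def parse_records(text):
    """Yield (source_pid, target_pid, source_image, procid_target) per record.
    finditer makes this independent of line breaks, so the run-together text
    from the report page parses the same as one-record-per-line input."""
    for m in RECORD.finditer(text):
        yield int(m["src"]), int(m["dst"]), m["image"], int(m["target"])


def build_lineage(text):
    """Return (edges, counts). edges maps parent pid -> (child pid, parent image);
    counts records how many raw entries backed each parent/child pair.
    Raises if any parent wrote into more than one distinct child."""
    edges = {}
    counts = Counter()
    for src, dst, image, _ in parse_records(text):
        if src in edges and edges[src][0] != dst:
            raise ValueError(f"pid {src} wrote to more than one child; not a linear chain")
        edges[src] = (dst, image)
        counts[(src, dst)] += 1
    return edges, counts


def find_roots(edges):
    """Pids that write to a child but were never written to: the submitted sample."""
    children = {child for child, _ in edges.values()}
    return [p for p in edges if p not in children]


def chain_from(root, edges):
    """Follow parent -> child edges from root; returns the ordered pid list."""
    chain = [root]
    seen = {root}
    while chain[-1] in edges:
        nxt = edges[chain[-1]][0]
        if nxt in seen:
            raise ValueError("cycle in lineage")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def describe_chain(chain, edges):
    """Render the chain as image(pid) -> ...; the last pid shows '?' because a
    process that never wrote to a child has no image in these records."""
    parts = []
    for pid in chain:
        image = edges[pid][1] if pid in edges else "?"
        parts.append(f"{image}({pid})")
    return " -> ".join(parts)


if __name__ == "__main__":
    edges, counts = build_lineage(SAMPLE_IOCS)
    for root in find_roots(edges):
        print(describe_chain(chain_from(root, edges), edges))
    print(dict(counts))
```

Feeding the full 64-record text of this report into build_lineage gives one root (2980) and a chain of 23 pids; the count for the last pair drops to 1 only because the display is truncated, not because the behaviour changed.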
Processes
-
One entry per process, ordered by depth in the tree; each process is the parent of the next. The image path is where the executable actually runs from, the cmdline is what the parent passed. Every dropped executable is launched with a C:\Windows\system32\ path but runs from C:\Windows\SysWOW64\, because the samples are 32-bit and WOW64 file-system redirection maps system32 to SysWOW64 for them. Signature lists are capped at 64 IoCs each, so a missing tag on a process deep in the chain ("Executes dropped EXE" is absent from depth 67 onward) does not mean the behaviour was absent.

[1] PID 2980  C:\Users\Admin\AppData\Local\Temp\NEAS.d25129dfad050228ccc2a6572c195b40.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.d25129dfad050228ccc2a6572c195b40.exe"
    - Suspicious use of WriteProcessMemory
[2] PID 2232  C:\Windows\SysWOW64\Mhmcck32.exe  (cmdline: C:\Windows\system32\Mhmcck32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[3] PID 1680  C:\Windows\SysWOW64\Pbdmdlie.exe  (cmdline: C:\Windows\system32\Pbdmdlie.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[4] PID 1052  C:\Windows\SysWOW64\Agaoca32.exe  (cmdline: C:\Windows\system32\Agaoca32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[5] PID 536  C:\Windows\SysWOW64\Bpomem32.exe  (cmdline: C:\Windows\system32\Bpomem32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[6] PID 2004  C:\Windows\SysWOW64\Beobcdoi.exe  (cmdline: C:\Windows\system32\Beobcdoi.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[7] PID 3748  C:\Windows\SysWOW64\Bfpkbfdi.exe  (cmdline: C:\Windows\system32\Bfpkbfdi.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[8] PID 4596  C:\Windows\SysWOW64\Cfedmfqd.exe  (cmdline: C:\Windows\system32\Cfedmfqd.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[9] PID 1960  C:\Windows\SysWOW64\Cppelkeb.exe  (cmdline: C:\Windows\system32\Cppelkeb.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[10] PID 4420  C:\Windows\SysWOW64\Dimcppgm.exe  (cmdline: C:\Windows\system32\Dimcppgm.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[11] PID 4684  C:\Windows\SysWOW64\Dbjade32.exe  (cmdline: C:\Windows\system32\Dbjade32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[12] PID 4604  C:\Windows\SysWOW64\Efopjbjg.exe  (cmdline: C:\Windows\system32\Efopjbjg.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[13] PID 3204  C:\Windows\SysWOW64\Fbjjkble.exe  (cmdline: C:\Windows\system32\Fbjjkble.exe)
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[14] PID 1392  C:\Windows\SysWOW64\Ghqeihbb.exe  (cmdline: C:\Windows\system32\Ghqeihbb.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[15] PID 2212  C:\Windows\SysWOW64\Gjdknjep.exe  (cmdline: C:\Windows\system32\Gjdknjep.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[16] PID 4768  C:\Windows\SysWOW64\Hllkqdli.exe  (cmdline: C:\Windows\system32\Hllkqdli.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[17] PID 3352  C:\Windows\SysWOW64\Ifckkhfi.exe  (cmdline: C:\Windows\system32\Ifckkhfi.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[18] PID 1000  C:\Windows\SysWOW64\Kplijk32.exe  (cmdline: C:\Windows\system32\Kplijk32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
[19] PID 4888  C:\Windows\SysWOW64\Lpbokjho.exe  (cmdline: C:\Windows\system32\Lpbokjho.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[20] PID 740  C:\Windows\SysWOW64\Mpchbhjl.exe  (cmdline: C:\Windows\system32\Mpchbhjl.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[21] PID 2624  C:\Windows\SysWOW64\Nfaijand.exe  (cmdline: C:\Windows\system32\Nfaijand.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[22] PID 4744  C:\Windows\SysWOW64\Nalgbi32.exe  (cmdline: C:\Windows\system32\Nalgbi32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[23] PID 4168  C:\Windows\SysWOW64\Omjnhiiq.exe  (cmdline: C:\Windows\system32\Omjnhiiq.exe)
    - Executes dropped EXE
[24] PID 3096  C:\Windows\SysWOW64\Okpkgm32.exe  (cmdline: C:\Windows\system32\Okpkgm32.exe)
    - Executes dropped EXE
[25] PID 4968  C:\Windows\SysWOW64\Pncanhaf.exe  (cmdline: C:\Windows\system32\Pncanhaf.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
[26] PID 4628  C:\Windows\SysWOW64\Paaidf32.exe  (cmdline: C:\Windows\system32\Paaidf32.exe)
    - Executes dropped EXE
[27] PID 4932  C:\Windows\SysWOW64\Pknghk32.exe  (cmdline: C:\Windows\system32\Pknghk32.exe)
    - Executes dropped EXE
[28] PID 1356  C:\Windows\SysWOW64\Akenij32.exe  (cmdline: C:\Windows\system32\Akenij32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
[29] PID 2132  C:\Windows\SysWOW64\Ababkdij.exe  (cmdline: C:\Windows\system32\Ababkdij.exe)
    - Executes dropped EXE
[30] PID 4456  C:\Windows\SysWOW64\Bbkeacqo.exe  (cmdline: C:\Windows\system32\Bbkeacqo.exe)
    - Executes dropped EXE
[31] PID 3480  C:\Windows\SysWOW64\Bjkcqdje.exe  (cmdline: C:\Windows\system32\Bjkcqdje.exe)
    - Executes dropped EXE
[32] PID 2708  C:\Windows\SysWOW64\Capkim32.exe  (cmdline: C:\Windows\system32\Capkim32.exe)
    - Executes dropped EXE
[33] PID 5032  C:\Windows\SysWOW64\Dgomaf32.exe  (cmdline: C:\Windows\system32\Dgomaf32.exe)
    - Executes dropped EXE
[34] PID 4060  C:\Windows\SysWOW64\Eihlahjd.exe  (cmdline: C:\Windows\system32\Eihlahjd.exe)
    - Drops file in System32 directory
[35] PID 4688  C:\Windows\SysWOW64\Eeomfioh.exe  (cmdline: C:\Windows\system32\Eeomfioh.exe)
    - Executes dropped EXE
[36] PID 1100  C:\Windows\SysWOW64\Ejnbdp32.exe  (cmdline: C:\Windows\system32\Ejnbdp32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[37] PID 4912  C:\Windows\SysWOW64\Fhbbmc32.exe  (cmdline: C:\Windows\system32\Fhbbmc32.exe)
    - Executes dropped EXE
[38] PID 2968  C:\Windows\SysWOW64\Fajgfiag.exe  (cmdline: C:\Windows\system32\Fajgfiag.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
[39] PID 4348  C:\Windows\SysWOW64\Fhkecb32.exe  (cmdline: C:\Windows\system32\Fhkecb32.exe)
    - Executes dropped EXE
[40] PID 948  C:\Windows\SysWOW64\Fbqiak32.exe  (cmdline: C:\Windows\system32\Fbqiak32.exe)
    - Executes dropped EXE
[41] PID 1376  C:\Windows\SysWOW64\Gaffbg32.exe  (cmdline: C:\Windows\system32\Gaffbg32.exe)
    - Executes dropped EXE
[42] PID 3744  C:\Windows\SysWOW64\Hllcfnhm.exe  (cmdline: C:\Windows\system32\Hllcfnhm.exe)
    - Executes dropped EXE
[43] PID 2128  C:\Windows\SysWOW64\Hhbdko32.exe  (cmdline: C:\Windows\system32\Hhbdko32.exe)
    - Executes dropped EXE
[44] PID 1312  C:\Windows\SysWOW64\Icdhdfcj.exe  (cmdline: C:\Windows\system32\Icdhdfcj.exe)
    - Executes dropped EXE
[45] PID 896  C:\Windows\SysWOW64\Jjpmfpid.exe  (cmdline: C:\Windows\system32\Jjpmfpid.exe)
    - Executes dropped EXE
[46] PID 3984  C:\Windows\SysWOW64\Koiejemn.exe  (cmdline: C:\Windows\system32\Koiejemn.exe)
    - Executes dropped EXE
[47] PID 384  C:\Windows\SysWOW64\Kblkap32.exe  (cmdline: C:\Windows\system32\Kblkap32.exe)
    - Executes dropped EXE
[48] PID 2028  C:\Windows\SysWOW64\Lfjchn32.exe  (cmdline: C:\Windows\system32\Lfjchn32.exe)
    - Executes dropped EXE
[49] PID 768  C:\Windows\SysWOW64\Mmokpglb.exe  (cmdline: C:\Windows\system32\Mmokpglb.exe)
    - Executes dropped EXE
[50] PID 1824  C:\Windows\SysWOW64\Mboqnm32.exe  (cmdline: C:\Windows\system32\Mboqnm32.exe)
    - Executes dropped EXE
[51] PID 5044  C:\Windows\SysWOW64\Mcnmhpoj.exe  (cmdline: C:\Windows\system32\Mcnmhpoj.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
[52] PID 1164  C:\Windows\SysWOW64\Mmfaafej.exe  (cmdline: C:\Windows\system32\Mmfaafej.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
[53] PID 2208  C:\Windows\SysWOW64\Mbcjimda.exe  (cmdline: C:\Windows\system32\Mbcjimda.exe)
    - Executes dropped EXE
[54] PID 4820  C:\Windows\SysWOW64\Nfcoekhe.exe  (cmdline: C:\Windows\system32\Nfcoekhe.exe)
    - Executes dropped EXE
    - Modifies registry class
[55] PID 4892  C:\Windows\SysWOW64\Nbjpjl32.exe  (cmdline: C:\Windows\system32\Nbjpjl32.exe)
    - Executes dropped EXE
[56] PID 1632  C:\Windows\SysWOW64\Njceqili.exe  (cmdline: C:\Windows\system32\Njceqili.exe)
    - Executes dropped EXE
[57] PID 4816  C:\Windows\SysWOW64\Opefdo32.exe  (cmdline: C:\Windows\system32\Opefdo32.exe)
    - Executes dropped EXE
    - Modifies registry class
[58] PID 2908  C:\Windows\SysWOW64\Ppafpm32.exe  (cmdline: C:\Windows\system32\Ppafpm32.exe)
    - Executes dropped EXE
[59] PID 4408  C:\Windows\SysWOW64\Pindcboi.exe  (cmdline: C:\Windows\system32\Pindcboi.exe)
    - Executes dropped EXE
[60] PID 3340  C:\Windows\SysWOW64\Pcfhlh32.exe  (cmdline: C:\Windows\system32\Pcfhlh32.exe)
    - Executes dropped EXE
[61] PID 2492  C:\Windows\SysWOW64\Qpjifl32.exe  (cmdline: C:\Windows\system32\Qpjifl32.exe)
    - Executes dropped EXE
[62] PID 3788  C:\Windows\SysWOW64\Akgcdc32.exe  (cmdline: C:\Windows\system32\Akgcdc32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
[63] PID 1128  C:\Windows\SysWOW64\Aljmal32.exe  (cmdline: C:\Windows\system32\Aljmal32.exe)
    - Executes dropped EXE
[64] PID 680  C:\Windows\SysWOW64\Agpqnd32.exe  (cmdline: C:\Windows\system32\Agpqnd32.exe)
    - Executes dropped EXE
[65] PID 2000  C:\Windows\SysWOW64\Cjlilndf.exe  (cmdline: C:\Windows\system32\Cjlilndf.exe)
    - Executes dropped EXE
[66] PID 3360  C:\Windows\SysWOW64\Ccendc32.exe  (cmdline: C:\Windows\system32\Ccendc32.exe)
    - Executes dropped EXE
[67] PID 872  C:\Windows\SysWOW64\Ccigpbga.exe  (cmdline: C:\Windows\system32\Ccigpbga.exe)
[68] PID 4148  C:\Windows\SysWOW64\Cdicje32.exe  (cmdline: C:\Windows\system32\Cdicje32.exe)
[69] PID 4252  C:\Windows\SysWOW64\Djhiglji.exe  (cmdline: C:\Windows\system32\Djhiglji.exe)
[70] PID 4144  C:\Windows\SysWOW64\Dgliapic.exe  (cmdline: C:\Windows\system32\Dgliapic.exe)
    - Modifies registry class
[71] PID 4404  C:\Windows\SysWOW64\Dccjfaog.exe  (cmdline: C:\Windows\system32\Dccjfaog.exe)
[72] PID 1764  C:\Windows\SysWOW64\Ecoiapdj.exe  (cmdline: C:\Windows\system32\Ecoiapdj.exe)
[73] PID 1540  C:\Windows\SysWOW64\Flodilma.exe  (cmdline: C:\Windows\system32\Flodilma.exe)
[74] PID 1544  C:\Windows\SysWOW64\Fhfenmbe.exe  (cmdline: C:\Windows\system32\Fhfenmbe.exe)
[75] PID 4460  C:\Windows\SysWOW64\Fejegaao.exe  (cmdline: C:\Windows\system32\Fejegaao.exe)
[76] PID 1612  C:\Windows\SysWOW64\Fjfnphpf.exe  (cmdline: C:\Windows\system32\Fjfnphpf.exe)
[77] PID 2104  C:\Windows\SysWOW64\Felbmqpl.exe  (cmdline: C:\Windows\system32\Felbmqpl.exe)
[78] PID 3920  C:\Windows\SysWOW64\Gajibq32.exe  (cmdline: C:\Windows\system32\Gajibq32.exe)
[79] PID 220  C:\Windows\SysWOW64\Hldgkiki.exe  (cmdline: C:\Windows\system32\Hldgkiki.exe)
[80] PID 2324  C:\Windows\SysWOW64\Haclio32.exe  (cmdline: C:\Windows\system32\Haclio32.exe)
    - Drops file in System32 directory
[81] PID 2424  C:\Windows\SysWOW64\Hklpaeno.exe  (cmdline: C:\Windows\system32\Hklpaeno.exe)
[82] PID 3704  C:\Windows\SysWOW64\Ikpjmd32.exe  (cmdline: C:\Windows\system32\Ikpjmd32.exe)
[83] PID 2140  C:\Windows\SysWOW64\Idkkki32.exe  (cmdline: C:\Windows\system32\Idkkki32.exe)
[84] PID 640  C:\Windows\SysWOW64\Incpdodg.exe  (cmdline: C:\Windows\system32\Incpdodg.exe)
[85] PID 4924  C:\Windows\SysWOW64\Ioclnblj.exe  (cmdline: C:\Windows\system32\Ioclnblj.exe)
[86] PID 1944  C:\Windows\SysWOW64\Jeanfkob.exe  (cmdline: C:\Windows\system32\Jeanfkob.exe)
[87] PID 4960  C:\Windows\SysWOW64\Khlinedh.exe  (cmdline: C:\Windows\system32\Khlinedh.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
[88] PID 5160  C:\Windows\SysWOW64\Kdbjbfjl.exe  (cmdline: C:\Windows\system32\Kdbjbfjl.exe)
[89] PID 5204  C:\Windows\SysWOW64\Knmkak32.exe  (cmdline: C:\Windows\system32\Knmkak32.exe)
[90] PID 5244  C:\Windows\SysWOW64\Kdgcne32.exe  (cmdline: C:\Windows\system32\Kdgcne32.exe)
[91] PID 5312  C:\Windows\SysWOW64\Kbkdgj32.exe  (cmdline: C:\Windows\system32\Kbkdgj32.exe)
[92] PID 5360  C:\Windows\SysWOW64\Lofjam32.exe  (cmdline: C:\Windows\system32\Lofjam32.exe)
[93] PID 5400  C:\Windows\SysWOW64\Mkadam32.exe  (cmdline: C:\Windows\system32\Mkadam32.exe)
[94] PID 5456  C:\Windows\SysWOW64\Mbkmngfn.exe  (cmdline: C:\Windows\system32\Mbkmngfn.exe)
[95] PID 5508  C:\Windows\SysWOW64\Mmfjfp32.exe  (cmdline: C:\Windows\system32\Mmfjfp32.exe)
[96] PID 5592  C:\Windows\SysWOW64\Nfnooe32.exe  (cmdline: C:\Windows\system32\Nfnooe32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
[97] PID 5632  C:\Windows\SysWOW64\Nfeepdbg.exe  (cmdline: C:\Windows\system32\Nfeepdbg.exe)
[98] PID 5676  C:\Windows\SysWOW64\Nmommn32.exe  (cmdline: C:\Windows\system32\Nmommn32.exe)
    - Drops file in System32 directory
[99] PID 5736  C:\Windows\SysWOW64\Nnpjdfpb.exe  (cmdline: C:\Windows\system32\Nnpjdfpb.exe)
[100] PID 5780  C:\Windows\SysWOW64\Oeoklp32.exe  (cmdline: C:\Windows\system32\Oeoklp32.exe)
[101] PID 5824  C:\Windows\SysWOW64\Omkmhlpf.exe  (cmdline: C:\Windows\system32\Omkmhlpf.exe)
    - Drops file in System32 directory
[102] PID 5864  C:\Windows\SysWOW64\Ommjnlnd.exe  (cmdline: C:\Windows\system32\Ommjnlnd.exe)
[103] PID 5912  C:\Windows\SysWOW64\Pfenga32.exe  (cmdline: C:\Windows\system32\Pfenga32.exe)
[104] PID 5956  C:\Windows\SysWOW64\Pifghmae.exe  (cmdline: C:\Windows\system32\Pifghmae.exe)
[105] PID 5996  C:\Windows\SysWOW64\Pfjgbapo.exe  (cmdline: C:\Windows\system32\Pfjgbapo.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
[106] PID 6044  C:\Windows\SysWOW64\Pmdpok32.exe  (cmdline: C:\Windows\system32\Pmdpok32.exe)
[107] PID 6092  C:\Windows\SysWOW64\Qbeaba32.exe  (cmdline: C:\Windows\system32\Qbeaba32.exe)
[108] PID 6136  C:\Windows\SysWOW64\Apcead32.exe  (cmdline: C:\Windows\system32\Apcead32.exe)
[109] PID 5168  C:\Windows\SysWOW64\Cngnbfid.exe  (cmdline: C:\Windows\system32\Cngnbfid.exe)
    - Drops file in System32 directory
[110] PID 5236  C:\Windows\SysWOW64\Ccdgjm32.exe  (cmdline: C:\Windows\system32\Ccdgjm32.exe)
[111] PID 5340  C:\Windows\SysWOW64\Cphgca32.exe  (cmdline: C:\Windows\system32\Cphgca32.exe)
[112] PID 5432  C:\Windows\SysWOW64\Cgdlfk32.exe  (cmdline: C:\Windows\system32\Cgdlfk32.exe)
[113] PID 5624  C:\Windows\SysWOW64\Dnqaheai.exe  (cmdline: C:\Windows\system32\Dnqaheai.exe)
[114] PID 5696  C:\Windows\SysWOW64\Emanepld.exe  (cmdline: C:\Windows\system32\Emanepld.exe)
[115] PID 5788  C:\Windows\SysWOW64\Eglkmh32.exe  (cmdline: C:\Windows\system32\Eglkmh32.exe)
    - Drops file in System32 directory
[116] PID 5852  C:\Windows\SysWOW64\Egnhcgeb.exe  (cmdline: C:\Windows\system32\Egnhcgeb.exe)
[117] PID 6024  C:\Windows\SysWOW64\Fgqehgco.exe  (cmdline: C:\Windows\system32\Fgqehgco.exe)
[118] PID 6100  C:\Windows\SysWOW64\Gjkqpa32.exe  (cmdline: C:\Windows\system32\Gjkqpa32.exe)
[119] PID 5124  C:\Windows\SysWOW64\Hcjkje32.exe  (cmdline: C:\Windows\system32\Hcjkje32.exe)
[120] PID 5220  C:\Windows\SysWOW64\Hhhdpd32.exe  (cmdline: C:\Windows\system32\Hhhdpd32.exe)
[121] PID 5272  C:\Windows\SysWOW64\Hpchdf32.exe  (cmdline: C:\Windows\system32\Hpchdf32.exe)
[122] PID 4152  C:\Windows\SysWOW64\Hfonfp32.exe  (cmdline: C:\Windows\system32\Hfonfp32.exe)
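What makes this tree stand out in endpoint telemetry is not any single process but the run: dozens of distinct, never-before-seen executables under SysWOW64, each spawning the next. The following is an added detection example, not code from the sandbox or this report. It takes process-creation records of the kind Sysmon event 1 or EDR telemetry provide (the field names and the ProcEvent structure are this example's own), walks each process's ancestry, and alerts when a run of non-baseline system-directory binaries with different names spawn one another. The sample events are constructed from the first six entries of the tree above plus a made-up benign console branch; the parent of the submitted sample is not in the report, so its ppid is set to 0.

```python
"""Flag a chain of dropped executables spawning one another.

Added example (not from the report). Given process-creation records, walk each
process's ancestry and alert when consecutive ancestors are non-baseline
binaries living in a system directory, each with a different image name.
Field names, the baseline set and the benign branch are assumptions.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # path the process actually runs from (after WOW64 redirection)
    cmdline: str  # command line as supplied by the parent


SYSDIRS = {r"c:\windows\syswow64", r"c:\windows\system32"}

# Assumed baseline of system binaries that legitimately chain; a real deployment
# would use a signed-binary allowlist or a baseline learnt from clean hosts.
BASELINE = {"cmd.exe", "conhost.exe", "svchost.exe", "explorer.exe"}

# Constructed sample: first six processes of the tree above (ppid 0 = parent not
# in telemetry) and a made-up benign branch with invented pids 7001/7002.
SAMPLE_EVENTS = [
    ProcEvent(2980, 0,
              r"C:\Users\Admin\AppData\Local\Temp\NEAS.d25129dfad050228ccc2a6572c195b40.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\NEAS.d25129dfad050228ccc2a6572c195b40.exe"'),
    ProcEvent(2232, 2980, r"C:\Windows\SysWOW64\Mhmcck32.exe", r"C:\Windows\system32\Mhmcck32.exe"),
    ProcEvent(1680, 2232, r"C:\Windows\SysWOW64\Pbdmdlie.exe", r"C:\Windows\system32\Pbdmdlie.exe"),
    ProcEvent(1052, 1680, r"C:\Windows\SysWOW64\Agaoca32.exe", r"C:\Windows\system32\Agaoca32.exe"),
    ProcEvent(536, 1052, r"C:\Windows\SysWOW64\Bpomem32.exe", r"C:\Windows\system32\Bpomem32.exe"),
    ProcEvent(2004, 536, r"C:\Windows\SysWOW64\Beobcdoi.exe", r"C:\Windows\system32\Beobcdoi.exe"),
    ProcEvent(7001, 0, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(7002, 7001, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\Windows\system32\conhost.exe 0x4"),
]


def sys_image(path):
    """True when the image lives directly in System32 or SysWOW64."""
    return ntpath.dirname(path).lower() in SYSDIRS


def wow64_redirected(e):
    """True when the parent asked for system32 but the image launched from
    SysWOW64: a 32-bit process subject to WOW64 file-system redirection."""
    want = ntpath.dirname(e.cmdline.strip('"')).lower()
    got = ntpath.dirname(e.image).lower()
    return want == r"c:\windows\system32" and got == r"c:\windows\syswow64"


def ancestry(pid, by_pid):
    """Events from pid up to the root, self first; stops at unknown parents
    and refuses to loop on reused pids."""
    out, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        out.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return out


def suspicious_run(pid, by_pid):
    """Length of the run of consecutive ancestors (self included) that are
    non-baseline system-directory binaries, each with a different name."""
    run, prev = 0, None
    for e in ancestry(pid, by_pid):
        name = ntpath.basename(e.image).lower()
        if not sys_image(e.image) or name in BASELINE or name == prev:
            break
        run += 1
        prev = name
    return run


def alerts(events, threshold=4):
    """Pids whose chain of distinct dropped system-directory binaries is at
    least `threshold` long, sorted for stable output."""
    by_pid = {e.pid: e for e in events}
    return sorted(e.pid for e in events if suspicious_run(e.pid, by_pid) >= threshold)


if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for e in SAMPLE_EVENTS:
        print(e.pid, ntpath.basename(e.image), "run=%d" % suspicious_run(e.pid, by_pid),
              "wow64=%s" % wow64_redirected(e))
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The redirection check is informational, not an alert on its own: every 32-bit process launched with a system32 path shows the same mismatch. Pair the run length with file-creation telemetry (the "Drops file in System32 directory" hits above) when you deploy this, so that only binaries written during the same session count toward the run; the threshold of 4 is a starting point, and this report's chain reaches 122.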