Analysis
max time kernel: 147s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231020-en locale:en-us os:windows10-2004-x64 system
submitted: 01/11/2023, 14:25
Behavioral task: behavioral1
Sample: NEAS.feaf11c1f052dec636866a686c93d930.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.feaf11c1f052dec636866a686c93d930.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.feaf11c1f052dec636866a686c93d930.exe
Size: 109KB
MD5: feaf11c1f052dec636866a686c93d930
SHA1: c82fe7d5bfc7ebb5030074924c41efca2fcb1a4f
SHA256: 082aff2e59309936987126738eac74e98be227c5afa5102de42b6718bbf6e776
SHA512: 3622747bed8ed53f366c91a0f4618dea6e1c3d580e27d9d1a0524f605339334afdef5902b1f56950e9b69e39e66e4d33b420c48642dbca3c39d13995768edef7
SSDEEP: 3072:Faff5vfoh7VnxSKgR6WFjJ98LCqwzBu1DjHLMVDqqkSpR:FiZonNM6MjJ9Ewtu1DjrFqhz
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
pid Process 1532 Bmjkic32.exe 552 Bgbpaipl.exe 4308 Bgelgi32.exe 4972 Cpmapodj.exe 4680 Ckebcg32.exe 2188 Cglbhhga.exe 3144 Cpdgqmnb.exe 1772 Ckjknfnh.exe 2936 Cdbpgl32.exe 2640 Cnjdpaki.exe 1312 Dkndie32.exe 5092 Ddgibkpc.exe 1116 Dakikoom.exe 3420 Dggbcf32.exe 4272 Dqpfmlce.exe 3696 Dgjoif32.exe 1364 Dndgfpbo.exe 1224 Dglkoeio.exe 3748 Ebaplnie.exe 2872 Edplhjhi.exe 964 Enhpao32.exe 3076 Egaejeej.exe 1256 Ehpadhll.exe 1332 Ekonpckp.exe 3244 Eqlfhjig.exe 2808 Ebkbbmqj.exe 3816 Jhifomdj.exe 2508 Jbojlfdp.exe 2404 Joekag32.exe 3552 Jpgdai32.exe 2648 Klndfj32.exe 3884 Koonge32.exe 436 Kpnjah32.exe 2416 Kekbjo32.exe 4684 Khiofk32.exe 2296 Kabcopmg.exe 3972 Lohqnd32.exe 4736 Lindkm32.exe 840 Lcfidb32.exe 4484 Lpjjmg32.exe 3908 Legben32.exe 3932 Llqjbhdc.exe 3060 Lancko32.exe 4360 Lpochfji.exe 1540 Mfkkqmiq.exe 4396 Mhjhmhhd.exe 1404 Mpapnfhg.exe 3368 Mfnhfm32.exe 2892 Mofmobmo.exe 1872 Mjlalkmd.exe 1628 Mljmhflh.exe 4456 Mbgeqmjp.exe 2280 Mhanngbl.exe 4824 Mqhfoebo.exe 2456 Mjpjgj32.exe 4868 Momcpa32.exe 1320 Noppeaed.exe 1736 Nbnlaldg.exe 5104 Nmcpoedn.exe 4920 Nmfmde32.exe 3584 Ncpeaoih.exe 1448 Nimmifgo.exe 2960 Nqcejcha.exe 3064 Njljch32.exe -
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description                          pid   Process                                     procid_target
PID 4468 wrote to memory of 1532     4468  NEAS.feaf11c1f052dec636866a686c93d930.exe   89
PID 4468 wrote to memory of 1532     4468  NEAS.feaf11c1f052dec636866a686c93d930.exe   89
PID 4468 wrote to memory of 1532     4468  NEAS.feaf11c1f052dec636866a686c93d930.exe   89
PID 1532 wrote to memory of 552      1532  Bmjkic32.exe                                90
PID 1532 wrote to memory of 552      1532  Bmjkic32.exe                                90
PID 1532 wrote to memory of 552      1532  Bmjkic32.exe                                90
PID 552 wrote to memory of 4308      552   Bgbpaipl.exe                                91
PID 552 wrote to memory of 4308      552   Bgbpaipl.exe                                91
PID 552 wrote to memory of 4308      552   Bgbpaipl.exe                                91
PID 4308 wrote to memory of 4972     4308  Bgelgi32.exe                                92
PID 4308 wrote to memory of 4972     4308  Bgelgi32.exe                                92
PID 4308 wrote to memory of 4972     4308  Bgelgi32.exe                                92
PID 4972 wrote to memory of 4680     4972  Cpmapodj.exe                                93
PID 4972 wrote to memory of 4680     4972  Cpmapodj.exe                                93
PID 4972 wrote to memory of 4680     4972  Cpmapodj.exe                                93
PID 4680 wrote to memory of 2188     4680  Ckebcg32.exe                                94
PID 4680 wrote to memory of 2188     4680  Ckebcg32.exe                                94
PID 4680 wrote to memory of 2188     4680  Ckebcg32.exe                                94
PID 2188 wrote to memory of 3144     2188  Cglbhhga.exe                                95
PID 2188 wrote to memory of 3144     2188  Cglbhhga.exe                                95
PID 2188 wrote to memory of 3144     2188  Cglbhhga.exe                                95
PID 3144 wrote to memory of 1772     3144  Cpdgqmnb.exe                                96
PID 3144 wrote to memory of 1772     3144  Cpdgqmnb.exe                                96
PID 3144 wrote to memory of 1772     3144  Cpdgqmnb.exe                                96
PID 1772 wrote to memory of 2936     1772  Ckjknfnh.exe                                97
PID 1772 wrote to memory of 2936     1772  Ckjknfnh.exe                                97
PID 1772 wrote to memory of 2936     1772  Ckjknfnh.exe                                97
PID 2936 wrote to memory of 2640     2936  Cdbpgl32.exe                                98
PID 2936 wrote to memory of 2640     2936  Cdbpgl32.exe                                98
PID 2936 wrote to memory of 2640     2936  Cdbpgl32.exe                                98
PID 2640 wrote to memory of 1312     2640  Cnjdpaki.exe                                99
PID 2640 wrote to memory of 1312     2640  Cnjdpaki.exe                                99
PID 2640 wrote to memory of 1312     2640  Cnjdpaki.exe                                99
PID 1312 wrote to memory of 5092     1312  Dkndie32.exe                                100
PID 1312 wrote to memory of 5092     1312  Dkndie32.exe                                100
PID 1312 wrote to memory of 5092     1312  Dkndie32.exe                                100
PID 5092 wrote to memory of 1116     5092  Ddgibkpc.exe                                101
PID 5092 wrote to memory of 1116     5092  Ddgibkpc.exe                                101
PID 5092 wrote to memory of 1116     5092  Ddgibkpc.exe                                101
PID 1116 wrote to memory of 3420     1116  Dakikoom.exe                                102
PID 1116 wrote to memory of 3420     1116  Dakikoom.exe                                102
PID 1116 wrote to memory of 3420     1116  Dakikoom.exe                                102
PID 3420 wrote to memory of 4272     3420  Dggbcf32.exe                                103
PID 3420 wrote to memory of 4272     3420  Dggbcf32.exe                                103
PID 3420 wrote to memory of 4272     3420  Dggbcf32.exe                                103
PID 4272 wrote to memory of 3696     4272  Dqpfmlce.exe                                104
PID 4272 wrote to memory of 3696     4272  Dqpfmlce.exe                                104
PID 4272 wrote to memory of 3696     4272  Dqpfmlce.exe                                104
PID 3696 wrote to memory of 1364     3696  Dgjoif32.exe                                105
PID 3696 wrote to memory of 1364     3696  Dgjoif32.exe                                105
PID 3696 wrote to memory of 1364     3696  Dgjoif32.exe                                105
PID 1364 wrote to memory of 1224     1364  Dndgfpbo.exe                                106
PID 1364 wrote to memory of 1224     1364  Dndgfpbo.exe                                106
PID 1364 wrote to memory of 1224     1364  Dndgfpbo.exe                                106
PID 1224 wrote to memory of 3748     1224  Dglkoeio.exe                                107
PID 1224 wrote to memory of 3748     1224  Dglkoeio.exe                                107
PID 1224 wrote to memory of 3748     1224  Dglkoeio.exe                                107
PID 3748 wrote to memory of 2872     3748  Ebaplnie.exe                                108
PID 3748 wrote to memory of 2872     3748  Ebaplnie.exe                                108
PID 3748 wrote to memory of 2872     3748  Ebaplnie.exe                                108
PID 2872 wrote to memory of 964      2872  Edplhjhi.exe                                109
PID 2872 wrote to memory of 964      2872  Edplhjhi.exe                                109
PID 2872 wrote to memory of 964      2872  Edplhjhi.exe                                109
PID 964 wrote to memory of 3076      964   Enhpao32.exe                                110
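The WriteProcessMemory table above is the quickest way to recover the injection lineage: every process writes into exactly one child, and each parent/child pair is logged three times, so 64 rows describe 22 hops of a single chain. The script below is an added example, not code from the sandbox or its report. It parses rows in the exact shape used here (`PID <writer> wrote to memory of <target> <writer> <image> <procid_target>`), collapses the repeats into edges with a write count, and checks whether the result is one linear chain rather than a fan-out. Its input is a constructed copy of the first six pairs from the table; the `procid_target` column is parsed but not used, since it is the report's own process index rather than a Windows PID.

```python
"""Rebuild the injection chain from a sandbox "wrote to memory of" table.

Added example; this is not code from the sandbox or its report. It parses rows
of the "Suspicious use of WriteProcessMemory" table, collapses repeated rows
per parent/child pair, and checks whether the result is one linear chain
(each writer has exactly one child), which is what the table shows here.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the first six parent/child pairs copied from the table.
# The table lists each pair three times, so these 18 rows describe 6 edges.
IOC_ROWS = """\
PID 4468 wrote to memory of 1532 4468 NEAS.feaf11c1f052dec636866a686c93d930.exe 89
PID 4468 wrote to memory of 1532 4468 NEAS.feaf11c1f052dec636866a686c93d930.exe 89
PID 4468 wrote to memory of 1532 4468 NEAS.feaf11c1f052dec636866a686c93d930.exe 89
PID 1532 wrote to memory of 552 1532 Bmjkic32.exe 90
PID 1532 wrote to memory of 552 1532 Bmjkic32.exe 90
PID 1532 wrote to memory of 552 1532 Bmjkic32.exe 90
PID 552 wrote to memory of 4308 552 Bgbpaipl.exe 91
PID 552 wrote to memory of 4308 552 Bgbpaipl.exe 91
PID 552 wrote to memory of 4308 552 Bgbpaipl.exe 91
PID 4308 wrote to memory of 4972 4308 Bgelgi32.exe 92
PID 4308 wrote to memory of 4972 4308 Bgelgi32.exe 92
PID 4308 wrote to memory of 4972 4308 Bgelgi32.exe 92
PID 4972 wrote to memory of 4680 4972 Cpmapodj.exe 93
PID 4972 wrote to memory of 4680 4972 Cpmapodj.exe 93
PID 4972 wrote to memory of 4680 4972 Cpmapodj.exe 93
PID 4680 wrote to memory of 2188 4680 Ckebcg32.exe 94
PID 4680 wrote to memory of 2188 4680 Ckebcg32.exe 94
PID 4680 wrote to memory of 2188 4680 Ckebcg32.exe 94
"""

# Columns as flattened in the report: description | pid | Process | procid_target
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image) per row; skip non-matching lines."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        if int(m["pid"]) != src:
            # the pid column restates the writer; a mismatch means a mangled row
            raise ValueError(f"writer PID mismatch in row: {line!r}")
        out.append((src, dst, m["image"]))
    return out


def build_graph(rows):
    """Collapse repeated rows into edges with a write count; map writer PID -> image."""
    writes = Counter()
    children = defaultdict(set)
    image = {}
    for src, dst, img in rows:
        writes[(src, dst)] += 1
        children[src].add(dst)
        image[src] = img
    return writes, children, image


def linear_chain(children):
    """Return the ordered PID chain if there is one root and every writer has
    exactly one child; otherwise None (a fan-out is a different pattern)."""
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in children if p not in all_children]
    if len(roots) != 1:
        return None
    chain, seen = [roots[0]], {roots[0]}
    while chain[-1] in children:
        kids = children[chain[-1]]
        if len(kids) != 1:
            return None
        (nxt,) = kids
        if nxt in seen:  # cycle guard against malformed data
            return None
        chain.append(nxt)
        seen.add(nxt)
    return chain


def analyse(text):
    rows = parse_rows(text)
    writes, children, image = build_graph(rows)
    chain = linear_chain(children)
    return {
        "edges": len(writes),
        "writes_per_edge": sorted(set(writes.values())),
        "chain": chain,
        # the final PID only ever appears as a target, so its image is not in
        # this table; the process tree below supplies it
        "images": [image.get(p, "<target only>") for p in (chain or [])],
    }


if __name__ == "__main__":
    r = analyse(IOC_ROWS)
    print(f"{r['edges']} parent->child edges, {r['writes_per_edge']} writes each")
    for pid, img in zip(r["chain"], r["images"]):
        print(f"  {pid:>5}  {img}")
```

Running it on the constructed rows yields six edges with three writes each and the chain 4468 > 1532 > 552 > 4308 > 4972 > 4680 > 2188; feeding it the full 64-row table gives the 22-hop chain ending at PID 3076. A chain in which every hop is a freshly dropped executable writing into its own child is worth flagging on its own, independent of the file names involved.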
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.feaf11c1f052dec636866a686c93d930.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.feaf11c1f052dec636866a686c93d930.exe", depth 1)
- Suspicious use of WriteProcessMemory
PID:4468
-
C:\Windows\SysWOW64\Bmjkic32.exe  (command line: C:\Windows\system32\Bmjkic32.exe, depth 2)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532
-
C:\Windows\SysWOW64\Bgbpaipl.exe  (command line: C:\Windows\system32\Bgbpaipl.exe, depth 3)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552
-
C:\Windows\SysWOW64\Bgelgi32.exe  (command line: C:\Windows\system32\Bgelgi32.exe, depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308
-
C:\Windows\SysWOW64\Cpmapodj.exe  (command line: C:\Windows\system32\Cpmapodj.exe, depth 5)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972
-
C:\Windows\SysWOW64\Ckebcg32.exe  (command line: C:\Windows\system32\Ckebcg32.exe, depth 6)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680
-
C:\Windows\SysWOW64\Cglbhhga.exe  (command line: C:\Windows\system32\Cglbhhga.exe, depth 7)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188
-
C:\Windows\SysWOW64\Cpdgqmnb.exe  (command line: C:\Windows\system32\Cpdgqmnb.exe, depth 8)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3144
-
C:\Windows\SysWOW64\Ckjknfnh.exe  (command line: C:\Windows\system32\Ckjknfnh.exe, depth 9)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1772
-
C:\Windows\SysWOW64\Cdbpgl32.exe  (command line: C:\Windows\system32\Cdbpgl32.exe, depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936
-
C:\Windows\SysWOW64\Cnjdpaki.exe  (command line: C:\Windows\system32\Cnjdpaki.exe, depth 11)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640
-
C:\Windows\SysWOW64\Dkndie32.exe  (command line: C:\Windows\system32\Dkndie32.exe, depth 12)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312
-
C:\Windows\SysWOW64\Ddgibkpc.exe  (command line: C:\Windows\system32\Ddgibkpc.exe, depth 13)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092
-
C:\Windows\SysWOW64\Dakikoom.exe  (command line: C:\Windows\system32\Dakikoom.exe, depth 14)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116
-
C:\Windows\SysWOW64\Dggbcf32.exe  (command line: C:\Windows\system32\Dggbcf32.exe, depth 15)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420
-
C:\Windows\SysWOW64\Dqpfmlce.exe  (command line: C:\Windows\system32\Dqpfmlce.exe, depth 16)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4272
-
C:\Windows\SysWOW64\Dgjoif32.exe  (command line: C:\Windows\system32\Dgjoif32.exe, depth 17)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696
-
C:\Windows\SysWOW64\Dndgfpbo.exe  (command line: C:\Windows\system32\Dndgfpbo.exe, depth 18)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364
-
C:\Windows\SysWOW64\Dglkoeio.exe  (command line: C:\Windows\system32\Dglkoeio.exe, depth 19)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224
-
C:\Windows\SysWOW64\Ebaplnie.exe  (command line: C:\Windows\system32\Ebaplnie.exe, depth 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748
-
C:\Windows\SysWOW64\Edplhjhi.exe  (command line: C:\Windows\system32\Edplhjhi.exe, depth 21)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872
-
C:\Windows\SysWOW64\Enhpao32.exe  (command line: C:\Windows\system32\Enhpao32.exe, depth 22)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:964
-
C:\Windows\SysWOW64\Egaejeej.exe  (command line: C:\Windows\system32\Egaejeej.exe, depth 23)
- Executes dropped EXE
PID:3076
-
C:\Windows\SysWOW64\Ehpadhll.exe  (command line: C:\Windows\system32\Ehpadhll.exe, depth 24)
- Executes dropped EXE
PID:1256
-
C:\Windows\SysWOW64\Ekonpckp.exe  (command line: C:\Windows\system32\Ekonpckp.exe, depth 25)
- Executes dropped EXE
PID:1332
-
C:\Windows\SysWOW64\Eqlfhjig.exe  (command line: C:\Windows\system32\Eqlfhjig.exe, depth 26)
- Executes dropped EXE
PID:3244
-
C:\Windows\SysWOW64\Ebkbbmqj.exe  (command line: C:\Windows\system32\Ebkbbmqj.exe, depth 27)
- Executes dropped EXE
PID:2808
-
C:\Windows\SysWOW64\Ipkdek32.exe  (command line: C:\Windows\system32\Ipkdek32.exe, depth 28)
- Drops file in System32 directory
PID:3624
-
C:\Windows\SysWOW64\Jhifomdj.exe  (command line: C:\Windows\system32\Jhifomdj.exe, depth 29)
- Executes dropped EXE
PID:3816
-
C:\Windows\SysWOW64\Jbojlfdp.exe  (command line: C:\Windows\system32\Jbojlfdp.exe, depth 30)
- Executes dropped EXE
PID:2508
-
C:\Windows\SysWOW64\Joekag32.exe  (command line: C:\Windows\system32\Joekag32.exe, depth 31)
- Executes dropped EXE
PID:2404
-
C:\Windows\SysWOW64\Jpgdai32.exe  (command line: C:\Windows\system32\Jpgdai32.exe, depth 32)
- Executes dropped EXE
- Drops file in System32 directory
PID:3552
-
C:\Windows\SysWOW64\Klndfj32.exe  (command line: C:\Windows\system32\Klndfj32.exe, depth 33)
- Executes dropped EXE
PID:2648
-
C:\Windows\SysWOW64\Koonge32.exe  (command line: C:\Windows\system32\Koonge32.exe, depth 34)
- Executes dropped EXE
PID:3884
-
C:\Windows\SysWOW64\Kpnjah32.exe  (command line: C:\Windows\system32\Kpnjah32.exe, depth 35)
- Executes dropped EXE
PID:436
-
C:\Windows\SysWOW64\Kekbjo32.exe  (command line: C:\Windows\system32\Kekbjo32.exe, depth 36)
- Executes dropped EXE
PID:2416
-
C:\Windows\SysWOW64\Khiofk32.exe  (command line: C:\Windows\system32\Khiofk32.exe, depth 37)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4684
-
C:\Windows\SysWOW64\Kabcopmg.exe  (command line: C:\Windows\system32\Kabcopmg.exe, depth 38)
- Executes dropped EXE
PID:2296
-
C:\Windows\SysWOW64\Lohqnd32.exe  (command line: C:\Windows\system32\Lohqnd32.exe, depth 39)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3972
-
C:\Windows\SysWOW64\Lindkm32.exe  (command line: C:\Windows\system32\Lindkm32.exe, depth 40)
- Executes dropped EXE
PID:4736
-
C:\Windows\SysWOW64\Lcfidb32.exe  (command line: C:\Windows\system32\Lcfidb32.exe, depth 41)
- Executes dropped EXE
PID:840
-
C:\Windows\SysWOW64\Lpjjmg32.exe  (command line: C:\Windows\system32\Lpjjmg32.exe, depth 42)
- Executes dropped EXE
PID:4484
-
C:\Windows\SysWOW64\Legben32.exe  (command line: C:\Windows\system32\Legben32.exe, depth 43)
- Executes dropped EXE
PID:3908
-
C:\Windows\SysWOW64\Llqjbhdc.exe  (command line: C:\Windows\system32\Llqjbhdc.exe, depth 44)
- Executes dropped EXE
PID:3932
-
C:\Windows\SysWOW64\Lancko32.exe  (command line: C:\Windows\system32\Lancko32.exe, depth 45)
- Executes dropped EXE
PID:3060
-
C:\Windows\SysWOW64\Lpochfji.exe  (command line: C:\Windows\system32\Lpochfji.exe, depth 46)
- Executes dropped EXE
PID:4360
-
C:\Windows\SysWOW64\Mfkkqmiq.exe  (command line: C:\Windows\system32\Mfkkqmiq.exe, depth 47)
- Executes dropped EXE
PID:1540
-
C:\Windows\SysWOW64\Mhjhmhhd.exe  (command line: C:\Windows\system32\Mhjhmhhd.exe, depth 48)
- Executes dropped EXE
PID:4396
-
C:\Windows\SysWOW64\Mpapnfhg.exe  (command line: C:\Windows\system32\Mpapnfhg.exe, depth 49)
- Executes dropped EXE
- Modifies registry class
PID:1404
-
C:\Windows\SysWOW64\Mfnhfm32.exe  (command line: C:\Windows\system32\Mfnhfm32.exe, depth 50)
- Executes dropped EXE
PID:3368
-
C:\Windows\SysWOW64\Mofmobmo.exe  (command line: C:\Windows\system32\Mofmobmo.exe, depth 51)
- Executes dropped EXE
PID:2892
-
C:\Windows\SysWOW64\Mjlalkmd.exe  (command line: C:\Windows\system32\Mjlalkmd.exe, depth 52)
- Executes dropped EXE
PID:1872
-
C:\Windows\SysWOW64\Mljmhflh.exe  (command line: C:\Windows\system32\Mljmhflh.exe, depth 53)
- Executes dropped EXE
PID:1628
-
C:\Windows\SysWOW64\Mbgeqmjp.exe  (command line: C:\Windows\system32\Mbgeqmjp.exe, depth 54)
- Executes dropped EXE
PID:4456
-
C:\Windows\SysWOW64\Mhanngbl.exe  (command line: C:\Windows\system32\Mhanngbl.exe, depth 55)
- Executes dropped EXE
PID:2280
-
C:\Windows\SysWOW64\Mqhfoebo.exe  (command line: C:\Windows\system32\Mqhfoebo.exe, depth 56)
- Executes dropped EXE
PID:4824
-
C:\Windows\SysWOW64\Mjpjgj32.exe  (command line: C:\Windows\system32\Mjpjgj32.exe, depth 57)
- Executes dropped EXE
PID:2456
-
C:\Windows\SysWOW64\Momcpa32.exe  (command line: C:\Windows\system32\Momcpa32.exe, depth 58)
- Executes dropped EXE
PID:4868
-
C:\Windows\SysWOW64\Noppeaed.exe  (command line: C:\Windows\system32\Noppeaed.exe, depth 59)
- Executes dropped EXE
PID:1320
-
C:\Windows\SysWOW64\Nbnlaldg.exe  (command line: C:\Windows\system32\Nbnlaldg.exe, depth 60)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1736
-
C:\Windows\SysWOW64\Nmcpoedn.exe  (command line: C:\Windows\system32\Nmcpoedn.exe, depth 61)
- Executes dropped EXE
PID:5104
-
C:\Windows\SysWOW64\Nmfmde32.exe  (command line: C:\Windows\system32\Nmfmde32.exe, depth 62)
- Executes dropped EXE
PID:4920
-
C:\Windows\SysWOW64\Ncpeaoih.exe  (command line: C:\Windows\system32\Ncpeaoih.exe, depth 63)
- Executes dropped EXE
PID:3584
-
C:\Windows\SysWOW64\Nimmifgo.exe  (command line: C:\Windows\system32\Nimmifgo.exe, depth 64)
- Executes dropped EXE
- Modifies registry class
PID:1448
-
C:\Windows\SysWOW64\Nqcejcha.exe  (command line: C:\Windows\system32\Nqcejcha.exe, depth 65)
- Executes dropped EXE
PID:2960
-
C:\Windows\SysWOW64\Njljch32.exe  (command line: C:\Windows\system32\Njljch32.exe, depth 66)
- Executes dropped EXE
PID:3064
-
C:\Windows\SysWOW64\Obgohklm.exe  (command line: C:\Windows\system32\Obgohklm.exe, depth 67)
PID:2856
-
C:\Windows\SysWOW64\Oiagde32.exe  (command line: C:\Windows\system32\Oiagde32.exe, depth 68)
PID:1876
-
C:\Windows\SysWOW64\Ookoaokf.exe  (command line: C:\Windows\system32\Ookoaokf.exe, depth 69)
PID:1132
-
C:\Windows\SysWOW64\Objkmkjj.exe  (command line: C:\Windows\system32\Objkmkjj.exe, depth 70)
- Modifies registry class
PID:3108
-
C:\Windows\SysWOW64\Omopjcjp.exe  (command line: C:\Windows\system32\Omopjcjp.exe, depth 71)
PID:4812
-
C:\Windows\SysWOW64\Ocihgnam.exe  (command line: C:\Windows\system32\Ocihgnam.exe, depth 72)
PID:5112
-
C:\Windows\SysWOW64\Ofgdcipq.exe  (command line: C:\Windows\system32\Ofgdcipq.exe, depth 73)
PID:3128
-
C:\Windows\SysWOW64\Ofjqihnn.exe  (command line: C:\Windows\system32\Ofjqihnn.exe, depth 74)
PID:3576
-
C:\Windows\SysWOW64\Opbean32.exe  (command line: C:\Windows\system32\Opbean32.exe, depth 75)
PID:2288
-
C:\Windows\SysWOW64\Obqanjdb.exe  (command line: C:\Windows\system32\Obqanjdb.exe, depth 76)
- Drops file in System32 directory
PID:3428
-
C:\Windows\SysWOW64\Oikjkc32.exe  (command line: C:\Windows\system32\Oikjkc32.exe, depth 77)
PID:848
-
C:\Windows\SysWOW64\Ppdbgncl.exe  (command line: C:\Windows\system32\Ppdbgncl.exe, depth 78)
- Drops file in System32 directory
PID:5140
-
C:\Windows\SysWOW64\Pjjfdfbb.exe  (command line: C:\Windows\system32\Pjjfdfbb.exe, depth 79)
PID:5184
-
C:\Windows\SysWOW64\Padnaq32.exe  (command line: C:\Windows\system32\Padnaq32.exe, depth 80)
PID:5228
-
C:\Windows\SysWOW64\Pbekii32.exe  (command line: C:\Windows\system32\Pbekii32.exe, depth 81)
PID:5264
-
C:\Windows\SysWOW64\Pmkofa32.exe  (command line: C:\Windows\system32\Pmkofa32.exe, depth 82)
PID:5316
-
C:\Windows\SysWOW64\Pfccogfc.exe  (command line: C:\Windows\system32\Pfccogfc.exe, depth 83)
PID:5360
-
C:\Windows\SysWOW64\Pmmlla32.exe  (command line: C:\Windows\system32\Pmmlla32.exe, depth 84)
PID:5400
-
C:\Windows\SysWOW64\Pcgdhkem.exe  (command line: C:\Windows\system32\Pcgdhkem.exe, depth 85)
PID:5444
-
C:\Windows\SysWOW64\Pfepdg32.exe  (command line: C:\Windows\system32\Pfepdg32.exe, depth 86)
PID:5492
-
C:\Windows\SysWOW64\Pmphaaln.exe  (command line: C:\Windows\system32\Pmphaaln.exe, depth 87)
PID:5528
-
C:\Windows\SysWOW64\Ppnenlka.exe  (command line: C:\Windows\system32\Ppnenlka.exe, depth 88)
PID:5576
-
C:\Windows\SysWOW64\Pfhmjf32.exe  (command line: C:\Windows\system32\Pfhmjf32.exe, depth 89)
PID:5620
-
C:\Windows\SysWOW64\Pmbegqjk.exe  (command line: C:\Windows\system32\Pmbegqjk.exe, depth 90)
PID:5672
-
C:\Windows\SysWOW64\Qppaclio.exe  (command line: C:\Windows\system32\Qppaclio.exe, depth 91)
PID:5712
-
C:\Windows\SysWOW64\Qbonoghb.exe  (command line: C:\Windows\system32\Qbonoghb.exe, depth 92)
PID:5756
-
C:\Windows\SysWOW64\Qapnmopa.exe  (command line: C:\Windows\system32\Qapnmopa.exe, depth 93)
PID:5800
-
C:\Windows\SysWOW64\Qcnjijoe.exe  (command line: C:\Windows\system32\Qcnjijoe.exe, depth 94)
PID:5848
-
C:\Windows\SysWOW64\Qjhbfd32.exe  (command line: C:\Windows\system32\Qjhbfd32.exe, depth 95)
PID:5892
-
C:\Windows\SysWOW64\Apeknk32.exe  (command line: C:\Windows\system32\Apeknk32.exe, depth 96)
PID:5952
-
C:\Windows\SysWOW64\Aimogakj.exe  (command line: C:\Windows\system32\Aimogakj.exe, depth 97)
PID:5988
-
C:\Windows\SysWOW64\Aadghn32.exe  (command line: C:\Windows\system32\Aadghn32.exe, depth 98)
PID:6040
-
C:\Windows\SysWOW64\Ajmladbl.exe  (command line: C:\Windows\system32\Ajmladbl.exe, depth 99)
PID:6100
-
C:\Windows\SysWOW64\Aagdnn32.exe  (command line: C:\Windows\system32\Aagdnn32.exe, depth 100)
PID:6136
-
C:\Windows\SysWOW64\Abhqefpg.exe  (command line: C:\Windows\system32\Abhqefpg.exe, depth 101)
PID:5240
-
C:\Windows\SysWOW64\Aibibp32.exe  (command line: C:\Windows\system32\Aibibp32.exe, depth 102)
PID:5324
-
C:\Windows\SysWOW64\Aplaoj32.exe  (command line: C:\Windows\system32\Aplaoj32.exe, depth 103)
- Modifies registry class
PID:5384
-
C:\Windows\SysWOW64\Abjmkf32.exe  (command line: C:\Windows\system32\Abjmkf32.exe, depth 104)
PID:5460
-
C:\Windows\SysWOW64\Ajaelc32.exe  (command line: C:\Windows\system32\Ajaelc32.exe, depth 105)
PID:5524
-
C:\Windows\SysWOW64\Ampaho32.exe  (command line: C:\Windows\system32\Ampaho32.exe, depth 106)
PID:5608
-
C:\Windows\SysWOW64\Abmjqe32.exe  (command line: C:\Windows\system32\Abmjqe32.exe, depth 107)
PID:5668
-
C:\Windows\SysWOW64\Bigbmpco.exe  (command line: C:\Windows\system32\Bigbmpco.exe, depth 108)
PID:5764
-
C:\Windows\SysWOW64\Banjnm32.exe  (command line: C:\Windows\system32\Banjnm32.exe, depth 109)
- Modifies registry class
PID:5960
-
C:\Windows\SysWOW64\Biklho32.exe  (command line: C:\Windows\system32\Biklho32.exe, depth 110)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6020
-
C:\Windows\SysWOW64\Babcil32.exe  (command line: C:\Windows\system32\Babcil32.exe, depth 111)
PID:6132
-
C:\Windows\SysWOW64\Bdapehop.exe  (command line: C:\Windows\system32\Bdapehop.exe, depth 112)
PID:5176
-
C:\Windows\SysWOW64\Bfolacnc.exe  (command line: C:\Windows\system32\Bfolacnc.exe, depth 113)
- Drops file in System32 directory
PID:5340
-
C:\Windows\SysWOW64\Bmidnm32.exe  (command line: C:\Windows\system32\Bmidnm32.exe, depth 114)
PID:5432
-
C:\Windows\SysWOW64\Bphqji32.exe  (command line: C:\Windows\system32\Bphqji32.exe, depth 115)
PID:5572
-
C:\Windows\SysWOW64\Bkmeha32.exe  (command line: C:\Windows\system32\Bkmeha32.exe, depth 116)
- Modifies registry class
PID:5664
-
C:\Windows\SysWOW64\Bagmdllg.exe  (command line: C:\Windows\system32\Bagmdllg.exe, depth 117)
PID:5856
-
C:\Windows\SysWOW64\Bdeiqgkj.exe  (command line: C:\Windows\system32\Bdeiqgkj.exe, depth 118)
PID:6088
-
C:\Windows\SysWOW64\Cibain32.exe  (command line: C:\Windows\system32\Cibain32.exe, depth 119)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5304
-
C:\Windows\SysWOW64\Cgfbbb32.exe  (command line: C:\Windows\system32\Cgfbbb32.exe, depth 120)
PID:5512
-
C:\Windows\SysWOW64\Cienon32.exe  (command line: C:\Windows\system32\Cienon32.exe, depth 121)
- Modifies registry class
PID:5632
-
C:\Windows\SysWOW64\Cdjblf32.exe  (command line: C:\Windows\system32\Cdjblf32.exe, depth 122)
PID:3252