Analysis
max time kernel: 170s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2023 18:24

Behavioral task: behavioral1
Sample: NEAS.9e422019c59511609132259fc09c2cd8_JC.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: NEAS.9e422019c59511609132259fc09c2cd8_JC.exe
Resource: win10v2004-20231023-en

General
Target: NEAS.9e422019c59511609132259fc09c2cd8_JC.exe
Size: 357KB
MD5: 9e422019c59511609132259fc09c2cd8
SHA1: 2c3e32c34203b252650d6a7bb369d5663f09387a
SHA256: d5f87ce430c74bc1791015eca5d00fe76a31e7c9dd3ea7d1eb9192aa669b7912
SHA512: a712507d0c753fdd5b4a7a3e1ad5a5656a5d1d7f2138c81a888069c0626c7f57cf4f8d2d35911949d04042e97e250ca33fd2715190c2ee30c83bde7cbc022ea5
SSDEEP: 6144:cw0cyNdH1n6xJmPMwZoXpKtCe8AUReheFlfSZR0SvsuFrGoyeg3kl+fiXFOFLaJP:cw0cyNDZoXpKtCe1eehil6ZR5ZrQeg3e
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Each entry gives the nesting depth in the process tree, the image path, the PID, the command line, and the signatures triggered by that process. Every process in the chain is spawned by the one listed before it.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.9e422019c59511609132259fc09c2cd8_JC.exe (PID 1620), command line "C:\Users\Admin\AppData\Local\Temp\NEAS.9e422019c59511609132259fc09c2cd8_JC.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Aocmio32.exe (PID 4568), command line C:\Windows\system32\Aocmio32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Eoekde32.exe (PID 2724), command line C:\Windows\system32\Eoekde32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ggoiap32.exe (PID 4120), command line C:\Windows\system32\Ggoiap32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Gjghdj32.exe (PID 1416), command line C:\Windows\system32\Gjghdj32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Hgpbhmna.exe (PID 812), command line C:\Windows\system32\Hgpbhmna.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Icklhnop.exe (PID 2892), command line C:\Windows\system32\Icklhnop.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Jfgefg32.exe (PID 3324), command line C:\Windows\system32\Jfgefg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Kmmmnp32.exe (PID 2128), command line C:\Windows\system32\Kmmmnp32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lpjelibg.exe (PID 1324), command line C:\Windows\system32\Lpjelibg.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mffjnc32.exe (PID 2336), command line C:\Windows\system32\Mffjnc32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Npjnbg32.exe (PID 2212), command line C:\Windows\system32\Npjnbg32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Qjcdih32.exe (PID 4020), command line C:\Windows\system32\Qjcdih32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Abdoqd32.exe (PID 3964), command line C:\Windows\system32\Abdoqd32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Bbkeacqo.exe (PID 3940), command line C:\Windows\system32\Bbkeacqo.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Cnhlgc32.exe (PID 4052), command line C:\Windows\system32\Cnhlgc32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Cbknhqbl.exe (PID 1128), command line C:\Windows\system32\Cbknhqbl.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Dhfcae32.exe (PID 1044), command line C:\Windows\system32\Dhfcae32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ebpqjmpd.exe (PID 3228), command line C:\Windows\system32\Ebpqjmpd.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Faopah32.exe (PID 4840), command line C:\Windows\system32\Faopah32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ghbkdald.exe (PID 1936), command line C:\Windows\system32\Ghbkdald.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Gkcdfl32.exe (PID 4308), command line C:\Windows\system32\Gkcdfl32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Hhiaepfl.exe (PID 2648), command line C:\Windows\system32\Hhiaepfl.exe
    - Executes dropped EXE
24. C:\Windows\SysWOW64\Hccomh32.exe (PID 4864), command line C:\Windows\system32\Hccomh32.exe
    - Executes dropped EXE
25. C:\Windows\SysWOW64\Ilcjgm32.exe (PID 1824), command line C:\Windows\system32\Ilcjgm32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
26. C:\Windows\SysWOW64\Jcfejfag.exe (PID 3728), command line C:\Windows\system32\Jcfejfag.exe
    - Executes dropped EXE
27. C:\Windows\SysWOW64\Jcknee32.exe (PID 4592), command line C:\Windows\system32\Jcknee32.exe
    - Executes dropped EXE
    - Modifies registry class
28. C:\Windows\SysWOW64\Kbgafqla.exe (PID 1576), command line C:\Windows\system32\Kbgafqla.exe
    - Executes dropped EXE
29. C:\Windows\SysWOW64\Lcpqgbkj.exe (PID 4772), command line C:\Windows\system32\Lcpqgbkj.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
30. C:\Windows\SysWOW64\Lcbmlbig.exe (PID 3644), command line C:\Windows\system32\Lcbmlbig.exe
    - Executes dropped EXE
    - Drops file in System32 directory
31. C:\Windows\SysWOW64\Mihikgod.exe (PID 5056), command line C:\Windows\system32\Mihikgod.exe
    - Executes dropped EXE
32. C:\Windows\SysWOW64\Niiaae32.exe (PID 724), command line C:\Windows\system32\Niiaae32.exe
    - Executes dropped EXE
33. C:\Windows\SysWOW64\Cqmgigfk.exe (PID 3916), command line C:\Windows\system32\Cqmgigfk.exe
    - Executes dropped EXE
34. C:\Windows\SysWOW64\Dklomnmf.exe (PID 3180), command line C:\Windows\system32\Dklomnmf.exe
    - Executes dropped EXE
35. C:\Windows\SysWOW64\Dgcoaock.exe (PID 4824), command line C:\Windows\system32\Dgcoaock.exe
    - Executes dropped EXE
36. C:\Windows\SysWOW64\Ekahhn32.exe (PID 3492), command line C:\Windows\system32\Ekahhn32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
37. C:\Windows\SysWOW64\Egoomnin.exe (PID 3652), command line C:\Windows\system32\Egoomnin.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
38. C:\Windows\SysWOW64\Fjdajhbi.exe (PID 4544), command line C:\Windows\system32\Fjdajhbi.exe
    - Executes dropped EXE
39. C:\Windows\SysWOW64\Haobnpkc.exe (PID 3996), command line C:\Windows\system32\Haobnpkc.exe
    - Executes dropped EXE
40. C:\Windows\SysWOW64\Hkggfe32.exe (PID 4012), command line C:\Windows\system32\Hkggfe32.exe
    - Executes dropped EXE
41. C:\Windows\SysWOW64\Hoepmd32.exe (PID 1312), command line C:\Windows\system32\Hoepmd32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
42. C:\Windows\SysWOW64\Hdahek32.exe (PID 3004), command line C:\Windows\system32\Hdahek32.exe
    - Executes dropped EXE
43. C:\Windows\SysWOW64\Hoglbc32.exe (PID 3976), command line C:\Windows\system32\Hoglbc32.exe
    - Executes dropped EXE
44. C:\Windows\SysWOW64\Hddejjdo.exe (PID 4872), command line C:\Windows\system32\Hddejjdo.exe
    - Executes dropped EXE
45. C:\Windows\SysWOW64\Ihdjfhhc.exe (PID 1396), command line C:\Windows\system32\Ihdjfhhc.exe
    - Executes dropped EXE
46. C:\Windows\SysWOW64\Inhion32.exe (PID 488), command line C:\Windows\system32\Inhion32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
47. C:\Windows\SysWOW64\Lmjkka32.exe (PID 4196), command line C:\Windows\system32\Lmjkka32.exe
    - Executes dropped EXE
    - Modifies registry class
48. C:\Windows\SysWOW64\Nlmdml32.exe (PID 1364), command line C:\Windows\system32\Nlmdml32.exe
    - Executes dropped EXE
49. C:\Windows\SysWOW64\Opgloh32.exe (PID 4856), command line C:\Windows\system32\Opgloh32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
50. C:\Windows\SysWOW64\Pmpfcl32.exe (PID 4480), command line C:\Windows\system32\Pmpfcl32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
51. C:\Windows\SysWOW64\Apeagd32.exe (PID 2148), command line C:\Windows\system32\Apeagd32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
52. C:\Windows\SysWOW64\Bipcei32.exe (PID 1388), command line C:\Windows\system32\Bipcei32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
53. C:\Windows\SysWOW64\Blchmdff.exe (PID 1888), command line C:\Windows\system32\Blchmdff.exe
    - Executes dropped EXE
54. C:\Windows\SysWOW64\Cnealfkf.exe (PID 4756), command line C:\Windows\system32\Cnealfkf.exe
    - Executes dropped EXE
55. C:\Windows\SysWOW64\Cfpfqiha.exe (PID 3376), command line C:\Windows\system32\Cfpfqiha.exe
    - Executes dropped EXE
56. C:\Windows\SysWOW64\Ccipelcf.exe (PID 2468), command line C:\Windows\system32\Ccipelcf.exe
    - Executes dropped EXE
57. C:\Windows\SysWOW64\Dflflg32.exe (PID 4064), command line C:\Windows\system32\Dflflg32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
58. C:\Windows\SysWOW64\Dqajjp32.exe (PID 2072), command line C:\Windows\system32\Dqajjp32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
59. C:\Windows\SysWOW64\Dcbckk32.exe (PID 4240), command line C:\Windows\system32\Dcbckk32.exe
    - Executes dropped EXE
60. C:\Windows\SysWOW64\Dnhgidka.exe (PID 3968), command line C:\Windows\system32\Dnhgidka.exe
    - Executes dropped EXE
61. C:\Windows\SysWOW64\Ecnbgian.exe (PID 2376), command line C:\Windows\system32\Ecnbgian.exe
    - Executes dropped EXE
62. C:\Windows\SysWOW64\Eqbcqnph.exe (PID 2556), command line C:\Windows\system32\Eqbcqnph.exe
    - Executes dropped EXE
63. C:\Windows\SysWOW64\Ffeaichg.exe (PID 4080), command line C:\Windows\system32\Ffeaichg.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
64. C:\Windows\SysWOW64\Gjhdkajh.exe (PID 3156), command line C:\Windows\system32\Gjhdkajh.exe
    - Executes dropped EXE
65. C:\Windows\SysWOW64\Hcjkje32.exe (PID 4724), command line C:\Windows\system32\Hcjkje32.exe
    - Executes dropped EXE
66. C:\Windows\SysWOW64\Hphbpehj.exe (PID 5092), command line C:\Windows\system32\Hphbpehj.exe
67. C:\Windows\SysWOW64\Hmlbij32.exe (PID 2700), command line C:\Windows\system32\Hmlbij32.exe
68. C:\Windows\SysWOW64\Ifdgaond.exe (PID 4680), command line C:\Windows\system32\Ifdgaond.exe
69. C:\Windows\SysWOW64\Ionlhlld.exe (PID 2924), command line C:\Windows\system32\Ionlhlld.exe
70. C:\Windows\SysWOW64\Jacnegep.exe (PID 1008), command line C:\Windows\system32\Jacnegep.exe
    - Modifies registry class
71. C:\Windows\SysWOW64\Jphkfc32.exe (PID 4900), command line C:\Windows\system32\Jphkfc32.exe
72. C:\Windows\SysWOW64\Kaonaekb.exe (PID 1812), command line C:\Windows\system32\Kaonaekb.exe
73. C:\Windows\SysWOW64\Kobnji32.exe (PID 4684), command line C:\Windows\system32\Kobnji32.exe
74. C:\Windows\SysWOW64\Mbhina32.exe (PID 2172), command line C:\Windows\system32\Mbhina32.exe
75. C:\Windows\SysWOW64\Moljgeco.exe (PID 1804), command line C:\Windows\system32\Moljgeco.exe
    - Modifies registry class
76. C:\Windows\SysWOW64\Mndcnafd.exe (PID 3944), command line C:\Windows\system32\Mndcnafd.exe
77. C:\Windows\SysWOW64\Nqdlpmce.exe (PID 4476), command line C:\Windows\system32\Nqdlpmce.exe
    - Drops file in System32 directory
78. C:\Windows\SysWOW64\Nkjqme32.exe (PID 5044), command line C:\Windows\system32\Nkjqme32.exe
79. C:\Windows\SysWOW64\Nbkojo32.exe (PID 3888), command line C:\Windows\system32\Nbkojo32.exe
    - Modifies registry class
80. C:\Windows\SysWOW64\Opfedb32.exe (PID 5140), command line C:\Windows\system32\Opfedb32.exe
81. C:\Windows\SysWOW64\Pbndgl32.exe (PID 5204), command line C:\Windows\system32\Pbndgl32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
82. C:\Windows\SysWOW64\Dhgoimlo.exe (PID 5256), command line C:\Windows\system32\Dhgoimlo.exe
    - Drops file in System32 directory
83. C:\Windows\SysWOW64\Ehjdejkj.exe (PID 5332), command line C:\Windows\system32\Ehjdejkj.exe
84. C:\Windows\SysWOW64\Hboaql32.exe (PID 5380), command line C:\Windows\system32\Hboaql32.exe
85. C:\Windows\SysWOW64\Idjmfmgp.exe (PID 5420), command line C:\Windows\system32\Idjmfmgp.exe
    - Drops file in System32 directory
86. C:\Windows\SysWOW64\Iannpa32.exe (PID 5464), command line C:\Windows\system32\Iannpa32.exe
87. C:\Windows\SysWOW64\Jdqcglqh.exe (PID 5504), command line C:\Windows\system32\Jdqcglqh.exe
    - Modifies registry class
88. C:\Windows\SysWOW64\Jjklcf32.exe (PID 5544), command line C:\Windows\system32\Jjklcf32.exe
89. C:\Windows\SysWOW64\Jbfphh32.exe (PID 5588), command line C:\Windows\system32\Jbfphh32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Jmkdeaee.exe (PID 5628), command line C:\Windows\system32\Jmkdeaee.exe
91. C:\Windows\SysWOW64\Jdembk32.exe (PID 5668), command line C:\Windows\system32\Jdembk32.exe
92. C:\Windows\SysWOW64\Jbkjcgaj.exe (PID 5712), command line C:\Windows\system32\Jbkjcgaj.exe
93. C:\Windows\SysWOW64\Jidbpa32.exe (PID 5748), command line C:\Windows\system32\Jidbpa32.exe
94. C:\Windows\SysWOW64\Jdjfmjhm.exe (PID 5800), command line C:\Windows\system32\Jdjfmjhm.exe
95. C:\Windows\SysWOW64\Kkfkod32.exe (PID 5840), command line C:\Windows\system32\Kkfkod32.exe
96. C:\Windows\SysWOW64\Kpjjhj32.exe (PID 5880), command line C:\Windows\system32\Kpjjhj32.exe
97. C:\Windows\SysWOW64\Lgdbedmc.exe (PID 5924), command line C:\Windows\system32\Lgdbedmc.exe
98. C:\Windows\SysWOW64\Lkgdfb32.exe (PID 5976), command line C:\Windows\system32\Lkgdfb32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Mdaedgdb.exe (PID 6024), command line C:\Windows\system32\Mdaedgdb.exe
100. C:\Windows\SysWOW64\Mnjjmmkc.exe (PID 6068), command line C:\Windows\system32\Mnjjmmkc.exe
     - Drops file in System32 directory
101. C:\Windows\SysWOW64\Mddbjg32.exe (PID 6112), command line C:\Windows\system32\Mddbjg32.exe
102. C:\Windows\SysWOW64\Mjqjbn32.exe (PID 3008), command line C:\Windows\system32\Mjqjbn32.exe
103. C:\Windows\SysWOW64\Mdfopf32.exe (PID 3832), command line C:\Windows\system32\Mdfopf32.exe
104. C:\Windows\SysWOW64\Mjcghm32.exe (PID 4148), command line C:\Windows\system32\Mjcghm32.exe
     - Modifies registry class
105. C:\Windows\SysWOW64\Mpmodg32.exe (PID 1076), command line C:\Windows\system32\Mpmodg32.exe
106. C:\Windows\SysWOW64\Nkgmmpab.exe (PID 4580), command line C:\Windows\system32\Nkgmmpab.exe
107. C:\Windows\SysWOW64\Ngpjgpec.exe (PID 5200), command line C:\Windows\system32\Ngpjgpec.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
108. C:\Windows\SysWOW64\Njcpok32.exe (PID 5184), command line C:\Windows\system32\Njcpok32.exe
109. C:\Windows\SysWOW64\Oqmhlego.exe (PID 5272), command line C:\Windows\system32\Oqmhlego.exe
110. C:\Windows\SysWOW64\Oqdnld32.exe (PID 4584), command line C:\Windows\system32\Oqdnld32.exe
     - Drops file in System32 directory
111. C:\Windows\SysWOW64\Okjbimal.exe (PID 4076), command line C:\Windows\system32\Okjbimal.exe
112. C:\Windows\SysWOW64\Oqgkadod.exe (PID 5356), command line C:\Windows\system32\Oqgkadod.exe
113. C:\Windows\SysWOW64\Ojopki32.exe (PID 5428), command line C:\Windows\system32\Ojopki32.exe
114. C:\Windows\SysWOW64\Pgcpdn32.exe (PID 2648), command line C:\Windows\system32\Pgcpdn32.exe
115. C:\Windows\SysWOW64\Pbhdafdd.exe (PID 5496), command line C:\Windows\system32\Pbhdafdd.exe
116. C:\Windows\SysWOW64\Pnoefg32.exe (PID 5584), command line C:\Windows\system32\Pnoefg32.exe
     - Drops file in System32 directory
117. C:\Windows\SysWOW64\Pjffkhpl.exe (PID 5656), command line C:\Windows\system32\Pjffkhpl.exe
118. C:\Windows\SysWOW64\Ajphagha.exe (PID 5696), command line C:\Windows\system32\Ajphagha.exe
119. C:\Windows\SysWOW64\Bngdndfn.exe (PID 5756), command line C:\Windows\system32\Bngdndfn.exe
120. C:\Windows\SysWOW64\Bhohfj32.exe (PID 5812), command line C:\Windows\system32\Bhohfj32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Iiaein32.exe (PID 5888), command line C:\Windows\system32\Iiaein32.exe
122. C:\Windows\SysWOW64\Jpkfmfok.exe (PID 5932), command line C:\Windows\system32\Jpkfmfok.exe
     - Adds autorun key to be loaded by Explorer.exe on startup