Analysis

max time kernel: 156s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2023, 19:10
Behavioral task behavioral1
  Sample: NEAS.c45927908b53e76a3f0001f04f5624c0_JC.exe
  Resource: win7-20231023-en

Behavioral task behavioral2
  Sample: NEAS.c45927908b53e76a3f0001f04f5624c0_JC.exe
  Resource: win10v2004-20231023-en
General

Target: NEAS.c45927908b53e76a3f0001f04f5624c0_JC.exe
Size: 113KB
MD5: c45927908b53e76a3f0001f04f5624c0
SHA1: 87704493e387e0526b4b8558791aa83fc20856a1
SHA256: b2e17bab7f4b8c9bf4679f4fb83dfe1c633d1ebf939f69d60aca5760e3fb15d8
SHA512: d6c03a79beea742eaa719e844eaeee270f1dd53d1004cc2fff81d53aa30dd1dd6123237ac7212579d77c26633f5ae19638d37afcbe8cf61c5df309ed265876af
SSDEEP: 3072:qWRKMS7EEQLTxV+ugCe8uvQa7gRj9/S2Kn:qiK8EKdV+ISMRNF
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqhknd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adbiojfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Meogbcel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aokceaoa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfogohpa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdffkgpc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aahblp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkgnalep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eofgioah.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ieojqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijkdkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhmfba32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dodbkiho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pchljlpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnhegp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdbndjld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipdnna32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpmobi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnbgaa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elilmi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Algiaepd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eplgod32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fihnhc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnbgaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjjggede.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajmgof32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjjmfn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aejmdegn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnmnpano.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhijcohe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qhjegh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjhfif32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lopmbomp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pibdff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gedohfmp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjkofh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbngfbdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clgmkbna.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blenhmph.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gighom32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqbdej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofcale32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gknkkmmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alcfpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clhbhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpneom32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flkdpnjl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmnbpm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhbelp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abpmpkoh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plapdb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acicefid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jofaeb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pimfji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajodef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgcooaah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eoaianan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfhjefhf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehecpgbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehecpgbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcimmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcfidb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hidpbf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eaabci32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan whose primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x0009000000022cd1-7.dat | family_berbew
behavioral2/files/0x0009000000022cd1-8.dat | family_berbew
behavioral2/files/0x0008000000022cd3-17.dat | family_berbew
behavioral2/files/0x0008000000022cd3-15.dat | family_berbew
behavioral2/files/0x0009000000022cd5-25.dat | family_berbew
behavioral2/files/0x0009000000022cd5-23.dat | family_berbew
behavioral2/files/0x0009000000022cd8-32.dat | family_berbew
behavioral2/files/0x0009000000022cd8-31.dat | family_berbew
behavioral2/files/0x0007000000022cda-39.dat | family_berbew
behavioral2/files/0x0007000000022cda-41.dat | family_berbew
behavioral2/files/0x0007000000022cdc-47.dat | family_berbew
behavioral2/files/0x0007000000022cdc-49.dat | family_berbew
behavioral2/files/0x0007000000022cde-51.dat | family_berbew
behavioral2/files/0x0007000000022cde-55.dat | family_berbew
behavioral2/files/0x0007000000022cde-57.dat | family_berbew
behavioral2/files/0x0007000000022ce0-65.dat | family_berbew
behavioral2/files/0x0007000000022ce0-64.dat | family_berbew
behavioral2/files/0x0006000000022ce3-72.dat | family_berbew
behavioral2/files/0x0006000000022ce3-74.dat | family_berbew
behavioral2/files/0x0006000000022ce6-75.dat | family_berbew
behavioral2/files/0x0006000000022ce6-80.dat | family_berbew
behavioral2/files/0x0006000000022ce6-82.dat | family_berbew
behavioral2/files/0x0006000000022ce8-88.dat | family_berbew
behavioral2/files/0x0006000000022cea-92.dat | family_berbew
behavioral2/files/0x0006000000022ce8-90.dat | family_berbew
behavioral2/files/0x0006000000022cea-96.dat | family_berbew
behavioral2/files/0x0006000000022cea-98.dat | family_berbew
behavioral2/files/0x0006000000022cec-104.dat | family_berbew
behavioral2/files/0x0006000000022cee-108.dat | family_berbew
behavioral2/files/0x0006000000022cec-106.dat | family_berbew
behavioral2/files/0x0006000000022cee-114.dat | family_berbew
behavioral2/files/0x0006000000022cee-112.dat | family_berbew
behavioral2/files/0x0006000000022cf0-122.dat | family_berbew
behavioral2/files/0x0006000000022cf0-120.dat | family_berbew
behavioral2/files/0x0006000000022cf2-128.dat | family_berbew
behavioral2/files/0x0006000000022cf2-130.dat | family_berbew
behavioral2/files/0x0006000000022cf4-136.dat | family_berbew
behavioral2/files/0x0006000000022cf4-138.dat | family_berbew
behavioral2/files/0x0006000000022cf6-144.dat | family_berbew
behavioral2/files/0x0006000000022cf6-145.dat | family_berbew
behavioral2/files/0x0006000000022cf8-152.dat | family_berbew
behavioral2/files/0x0006000000022cf8-154.dat | family_berbew
behavioral2/files/0x0006000000022cfa-160.dat | family_berbew
behavioral2/files/0x0006000000022cfa-161.dat | family_berbew
behavioral2/files/0x0006000000022cfc-167.dat | family_berbew
behavioral2/files/0x0006000000022cfc-169.dat | family_berbew
behavioral2/files/0x0006000000022cfe-176.dat | family_berbew
behavioral2/files/0x0006000000022cfe-178.dat | family_berbew
behavioral2/files/0x0006000000022d00-184.dat | family_berbew
behavioral2/files/0x0006000000022d00-186.dat | family_berbew
behavioral2/files/0x0006000000022d02-192.dat | family_berbew
behavioral2/files/0x0006000000022d02-193.dat | family_berbew
behavioral2/files/0x0006000000022d04-200.dat | family_berbew
behavioral2/files/0x0006000000022d04-202.dat | family_berbew
behavioral2/files/0x0006000000022d07-208.dat | family_berbew
behavioral2/files/0x0006000000022d07-209.dat | family_berbew
behavioral2/files/0x0006000000022d0a-216.dat | family_berbew
behavioral2/files/0x0006000000022d0a-218.dat | family_berbew
behavioral2/files/0x0006000000022d0d-224.dat | family_berbew
behavioral2/files/0x0006000000022d0d-226.dat | family_berbew
behavioral2/files/0x0006000000022d0f-227.dat | family_berbew
behavioral2/files/0x0006000000022d0f-232.dat | family_berbew
behavioral2/files/0x0006000000022d0f-233.dat | family_berbew
behavioral2/files/0x0006000000022d11-240.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
4640 | Kcmmhj32.exe
4252 | Qpcecb32.exe
3424 | Ahaceo32.exe
232 | Boihcf32.exe
2740 | Dojqjdbl.exe
4536 | Ebdlangb.exe
4768 | Filapfbo.exe
3920 | Gbbajjlp.exe
2496 | Ghojbq32.exe
2720 | Ihbponja.exe
668 | Jhgiim32.exe
3524 | Kcjjhdjb.exe
3556 | Kcapicdj.exe
60 | Lcfidb32.exe
4316 | Mledmg32.exe
5104 | Nmaciefp.exe
2804 | Nqcejcha.exe
2276 | Pplhhm32.exe
4132 | Aadghn32.exe
240 | Cgmhcaac.exe
3936 | Dalofi32.exe
2184 | Ecdbop32.exe
4436 | Fdmaoahm.exe
724 | Gjaphgpl.exe
2320 | Gdgdeppb.exe
1784 | Gjhfif32.exe
2616 | Hccggl32.exe
3968 | Hannao32.exe
1112 | Hnbnjc32.exe
4136 | Iccpniqp.exe
4684 | Iloajfml.exe
4112 | Jnbgaa32.exe
3124 | Kocphojh.exe
652 | Leabphmp.exe
4648 | Mdbnmbhj.exe
4164 | Nkeipk32.exe
1544 | Ncaklhdi.exe
1456 | Obkahddl.exe
1768 | Pbddobla.exe
3404 | Pfbmdabh.exe
3764 | Pbljoafi.exe
3540 | Afnlpohj.exe
3828 | Bbefln32.exe
4628 | Clgmkbna.exe
2268 | Dipgpf32.exe
4360 | Didqkeeq.exe
2164 | Epcbbohh.exe
5084 | Edcgnmml.exe
3264 | Fpoaom32.exe
5112 | Flhoinbl.exe
3612 | Gdfmkjlg.exe
936 | Gnanioad.exe
5076 | Ggicbe32.exe
4580 | Gqagkjne.exe
3344 | Hmkeekag.exe
1908 | Hdffah32.exe
1820 | Ijhhenhf.exe
4788 | Ifoijonj.exe
1144 | Imnjbhaa.exe
236 | Jgcooaah.exe
3436 | Kebodc32.exe
2760 | Kmncif32.exe
4816 | Lfmnbjcg.exe
4740 | Lhadgmge.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Kppmgb32.dll | Jdddjq32.exe
File created | C:\Windows\SysWOW64\Hknnckao.dll | Dmooak32.exe
File created | C:\Windows\SysWOW64\Aknmjgje.dll | Pbljoafi.exe
File created | C:\Windows\SysWOW64\Jfeoip32.exe | Jpkfmfok.exe
File opened for modification | C:\Windows\SysWOW64\Kehhjfif.exe | Jlocaabf.exe
File opened for modification | C:\Windows\SysWOW64\Afcffb32.exe | Adbiojfo.exe
File created | C:\Windows\SysWOW64\Fjfegl32.exe | Fifhmi32.exe
File created | C:\Windows\SysWOW64\Bmqhlk32.exe | Agfpoqog.exe
File opened for modification | C:\Windows\SysWOW64\Dgomaf32.exe | Dbbdip32.exe
File created | C:\Windows\SysWOW64\Cbnpja32.exe | Bdmpljlj.exe
File created | C:\Windows\SysWOW64\Mpdkol32.exe | Meogbcel.exe
File created | C:\Windows\SysWOW64\Iomood32.exe | Imkbglei.exe
File opened for modification | C:\Windows\SysWOW64\Bpgnmcdh.exe | Amibqhed.exe
File opened for modification | C:\Windows\SysWOW64\Dhkjooqb.exe | Daqbbe32.exe
File opened for modification | C:\Windows\SysWOW64\Mpdkol32.exe | Meogbcel.exe
File opened for modification | C:\Windows\SysWOW64\Fimonh32.exe | Ffobbmpp.exe
File created | C:\Windows\SysWOW64\Chepehne.exe | Cakghn32.exe
File opened for modification | C:\Windows\SysWOW64\Cdnmphag.exe | Ckeigc32.exe
File created | C:\Windows\SysWOW64\Gfahlfko.dll | Bacjmh32.exe
File created | C:\Windows\SysWOW64\Deboiojb.dll | Jolhjj32.exe
File created | C:\Windows\SysWOW64\Anadho32.exe | Agglld32.exe
File created | C:\Windows\SysWOW64\Kjnjip32.dll | Lopmbomp.exe
File opened for modification | C:\Windows\SysWOW64\Dofpqfof.exe | Dapcab32.exe
File created | C:\Windows\SysWOW64\Dhnbkfek.exe | Cdnmphag.exe
File opened for modification | C:\Windows\SysWOW64\Anmagenh.exe | Pjkofh32.exe
File opened for modification | C:\Windows\SysWOW64\Dhdaao32.exe | Dnondf32.exe
File created | C:\Windows\SysWOW64\Fgfdeo32.dll | Mmfaafej.exe
File created | C:\Windows\SysWOW64\Bdmdng32.exe | Bnclamqe.exe
File opened for modification | C:\Windows\SysWOW64\Dbndoa32.exe | Dmakgj32.exe
File created | C:\Windows\SysWOW64\Pjfloq32.dll | Mccfnc32.exe
File opened for modification | C:\Windows\SysWOW64\Glgckl32.exe | Gmafjp32.exe
File created | C:\Windows\SysWOW64\Naoedh32.dll | Ocihqc32.exe
File created | C:\Windows\SysWOW64\Cefega32.exe | Commjgga.exe
File created | C:\Windows\SysWOW64\Edknjonl.exe | Dodbkiho.exe
File opened for modification | C:\Windows\SysWOW64\Gpmofe32.exe | Gicgjk32.exe
File created | C:\Windows\SysWOW64\Jhgiim32.exe | Ihbponja.exe
File created | C:\Windows\SysWOW64\Ldhbnhlm.exe | Lmnjan32.exe
File opened for modification | C:\Windows\SysWOW64\Mnhdae32.exe | Mgkoolil.exe
File opened for modification | C:\Windows\SysWOW64\Apmhbf32.exe | Qanhkk32.exe
File created | C:\Windows\SysWOW64\Djojepof.dll | Ecdbop32.exe
File created | C:\Windows\SysWOW64\Pkkdci32.exe | Pdalfo32.exe
File created | C:\Windows\SysWOW64\Dbdohk32.dll | Opjnai32.exe
File opened for modification | C:\Windows\SysWOW64\Fbajlo32.exe | Fjfegl32.exe
File created | C:\Windows\SysWOW64\Giilml32.dll | Oiagcg32.exe
File opened for modification | C:\Windows\SysWOW64\Dbllkohi.exe | Dlbcoe32.exe
File created | C:\Windows\SysWOW64\Fhoecana.dll | Nlhkqngo.exe
File opened for modification | C:\Windows\SysWOW64\Fflobgng.exe | Fihnhc32.exe
File created | C:\Windows\SysWOW64\Ladekn32.dll | Oifpijea.exe
File opened for modification | C:\Windows\SysWOW64\Didqkeeq.exe | Dipgpf32.exe
File created | C:\Windows\SysWOW64\Cnhell32.exe | Ccbaoc32.exe
File created | C:\Windows\SysWOW64\Bbifobho.exe | Bhdbaihi.exe
File created | C:\Windows\SysWOW64\Efepln32.exe | Eplgod32.exe
File created | C:\Windows\SysWOW64\Ecipeb32.exe | Emphhhoh.exe
File opened for modification | C:\Windows\SysWOW64\Gqagkjne.exe | Ggicbe32.exe
File opened for modification | C:\Windows\SysWOW64\Commjgga.exe | Ceppfbef.exe
File opened for modification | C:\Windows\SysWOW64\Lhammfci.exe | Lagepl32.exe
File opened for modification | C:\Windows\SysWOW64\Gblbmg32.exe | Glbjpmdd.exe
File created | C:\Windows\SysWOW64\Mjddehlk.dll | Lqfpoope.exe
File opened for modification | C:\Windows\SysWOW64\Mdgejmdi.exe | Mbhina32.exe
File opened for modification | C:\Windows\SysWOW64\Pehghhgc.exe | Oiagcg32.exe
File opened for modification | C:\Windows\SysWOW64\Bochfc32.exe | Boqlqd32.exe
File created | C:\Windows\SysWOW64\Ogajnn32.dll | Himqjpme.exe
File created | C:\Windows\SysWOW64\Fbmoabde.exe | Fkcgdh32.exe
File opened for modification | C:\Windows\SysWOW64\Epcbbohh.exe | Didqkeeq.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omeahnij.dll" | Agjhadmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jlocaabf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jhmfba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jhocgqjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdaigi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebpje32.dll" | Kaehepeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkolf32.dll" | Jgfcfajg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjdkikf.dll" | Bgkaip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokdpc32.dll" | Ebkbmqhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbchc32.dll" | Gochceml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeojdk32.dll" | Ebcmjqej.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Joahjcgb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfdjccol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mefhfm32.dll" | Hdffah32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Apaofk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Agbkfood.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Flkdpnjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dgomaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dapcab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdaigi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocihqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pbcnmogm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgiflnoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmdim32.dll" | Hlkfle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkggfeam.dll" | Lmkbeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjlbag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nofmndkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afoqbkld.dll" | Fifhmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakmkp32.dll" | Akniofoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnjip32.dll" | Lopmbomp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbbajjlp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncpelbap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cqkkcghn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Laqlclga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjnece32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lnihod32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ckbegmin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ookokeqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddmhcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbgoik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppiomkim.dll" | Gdmmlf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnhkklbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdnmphag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canjpp32.dll" | Bmqhlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbefkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcflpb32.dll" | Eplgod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faklheqo.dll" | Lqndahiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Coohbbeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogkcihgj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kjhlipla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Egjobl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igpkok32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Acheqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jqhaolli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jolhjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljmgmd32.dll" | Ecipeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Poimigfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbcpboc.dll" | Gfkjef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpjfi32.dll" | Afcffb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Acicefid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhidahm.dll" | Ncfmhecp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllibo32.dll" | Jqhaolli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakobdbb.dll" | Agfpoqog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgebnc32.dll" | Cmipkb32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4760 wrote to memory of 4640 | 4760 | NEAS.c45927908b53e76a3f0001f04f5624c0_JC.exe | 91
PID 4760 wrote to memory of 4640 | 4760 | NEAS.c45927908b53e76a3f0001f04f5624c0_JC.exe | 91
PID 4760 wrote to memory of 4640 | 4760 | NEAS.c45927908b53e76a3f0001f04f5624c0_JC.exe | 91
PID 4640 wrote to memory of 4252 | 4640 | Kcmmhj32.exe | 92
PID 4640 wrote to memory of 4252 | 4640 | Kcmmhj32.exe | 92
PID 4640 wrote to memory of 4252 | 4640 | Kcmmhj32.exe | 92
PID 4252 wrote to memory of 3424 | 4252 | Qpcecb32.exe | 93
PID 4252 wrote to memory of 3424 | 4252 | Qpcecb32.exe | 93
PID 4252 wrote to memory of 3424 | 4252 | Qpcecb32.exe | 93
PID 3424 wrote to memory of 232 | 3424 | Ahaceo32.exe | 94
PID 3424 wrote to memory of 232 | 3424 | Ahaceo32.exe | 94
PID 3424 wrote to memory of 232 | 3424 | Ahaceo32.exe | 94
PID 232 wrote to memory of 2740 | 232 | Boihcf32.exe | 95
PID 232 wrote to memory of 2740 | 232 | Boihcf32.exe | 95
PID 232 wrote to memory of 2740 | 232 | Boihcf32.exe | 95
PID 2740 wrote to memory of 4536 | 2740 | Dojqjdbl.exe | 96
PID 2740 wrote to memory of 4536 | 2740 | Dojqjdbl.exe | 96
PID 2740 wrote to memory of 4536 | 2740 | Dojqjdbl.exe | 96
PID 4536 wrote to memory of 4768 | 4536 | Ebdlangb.exe | 97
PID 4536 wrote to memory of 4768 | 4536 | Ebdlangb.exe | 97
PID 4536 wrote to memory of 4768 | 4536 | Ebdlangb.exe | 97
PID 4768 wrote to memory of 3920 | 4768 | Filapfbo.exe | 98
PID 4768 wrote to memory of 3920 | 4768 | Filapfbo.exe | 98
PID 4768 wrote to memory of 3920 | 4768 | Filapfbo.exe | 98
PID 3920 wrote to memory of 2496 | 3920 | Gbbajjlp.exe | 99
PID 3920 wrote to memory of 2496 | 3920 | Gbbajjlp.exe | 99
PID 3920 wrote to memory of 2496 | 3920 | Gbbajjlp.exe | 99
PID 2496 wrote to memory of 2720 | 2496 | Ghojbq32.exe | 100
PID 2496 wrote to memory of 2720 | 2496 | Ghojbq32.exe | 100
PID 2496 wrote to memory of 2720 | 2496 | Ghojbq32.exe | 100
PID 2720 wrote to memory of 668 | 2720 | Ihbponja.exe | 101
PID 2720 wrote to memory of 668 | 2720 | Ihbponja.exe | 101
PID 2720 wrote to memory of 668 | 2720 | Ihbponja.exe | 101
PID 668 wrote to memory of 3524 | 668 | Jhgiim32.exe | 102
PID 668 wrote to memory of 3524 | 668 | Jhgiim32.exe | 102
PID 668 wrote to memory of 3524 | 668 | Jhgiim32.exe | 102
PID 3524 wrote to memory of 3556 | 3524 | Kcjjhdjb.exe | 103
PID 3524 wrote to memory of 3556 | 3524 | Kcjjhdjb.exe | 103
PID 3524 wrote to memory of 3556 | 3524 | Kcjjhdjb.exe | 103
PID 3556 wrote to memory of 60 | 3556 | Kcapicdj.exe | 104
PID 3556 wrote to memory of 60 | 3556 | Kcapicdj.exe | 104
PID 3556 wrote to memory of 60 | 3556 | Kcapicdj.exe | 104
PID 60 wrote to memory of 4316 | 60 | Lcfidb32.exe | 105
PID 60 wrote to memory of 4316 | 60 | Lcfidb32.exe | 105
PID 60 wrote to memory of 4316 | 60 | Lcfidb32.exe | 105
PID 4316 wrote to memory of 5104 | 4316 | Mledmg32.exe | 106
PID 4316 wrote to memory of 5104 | 4316 | Mledmg32.exe | 106
PID 4316 wrote to memory of 5104 | 4316 | Mledmg32.exe | 106
PID 5104 wrote to memory of 2804 | 5104 | Nmaciefp.exe | 107
PID 5104 wrote to memory of 2804 | 5104 | Nmaciefp.exe | 107
PID 5104 wrote to memory of 2804 | 5104 | Nmaciefp.exe | 107
PID 2804 wrote to memory of 2276 | 2804 | Nqcejcha.exe | 108
PID 2804 wrote to memory of 2276 | 2804 | Nqcejcha.exe | 108
PID 2804 wrote to memory of 2276 | 2804 | Nqcejcha.exe | 108
PID 2276 wrote to memory of 4132 | 2276 | Pplhhm32.exe | 109
PID 2276 wrote to memory of 4132 | 2276 | Pplhhm32.exe | 109
PID 2276 wrote to memory of 4132 | 2276 | Pplhhm32.exe | 109
PID 4132 wrote to memory of 240 | 4132 | Aadghn32.exe | 110
PID 4132 wrote to memory of 240 | 4132 | Aadghn32.exe | 110
PID 4132 wrote to memory of 240 | 4132 | Aadghn32.exe | 110
PID 240 wrote to memory of 3936 | 240 | Cgmhcaac.exe | 111
PID 240 wrote to memory of 3936 | 240 | Cgmhcaac.exe | 111
PID 240 wrote to memory of 3936 | 240 | Cgmhcaac.exe | 111
PID 3936 wrote to memory of 2184 | 3936 | Dalofi32.exe | 112
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.c45927908b53e76a3f0001f04f5624c0_JC.exe (level 1, PID 4760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c45927908b53e76a3f0001f04f5624c0_JC.exe"
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kcmmhj32.exe (level 2, PID 4640)
  Command line: C:\Windows\system32\Kcmmhj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Qpcecb32.exe (level 3, PID 4252)
  Command line: C:\Windows\system32\Qpcecb32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ahaceo32.exe (level 4, PID 3424)
  Command line: C:\Windows\system32\Ahaceo32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Boihcf32.exe (level 5, PID 232)
  Command line: C:\Windows\system32\Boihcf32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Dojqjdbl.exe (level 6, PID 2740)
  Command line: C:\Windows\system32\Dojqjdbl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ebdlangb.exe (level 7, PID 4536)
  Command line: C:\Windows\system32\Ebdlangb.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Filapfbo.exe (level 8, PID 4768)
  Command line: C:\Windows\system32\Filapfbo.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gbbajjlp.exe (level 9, PID 3920)
  Command line: C:\Windows\system32\Gbbajjlp.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ghojbq32.exe (level 10, PID 2496)
  Command line: C:\Windows\system32\Ghojbq32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ihbponja.exe (level 11, PID 2720)
  Command line: C:\Windows\system32\Ihbponja.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jhgiim32.exe (level 12, PID 668)
  Command line: C:\Windows\system32\Jhgiim32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kcjjhdjb.exe (level 13, PID 3524)
  Command line: C:\Windows\system32\Kcjjhdjb.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kcapicdj.exe (level 14, PID 3556)
  Command line: C:\Windows\system32\Kcapicdj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lcfidb32.exe (level 15, PID 60)
  Command line: C:\Windows\system32\Lcfidb32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mledmg32.exe (level 16, PID 4316)
  Command line: C:\Windows\system32\Mledmg32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Nmaciefp.exe (level 17, PID 5104)
  Command line: C:\Windows\system32\Nmaciefp.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Nqcejcha.exe (level 18, PID 2804)
  Command line: C:\Windows\system32\Nqcejcha.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Pplhhm32.exe (level 19, PID 2276)
  Command line: C:\Windows\system32\Pplhhm32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Aadghn32.exe (level 20, PID 4132)
  Command line: C:\Windows\system32\Aadghn32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Cgmhcaac.exe (level 21, PID 240)
  Command line: C:\Windows\system32\Cgmhcaac.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Dalofi32.exe (level 22, PID 3936)
  Command line: C:\Windows\system32\Dalofi32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ecdbop32.exe (level 23, PID 2184)
  Command line: C:\Windows\system32\Ecdbop32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Fdmaoahm.exe (level 24, PID 4436)
  Command line: C:\Windows\system32\Fdmaoahm.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gjaphgpl.exe (level 25, PID 724)
  Command line: C:\Windows\system32\Gjaphgpl.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gdgdeppb.exe (level 26, PID 2320)
  Command line: C:\Windows\system32\Gdgdeppb.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gjhfif32.exe (level 27, PID 1784)
  Command line: C:\Windows\system32\Gjhfif32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hccggl32.exe (level 28, PID 2616)
  Command line: C:\Windows\system32\Hccggl32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hannao32.exe (level 29, PID 3968)
  Command line: C:\Windows\system32\Hannao32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hnbnjc32.exe (level 30, PID 1112)
  Command line: C:\Windows\system32\Hnbnjc32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Iccpniqp.exe (level 31, PID 4136)
  Command line: C:\Windows\system32\Iccpniqp.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Iloajfml.exe (level 32, PID 4684)
  Command line: C:\Windows\system32\Iloajfml.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jnbgaa32.exe (level 33, PID 4112)
  Command line: C:\Windows\system32\Jnbgaa32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kocphojh.exe (level 34, PID 3124)
  Command line: C:\Windows\system32\Kocphojh.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Leabphmp.exe (level 35, PID 652)
  Command line: C:\Windows\system32\Leabphmp.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mdbnmbhj.exe (level 36, PID 4648)
  Command line: C:\Windows\system32\Mdbnmbhj.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nkeipk32.exe (level 37, PID 4164)
  Command line: C:\Windows\system32\Nkeipk32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ncaklhdi.exe (level 38, PID 1544)
  Command line: C:\Windows\system32\Ncaklhdi.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Obkahddl.exe (level 39, PID 1456)
  Command line: C:\Windows\system32\Obkahddl.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pbddobla.exe (level 40, PID 1768)
  Command line: C:\Windows\system32\Pbddobla.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pfbmdabh.exe (level 41, PID 3404)
  Command line: C:\Windows\system32\Pfbmdabh.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pbljoafi.exe (level 42, PID 3764)
  Command line: C:\Windows\system32\Pbljoafi.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Afnlpohj.exe (level 43, PID 3540)
  Command line: C:\Windows\system32\Afnlpohj.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Bbefln32.exe (level 44, PID 3828)
  Command line: C:\Windows\system32\Bbefln32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Clgmkbna.exe (level 45, PID 4628)
  Command line: C:\Windows\system32\Clgmkbna.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dipgpf32.exe (level 46, PID 2268)
  Command line: C:\Windows\system32\Dipgpf32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Didqkeeq.exe (level 47, PID 4360)
  Command line: C:\Windows\system32\Didqkeeq.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Epcbbohh.exe (level 48, PID 2164)
  Command line: C:\Windows\system32\Epcbbohh.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Edcgnmml.exe (level 49, PID 5084)
  Command line: C:\Windows\system32\Edcgnmml.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fpoaom32.exe (level 50, PID 3264)
  Command line: C:\Windows\system32\Fpoaom32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Flhoinbl.exe (level 51, PID 5112)
  Command line: C:\Windows\system32\Flhoinbl.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gdfmkjlg.exe (level 52, PID 3612)
  Command line: C:\Windows\system32\Gdfmkjlg.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gnanioad.exe (level 53, PID 936)
  Command line: C:\Windows\system32\Gnanioad.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ggicbe32.exe (level 54, PID 5076)
  Command line: C:\Windows\system32\Ggicbe32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Gqagkjne.exe (level 55, PID 4580)
  Command line: C:\Windows\system32\Gqagkjne.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hmkeekag.exe (level 56, PID 3344)
  Command line: C:\Windows\system32\Hmkeekag.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hdffah32.exe (level 57, PID 1908)
  Command line: C:\Windows\system32\Hdffah32.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Ijhhenhf.exe (level 58, PID 1820)
  Command line: C:\Windows\system32\Ijhhenhf.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ifoijonj.exe (level 59, PID 4788)
  Command line: C:\Windows\system32\Ifoijonj.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Imnjbhaa.exe (level 60, PID 1144)
  Command line: C:\Windows\system32\Imnjbhaa.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jgcooaah.exe (level 61, PID 236)
  Command line: C:\Windows\system32\Jgcooaah.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kebodc32.exe (level 62, PID 3436)
  Command line: C:\Windows\system32\Kebodc32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kmncif32.exe (level 63, PID 2760)
  Command line: C:\Windows\system32\Kmncif32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lfmnbjcg.exe (level 64, PID 4816)
  Command line: C:\Windows\system32\Lfmnbjcg.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lhadgmge.exe (level 65, PID 4740)
  Command line: C:\Windows\system32\Lhadgmge.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mejnlpai.exe (level 66, PID 1920)
  Command line: C:\Windows\system32\Mejnlpai.exe
- C:\Windows\SysWOW64\Mdokmm32.exe (level 67, PID 5096)
  Command line: C:\Windows\system32\Mdokmm32.exe
- C:\Windows\SysWOW64\Nmlhaa32.exe (level 68, PID 5164)
  Command line: C:\Windows\system32\Nmlhaa32.exe
- C:\Windows\SysWOW64\Nnoefagj.exe (level 69, PID 5204)
  Command line: C:\Windows\system32\Nnoefagj.exe
- C:\Windows\SysWOW64\Ndpcdjho.exe (level 70, PID 5244)
  Command line: C:\Windows\system32\Ndpcdjho.exe
- C:\Windows\SysWOW64\Oddmoj32.exe (level 71, PID 5288)
  Command line: C:\Windows\system32\Oddmoj32.exe
- C:\Windows\SysWOW64\Poagma32.exe (level 72, PID 5328)
  Command line: C:\Windows\system32\Poagma32.exe
- C:\Windows\SysWOW64\Abpmpkoh.exe (level 73, PID 5368)
  Command line: C:\Windows\system32\Abpmpkoh.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Bomppneg.exe (level 74, PID 5428)
  Command line: C:\Windows\system32\Bomppneg.exe
- C:\Windows\SysWOW64\Bgkaip32.exe (level 75, PID 5468)
  Command line: C:\Windows\system32\Bgkaip32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Dhmgfm32.exe (level 76, PID 5524)
  Command line: C:\Windows\system32\Dhmgfm32.exe
- C:\Windows\SysWOW64\Eekjep32.exe (level 77, PID 5560)
  Command line: C:\Windows\system32\Eekjep32.exe
- C:\Windows\SysWOW64\Eoconenj.exe (level 78, PID 5604)
  Command line: C:\Windows\system32\Eoconenj.exe
- C:\Windows\SysWOW64\Elilmi32.exe (level 79, PID 5648)
  Command line: C:\Windows\system32\Elilmi32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Epiaig32.exe (level 80, PID 5688)
  Command line: C:\Windows\system32\Epiaig32.exe
- C:\Windows\SysWOW64\Fgmllpng.exe (level 81, PID 5732)
  Command line: C:\Windows\system32\Fgmllpng.exe
- C:\Windows\SysWOW64\Hpaqqdjj.exe (level 82, PID 5776)
  Command line: C:\Windows\system32\Hpaqqdjj.exe
- C:\Windows\SysWOW64\Hcfcmnce.exe (level 83, PID 5816)
  Command line: C:\Windows\system32\Hcfcmnce.exe
- C:\Windows\SysWOW64\Ijgakgej.exe (level 84, PID 5856)
  Command line: C:\Windows\system32\Ijgakgej.exe
- C:\Windows\SysWOW64\Igpkok32.exe (level 85, PID 5976)
  Command line: C:\Windows\system32\Igpkok32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Jjjggede.exe (level 86, PID 6036)
  Command line: C:\Windows\system32\Jjjggede.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Kcbkpj32.exe (level 87, PID 6128)
  Command line: C:\Windows\system32\Kcbkpj32.exe
- C:\Windows\SysWOW64\Kpnepk32.exe (level 88, PID 5144)
  Command line: C:\Windows\system32\Kpnepk32.exe
- C:\Windows\SysWOW64\Kjcjmclj.exe (level 89, PID 5236)
  Command line: C:\Windows\system32\Kjcjmclj.exe
- C:\Windows\SysWOW64\Lagepl32.exe (level 90, PID 5300)
  Command line: C:\Windows\system32\Lagepl32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Lhammfci.exe (level 91, PID 5348)
  Command line: C:\Windows\system32\Lhammfci.exe
- C:\Windows\SysWOW64\Mfhgcbfo.exe (level 92, PID 5420)
  Command line: C:\Windows\system32\Mfhgcbfo.exe
- C:\Windows\SysWOW64\Nfaijand.exe (level 93, PID 4860)
  Command line: C:\Windows\system32\Nfaijand.exe
- C:\Windows\SysWOW64\Nmnnlk32.exe (level 94, PID 5496)
  Command line: C:\Windows\system32\Nmnnlk32.exe
- C:\Windows\SysWOW64\Oiqomj32.exe (level 95, PID 2752)
  Command line: C:\Windows\system32\Oiqomj32.exe
- C:\Windows\SysWOW64\Ppffec32.exe (level 96, PID 5552)
  Command line: C:\Windows\system32\Ppffec32.exe
- C:\Windows\SysWOW64\Ahgamo32.exe (level 97, PID 5640)
  Command line: C:\Windows\system32\Ahgamo32.exe
- C:\Windows\SysWOW64\Aglnnkid.exe (level 98, PID 5656)
  Command line: C:\Windows\system32\Aglnnkid.exe
- C:\Windows\SysWOW64\Anffje32.exe (level 99, PID 3800)
  Command line: C:\Windows\system32\Anffje32.exe
- C:\Windows\SysWOW64\Adpogp32.exe (level 100, PID 5720)
  Command line: C:\Windows\system32\Adpogp32.exe
- C:\Windows\SysWOW64\Ajmgof32.exe (level 101, PID 5756)
  Command line: C:\Windows\system32\Ajmgof32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Ajodef32.exe (level 102, PID 4192)
  Command line: C:\Windows\system32\Ajodef32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Ajaqjfbp.exe (level 103, PID 5920)
  Command line: C:\Windows\system32\Ajaqjfbp.exe
- C:\Windows\SysWOW64\Bkamdi32.exe (level 104, PID 5988)
  Command line: C:\Windows\system32\Bkamdi32.exe
- C:\Windows\SysWOW64\Bbkeacqo.exe (level 105, PID 6032)
  Command line: C:\Windows\system32\Bbkeacqo.exe
- C:\Windows\SysWOW64\Dndlba32.exe (level 106, PID 2808)
  Command line: C:\Windows\system32\Dndlba32.exe
- C:\Windows\SysWOW64\Dijppjfd.exe (level 107, PID 6064)
  Command line: C:\Windows\system32\Dijppjfd.exe
- C:\Windows\SysWOW64\Dbbdip32.exe (level 108, PID 5956)
  Command line: C:\Windows\system32\Dbbdip32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Dgomaf32.exe (level 109, PID 5200)
  Command line: C:\Windows\system32\Dgomaf32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Dbdano32.exe (level 110, PID 668)
  Command line: C:\Windows\system32\Dbdano32.exe
- C:\Windows\SysWOW64\Eelpqi32.exe (level 111, PID 3884)
  Command line: C:\Windows\system32\Eelpqi32.exe
- C:\Windows\SysWOW64\Elfhmc32.exe (level 112, PID 2140)
  Command line: C:\Windows\system32\Elfhmc32.exe
- C:\Windows\SysWOW64\Eacaej32.exe (level 113, PID 1204)
  Command line: C:\Windows\system32\Eacaej32.exe
- C:\Windows\SysWOW64\Flddoa32.exe (level 114, PID 60)
  Command line: C:\Windows\system32\Flddoa32.exe
- C:\Windows\SysWOW64\Geabbfoc.exe (level 115, PID 584)
  Command line: C:\Windows\system32\Geabbfoc.exe
- C:\Windows\SysWOW64\Gknkkmmj.exe (level 116, PID 5532)
  Command line: C:\Windows\system32\Gknkkmmj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Gedohfmp.exe (level 117, PID 4984)
  Command line: C:\Windows\system32\Gedohfmp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Glngep32.exe (level 118, PID 5676)
  Command line: C:\Windows\system32\Glngep32.exe
- C:\Windows\SysWOW64\Gajpmg32.exe (level 119, PID 5772)
  Command line: C:\Windows\system32\Gajpmg32.exe
- C:\Windows\SysWOW64\Ghdhja32.exe (level 120, PID 2124)
  Command line: C:\Windows\system32\Ghdhja32.exe
- C:\Windows\SysWOW64\Gclimi32.exe (level 121, PID 5924)
  Command line: C:\Windows\system32\Gclimi32.exe
- C:\Windows\SysWOW64\Hifaic32.exe (level 122, PID 4468)
  Command line: C:\Windows\system32\Hifaic32.exe