Analysis

max time kernel: 112s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-11-2023 05:36

Behavioral tasks
behavioral1 | Sample: NEAS.ea7dca003c7e8c41e1069ed595500ce0_JC.exe | Resource: win7-20231023-en
behavioral2 | Sample: NEAS.ea7dca003c7e8c41e1069ed595500ce0_JC.exe | Resource: win10v2004-20231023-en
The signatures, IOC lists and process tree below come from behavioral2 (the Windows 10 2004 x64 run); the yara hits are tagged behavioral2/files/… accordingly.

General
Target: NEAS.ea7dca003c7e8c41e1069ed595500ce0_JC.exe
Size: 398KB
MD5: ea7dca003c7e8c41e1069ed595500ce0
SHA1: 7cf817b9701f64c36d96d6c3299ea6a4dce813ea
SHA256: 98ddefa441dbe5800da1b0a9599847fc983a9571fed95d518eca33a57c08aa2e
SHA512: d4fcfdc86801614a3d4fce6202f6cbdd371e21658133d1edb4094a1fafa98c57fc19b7936b30d297ae821489c68097f3734f5b6bfca082c23b5730107c1e8053
SSDEEP: 12288:nl6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:l6t3XGpvr4B9f01ZmQvrimipWf0Aq
Malware Config
(no configuration was extracted for this sample)

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process

Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 34 processes: Ialhdh32.exe, Hkdbik32.exe, Pbpall32.exe, Ecmlmcmb.exe, Ihfpabbd.exe, Ldhbnhlm.exe, Pjpokm32.exe, Kiphjo32.exe, Jdjfohjg.exe, Odjmdocp.exe, Afkipi32.exe, Process not Found, Kpncbemh.exe, Khmjga32.exe, Kimgad32.exe, Oakjnnap.exe, Mgidgakk.exe, Goabhl32.exe, Ebokodfc.exe, Hgliie32.exe, Phkaqqoi.exe, Ghnpmqef.exe, Qnhabp32.exe, Imklncch.exe, Lpocciba.exe, Pmmelo32.exe, Mnbnchlb.exe, Kngcdkjo.exe, Npognfpo.exe, Gaffbg32.exe, Ndliin32.exe, Qdfefkll.exe, Onqdhh32.exe, Jmpgghoo.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | 30 processes: Jhifomdj.exe, Olhlaoea.exe, Iblfgc32.exe, Process not Found, Ieoapl32.exe, Kojkeogp.exe, Fkopgn32.exe, Chagiqhm.exe, Qdhalj32.exe, Nqgiel32.exe, Ohnljine.exe, Knipik32.exe, Fkllghoq.exe, Ahdpea32.exe, Gokdoj32.exe, Hihbco32.exe, Jaemilci.exe, Oqpeaeel.exe, Kdkoef32.exe, Qnhabp32.exe, Jjnqap32.exe, Bnfmcn32.exe, Dhfhnfhc.exe, Ehhgpj32.exe, Foebmn32.exe, Hnddqp32.exe, Gajpmg32.exe, Gfqjkljn.exe, Nbkojo32.exe, Khbhdn32.exe

Every one of the 64 entries is the same write: a ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" whose data is the CLSID {79ECA078-17FF-726B-E811-213280E5C831}. Explorer.exe instantiates each CLSID listed under SSODL at logon, so the DLL registered for that CLSID (see "Modifies registry class" below) is loaded into Explorer's process. "Process not Found" is the sandbox's name for a writer that had already exited when the event was attributed. Note the view: the sample is 32-bit, so its registry writes were redirected into the WOW6432Node branch, which is the 32-bit view; a 64-bit Explorer reads the native HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. When hunting for this persistence on x64 hosts, query both views and expect the entry under WOW6432Node for 32-bit droppers.
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan whose primary function is to stage further infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers.

resource | yara_rule
All 64 hits are rule family_berbew on files dropped in behavioral2:
behavioral2/files/0x0009000000022bf4-6.dat, -8.dat
behavioral2/files/0x0009000000022c0c-14.dat, -16.dat
behavioral2/files/0x000a000000022c16-22.dat, -24.dat
behavioral2/files/0x0009000000022cae-25.dat, -30.dat, -31.dat
behavioral2/files/0x0007000000022cb4-38.dat, -40.dat
behavioral2/files/0x0007000000022cb6-46.dat, -48.dat
behavioral2/files/0x0007000000022cb8-55.dat, -54.dat
behavioral2/files/0x0007000000022cba-62.dat, -64.dat
behavioral2/files/0x0007000000022cbc-65.dat, -72.dat, -70.dat
behavioral2/files/0x0007000000022cbe-78.dat, -80.dat
behavioral2/files/0x0007000000022cc0-86.dat, -88.dat
behavioral2/files/0x0007000000022cc2-94.dat, -96.dat
behavioral2/files/0x0007000000022cc4-102.dat, -104.dat
behavioral2/files/0x0007000000022cc6-105.dat, -110.dat, -111.dat
behavioral2/files/0x0007000000022cc8-118.dat, -120.dat
behavioral2/files/0x0007000000022cca-126.dat, -128.dat
behavioral2/files/0x0007000000022ccc-134.dat, -136.dat
behavioral2/files/0x0007000000022cce-142.dat, -144.dat
behavioral2/files/0x0007000000022cd0-150.dat, -152.dat
behavioral2/files/0x0007000000022cd2-158.dat, -159.dat
behavioral2/files/0x0007000000022cd4-161.dat, -165.dat, -168.dat
behavioral2/files/0x0007000000022cd6-174.dat, -176.dat
behavioral2/files/0x0007000000022cd8-178.dat, -182.dat, -184.dat
behavioral2/files/0x0007000000022cda-190.dat, -192.dat
behavioral2/files/0x0007000000022cdc-199.dat, -198.dat
behavioral2/files/0x0007000000022cde-206.dat, -208.dat
behavioral2/files/0x0007000000022ce0-216.dat, -214.dat
behavioral2/files/0x0007000000022ce2-222.dat, -223.dat
behavioral2/files/0x0007000000022ce5-230.dat, -232.dat
behavioral2/files/0x0007000000022ce7-238.dat
Executes dropped EXE (64 IoCs)
pid | Process
2772 | Gbnhoj32.exe
3956 | Jhifomdj.exe
460 | Jbepme32.exe
3324 | Kiphjo32.exe
1192 | Kidben32.exe
3716 | Kpccmhdg.exe
4196 | Lljdai32.exe
3896 | Lcmodajm.exe
3360 | Mhoahh32.exe
3356 | Mfbaalbi.exe
4304 | Nciopppp.exe
3576 | Nbbeml32.exe
4600 | Nmjfodne.exe
2000 | Opbean32.exe
4148 | Pfojdh32.exe
4332 | Pmmlla32.exe
2856 | Ppnenlka.exe
3004 | Afappe32.exe
2884 | Ajaelc32.exe
4684 | Bpqjjjjl.exe
3388 | Bkkhbb32.exe
860 | Cajjjk32.exe
1880 | Cmbgdl32.exe
3436 | Cdolgfbp.exe
4112 | Ddfbgelh.exe
4780 | Dcnlnaom.exe
1500 | Epffbd32.exe
3452 | Ekngemhd.exe
3204 | Eqkondfl.exe
1728 | Fcneeo32.exe
1524 | Fcbnpnme.exe
4992 | Fqikob32.exe
808 | Gndbie32.exe
4880 | Hchqbkkm.exe
3940 | Hnmeodjc.exe
1424 | Ilkhog32.exe
4532 | Iecmhlhb.exe
4280 | Jnnnfalp.exe
5088 | Jdjfohjg.exe
3376 | Jaemilci.exe
4504 | Kdkoef32.exe
1504 | Kdmlkfjb.exe
3432 | Lkiamp32.exe
4852 | Lhmafcnf.exe
2180 | Logicn32.exe
4480 | Lhdggb32.exe
116 | Ldkhlcnb.exe
4312 | Mkepineo.exe
2636 | Mociol32.exe
4836 | Nchhfild.exe
4856 | Nkeipk32.exe
3812 | Nlefjnno.exe
1816 | Odjmdocp.exe
3948 | Pilpfm32.exe
1316 | Pbddobla.exe
4700 | Qbngeadf.exe
3996 | Abpcja32.exe
4448 | Amfhgj32.exe
4696 | Abgjkpll.exe
4544 | Bfhofnpp.exe
1580 | Bppcpc32.exe
1508 | Bikeni32.exe
3092 | Ddcogo32.exe
3704 | Edoncm32.exe

The list is in launch order and the names advance through the alphabet (G, J, K, L, M, N, O, P, then wrapping to A, B, C, …), each an 8-character name, often ending in "32", living in SysWOW64. That naming cadence is a useful hunt lead in this run: dozens of never-before-seen 8-letter executables appearing in SysWOW64 within two minutes, each started by the previous one.
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Cabfagee.exe | Cfmacoep.exe
File opened for modification | C:\Windows\SysWOW64\Cajjjk32.exe | Bkkhbb32.exe
File opened for modification | C:\Windows\SysWOW64\Kjlmbnof.exe | Jjgcgo32.exe
File opened for modification | C:\Windows\SysWOW64\Nfeepdbg.exe | Nnidcg32.exe
File opened for modification | C:\Windows\SysWOW64\Chhkmh32.exe | Bopgdcnc.exe
File opened for modification | C:\Windows\SysWOW64\Cdiohhbm.exe | Ckpjob32.exe
File created | C:\Windows\SysWOW64\Egpofhkf.dll | Apeagd32.exe
File created | C:\Windows\SysWOW64\Gjapfjnb.exe | Gqhknd32.exe
File created | C:\Windows\SysWOW64\Hjagmjpi.dll | Ldhbnhlm.exe
File created | C:\Windows\SysWOW64\Pempol32.dll | Gfimpfmj.exe
File created | C:\Windows\SysWOW64\Ncfdbk32.exe | Nllleapo.exe
File created | C:\Windows\SysWOW64\Pgiojf32.exe | Pdkcnklf.exe
File created | C:\Windows\SysWOW64\Pbbnbkpe.exe | Pijiif32.exe
File opened for modification | C:\Windows\SysWOW64\Jmpnppap.exe | Jfffcf32.exe
File opened for modification | C:\Windows\SysWOW64\Ocbdni32.exe | Olhlaoea.exe
File created | C:\Windows\SysWOW64\Jbnlan32.dll | Process not Found
File created | C:\Windows\SysWOW64\Mnheca32.dll | Cnbmolhd.exe
File created | C:\Windows\SysWOW64\Fnoboc32.exe | Fhbifl32.exe
File opened for modification | C:\Windows\SysWOW64\Ngjcgdba.exe | Mpnnek32.exe
File created | C:\Windows\SysWOW64\Pilpfm32.exe | Odjmdocp.exe
File opened for modification | C:\Windows\SysWOW64\Ecpomiok.exe | Ecnbgian.exe
File opened for modification | C:\Windows\SysWOW64\Mdhkefnj.exe | Mjcghm32.exe
File created | C:\Windows\SysWOW64\Ekqgenqi.dll | Jiageecb.exe
File created | C:\Windows\SysWOW64\Lhmafcnf.exe | Lkiamp32.exe
File opened for modification | C:\Windows\SysWOW64\Pgaelcgm.exe | Philfgdh.exe
File opened for modification | C:\Windows\SysWOW64\Kdlcbjfj.exe | Kmbkfp32.exe
File opened for modification | C:\Windows\SysWOW64\Lifqbi32.exe | Lpnlicne.exe
File created | C:\Windows\SysWOW64\Lboklcod.dll | Meadgc32.exe
File opened for modification | C:\Windows\SysWOW64\Nojagf32.exe | Nhpijldj.exe
File created | C:\Windows\SysWOW64\Fcdpakhk.dll | Bbpeghpe.exe
File opened for modification | C:\Windows\SysWOW64\Agkgceeh.exe | Admkgifd.exe
File opened for modification | C:\Windows\SysWOW64\Qdpmij32.exe | Process not Found
File created | C:\Windows\SysWOW64\Hidkhm32.dll | Inmggo32.exe
File created | C:\Windows\SysWOW64\Ifofkacc.dll | Lkbmih32.exe
File created | C:\Windows\SysWOW64\Eoljhi32.dll | Kjlmbnof.exe
File created | C:\Windows\SysWOW64\Ennaaohb.dll | Iaokdn32.exe
File created | C:\Windows\SysWOW64\Fjoonj32.dll | Hikkdc32.exe
File created | C:\Windows\SysWOW64\Habeni32.exe | Hpchdf32.exe
File opened for modification | C:\Windows\SysWOW64\Mhgkfkhl.exe | Mbmbiqqp.exe
File created | C:\Windows\SysWOW64\Ffbnin32.exe | Fjlmdmqj.exe
File created | C:\Windows\SysWOW64\Gdckjqqj.dll | Jijhom32.exe
File created | C:\Windows\SysWOW64\Oeipko32.dll | Mlciobhj.exe
File created | C:\Windows\SysWOW64\Eahhcd32.exe | Egbdekcg.exe
File created | C:\Windows\SysWOW64\Mjopnl32.dll | Hihbco32.exe
File created | C:\Windows\SysWOW64\Qbngeadf.exe | Pbddobla.exe
File created | C:\Windows\SysWOW64\Fempbm32.exe | Foakpc32.exe
File created | C:\Windows\SysWOW64\Gplged32.exe | Gchflq32.exe
File created | C:\Windows\SysWOW64\Odiekomi.dll | Ccldebeo.exe
File created | C:\Windows\SysWOW64\Bcgjjgkh.dll | Hklpaeno.exe
File created | C:\Windows\SysWOW64\Mnocfn32.dll | Aified32.exe
File created | C:\Windows\SysWOW64\Elcpkeef.dll | Mjcghm32.exe
File created | C:\Windows\SysWOW64\Qdpmij32.exe | Process not Found
File created | C:\Windows\SysWOW64\Eoollocp.exe | Edihof32.exe
File created | C:\Windows\SysWOW64\Pgaelcgm.exe | Philfgdh.exe
File created | C:\Windows\SysWOW64\Jjgcgo32.exe | Jkomhhae.exe
File opened for modification | C:\Windows\SysWOW64\Hpchdf32.exe | Hnblmnfa.exe
File created | C:\Windows\SysWOW64\Kiakgkoe.dll | Eqalfgll.exe
File created | C:\Windows\SysWOW64\Gfamco32.dll | Bhaeli32.exe
File opened for modification | C:\Windows\SysWOW64\Eaonccme.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ilcjgm32.exe | Icjengld.exe
File created | C:\Windows\SysWOW64\Qahkch32.exe | Qhofjbnl.exe
File opened for modification | C:\Windows\SysWOW64\Hihbco32.exe | Hckjjh32.exe
File created | C:\Windows\SysWOW64\Emojjn32.dll | Kpgfhddn.exe
File created | C:\Windows\SysWOW64\Kimgad32.exe | Kngcdkjo.exe

Two patterns in this list tie the other signatures together. Each stage writes the next stage's .exe and then launches it: Odjmdocp.exe creates Pilpfm32.exe, which runs as pid 3948 in "Executes dropped EXE", and Bkkhbb32.exe (pid 3388) opens Cajjjk32.exe for modification immediately before writing into pid 860, Cajjjk32.exe. Each stage also drops a .dll alongside: Bhaeli32.exe creates Gfamco32.dll, the same path it registers as the CLSID's InProcServer32 default in "Modifies registry class" below, so the .dll is the COM server Explorer will load and the .exe is the self-replicating installer. The paths are SysWOW64 because the 32-bit sample's writes to "system32" were redirected by WOW64.
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
6868 | 5460 | Process not Found | 1361
Modifies registry class (64 IoCs)
description | ioc | Process

Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | 23 processes: Andqnn32.exe, Cfglahbj.exe, Jabgkpad.exe, Fgffka32.exe, Hikkdc32.exe, Process not Found, Gplged32.exe, Fkllghoq.exe, Olehai32.exe, Edoncm32.exe, Bplammmf.exe, Nacboi32.exe, Lldfcn32.exe, Klfjbpmn.exe, Mjcghm32.exe, Gcfjfqah.exe, Mgebfhcl.exe, Jjoeoedo.exe, Nngoddkg.exe, Jdjfohjg.exe, Jmbdmg32.exe, Afkipi32.exe, Migcpneb.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | 20 processes: Hcpcehko.exe, Pjnbfmom.exe, Mdaedgdb.exe, Hheoci32.exe, Ipkneh32.exe, Jioajliq.exe, Process not Found, Kngcdkjo.exe, Hfmigmgf.exe, Anmagenh.exe, Abpcicpi.exe, Epffbd32.exe, Pfojdh32.exe, Andqnn32.exe, Clnanlhn.exe, Nddkaddm.exe, Hcimei32.exe, Mingbhon.exe, Cadcfd32.exe, Dpdogj32.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ (the key's default value, shown as "InProcServer32\ =" in the raw log) | 21 processes, each re-pointing the CLSID at its own DLL:
"C:\\Windows\\SysWow64\\Mhlebfjp.dll" | Gajpmg32.exe
"C:\\Windows\\SysWow64\\Cbdijhno.dll" | Hpnhoqmi.exe
"C:\\Windows\\SysWow64\\Onbmjegm.dll" | Bplammmf.exe
"C:\\Windows\\SysWow64\\Cppfmf32.dll" | Qkpmcddi.exe
"C:\\Windows\\SysWow64\\Gjcheq32.dll" | Nicjaino.exe
"C:\\Windows\\SysWow64\\Coddlo32.dll" | Ocdqcikl.exe
"C:\\Windows\\SysWow64\\Pgiggcgj.dll" | Obafjk32.exe
"C:\\Windows\\SysWow64\\Ncloojfj.dll" | Odjmdocp.exe
"C:\\Windows\\SysWow64\\Ififkj32.dll" | Lgqhki32.exe
"C:\\Windows\\SysWow64\\Nglkbd32.dll" | Hbegakcb.exe
"C:\\Windows\\SysWow64\\Jgigan32.dll" | Phhhbi32.exe
"C:\\Windows\\SysWow64\\Lnmajl32.dll" | Bagmpoco.exe
"C:\\Windows\\SysWow64\\Kkklkejm.dll" | Ldhdlnli.exe
"C:\\Windows\\SysWow64\\Ennikm32.dll" | Kfiajinf.exe
"C:\\Windows\\SysWow64\\Cpmbkm32.dll" | Fefcgh32.exe
"C:\\Windows\\SysWow64\\Admhlq32.dll" | Mbmbiqqp.exe
"C:\\Windows\\SysWow64\\Nbddah32.dll" | Fljedg32.exe
"C:\\Windows\\SysWow64\\Igdmbh32.dll" | Lkiqla32.exe
"C:\\Windows\\SysWow64\\Gggnif32.dll" | Hpfdkiac.exe
"C:\\Windows\\SysWow64\\Hmihgd32.dll" | Kmiqfoie.exe
"C:\\Windows\\SysWow64\\Gfamco32.dll" | Bhaeli32.exe

This is the second half of the SSODL persistence: the CLSID named in "Web Event Logger" is registered as an in-process COM server (InProcServer32, ThreadingModel = Apartment) whose default value is a freshly dropped DLL in SysWOW64. Because every stage overwrites the same CLSID's default value, only the last writer's DLL is the one Explorer would load; the earlier DLLs remain on disk as artifacts. The doubled backslashes are how the sandbox prints REG_SZ data, not part of the stored path. Registration lives under Classes\WOW6432Node\CLSID, the 32-bit view, for the same redirection reason noted under the autorun signature.
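The two registry signatures above ("Adds autorun key…" and "Modifies registry class") describe one mechanism, and the report lists them separately. The Python below is an added example, not part of the Triage report or the Berbew sample: it parses a handful of the report's own IOC lines (copied in as constructed input, in the report's flattened "description ioc Process" layout), joins the SSODL value's CLSID to the InProcServer32 default value registered for that CLSID, and records which registry view the writes landed in. The parsing format, the function names and the "Process not Found" handling are assumptions made here from the report text.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the report's registry IOC lines, one record per string,
# split where the report's flattened "description ioc Process" table puts its boundaries.
# The sandbox prints REG_SZ data with doubled backslashes and names a writer that had
# already exited "Process not Found"; both are reproduced here as they appear in the report.
SSODL_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhifomdj.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ialhdh32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found',
]
CLSID_LINES = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Andqnn32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhlebfjp.dll" Gajpmg32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcpcehko.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdijhno.dll" Hpnhoqmi.exe',
]

SET_RE = re.compile(r'^Set value \(str\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<process>.+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\\S+) (?P<process>.+)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$', re.IGNORECASE)
SSODL_SUFFIX = "\\shellserviceobjectdelayload"


def parse_line(line):
    """Split one IOC line into (action, key, value_name, data, process), or None.
    value_name '' is the key's (Default) value, which for InProcServer32 is the DLL path."""
    m = SET_RE.match(line)
    if m:
        key, _, name = m.group("path").rpartition("\\")
        data = m.group("data").replace("\\\\", "\\")   # undo the report's doubled backslashes
        return "set", key, name, data, m.group("process")
    m = KEY_RE.match(line)
    if m:
        return "create", m.group("path"), None, None, m.group("process")
    return None


def view_of(key):
    """WOW6432Node is the 32-bit registry view; a 64-bit Explorer reads the native view."""
    return "wow6432node" if "\\wow6432node\\" in key.lower() else "native"


def correlate(ssodl_lines, clsid_lines):
    """Join the two signatures: SSODL entry name -> CLSID -> InProcServer32 DLL(s)."""
    ssodl = {"key_created_by": [], "entries": {}, "views": set()}
    clsid = {}
    for line in ssodl_lines:
        rec = parse_line(line)
        if rec is None or not rec[1].lower().endswith(SSODL_SUFFIX):
            continue
        action, key, name, data, proc = rec
        ssodl["views"].add(view_of(key))
        if action == "create":
            ssodl["key_created_by"].append(proc)
        else:
            entry = ssodl["entries"].setdefault(name, {"clsid": data, "set_by": []})
            entry["set_by"].append(proc)
    ssodl["views"] = sorted(ssodl["views"])
    for line in clsid_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        action, key, name, data, proc = rec
        m = CLSID_RE.search(key)
        if not m:
            continue
        info = clsid.setdefault(m.group(1).upper(), {
            "key_created_by": [], "inproc_dlls": defaultdict(list), "threading_model": None})
        if action == "create":
            info["key_created_by"].append(proc)
        elif name == "":
            info["inproc_dlls"][data].append(proc)
        elif name.lower() == "threadingmodel":
            info["threading_model"] = data
    return {"ssodl": ssodl, "clsid": clsid}


def persistence_chain(result):
    """Resolve every SSODL entry to the DLL path(s) registered for its CLSID; the DLL is
    None when the CLSID was never registered in the lines seen."""
    links = []
    for name, entry in result["ssodl"]["entries"].items():
        info = result["clsid"].get(entry["clsid"].upper())
        if info is None:
            links.append((name, entry["clsid"], None))
        else:
            for dll in sorted(info["inproc_dlls"]):
                links.append((name, entry["clsid"], dll))
    return links


if __name__ == "__main__":
    result = correlate(SSODL_LINES, CLSID_LINES)
    print("SSODL written in view(s):", result["ssodl"]["views"])
    for name, guid, dll in persistence_chain(result):
        print(f"{name} -> {guid} -> {dll}")
```

On the report's full data the chain resolves to 21 DLL paths for the one CLSID, because each stage overwrote the default value; on a live host only the current default value matters, and the same join (SSODL value data, then HKLM\Software\Classes\CLSID\{…}\InProcServer32 in both the native and WOW6432Node views) is the check to run.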
Suspicious use of WriteProcessMemory (64 IoCs)
pid | Process | wrote to pid | target (from "Executes dropped EXE") | procid_target | writes
916 | NEAS.ea7dca003c7e8c41e1069ed595500ce0_JC.exe | 2772 | Gbnhoj32.exe | 92 | 3
2772 | Gbnhoj32.exe | 3956 | Jhifomdj.exe | 93 | 3
3956 | Jhifomdj.exe | 460 | Jbepme32.exe | 94 | 3
460 | Jbepme32.exe | 3324 | Kiphjo32.exe | 95 | 3
3324 | Kiphjo32.exe | 1192 | Kidben32.exe | 96 | 3
1192 | Kidben32.exe | 3716 | Kpccmhdg.exe | 97 | 3
3716 | Kpccmhdg.exe | 4196 | Lljdai32.exe | 98 | 3
4196 | Lljdai32.exe | 3896 | Lcmodajm.exe | 99 | 3
3896 | Lcmodajm.exe | 3360 | Mhoahh32.exe | 100 | 3
3360 | Mhoahh32.exe | 3356 | Mfbaalbi.exe | 101 | 3
3356 | Mfbaalbi.exe | 4304 | Nciopppp.exe | 102 | 3
4304 | Nciopppp.exe | 3576 | Nbbeml32.exe | 103 | 3
3576 | Nbbeml32.exe | 4600 | Nmjfodne.exe | 104 | 3
4600 | Nmjfodne.exe | 2000 | Opbean32.exe | 105 | 3
2000 | Opbean32.exe | 4148 | Pfojdh32.exe | 106 | 3
4148 | Pfojdh32.exe | 4332 | Pmmlla32.exe | 107 | 3
4332 | Pmmlla32.exe | 2856 | Ppnenlka.exe | 108 | 3
2856 | Ppnenlka.exe | 3004 | Afappe32.exe | 109 | 3
3004 | Afappe32.exe | 2884 | Ajaelc32.exe | 110 | 3
2884 | Ajaelc32.exe | 4684 | Bpqjjjjl.exe | 111 | 3
4684 | Bpqjjjjl.exe | 3388 | Bkkhbb32.exe | 112 | 3
3388 | Bkkhbb32.exe | 860 | Cajjjk32.exe | 113 | 1 (list capped at 64 entries)

The raw list is 64 lines of the form "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>", three per parent/child pair, which collapse to the 22 links above. Read it as the process chain rather than as injection evidence: CreateProcess itself writes into the new process (its parameter block goes in before the first thread runs), so a parent that merely launches a child also trips this signature. Every process here writes to exactly one child and is written to by exactly one parent, which is the self-replicating chain of renamed copies seen in "Executes dropped EXE".
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ea7dca003c7e8c41e1069ed595500ce0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ea7dca003c7e8c41e1069ed595500ce0_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Kiphjo32.exeC:\Windows\system32\Kiphjo32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Kidben32.exeC:\Windows\system32\Kidben32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Lljdai32.exeC:\Windows\system32\Lljdai32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Lcmodajm.exeC:\Windows\system32\Lcmodajm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Mhoahh32.exeC:\Windows\system32\Mhoahh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Mfbaalbi.exeC:\Windows\system32\Mfbaalbi.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Nciopppp.exeC:\Windows\system32\Nciopppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Nbbeml32.exeC:\Windows\system32\Nbbeml32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Nmjfodne.exeC:\Windows\system32\Nmjfodne.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Opbean32.exeC:\Windows\system32\Opbean32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Pfojdh32.exeC:\Windows\system32\Pfojdh32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Ppnenlka.exeC:\Windows\system32\Ppnenlka.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Afappe32.exeC:\Windows\system32\Afappe32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ajaelc32.exeC:\Windows\system32\Ajaelc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Bpqjjjjl.exeC:\Windows\system32\Bpqjjjjl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Bkkhbb32.exeC:\Windows\system32\Bkkhbb32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Cajjjk32.exeC:\Windows\system32\Cajjjk32.exe23⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Cmbgdl32.exeC:\Windows\system32\Cmbgdl32.exe24⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Cdolgfbp.exeC:\Windows\system32\Cdolgfbp.exe25⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe26⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Dcnlnaom.exeC:\Windows\system32\Dcnlnaom.exe27⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Ekngemhd.exeC:\Windows\system32\Ekngemhd.exe29⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Eqkondfl.exeC:\Windows\system32\Eqkondfl.exe30⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Fcneeo32.exeC:\Windows\system32\Fcneeo32.exe31⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Fcbnpnme.exeC:\Windows\system32\Fcbnpnme.exe32⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe33⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Gndbie32.exeC:\Windows\system32\Gndbie32.exe34⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Hchqbkkm.exeC:\Windows\system32\Hchqbkkm.exe35⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Hnmeodjc.exeC:\Windows\system32\Hnmeodjc.exe36⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Ilkhog32.exeC:\Windows\system32\Ilkhog32.exe37⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Iecmhlhb.exeC:\Windows\system32\Iecmhlhb.exe38⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe39⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Jdjfohjg.exeC:\Windows\system32\Jdjfohjg.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Jaemilci.exeC:\Windows\system32\Jaemilci.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe43⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Lkiamp32.exeC:\Windows\system32\Lkiamp32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3432 -
C:\Windows\SysWOW64\Lhmafcnf.exeC:\Windows\system32\Lhmafcnf.exe45⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe46⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Lhdggb32.exeC:\Windows\system32\Lhdggb32.exe47⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Ldkhlcnb.exeC:\Windows\system32\Ldkhlcnb.exe48⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe49⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Mociol32.exeC:\Windows\system32\Mociol32.exe50⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe51⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe52⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Nlefjnno.exeC:\Windows\system32\Nlefjnno.exe53⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe55⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe57⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Abpcja32.exeC:\Windows\system32\Abpcja32.exe58⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe59⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Abgjkpll.exeC:\Windows\system32\Abgjkpll.exe60⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe61⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe62⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Bikeni32.exeC:\Windows\system32\Bikeni32.exe63⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe64⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:3704 -
C:\Windows\SysWOW64\Flaiho32.exeC:\Windows\system32\Flaiho32.exe66⤵PID:2536
-
C:\Windows\SysWOW64\Fckaeioa.exeC:\Windows\system32\Fckaeioa.exe67⤵PID:2004
-
C:\Windows\SysWOW64\Fdadpk32.exeC:\Windows\system32\Fdadpk32.exe68⤵PID:804
-
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe69⤵PID:1824
-
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe70⤵PID:3740
-
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe71⤵PID:5136
-
C:\Windows\SysWOW64\Gjcfcakn.exeC:\Windows\system32\Gjcfcakn.exe72⤵PID:5180
-
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe73⤵PID:5216
-
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe74⤵PID:5260
-
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe75⤵PID:5296
-
C:\Windows\SysWOW64\Hdbmfhbi.exeC:\Windows\system32\Hdbmfhbi.exe76⤵PID:5344
-
C:\Windows\SysWOW64\Hfcinq32.exeC:\Windows\system32\Hfcinq32.exe77⤵PID:5384
-
C:\Windows\SysWOW64\Hqkjaifk.exeC:\Windows\system32\Hqkjaifk.exe78⤵PID:5424
-
C:\Windows\SysWOW64\Hclccd32.exeC:\Windows\system32\Hclccd32.exe79⤵PID:5556
-
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe80⤵PID:5596
-
C:\Windows\SysWOW64\Jmpgghoo.exeC:\Windows\system32\Jmpgghoo.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5636 -
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe82⤵PID:5680
-
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe83⤵
- Modifies registry class
PID:5724 -
C:\Windows\SysWOW64\Jcaeea32.exeC:\Windows\system32\Jcaeea32.exe84⤵PID:5768
-
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe85⤵PID:5808
-
C:\Windows\SysWOW64\Kmlgcf32.exeC:\Windows\system32\Kmlgcf32.exe86⤵PID:5856
-
C:\Windows\SysWOW64\Kmppneal.exeC:\Windows\system32\Kmppneal.exe87⤵PID:5900
-
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe88⤵PID:5944
-
C:\Windows\SysWOW64\Logbigbg.exeC:\Windows\system32\Logbigbg.exe89⤵PID:5988
-
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe90⤵PID:6032
-
C:\Windows\SysWOW64\Ldhdlnli.exeC:\Windows\system32\Ldhdlnli.exe91⤵
- Modifies registry class
PID:6072 -
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe92⤵
- Drops file in System32 directory
PID:6120 -
C:\Windows\SysWOW64\Mkgfdgpq.exeC:\Windows\system32\Mkgfdgpq.exe93⤵PID:5144
-
C:\Windows\SysWOW64\Mgngih32.exeC:\Windows\system32\Mgngih32.exe94⤵PID:5208
-
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe95⤵PID:5284
-
C:\Windows\SysWOW64\Nncoaq32.exeC:\Windows\system32\Nncoaq32.exe96⤵PID:2268
-
C:\Windows\SysWOW64\Onhhmpoo.exeC:\Windows\system32\Onhhmpoo.exe97⤵PID:5372
-
C:\Windows\SysWOW64\Ohnljine.exeC:\Windows\system32\Ohnljine.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436 -
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe99⤵PID:5524
-
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5496 -
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe101⤵PID:5584
-
C:\Windows\SysWOW64\Ofhcdlgg.exeC:\Windows\system32\Ofhcdlgg.exe102⤵PID:5660
-
C:\Windows\SysWOW64\Ogjpld32.exeC:\Windows\system32\Ogjpld32.exe103⤵PID:5708
-
C:\Windows\SysWOW64\Pndhhnda.exeC:\Windows\system32\Pndhhnda.exe104⤵PID:5800
-
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe105⤵
- Drops file in System32 directory
PID:5868 -
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe106⤵PID:5932
-
C:\Windows\SysWOW64\Qomghp32.exeC:\Windows\system32\Qomghp32.exe107⤵PID:6028
-
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe108⤵PID:6068
-
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe109⤵PID:6128
-
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5200 -
C:\Windows\SysWOW64\Bfghlhmd.exeC:\Windows\system32\Bfghlhmd.exe111⤵PID:5280
-
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe112⤵
- Drops file in System32 directory
PID:5336 -
C:\Windows\SysWOW64\Bgmnooom.exeC:\Windows\system32\Bgmnooom.exe113⤵PID:5416
-
C:\Windows\SysWOW64\Bfnnmg32.exeC:\Windows\system32\Bfnnmg32.exe114⤵PID:5504
-
C:\Windows\SysWOW64\Bgokdomj.exeC:\Windows\system32\Bgokdomj.exe115⤵PID:5592
-
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe116⤵PID:5712
-
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe117⤵PID:5852
-
C:\Windows\SysWOW64\Dpdogj32.exeC:\Windows\system32\Dpdogj32.exe118⤵
- Modifies registry class
PID:5908 -
C:\Windows\SysWOW64\Dfqdid32.exeC:\Windows\system32\Dfqdid32.exe119⤵PID:6040
-
C:\Windows\SysWOW64\Dpkehi32.exeC:\Windows\system32\Dpkehi32.exe120⤵PID:6100
-
C:\Windows\SysWOW64\Dfemdcba.exeC:\Windows\system32\Dfemdcba.exe121⤵PID:5252
-
C:\Windows\SysWOW64\Eifffoob.exeC:\Windows\system32\Eifffoob.exe122⤵PID:3980
-