Analysis
max time kernel: 163s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 02/11/2023, 16:40
Behavioral task: behavioral1
Sample: NEAS.17d572a78c32d11d2640b0ca664821a0.exe
Resource: win7-20231025-en
Behavioral task: behavioral2
Sample: NEAS.17d572a78c32d11d2640b0ca664821a0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.17d572a78c32d11d2640b0ca664821a0.exe
Size: 161KB
MD5: 17d572a78c32d11d2640b0ca664821a0
SHA1: 14a5de0b3ddf10466013dad0c0e7077f13010a32
SHA256: 556158fa1306dd6adc9c8c34a1fe461aeeca9d80394c05d0757eda0569fe9fd6
SHA512: 41c0173ad6c88533b9e9a7e6163bf8880f89e9782c8acdcd78c3ffd1e5a038b70ed1db79a85f477e2d79124f8cee462ed490b6286c2f31e7fa4629796d619ff2
SSDEEP: 3072:HxpUMuyg3vLRf3FzjYAfkcVwtCJXeex7rrIRZK8K8/kv:H3UDy4Vfx7kcVwtmeetrIyR
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description ioc Process
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfdkiac.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hncmfj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikpjkf32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjepfo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnclamqe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nklfho32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghflgedf.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapclned.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goconkah.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmiffhkj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddakdqff.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhigbl32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enemjobn.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkciapkj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qicepaef.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jggjpgmc.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdfkhh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmlicp32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphneijl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebapednb.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcneod32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iioicn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldgclgcl.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdbnfh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfhdem32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maggggaf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnmobopb.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcplle32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohiliof.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebejpp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljqhdhpk.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahmoefm.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behbfqoj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iioicn32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcmloa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llggeobk.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdnlmj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcccol32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ildibc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioebdomd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcepfj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnidcg32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpdom32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lomqmoob.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jldbiabp.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjfnlho.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koljaeen.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfgjad32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahblp32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oknnanhj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgpnogo.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knbiil32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjokpm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aohbbqme.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmficce.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cefega32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cecbgl32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjciano.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iippne32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pamikh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blieeglf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekmhnpfl.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldgflba.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedaoa32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule
behavioral2/files/0x0007000000022cd4-6.dat family_berbew
behavioral2/files/0x0007000000022cd4-8.dat family_berbew
behavioral2/files/0x0009000000022cd9-13.dat family_berbew
behavioral2/files/0x0009000000022cd9-16.dat family_berbew
behavioral2/files/0x0006000000022cdc-22.dat family_berbew
behavioral2/files/0x0006000000022cdc-24.dat family_berbew
behavioral2/files/0x0006000000022ce7-30.dat family_berbew
behavioral2/files/0x0006000000022ce7-32.dat family_berbew
behavioral2/files/0x0006000000022ce9-33.dat family_berbew
behavioral2/files/0x0006000000022ce9-38.dat family_berbew
behavioral2/files/0x0006000000022ce9-40.dat family_berbew
behavioral2/files/0x0006000000022ceb-46.dat family_berbew
behavioral2/files/0x0006000000022ceb-47.dat family_berbew
behavioral2/files/0x0006000000022ced-49.dat family_berbew
behavioral2/files/0x0006000000022ced-54.dat family_berbew
behavioral2/files/0x0006000000022ced-56.dat family_berbew
behavioral2/files/0x0006000000022cef-62.dat family_berbew
behavioral2/files/0x0006000000022cef-64.dat family_berbew
behavioral2/files/0x0007000000022ce0-70.dat family_berbew
behavioral2/files/0x0007000000022ce0-71.dat family_berbew
behavioral2/files/0x0006000000022cf5-74.dat family_berbew
behavioral2/files/0x0006000000022cf5-78.dat family_berbew
behavioral2/files/0x0006000000022cf5-80.dat family_berbew
behavioral2/files/0x0006000000022cf7-87.dat family_berbew
behavioral2/files/0x0006000000022cf7-89.dat family_berbew
behavioral2/files/0x0006000000022cfa-96.dat family_berbew
behavioral2/files/0x0006000000022cfa-98.dat family_berbew
behavioral2/files/0x0006000000022cfc-105.dat family_berbew
behavioral2/files/0x0006000000022cfc-106.dat family_berbew
behavioral2/files/0x00050000000220da-114.dat family_berbew
behavioral2/files/0x00050000000220da-116.dat family_berbew
behavioral2/files/0x0006000000022d02-123.dat family_berbew
behavioral2/files/0x0006000000022d02-125.dat family_berbew
behavioral2/files/0x0006000000022d05-127.dat family_berbew
behavioral2/files/0x0006000000022d05-132.dat family_berbew
behavioral2/files/0x0006000000022d05-134.dat family_berbew
behavioral2/files/0x0006000000022d07-141.dat family_berbew
behavioral2/files/0x0006000000022d07-143.dat family_berbew
behavioral2/files/0x0006000000022d09-149.dat family_berbew
behavioral2/files/0x0006000000022d09-150.dat family_berbew
behavioral2/files/0x0006000000022d0d-153.dat family_berbew
behavioral2/files/0x0006000000022d0d-158.dat family_berbew
behavioral2/files/0x0006000000022d0d-160.dat family_berbew
behavioral2/files/0x0006000000022d10-167.dat family_berbew
behavioral2/files/0x0006000000022d10-169.dat family_berbew
behavioral2/files/0x0008000000022ce3-176.dat family_berbew
behavioral2/files/0x0008000000022ce3-178.dat family_berbew
behavioral2/files/0x0007000000022cf1-186.dat family_berbew
behavioral2/files/0x0007000000022cf1-185.dat family_berbew
behavioral2/files/0x0008000000022bd5-194.dat family_berbew
behavioral2/files/0x0008000000022bd5-196.dat family_berbew
behavioral2/files/0x0007000000022d0c-202.dat family_berbew
behavioral2/files/0x0007000000022d0c-204.dat family_berbew
behavioral2/files/0x0006000000022d15-213.dat family_berbew
behavioral2/files/0x0006000000022d17-219.dat family_berbew
behavioral2/files/0x0006000000022d15-211.dat family_berbew
behavioral2/files/0x0006000000022d17-220.dat family_berbew
behavioral2/files/0x0006000000022d19-228.dat family_berbew
behavioral2/files/0x0006000000022d19-229.dat family_berbew
behavioral2/files/0x0006000000022d1b-237.dat family_berbew
behavioral2/files/0x0006000000022d1b-240.dat family_berbew
behavioral2/files/0x0006000000022d21-241.dat family_berbew
behavioral2/files/0x0006000000022d21-247.dat family_berbew
behavioral2/files/0x0006000000022d21-249.dat family_berbew
Executes dropped EXE (64 IoCs)
pid Process
60 Bgokdomj.exe
1788 Gckcap32.exe
1472 Ifihdi32.exe
2180 Jcihjl32.exe
4960 Kmpido32.exe
1512 Libido32.exe
4652 Nmlafk32.exe
3836 Oknnanhj.exe
3556 Aklciimh.exe
2896 Bkjpkg32.exe
3284 Dlmegd32.exe
3664 Engaon32.exe
5060 Faamghko.exe
4288 Gojgkl32.exe
4996 Hhiaepfl.exe
4752 Icjengld.exe
660 Iofpnhmc.exe
3560 Jcknee32.exe
432 Lcndab32.exe
1208 Mcnmhpoj.exe
4640 Mminfech.exe
2592 Ndgpnogo.exe
1716 Omigmc32.exe
796 Piikhc32.exe
992 Agfnhf32.exe
4608 Adohmidb.exe
456 Apfhajjf.exe
3260 Ajnmjp32.exe
2756 Bnclamqe.exe
2348 Eeimqc32.exe
4272 Fdobhm32.exe
496 Ghfnej32.exe
368 Hmlicp32.exe
2568 Ionbcb32.exe
4760 Kbkdgj32.exe
1840 Lofjam32.exe
32 Mokdllim.exe
3004 Momqblgj.exe
3816 Moomgl32.exe
2500 Mmcnap32.exe
3728 Mndjhhjp.exe
4908 Mijofaje.exe
3968 Nnidcg32.exe
3216 Npkmcj32.exe
2356 Nfeepdbg.exe
2676 Nnpjdfpb.exe
4732 Nppfnige.exe
4224 Onecof32.exe
4340 Oeoklp32.exe
3064 Aohbbqme.exe
3944 Bchgnoai.exe
2176 Djeegf32.exe
2620 Moofmeal.exe
5020 Okhmnc32.exe
2956 Oilmhhfd.exe
3544 Oecnmi32.exe
1824 Olmficce.exe
2700 Obgofmjb.exe
2280 Plocob32.exe
3456 Pihmcflg.exe
4756 Peonhg32.exe
5044 Aacjofkp.exe
2384 Aogkhjii.exe
2596 Bimoecio.exe
Drops file in System32 directory (64 IoCs)
description ioc Process
File created C:\Windows\SysWOW64\Foocegea.exe Fghkdjdo.exe
File created C:\Windows\SysWOW64\Jcihjl32.exe Ifihdi32.exe
File created C:\Windows\SysWOW64\Jgigan32.dll Plcdbghi.exe
File created C:\Windows\SysWOW64\Nnhcfa32.dll Ngbeok32.exe
File created C:\Windows\SysWOW64\Aklciimh.exe Oknnanhj.exe
File created C:\Windows\SysWOW64\Mopdmgeq.dll Hillnoif.exe
File created C:\Windows\SysWOW64\Bcqhfmhe.dll Pjgellfb.exe
File created C:\Windows\SysWOW64\Cakmkp32.dll Ahpmckpn.exe
File opened for modification C:\Windows\SysWOW64\Kjblcj32.exe Kloljf32.exe
File created C:\Windows\SysWOW64\Pbpjbe32.exe Pbmnlf32.exe
File created C:\Windows\SysWOW64\Dciflf32.dll Mgimmkgp.exe
File created C:\Windows\SysWOW64\Ljobiofi.exe Lcejmeol.exe
File created C:\Windows\SysWOW64\Gmhkpk32.dll Pglcjl32.exe
File opened for modification C:\Windows\SysWOW64\Flgfqb32.exe Eaabci32.exe
File created C:\Windows\SysWOW64\Kgfdfbhj.exe Jphcmp32.exe
File created C:\Windows\SysWOW64\Dencgm32.dll Ipgkcabd.exe
File created C:\Windows\SysWOW64\Eaddcnad.exe Ehlpjikd.exe
File opened for modification C:\Windows\SysWOW64\Moofmeal.exe Djeegf32.exe
File opened for modification C:\Windows\SysWOW64\Elbmebbj.exe Ecjhmm32.exe
File created C:\Windows\SysWOW64\Ldgclgcl.exe Ljobiofi.exe
File created C:\Windows\SysWOW64\Mbbibomd.dll Qiebea32.exe
File created C:\Windows\SysWOW64\Hikfbeod.exe Gflapl32.exe
File opened for modification C:\Windows\SysWOW64\Jioajliq.exe Jbeinb32.exe
File created C:\Windows\SysWOW64\Dooaip32.exe Dnpdom32.exe
File created C:\Windows\SysWOW64\Jlgeig32.exe Jghpkq32.exe
File created C:\Windows\SysWOW64\Phjdggoj.exe Omdpio32.exe
File created C:\Windows\SysWOW64\Fhoqmllo.dll Qepccqlm.exe
File created C:\Windows\SysWOW64\Ednajepe.exe Ecmebm32.exe
File opened for modification C:\Windows\SysWOW64\Lechfeoi.exe Kimgad32.exe
File opened for modification C:\Windows\SysWOW64\Hkdjph32.exe Hlqmla32.exe
File created C:\Windows\SysWOW64\Kllhqkbm.dll Hlblmd32.exe
File opened for modification C:\Windows\SysWOW64\Pbgghn32.exe Piocoi32.exe
File opened for modification C:\Windows\SysWOW64\Eaolen32.exe Ekddidel.exe
File created C:\Windows\SysWOW64\Adockl32.exe Ajfobfaj.exe
File opened for modification C:\Windows\SysWOW64\Jhkbnbhd.exe Jaajah32.exe
File created C:\Windows\SysWOW64\Ldjjhh32.dll Eglkhk32.exe
File opened for modification C:\Windows\SysWOW64\Fqfeag32.exe Eoocfegl.exe
File opened for modification C:\Windows\SysWOW64\Ifcpgiji.exe Iippne32.exe
File created C:\Windows\SysWOW64\Ekmhnpfl.exe Dndnjllg.exe
File created C:\Windows\SysWOW64\Jioajliq.exe Jbeinb32.exe
File created C:\Windows\SysWOW64\Pineca32.dll Kckqlpck.exe
File opened for modification C:\Windows\SysWOW64\Ekoniian.exe Eqiilp32.exe
File opened for modification C:\Windows\SysWOW64\Dljqjjnp.exe Dcalae32.exe
File opened for modification C:\Windows\SysWOW64\Inbndi32.exe Geknje32.exe
File opened for modification C:\Windows\SysWOW64\Jcknee32.exe Iofpnhmc.exe
File created C:\Windows\SysWOW64\Nabpiocm.exe Npbcollj.exe
File opened for modification C:\Windows\SysWOW64\Hlppgddh.exe Hijmjj32.exe
File opened for modification C:\Windows\SysWOW64\Kmfmfigl.exe Jbjciano.exe
File created C:\Windows\SysWOW64\Nnmmleja.exe Ngbeok32.exe
File opened for modification C:\Windows\SysWOW64\Jlbecadc.exe Jbjqkl32.exe
File opened for modification C:\Windows\SysWOW64\Jejjlg32.exe Jlbecadc.exe
File opened for modification C:\Windows\SysWOW64\Lqndahiq.exe Ldgclgcl.exe
File created C:\Windows\SysWOW64\Ekoniian.exe Eqiilp32.exe
File created C:\Windows\SysWOW64\Cfjehfda.dll Ekmhnpfl.exe
File opened for modification C:\Windows\SysWOW64\Fdfkhh32.exe Fnlcknle.exe
File created C:\Windows\SysWOW64\Pofbggpf.dll Iofpnhmc.exe
File created C:\Windows\SysWOW64\Fboellof.exe Fcneod32.exe
File created C:\Windows\SysWOW64\Bikojc32.dll Fjqgpl32.exe
File created C:\Windows\SysWOW64\Hillnoif.exe Hcpcehko.exe
File opened for modification C:\Windows\SysWOW64\Nhmopp32.exe Nndjgjhe.exe
File created C:\Windows\SysWOW64\Gnhmbo32.dll Lpjcnd32.exe
File created C:\Windows\SysWOW64\Jlikdq32.exe Joekkl32.exe
File created C:\Windows\SysWOW64\Bijdll32.dll Fjccpo32.exe
File opened for modification C:\Windows\SysWOW64\Ohnelj32.exe Olgdgibf.exe
Modifies registry class (64 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dajlafon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ealanc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkaepbjk.dll" Dogdnj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jojgkahb.dll" Faamghko.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkmghc32.dll" Gflapl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cijpkmml.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpgkeodo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhbpf32.dll" Hoadecal.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecakp32.dll" Cbphncfo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofjgmdgg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eamhnnmk.dll" Dkgqpaed.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jioajliq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilafcomm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pakleh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maggggaf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caompged.dll" Eeimqc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfqajkm.dll" Gbkdhjdi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjaendej.dll" Jpbdfgge.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgimmkgp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjljnoam.dll" Mqpqghgn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fboellof.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obbnlkbd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pknqhh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbemgh32.dll" Ajnmjp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcmgphma.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mopdmgeq.dll" Hillnoif.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqhfmhe.dll" Pjgellfb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dflmep32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dndnjllg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicboq32.dll" Jejjlg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjepfo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpbgnlfo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bakmbcka.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbkblb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Libido32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkphie32.dll" Imdndbkn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dikpla32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gifadggi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnidcg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nconal32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgncaj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjaihcdi.dll" Bmofkm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlblmd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibpgjg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alaaajmb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ednajepe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdhng32.dll" Ikickgnf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adbdml32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbqlhfgk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aohbbqme.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmbbaq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doiabgqc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epikid32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkedglkb.dll" Laachfbe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccmcaicm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kloljf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nglhei32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajfhepb.dll" Ldgclgcl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqiilp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olgdgibf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqiilp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbkdhjdi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cefega32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pojccmii.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target
PID 1064 wrote to memory of 60 1064 NEAS.17d572a78c32d11d2640b0ca664821a0.exe 93
PID 1064 wrote to memory of 60 1064 NEAS.17d572a78c32d11d2640b0ca664821a0.exe 93
PID 1064 wrote to memory of 60 1064 NEAS.17d572a78c32d11d2640b0ca664821a0.exe 93
PID 60 wrote to memory of 1788 60 Bgokdomj.exe 94
PID 60 wrote to memory of 1788 60 Bgokdomj.exe 94
PID 60 wrote to memory of 1788 60 Bgokdomj.exe 94
PID 1788 wrote to memory of 1472 1788 Gckcap32.exe 95
PID 1788 wrote to memory of 1472 1788 Gckcap32.exe 95
PID 1788 wrote to memory of 1472 1788 Gckcap32.exe 95
PID 1472 wrote to memory of 2180 1472 Ifihdi32.exe 96
PID 1472 wrote to memory of 2180 1472 Ifihdi32.exe 96
PID 1472 wrote to memory of 2180 1472 Ifihdi32.exe 96
PID 2180 wrote to memory of 4960 2180 Jcihjl32.exe 97
PID 2180 wrote to memory of 4960 2180 Jcihjl32.exe 97
PID 2180 wrote to memory of 4960 2180 Jcihjl32.exe 97
PID 4960 wrote to memory of 1512 4960 Kmpido32.exe 98
PID 4960 wrote to memory of 1512 4960 Kmpido32.exe 98
PID 4960 wrote to memory of 1512 4960 Kmpido32.exe 98
PID 1512 wrote to memory of 4652 1512 Libido32.exe 100
PID 1512 wrote to memory of 4652 1512 Libido32.exe 100
PID 1512 wrote to memory of 4652 1512 Libido32.exe 100
PID 4652 wrote to memory of 3836 4652 Nmlafk32.exe 101
PID 4652 wrote to memory of 3836 4652 Nmlafk32.exe 101
PID 4652 wrote to memory of 3836 4652 Nmlafk32.exe 101
PID 3836 wrote to memory of 3556 3836 Oknnanhj.exe 102
PID 3836 wrote to memory of 3556 3836 Oknnanhj.exe 102
PID 3836 wrote to memory of 3556 3836 Oknnanhj.exe 102
PID 3556 wrote to memory of 2896 3556 Aklciimh.exe 103
PID 3556 wrote to memory of 2896 3556 Aklciimh.exe 103
PID 3556 wrote to memory of 2896 3556 Aklciimh.exe 103
PID 2896 wrote to memory of 3284 2896 Bkjpkg32.exe 104
PID 2896 wrote to memory of 3284 2896 Bkjpkg32.exe 104
PID 2896 wrote to memory of 3284 2896 Bkjpkg32.exe 104
PID 3284 wrote to memory of 3664 3284 Dlmegd32.exe 106
PID 3284 wrote to memory of 3664 3284 Dlmegd32.exe 106
PID 3284 wrote to memory of 3664 3284 Dlmegd32.exe 106
PID 3664 wrote to memory of 5060 3664 Engaon32.exe 107
PID 3664 wrote to memory of 5060 3664 Engaon32.exe 107
PID 3664 wrote to memory of 5060 3664 Engaon32.exe 107
PID 5060 wrote to memory of 4288 5060 Faamghko.exe 108
PID 5060 wrote to memory of 4288 5060 Faamghko.exe 108
PID 5060 wrote to memory of 4288 5060 Faamghko.exe 108
PID 4288 wrote to memory of 4996 4288 Gojgkl32.exe 109
PID 4288 wrote to memory of 4996 4288 Gojgkl32.exe 109
PID 4288 wrote to memory of 4996 4288 Gojgkl32.exe 109
PID 4996 wrote to memory of 4752 4996 Hhiaepfl.exe 110
PID 4996 wrote to memory of 4752 4996 Hhiaepfl.exe 110
PID 4996 wrote to memory of 4752 4996 Hhiaepfl.exe 110
PID 4752 wrote to memory of 660 4752 Icjengld.exe 111
PID 4752 wrote to memory of 660 4752 Icjengld.exe 111
PID 4752 wrote to memory of 660 4752 Icjengld.exe 111
PID 660 wrote to memory of 3560 660 Iofpnhmc.exe 112
PID 660 wrote to memory of 3560 660 Iofpnhmc.exe 112
PID 660 wrote to memory of 3560 660 Iofpnhmc.exe 112
PID 3560 wrote to memory of 432 3560 Jcknee32.exe 113
PID 3560 wrote to memory of 432 3560 Jcknee32.exe 113
PID 3560 wrote to memory of 432 3560 Jcknee32.exe 113
PID 432 wrote to memory of 1208 432 Lcndab32.exe 114
PID 432 wrote to memory of 1208 432 Lcndab32.exe 114
PID 432 wrote to memory of 1208 432 Lcndab32.exe 114
PID 1208 wrote to memory of 4640 1208 Mcnmhpoj.exe 115
PID 1208 wrote to memory of 4640 1208 Mcnmhpoj.exe 115
PID 1208 wrote to memory of 4640 1208 Mcnmhpoj.exe 115
PID 4640 wrote to memory of 2592 4640 Mminfech.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.17d572a78c32d11d2640b0ca664821a0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.17d572a78c32d11d2640b0ca664821a0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Bgokdomj.exeC:\Windows\system32\Bgokdomj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Gckcap32.exeC:\Windows\system32\Gckcap32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Ifihdi32.exeC:\Windows\system32\Ifihdi32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Jcihjl32.exeC:\Windows\system32\Jcihjl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Kmpido32.exeC:\Windows\system32\Kmpido32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Libido32.exeC:\Windows\system32\Libido32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Nmlafk32.exeC:\Windows\system32\Nmlafk32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Aklciimh.exeC:\Windows\system32\Aklciimh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Bkjpkg32.exeC:\Windows\system32\Bkjpkg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Dlmegd32.exeC:\Windows\system32\Dlmegd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Engaon32.exeC:\Windows\system32\Engaon32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Faamghko.exeC:\Windows\system32\Faamghko.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Gojgkl32.exeC:\Windows\system32\Gojgkl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Hhiaepfl.exeC:\Windows\system32\Hhiaepfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Icjengld.exeC:\Windows\system32\Icjengld.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Iofpnhmc.exeC:\Windows\system32\Iofpnhmc.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Jcknee32.exeC:\Windows\system32\Jcknee32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Lcndab32.exeC:\Windows\system32\Lcndab32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Mminfech.exeC:\Windows\system32\Mminfech.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Ndgpnogo.exeC:\Windows\system32\Ndgpnogo.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Omigmc32.exeC:\Windows\system32\Omigmc32.exe24⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Piikhc32.exeC:\Windows\system32\Piikhc32.exe25⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Agfnhf32.exeC:\Windows\system32\Agfnhf32.exe26⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Adohmidb.exeC:\Windows\system32\Adohmidb.exe27⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Apfhajjf.exeC:\Windows\system32\Apfhajjf.exe28⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Ajnmjp32.exeC:\Windows\system32\Ajnmjp32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Bnclamqe.exeC:\Windows\system32\Bnclamqe.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Eeimqc32.exeC:\Windows\system32\Eeimqc32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Fdobhm32.exeC:\Windows\system32\Fdobhm32.exe32⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Ghfnej32.exeC:\Windows\system32\Ghfnej32.exe33⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Hmlicp32.exeC:\Windows\system32\Hmlicp32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Ionbcb32.exeC:\Windows\system32\Ionbcb32.exe35⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Kbkdgj32.exeC:\Windows\system32\Kbkdgj32.exe36⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Lofjam32.exeC:\Windows\system32\Lofjam32.exe37⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Mokdllim.exeC:\Windows\system32\Mokdllim.exe38⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Momqblgj.exeC:\Windows\system32\Momqblgj.exe39⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Moomgl32.exeC:\Windows\system32\Moomgl32.exe40⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Mmcnap32.exeC:\Windows\system32\Mmcnap32.exe41⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Mndjhhjp.exeC:\Windows\system32\Mndjhhjp.exe42⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Mijofaje.exeC:\Windows\system32\Mijofaje.exe43⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Nnidcg32.exeC:\Windows\system32\Nnidcg32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3968 -
C:\Windows\SysWOW64\Npkmcj32.exeC:\Windows\system32\Npkmcj32.exe45⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Nfeepdbg.exeC:\Windows\system32\Nfeepdbg.exe46⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Nnpjdfpb.exeC:\Windows\system32\Nnpjdfpb.exe47⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Nppfnige.exeC:\Windows\system32\Nppfnige.exe48⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Onecof32.exeC:\Windows\system32\Onecof32.exe49⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Oeoklp32.exeC:\Windows\system32\Oeoklp32.exe50⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Aohbbqme.exeC:\Windows\system32\Aohbbqme.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Bchgnoai.exeC:\Windows\system32\Bchgnoai.exe52⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Djeegf32.exeC:\Windows\system32\Djeegf32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Moofmeal.exeC:\Windows\system32\Moofmeal.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Okhmnc32.exeC:\Windows\system32\Okhmnc32.exe55⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Oilmhhfd.exeC:\Windows\system32\Oilmhhfd.exe56⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Oecnmi32.exeC:\Windows\system32\Oecnmi32.exe57⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Olmficce.exeC:\Windows\system32\Olmficce.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Obgofmjb.exeC:\Windows\system32\Obgofmjb.exe59⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Plocob32.exeC:\Windows\system32\Plocob32.exe60⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Pihmcflg.exeC:\Windows\system32\Pihmcflg.exe61⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Peonhg32.exeC:\Windows\system32\Peonhg32.exe62⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Aacjofkp.exeC:\Windows\system32\Aacjofkp.exe63⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Aogkhjii.exeC:\Windows\system32\Aogkhjii.exe64⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Bimoecio.exeC:\Windows\system32\Bimoecio.exe65⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Baojkdqb.exeC:\Windows\system32\Baojkdqb.exe66⤵PID:4636
-
C:\Windows\SysWOW64\Cbofdg32.exeC:\Windows\system32\Cbofdg32.exe67⤵PID:2104
-
C:\Windows\SysWOW64\Cpbgnlfo.exeC:\Windows\system32\Cpbgnlfo.exe68⤵
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\Cefega32.exeC:\Windows\system32\Cefega32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Cpljdjnd.exeC:\Windows\system32\Cpljdjnd.exe70⤵PID:4852
-
C:\Windows\SysWOW64\Dpqcoj32.exeC:\Windows\system32\Dpqcoj32.exe71⤵PID:3724
-
C:\Windows\SysWOW64\Dcalae32.exeC:\Windows\system32\Dcalae32.exe72⤵
- Drops file in System32 directory
PID:4080 -
C:\Windows\SysWOW64\Dljqjjnp.exeC:\Windows\system32\Dljqjjnp.exe73⤵PID:1472
-
C:\Windows\SysWOW64\Dohmff32.exeC:\Windows\system32\Dohmff32.exe74⤵PID:5032
-
C:\Windows\SysWOW64\Ehekjk32.exeC:\Windows\system32\Ehekjk32.exe75⤵PID:4948
-
C:\Windows\SysWOW64\Eoocfegl.exeC:\Windows\system32\Eoocfegl.exe76⤵
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Fqfeag32.exeC:\Windows\system32\Fqfeag32.exe77⤵PID:500
-
C:\Windows\SysWOW64\Fcfocb32.exeC:\Windows\system32\Fcfocb32.exe78⤵PID:1948
-
C:\Windows\SysWOW64\Fjqgpl32.exeC:\Windows\system32\Fjqgpl32.exe79⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Fqjolfda.exeC:\Windows\system32\Fqjolfda.exe80⤵PID:864
-
C:\Windows\SysWOW64\Gflapl32.exeC:\Windows\system32\Gflapl32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:3640 -
C:\Windows\SysWOW64\Hikfbeod.exeC:\Windows\system32\Hikfbeod.exe82⤵PID:1512
-
C:\Windows\SysWOW64\Hfoflj32.exeC:\Windows\system32\Hfoflj32.exe83⤵PID:4796
-
C:\Windows\SysWOW64\Hpgkeodo.exeC:\Windows\system32\Hpgkeodo.exe84⤵
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Iippne32.exeC:\Windows\system32\Iippne32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Ifcpgiji.exeC:\Windows\system32\Ifcpgiji.exe86⤵PID:5060
-
C:\Windows\SysWOW64\Idljll32.exeC:\Windows\system32\Idljll32.exe87⤵PID:4576
-
C:\Windows\SysWOW64\Imdndbkn.exeC:\Windows\system32\Imdndbkn.exe88⤵
- Modifies registry class
PID:4416 -
C:\Windows\SysWOW64\Ibagmiie.exeC:\Windows\system32\Ibagmiie.exe89⤵PID:2040
-
C:\Windows\SysWOW64\Kapclned.exeC:\Windows\system32\Kapclned.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4832 -
C:\Windows\SysWOW64\Kilhqq32.exeC:\Windows\system32\Kilhqq32.exe91⤵PID:4220
-
C:\Windows\SysWOW64\Kpepmkjl.exeC:\Windows\system32\Kpepmkjl.exe92⤵PID:1604
-
C:\Windows\SysWOW64\Liekgo32.exeC:\Windows\system32\Liekgo32.exe93⤵PID:4392
-
C:\Windows\SysWOW64\Njjmil32.exeC:\Windows\system32\Njjmil32.exe94⤵PID:1776
-
C:\Windows\SysWOW64\Nqdeefpi.exeC:\Windows\system32\Nqdeefpi.exe95⤵PID:4448
-
C:\Windows\SysWOW64\Nacboi32.exeC:\Windows\system32\Nacboi32.exe96⤵PID:1184
-
C:\Windows\SysWOW64\Ncenga32.exeC:\Windows\system32\Ncenga32.exe97⤵PID:2776
-
C:\Windows\SysWOW64\Nklfho32.exeC:\Windows\system32\Nklfho32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5160 -
C:\Windows\SysWOW64\Onceji32.exeC:\Windows\system32\Onceji32.exe99⤵PID:5204
-
C:\Windows\SysWOW64\Ocqncp32.exeC:\Windows\system32\Ocqncp32.exe100⤵PID:5252
-
C:\Windows\SysWOW64\Pjdifibo.exeC:\Windows\system32\Pjdifibo.exe101⤵PID:5292
-
C:\Windows\SysWOW64\Panabc32.exeC:\Windows\system32\Panabc32.exe102⤵PID:5340
-
C:\Windows\SysWOW64\Pbmnlf32.exeC:\Windows\system32\Pbmnlf32.exe103⤵
- Drops file in System32 directory
PID:5380 -
C:\Windows\SysWOW64\Pbpjbe32.exeC:\Windows\system32\Pbpjbe32.exe104⤵PID:5424
-
C:\Windows\SysWOW64\Pglcjl32.exeC:\Windows\system32\Pglcjl32.exe105⤵
- Drops file in System32 directory
PID:5468 -
C:\Windows\SysWOW64\Qnfkgfdp.exeC:\Windows\system32\Qnfkgfdp.exe106⤵PID:5512
-
C:\Windows\SysWOW64\Qepccqlm.exeC:\Windows\system32\Qepccqlm.exe107⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Aaianaoo.exeC:\Windows\system32\Aaianaoo.exe108⤵PID:5592
-
C:\Windows\SysWOW64\Aalndaml.exeC:\Windows\system32\Aalndaml.exe109⤵PID:5644
-
C:\Windows\SysWOW64\Alaaajmb.exeC:\Windows\system32\Alaaajmb.exe110⤵
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Aanjiqki.exeC:\Windows\system32\Aanjiqki.exe111⤵PID:5732
-
C:\Windows\SysWOW64\Ahhbfkbf.exeC:\Windows\system32\Ahhbfkbf.exe112⤵PID:5768
-
C:\Windows\SysWOW64\Ajfobfaj.exeC:\Windows\system32\Ajfobfaj.exe113⤵
- Drops file in System32 directory
PID:5816 -
C:\Windows\SysWOW64\Adockl32.exeC:\Windows\system32\Adockl32.exe114⤵PID:5868
-
C:\Windows\SysWOW64\Blakhgoo.exeC:\Windows\system32\Blakhgoo.exe115⤵PID:5912
-
C:\Windows\SysWOW64\Cdolbijg.exeC:\Windows\system32\Cdolbijg.exe116⤵PID:5956
-
C:\Windows\SysWOW64\Cbcieqpd.exeC:\Windows\system32\Cbcieqpd.exe117⤵PID:6000
-
C:\Windows\SysWOW64\Cecbgl32.exeC:\Windows\system32\Cecbgl32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6048 -
C:\Windows\SysWOW64\Dkgqpaed.exeC:\Windows\system32\Dkgqpaed.exe119⤵
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Dhkaif32.exeC:\Windows\system32\Dhkaif32.exe120⤵PID:6136
-
C:\Windows\SysWOW64\Ddbbngjb.exeC:\Windows\system32\Ddbbngjb.exe121⤵PID:5128
-
C:\Windows\SysWOW64\Ecjhmm32.exeC:\Windows\system32\Ecjhmm32.exe122⤵
- Drops file in System32 directory
PID:4380