Analysis
max time kernel: 165s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-11-2023 16:42
Behavioral task: behavioral1
Sample: NEAS.39c9f5cc1466f49d836a761eaabc2580.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.39c9f5cc1466f49d836a761eaabc2580.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.39c9f5cc1466f49d836a761eaabc2580.exe
Size: 664KB
MD5: 39c9f5cc1466f49d836a761eaabc2580
SHA1: 89e897af37ce3d8fa797efb58ce51b6e66705c35
SHA256: 52334b4ca78548397c3d13d7116796732753ebf6ce538ace0bdea4d56f942311
SHA512: 170009a19fa529580a9ae1feba30ae03faefdce538ee4baee42212211cc6baf3012c22adf802044b3cc88c75b1dac59ed218eb96527bf366ad08e5a8741e785f
SSDEEP: 12288:BqngDb/pV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYx:u4W4XWleKWNUir2MhNl6zX3w9As/xO2k
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4736 wrote to memory of 760 | 4736 | NEAS.39c9f5cc1466f49d836a761eaabc2580.exe | 93
PID 4736 wrote to memory of 760 | 4736 | NEAS.39c9f5cc1466f49d836a761eaabc2580.exe | 93
PID 4736 wrote to memory of 760 | 4736 | NEAS.39c9f5cc1466f49d836a761eaabc2580.exe | 93
PID 760 wrote to memory of 1028 | 760 | Mbdiknlb.exe | 94
PID 760 wrote to memory of 1028 | 760 | Mbdiknlb.exe | 94
PID 760 wrote to memory of 1028 | 760 | Mbdiknlb.exe | 94
PID 1028 wrote to memory of 1380 | 1028 | Qbonoghb.exe | 95
PID 1028 wrote to memory of 1380 | 1028 | Qbonoghb.exe | 95
PID 1028 wrote to memory of 1380 | 1028 | Qbonoghb.exe | 95
PID 1380 wrote to memory of 5100 | 1380 | Aimogakj.exe | 96
PID 1380 wrote to memory of 5100 | 1380 | Aimogakj.exe | 96
PID 1380 wrote to memory of 5100 | 1380 | Aimogakj.exe | 96
PID 5100 wrote to memory of 2996 | 5100 | Abjmkf32.exe | 97
PID 5100 wrote to memory of 2996 | 5100 | Abjmkf32.exe | 97
PID 5100 wrote to memory of 2996 | 5100 | Abjmkf32.exe | 97
PID 2996 wrote to memory of 1312 | 2996 | Bipecnkd.exe | 98
PID 2996 wrote to memory of 1312 | 2996 | Bipecnkd.exe | 98
PID 2996 wrote to memory of 1312 | 2996 | Bipecnkd.exe | 98
PID 1312 wrote to memory of 1344 | 1312 | Ccblbb32.exe | 99
PID 1312 wrote to memory of 1344 | 1312 | Ccblbb32.exe | 99
PID 1312 wrote to memory of 1344 | 1312 | Ccblbb32.exe | 99
PID 1344 wrote to memory of 780 | 1344 | Eafbmgad.exe | 100
PID 1344 wrote to memory of 780 | 1344 | Eafbmgad.exe | 100
PID 1344 wrote to memory of 780 | 1344 | Eafbmgad.exe | 100
PID 780 wrote to memory of 1260 | 780 | Iloajfml.exe | 101
PID 780 wrote to memory of 1260 | 780 | Iloajfml.exe | 101
PID 780 wrote to memory of 1260 | 780 | Iloajfml.exe | 101
PID 1260 wrote to memory of 4692 | 1260 | Jldkeeig.exe | 102
PID 1260 wrote to memory of 4692 | 1260 | Jldkeeig.exe | 102
PID 1260 wrote to memory of 4692 | 1260 | Jldkeeig.exe | 102
PID 4692 wrote to memory of 2776 | 4692 | Kopcbo32.exe | 103
PID 4692 wrote to memory of 2776 | 4692 | Kopcbo32.exe | 103
PID 4692 wrote to memory of 2776 | 4692 | Kopcbo32.exe | 103
PID 2776 wrote to memory of 1084 | 2776 | Lefkkg32.exe | 104
PID 2776 wrote to memory of 1084 | 2776 | Lefkkg32.exe | 104
PID 2776 wrote to memory of 1084 | 2776 | Lefkkg32.exe | 104
PID 1084 wrote to memory of 1124 | 1084 | Nlnpio32.exe | 105
PID 1084 wrote to memory of 1124 | 1084 | Nlnpio32.exe | 105
PID 1084 wrote to memory of 1124 | 1084 | Nlnpio32.exe | 105
PID 1124 wrote to memory of 3524 | 1124 | Okmpqjad.exe | 106
PID 1124 wrote to memory of 3524 | 1124 | Okmpqjad.exe | 106
PID 1124 wrote to memory of 3524 | 1124 | Okmpqjad.exe | 106
PID 3524 wrote to memory of 1556 | 3524 | Ofijnbkb.exe | 107
PID 3524 wrote to memory of 1556 | 3524 | Ofijnbkb.exe | 107
PID 3524 wrote to memory of 1556 | 3524 | Ofijnbkb.exe | 107
PID 1556 wrote to memory of 3228 | 1556 | Qfgfpp32.exe | 108
PID 1556 wrote to memory of 3228 | 1556 | Qfgfpp32.exe | 108
PID 1556 wrote to memory of 3228 | 1556 | Qfgfpp32.exe | 108
PID 3228 wrote to memory of 2232 | 3228 | Aehbmk32.exe | 109
PID 3228 wrote to memory of 2232 | 3228 | Aehbmk32.exe | 109
PID 3228 wrote to memory of 2232 | 3228 | Aehbmk32.exe | 109
PID 2232 wrote to memory of 3480 | 2232 | Cifdjg32.exe | 111
PID 2232 wrote to memory of 3480 | 2232 | Cifdjg32.exe | 111
PID 2232 wrote to memory of 3480 | 2232 | Cifdjg32.exe | 111
PID 3480 wrote to memory of 4880 | 3480 | Dfonnk32.exe | 112
PID 3480 wrote to memory of 4880 | 3480 | Dfonnk32.exe | 112
PID 3480 wrote to memory of 4880 | 3480 | Dfonnk32.exe | 112
PID 4880 wrote to memory of 3756 | 4880 | Ecoaijio.exe | 113
PID 4880 wrote to memory of 3756 | 4880 | Ecoaijio.exe | 113
PID 4880 wrote to memory of 3756 | 4880 | Ecoaijio.exe | 113
PID 3756 wrote to memory of 4564 | 3756 | Hdicggla.exe | 115
PID 3756 wrote to memory of 4564 | 3756 | Hdicggla.exe | 115
PID 3756 wrote to memory of 4564 | 3756 | Hdicggla.exe | 115
PID 4564 wrote to memory of 1840 | 4564 | Imiagi32.exe | 116
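The table above is easier to reason about as a graph than as 64 rows. The following is an added example, not part of the sandbox report: it takes the flattened "description pid Process procid_target" text exactly as the page shows it (only the first four hops are embedded, taken from the rows above), splits it back into rows, and walks the writer-to-target edges from the root. Two checks matter to an analyst: whether the graph is a single linear relay (each writer has exactly one target) and whether every hop has the same number of writes. In this report every parent performs the same three writes into the one child it launches and nothing else, which is the pattern parent-side process creation produces; the signature alone does not show that any process injected code into a foreign process. Function names and the summary dictionary are this example's own.

```python
import re
from collections import Counter

# Excerpt of the flattened "Suspicious use of WriteProcessMemory" table from the
# report above: the first four hops (12 of the 64 rows). Each row reads
# "<description> <pid> <Process> <procid_target>", run together by extraction.
REPORT_EXCERPT = (
    "PID 4736 wrote to memory of 760 4736 NEAS.39c9f5cc1466f49d836a761eaabc2580.exe 93 " * 3
    + "PID 760 wrote to memory of 1028 760 Mbdiknlb.exe 94 " * 3
    + "PID 1028 wrote to memory of 1380 1028 Qbonoghb.exe 95 " * 3
    + "PID 1380 wrote to memory of 5100 1380 Aimogakj.exe 96 " * 3
)

ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid_target>\d+)"
)


def parse_rows(text):
    """Split the run-together table back into one dict per row."""
    rows = []
    for m in ROW_RE.finditer(text):
        g = m.groupdict()
        if g["writer"] != g["pid"]:  # description and pid column must agree
            raise ValueError(f"description/pid mismatch in row: {m.group(0)}")
        rows.append({
            "writer": int(g["pid"]),
            "target": int(g["target"]),
            "image": g["image"],
            "procid_target": int(g["procid_target"]),
        })
    return rows


def summarize(rows):
    """Collapse rows into writer->target edges and walk the chain from its root."""
    writes = Counter((r["writer"], r["target"]) for r in rows)
    image_of = {r["writer"]: r["image"] for r in rows}
    children = {}
    for writer, target in writes:
        children.setdefault(writer, set()).add(target)
    targets = {target for _, target in writes}
    roots = [w for w in children if w not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {roots}")
    chain, linear = [roots[0]], True
    while chain[-1] in children:
        kids = children[chain[-1]]
        if len(kids) != 1:  # one writer touching several targets: not a simple relay
            linear = False
            break
        nxt = next(iter(kids))
        if nxt in chain:  # would loop forever; in a real report this means PID reuse
            raise ValueError(f"cycle at PID {nxt}: PIDs reused within the table")
        chain.append(nxt)
    per_hop = [writes[(a, b)] for a, b in zip(chain, chain[1:])]
    return {
        "chain": chain,
        "images": [image_of.get(p, "<never a writer>") for p in chain],
        "writes_per_hop": per_hop,
        "linear": linear,
        "uniform_writes": len(set(per_hop)) == 1,
    }


if __name__ == "__main__":
    result = summarize(parse_rows(REPORT_EXCERPT))
    hops = result["writes_per_hop"] + ["-"]
    for pid, image, n in zip(result["chain"], result["images"], hops):
        print(f"{pid:>5}  {image:<45} writes into next hop: {n}")
    print("linear relay:", result["linear"], " uniform writes:", result["uniform_writes"])
```

Feeding the full 64-row table through the same functions reconstructs the whole 4736 → 760 → … → 4564 → 1840 relay; if `summarize` raises on a cycle, a PID was reused by a later process, which is exactly why the report also carries its own sequential process numbering (the procid_target column) and why that, not the PID, should be used as the key when correlating.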
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.39c9f5cc1466f49d836a761eaabc2580.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.39c9f5cc1466f49d836a761eaabc2580.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Mbdiknlb.exeC:\Windows\system32\Mbdiknlb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Abjmkf32.exeC:\Windows\system32\Abjmkf32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Bipecnkd.exeC:\Windows\system32\Bipecnkd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Ccblbb32.exeC:\Windows\system32\Ccblbb32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Eafbmgad.exeC:\Windows\system32\Eafbmgad.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Iloajfml.exeC:\Windows\system32\Iloajfml.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Kopcbo32.exeC:\Windows\system32\Kopcbo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Lefkkg32.exeC:\Windows\system32\Lefkkg32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Okmpqjad.exeC:\Windows\system32\Okmpqjad.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Ofijnbkb.exeC:\Windows\system32\Ofijnbkb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Aehbmk32.exeC:\Windows\system32\Aehbmk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Cifdjg32.exeC:\Windows\system32\Cifdjg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Imiagi32.exeC:\Windows\system32\Imiagi32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Janpnfee.exeC:\Windows\system32\Janpnfee.exe23⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Kfanflne.exeC:\Windows\system32\Kfanflne.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe26⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe27⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Oacdmo32.exeC:\Windows\system32\Oacdmo32.exe28⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe29⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Qhekaejj.exeC:\Windows\system32\Qhekaejj.exe30⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe31⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe32⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Anncek32.exeC:\Windows\system32\Anncek32.exe33⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe34⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Cemndbci.exeC:\Windows\system32\Cemndbci.exe35⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Dfcqod32.exeC:\Windows\system32\Dfcqod32.exe36⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Eikpan32.exeC:\Windows\system32\Eikpan32.exe37⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Gohapb32.exeC:\Windows\system32\Gohapb32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3476 -
C:\Windows\SysWOW64\Gpjjpe32.exeC:\Windows\system32\Gpjjpe32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Hgpbhmna.exeC:\Windows\system32\Hgpbhmna.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Igghilhi.exeC:\Windows\system32\Igghilhi.exe41⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Ioffhn32.exeC:\Windows\system32\Ioffhn32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Kcbkpj32.exeC:\Windows\system32\Kcbkpj32.exe43⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Kiaqnagj.exeC:\Windows\system32\Kiaqnagj.exe44⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Kclnfi32.exeC:\Windows\system32\Kclnfi32.exe45⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Lagepl32.exeC:\Windows\system32\Lagepl32.exe46⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Njmejp32.exeC:\Windows\system32\Njmejp32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Omgabj32.exeC:\Windows\system32\Omgabj32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Paomog32.exeC:\Windows\system32\Paomog32.exe50⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Pddokabk.exeC:\Windows\system32\Pddokabk.exe51⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Adkelplc.exeC:\Windows\system32\Adkelplc.exe52⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ajhndgjj.exeC:\Windows\system32\Ajhndgjj.exe53⤵
- Executes dropped EXE
PID:416 -
C:\Windows\SysWOW64\Aklciimh.exeC:\Windows\system32\Aklciimh.exe54⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Bjcmpepm.exeC:\Windows\system32\Bjcmpepm.exe55⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Cicjokll.exeC:\Windows\system32\Cicjokll.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Dbbdip32.exeC:\Windows\system32\Dbbdip32.exe57⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Enpknplq.exeC:\Windows\system32\Enpknplq.exe58⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Fefcgh32.exeC:\Windows\system32\Fefcgh32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3120 -
C:\Windows\SysWOW64\Flddoa32.exeC:\Windows\system32\Flddoa32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4844 -
C:\Windows\SysWOW64\Gahcgg32.exeC:\Windows\system32\Gahcgg32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Ghdhja32.exeC:\Windows\system32\Ghdhja32.exe62⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Gekeie32.exeC:\Windows\system32\Gekeie32.exe63⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Iibaeb32.exeC:\Windows\system32\Iibaeb32.exe64⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ilcjgm32.exeC:\Windows\system32\Ilcjgm32.exe65⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Ifnkeb32.exeC:\Windows\system32\Ifnkeb32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Jfdafa32.exeC:\Windows\system32\Jfdafa32.exe67⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Lbqdmodg.exeC:\Windows\system32\Lbqdmodg.exe68⤵PID:3632
-
C:\Windows\SysWOW64\Lijlii32.exeC:\Windows\system32\Lijlii32.exe69⤵PID:440
-
C:\Windows\SysWOW64\Lpdefc32.exeC:\Windows\system32\Lpdefc32.exe70⤵PID:4204
-
C:\Windows\SysWOW64\Lmheph32.exeC:\Windows\system32\Lmheph32.exe71⤵
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Mjjbjjdd.exeC:\Windows\system32\Mjjbjjdd.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1036 -
C:\Windows\SysWOW64\Nlknbb32.exeC:\Windows\system32\Nlknbb32.exe73⤵PID:4968
-
C:\Windows\SysWOW64\Ndjldo32.exeC:\Windows\system32\Ndjldo32.exe74⤵PID:3124
-
C:\Windows\SysWOW64\Odqbdnod.exeC:\Windows\system32\Odqbdnod.exe75⤵PID:2028
-
C:\Windows\SysWOW64\Okaabg32.exeC:\Windows\system32\Okaabg32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4120 -
C:\Windows\SysWOW64\Qkpmcddi.exeC:\Windows\system32\Qkpmcddi.exe77⤵PID:1260
-
C:\Windows\SysWOW64\Aneppo32.exeC:\Windows\system32\Aneppo32.exe78⤵PID:1604
-
C:\Windows\SysWOW64\Angleokb.exeC:\Windows\system32\Angleokb.exe79⤵PID:1380
-
C:\Windows\SysWOW64\Cdfgdf32.exeC:\Windows\system32\Cdfgdf32.exe80⤵PID:2768
-
C:\Windows\SysWOW64\Cnokmkfh.exeC:\Windows\system32\Cnokmkfh.exe81⤵
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Ckclfp32.exeC:\Windows\system32\Ckclfp32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Cmdhnhkp.exeC:\Windows\system32\Cmdhnhkp.exe83⤵
- Drops file in System32 directory
PID:5016 -
C:\Windows\SysWOW64\Dgjmkqke.exeC:\Windows\system32\Dgjmkqke.exe84⤵PID:2852
-
C:\Windows\SysWOW64\Ddpjjd32.exeC:\Windows\system32\Ddpjjd32.exe85⤵
- Drops file in System32 directory
PID:4356 -
C:\Windows\SysWOW64\Djoohk32.exeC:\Windows\system32\Djoohk32.exe86⤵PID:452
-
C:\Windows\SysWOW64\Fmbnfcam.exeC:\Windows\system32\Fmbnfcam.exe87⤵PID:2824
-
C:\Windows\SysWOW64\Gechnpid.exeC:\Windows\system32\Gechnpid.exe88⤵PID:3680
-
C:\Windows\SysWOW64\Gjpaffhl.exeC:\Windows\system32\Gjpaffhl.exe89⤵PID:4268
-
C:\Windows\SysWOW64\Hoglbc32.exeC:\Windows\system32\Hoglbc32.exe90⤵PID:4736
-
C:\Windows\SysWOW64\Hmlicp32.exeC:\Windows\system32\Hmlicp32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5100 -
C:\Windows\SysWOW64\Jhpjbgne.exeC:\Windows\system32\Jhpjbgne.exe92⤵PID:4820
-
C:\Windows\SysWOW64\Jlponebi.exeC:\Windows\system32\Jlponebi.exe93⤵PID:4784
-
C:\Windows\SysWOW64\Lbmqmi32.exeC:\Windows\system32\Lbmqmi32.exe94⤵PID:1992
-
C:\Windows\SysWOW64\Lilbdcfe.exeC:\Windows\system32\Lilbdcfe.exe95⤵PID:3500
-
C:\Windows\SysWOW64\Mbkmngfn.exeC:\Windows\system32\Mbkmngfn.exe96⤵PID:4952
-
C:\Windows\SysWOW64\Mkdagm32.exeC:\Windows\system32\Mkdagm32.exe97⤵PID:3380
-
C:\Windows\SysWOW64\Mfiedfmd.exeC:\Windows\system32\Mfiedfmd.exe98⤵PID:2408
-
C:\Windows\SysWOW64\Moajmk32.exeC:\Windows\system32\Moajmk32.exe99⤵PID:984
-
C:\Windows\SysWOW64\Npfchkop.exeC:\Windows\system32\Npfchkop.exe100⤵PID:860
-
C:\Windows\SysWOW64\Nfchjddj.exeC:\Windows\system32\Nfchjddj.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Nlbnhkqo.exeC:\Windows\system32\Nlbnhkqo.exe102⤵PID:5140
-
C:\Windows\SysWOW64\Nppfnige.exeC:\Windows\system32\Nppfnige.exe103⤵PID:5180
-
C:\Windows\SysWOW64\Opgloh32.exeC:\Windows\system32\Opgloh32.exe104⤵PID:5228
-
C:\Windows\SysWOW64\Oecego32.exeC:\Windows\system32\Oecego32.exe105⤵PID:5332
-
C:\Windows\SysWOW64\Apcead32.exeC:\Windows\system32\Apcead32.exe106⤵PID:5384
-
C:\Windows\SysWOW64\Bleebc32.exeC:\Windows\system32\Bleebc32.exe107⤵
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\Cggikk32.exeC:\Windows\system32\Cggikk32.exe108⤵PID:5468
-
C:\Windows\SysWOW64\Dnekcd32.exeC:\Windows\system32\Dnekcd32.exe109⤵PID:5540
-
C:\Windows\SysWOW64\Dfclmfhl.exeC:\Windows\system32\Dfclmfhl.exe110⤵
- Modifies registry class
PID:5608 -
C:\Windows\SysWOW64\Enomic32.exeC:\Windows\system32\Enomic32.exe111⤵
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Eodclj32.exeC:\Windows\system32\Eodclj32.exe112⤵PID:5696
-
C:\Windows\SysWOW64\Fqfmlm32.exeC:\Windows\system32\Fqfmlm32.exe113⤵
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Fmmmqnaf.exeC:\Windows\system32\Fmmmqnaf.exe114⤵PID:5784
-
C:\Windows\SysWOW64\Fnmjkahi.exeC:\Windows\system32\Fnmjkahi.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5828 -
C:\Windows\SysWOW64\Fjcjpb32.exeC:\Windows\system32\Fjcjpb32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5868 -
C:\Windows\SysWOW64\Fpbpmhjb.exeC:\Windows\system32\Fpbpmhjb.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5912 -
C:\Windows\SysWOW64\Gadimkpb.exeC:\Windows\system32\Gadimkpb.exe118⤵PID:5956
-
C:\Windows\SysWOW64\Gaibhj32.exeC:\Windows\system32\Gaibhj32.exe119⤵PID:6000
-
C:\Windows\SysWOW64\Hcjkje32.exeC:\Windows\system32\Hcjkje32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6048 -
C:\Windows\SysWOW64\Hoibmmpi.exeC:\Windows\system32\Hoibmmpi.exe121⤵PID:6092
-
C:\Windows\SysWOW64\Ikbphn32.exeC:\Windows\system32\Ikbphn32.exe122⤵PID:6136
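The process tree above is 122 levels deep, and extraction has glued each node's image path, command line and nesting depth onto one line. The following is an added example, not part of the report: a parser for that flattened layout plus two checks an analyst would run on it. First, PID reuse: in the full tree PIDs 1260, 1380, 2700, 4736 and 5100 each appear on two different nodes, because each dropped binary exits after launching the next one and Windows hands the freed PID out again, so the PID cannot serve as the node key. Second, the pattern of the dropped payloads: every node below the root is an 8-character name (seven lowercase letters after a capital, or five followed by "32") whose image sits in C:\Windows\SysWOW64\ while the command line names C:\Windows\system32\, i.e. a 32-bit launcher hitting WoW64 file-system redirection. The embedded excerpt is copied from the tree above and chosen to include one reused PID; the regular expressions and function names are this example's own.

```python
import re

# Excerpt of the "Processes" tree from the report above, as extraction rendered
# it: "<image path><command line><depth>⤵" on one line, flags as "- ..." lines,
# PID either on the same line ("⤵PID:n") or on its own line ("PID:n -").
# Chosen so that PID 1260 appears twice (depth 10 and depth 77).
TREE_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\NEAS.39c9f5cc1466f49d836a761eaabc2580.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.39c9f5cc1466f49d836a761eaabc2580.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Mbdiknlb.exeC:\Windows\system32\Mbdiknlb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Lbqdmodg.exeC:\Windows\system32\Lbqdmodg.exe68⤵PID:3632
-
C:\Windows\SysWOW64\Qkpmcddi.exeC:\Windows\system32\Qkpmcddi.exe77⤵PID:1260
-
"""

# image path runs to the first ".exe"; depth is the digit run right before ⤵
ENTRY_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmdline>.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$"
)
PID_RE = re.compile(r"^PID:(\d+)")
# naming pattern observed on every dropped binary in this report's tree
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{7}\.exe$|^[A-Z][a-z]{5}32\.exe$")


def parse_tree(text):
    """Turn the flattened tree into a list of nodes in document order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "image": m["image"],
                "name": m["image"].rsplit("\\", 1)[-1],
                "cmdline": m["cmdline"].strip('"'),
                "depth": int(m["depth"]),
                "pid": int(m["pid"]) if m["pid"] else None,
                "flags": [],
            })
            continue
        if not entries:
            continue
        pm = PID_RE.match(line)
        if pm:
            entries[-1]["pid"] = int(pm.group(1))
        elif line.startswith("- "):
            entries[-1]["flags"].append(line[2:])
    return entries


def pid_reuse(entries):
    """PIDs that appear on more than one node: depth and name of each occurrence."""
    by_pid = {}
    for e in entries:
        by_pid.setdefault(e["pid"], []).append((e["depth"], e["name"]))
    return {pid: nodes for pid, nodes in by_pid.items() if len(nodes) > 1}


def dropped_payloads(entries):
    """Nodes fitting the 8-character name pattern whose image lives in SysWOW64
    while the command line names system32 (WoW64 redirection of a 32-bit launch)."""
    return [
        e["name"] for e in entries
        if DROPPED_NAME_RE.match(e["name"])
        and e["image"].lower().startswith("c:\\windows\\syswow64\\")
        and "\\system32\\" in e["cmdline"].lower()
    ]


if __name__ == "__main__":
    nodes = parse_tree(TREE_EXCERPT)
    for e in nodes:
        print(f"depth {e['depth']:>3}  pid {e['pid']:>5}  {e['name']:<45} {e['flags']}")
    print("reused PIDs:", pid_reuse(nodes))
    print("dropped payloads:", dropped_payloads(nodes))
```

Run against the whole tree, `dropped_payloads` yields the list of files to collect from C:\Windows\SysWOW64\ on an infected host, and `pid_reuse` shows why any correlation with the WriteProcessMemory table must go through the report's own process numbering rather than the PID.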