Analysis
max time kernel
151s
max time network
135s
platform
windows7_x64
resource
win7-20231025-en
resource tags
arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
submitted
02/11/2023, 16:49
Behavioral task
behavioral1
Sample
NEAS.c3fd4ecccb1a3207b47d81f984d06a30.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
NEAS.c3fd4ecccb1a3207b47d81f984d06a30.exe
Resource
win10v2004-20231023-en
General
Target
NEAS.c3fd4ecccb1a3207b47d81f984d06a30.exe
Size
143KB
MD5
c3fd4ecccb1a3207b47d81f984d06a30
SHA1
6f82304fc7e257d5a2ffcd272c1f008fc1d33dbc
SHA256
ab17b310c0f849898f44c859e8a4fa24e4b1906e1d74f76bbe259d7e6aa264bd
SHA512
558529095ce0e35314e28c63da3d47b46ec026f3e3f68337f53f639eb9329cb87a5f68ac3cf590712de5baa49f94893903e18f4340b581a53c68eb4ef1806707
SSDEEP
3072:NOBkONXvyv5H5zPIh3eNpxNgmFO1gdd8jH:cxvSHpPIhutNtF0b
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c3fd4ecccb1a3207b47d81f984d06a30.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c3fd4ecccb1a3207b47d81f984d06a30.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\Ecnmpa32.exe (tree depth 2)
Command line: C:\Windows\system32\Ecnmpa32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\Eqamje32.exe (tree depth 3)
Command line: C:\Windows\system32\Eqamje32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\Efnfbl32.exe (tree depth 4)
Command line: C:\Windows\system32\Efnfbl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\Ekknjcfh.exe (tree depth 5)
Command line: C:\Windows\system32\Ekknjcfh.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\Eknkpbdf.exe (tree depth 6)
Command line: C:\Windows\system32\Eknkpbdf.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\Ebgclm32.exe (tree depth 7)
Command line: C:\Windows\system32\Ebgclm32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\Fnndan32.exe (tree depth 8)
Command line: C:\Windows\system32\Fnndan32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\Fkbdkb32.exe (tree depth 9)
Command line: C:\Windows\system32\Fkbdkb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\Fcmiod32.exe (tree depth 10)
Command line: C:\Windows\system32\Fcmiod32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\Fjgalndh.exe (tree depth 11)
Command line: C:\Windows\system32\Fjgalndh.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\Fgkbeb32.exe (tree depth 12)
Command line: C:\Windows\system32\Fgkbeb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\Fnejbmko.exe (tree depth 13)
Command line: C:\Windows\system32\Fnejbmko.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\Fpffje32.exe (tree depth 14)
Command line: C:\Windows\system32\Fpffje32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\Fiokbjgn.exe (tree depth 15)
Command line: C:\Windows\system32\Fiokbjgn.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\Fbgpkpnn.exe (tree depth 16)
Command line: C:\Windows\system32\Fbgpkpnn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\Gmmdiind.exe (tree depth 17)
Command line: C:\Windows\system32\Gmmdiind.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2128

C:\Windows\SysWOW64\Gcglec32.exe (tree depth 18)
Command line: C:\Windows\system32\Gcglec32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1940

C:\Windows\SysWOW64\Gicdnj32.exe (tree depth 19)
Command line: C:\Windows\system32\Gicdnj32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2080

C:\Windows\SysWOW64\Gpnmjd32.exe (tree depth 20)
Command line: C:\Windows\system32\Gpnmjd32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:832

C:\Windows\SysWOW64\Gblifo32.exe (tree depth 21)
Command line: C:\Windows\system32\Gblifo32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1080

C:\Windows\SysWOW64\Gifaciae.exe (tree depth 22)
Command line: C:\Windows\system32\Gifaciae.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1900

C:\Windows\SysWOW64\Gnbjlpom.exe (tree depth 23)
Command line: C:\Windows\system32\Gnbjlpom.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2176

C:\Windows\SysWOW64\Gaafhloq.exe (tree depth 24)
Command line: C:\Windows\system32\Gaafhloq.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1392

C:\Windows\SysWOW64\Glgjednf.exe (tree depth 25)
Command line: C:\Windows\system32\Glgjednf.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1808

C:\Windows\SysWOW64\Gacbmk32.exe (tree depth 26)
Command line: C:\Windows\system32\Gacbmk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:948

C:\Windows\SysWOW64\Ghmkjedk.exe (tree depth 27)
Command line: C:\Windows\system32\Ghmkjedk.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1660

C:\Windows\SysWOW64\Gngcgp32.exe (tree depth 28)
Command line: C:\Windows\system32\Gngcgp32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:604

C:\Windows\SysWOW64\Hddlof32.exe (tree depth 29)
Command line: C:\Windows\system32\Hddlof32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1948

C:\Windows\SysWOW64\Hjndlqal.exe (tree depth 30)
Command line: C:\Windows\system32\Hjndlqal.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2956

C:\Windows\SysWOW64\Hahlhkhi.exe (tree depth 31)
Command line: C:\Windows\system32\Hahlhkhi.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:888

C:\Windows\SysWOW64\Hdfhdfgl.exe (tree depth 32)
Command line: C:\Windows\system32\Hdfhdfgl.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1980

C:\Windows\SysWOW64\Hjqqap32.exe (tree depth 33)
Command line: C:\Windows\system32\Hjqqap32.exe
- Executes dropped EXE
PID:1212

C:\Windows\SysWOW64\Hmomml32.exe (tree depth 34)
Command line: C:\Windows\system32\Hmomml32.exe
- Executes dropped EXE
PID:1596

C:\Windows\SysWOW64\Hbleeb32.exe (tree depth 35)
Command line: C:\Windows\system32\Hbleeb32.exe
- Executes dropped EXE
PID:2156

C:\Windows\SysWOW64\Hjcmgp32.exe (tree depth 36)
Command line: C:\Windows\system32\Hjcmgp32.exe
- Executes dropped EXE
PID:2928

C:\Windows\SysWOW64\Hdkape32.exe (tree depth 37)
Command line: C:\Windows\system32\Hdkape32.exe
- Executes dropped EXE
PID:2044

C:\Windows\SysWOW64\Helngnie.exe (tree depth 38)
Command line: C:\Windows\system32\Helngnie.exe
- Executes dropped EXE
- Modifies registry class
PID:2660

C:\Windows\SysWOW64\Hlffdh32.exe (tree depth 39)
Command line: C:\Windows\system32\Hlffdh32.exe
- Executes dropped EXE
PID:2528

C:\Windows\SysWOW64\Hbqoqbho.exe (tree depth 40)
Command line: C:\Windows\system32\Hbqoqbho.exe
- Executes dropped EXE
PID:2504

C:\Windows\SysWOW64\Hijgml32.exe (tree depth 41)
Command line: C:\Windows\system32\Hijgml32.exe
- Executes dropped EXE
PID:2556

C:\Windows\SysWOW64\Ipdojfgh.exe (tree depth 42)
Command line: C:\Windows\system32\Ipdojfgh.exe
- Executes dropped EXE
PID:2268

C:\Windows\SysWOW64\Iimcclni.exe (tree depth 43)
Command line: C:\Windows\system32\Iimcclni.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684

C:\Windows\SysWOW64\Ioilkblq.exe (tree depth 44)
Command line: C:\Windows\system32\Ioilkblq.exe
- Executes dropped EXE
PID:3044

C:\Windows\SysWOW64\Iecdhm32.exe (tree depth 45)
Command line: C:\Windows\system32\Iecdhm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2852

C:\Windows\SysWOW64\Ilnmdgkj.exe (tree depth 46)
Command line: C:\Windows\system32\Ilnmdgkj.exe
- Executes dropped EXE
PID:2816

C:\Windows\SysWOW64\Iajemnia.exe (tree depth 47)
Command line: C:\Windows\system32\Iajemnia.exe
- Executes dropped EXE
PID:1200

C:\Windows\SysWOW64\Idiaii32.exe (tree depth 48)
Command line: C:\Windows\system32\Idiaii32.exe
- Executes dropped EXE
PID:268

C:\Windows\SysWOW64\Ionefb32.exe (tree depth 49)
Command line: C:\Windows\system32\Ionefb32.exe
- Executes dropped EXE
PID:2896

C:\Windows\SysWOW64\Idknoi32.exe (tree depth 50)
Command line: C:\Windows\system32\Idknoi32.exe
- Executes dropped EXE
PID:1632

C:\Windows\SysWOW64\Igijkd32.exe (tree depth 51)
Command line: C:\Windows\system32\Igijkd32.exe
- Executes dropped EXE
PID:1692

C:\Windows\SysWOW64\Iihfgp32.exe (tree depth 52)
Command line: C:\Windows\system32\Iihfgp32.exe
- Executes dropped EXE
PID:2256

C:\Windows\SysWOW64\Jcpkpe32.exe (tree depth 53)
Command line: C:\Windows\system32\Jcpkpe32.exe
- Executes dropped EXE
- Modifies registry class
PID:2316

C:\Windows\SysWOW64\Jkgcab32.exe (tree depth 54)
Command line: C:\Windows\system32\Jkgcab32.exe
- Executes dropped EXE
PID:2948

C:\Windows\SysWOW64\Jdpgjhbm.exe (tree depth 55)
Command line: C:\Windows\system32\Jdpgjhbm.exe
- Executes dropped EXE
PID:828

C:\Windows\SysWOW64\Jgncfcaa.exe (tree depth 56)
Command line: C:\Windows\system32\Jgncfcaa.exe
- Executes dropped EXE
PID:2000

C:\Windows\SysWOW64\Jlklnjoh.exe (tree depth 57)
Command line: C:\Windows\system32\Jlklnjoh.exe
- Executes dropped EXE
PID:632

C:\Windows\SysWOW64\Jgqpkc32.exe (tree depth 58)
Command line: C:\Windows\system32\Jgqpkc32.exe
- Executes dropped EXE
PID:1908

C:\Windows\SysWOW64\Lclgjg32.exe (tree depth 59)
Command line: C:\Windows\system32\Lclgjg32.exe
- Executes dropped EXE
PID:1536

C:\Windows\SysWOW64\Lobgoh32.exe (tree depth 60)
Command line: C:\Windows\system32\Lobgoh32.exe
- Executes dropped EXE
PID:940

C:\Windows\SysWOW64\Lpgajgeg.exe (tree depth 61)
Command line: C:\Windows\system32\Lpgajgeg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2132

C:\Windows\SysWOW64\Ljabkeaf.exe (tree depth 62)
Command line: C:\Windows\system32\Ljabkeaf.exe
- Executes dropped EXE
PID:1064

C:\Windows\SysWOW64\Mgebdipp.exe (tree depth 63)
Command line: C:\Windows\system32\Mgebdipp.exe
- Executes dropped EXE
PID:816

C:\Windows\SysWOW64\Mjcoqdoc.exe (tree depth 64)
Command line: C:\Windows\system32\Mjcoqdoc.exe
- Executes dropped EXE
PID:752

C:\Windows\SysWOW64\Mfjoeeeh.exe (tree depth 65)
Command line: C:\Windows\system32\Mfjoeeeh.exe
- Executes dropped EXE
PID:240

C:\Windows\SysWOW64\Mmdgbp32.exe (tree depth 66)
Command line: C:\Windows\system32\Mmdgbp32.exe
PID:2036

C:\Windows\SysWOW64\Mcnpojca.exe (tree depth 67)
Command line: C:\Windows\system32\Mcnpojca.exe
PID:2320

C:\Windows\SysWOW64\Mabphn32.exe (tree depth 68)
Command line: C:\Windows\system32\Mabphn32.exe
PID:2696

C:\Windows\SysWOW64\Mfoiqe32.exe (tree depth 69)
Command line: C:\Windows\system32\Mfoiqe32.exe
PID:2616

C:\Windows\SysWOW64\Mimemp32.exe (tree depth 70)
Command line: C:\Windows\system32\Mimemp32.exe
PID:2752

C:\Windows\SysWOW64\Mdbiji32.exe (tree depth 71)
Command line: C:\Windows\system32\Mdbiji32.exe
PID:2700

C:\Windows\SysWOW64\Mfaefd32.exe (tree depth 72)
Command line: C:\Windows\system32\Mfaefd32.exe
- Modifies registry class
PID:2572

C:\Windows\SysWOW64\Nmkncofl.exe (tree depth 73)
Command line: C:\Windows\system32\Nmkncofl.exe
PID:2284

C:\Windows\SysWOW64\Noljjglk.exe (tree depth 74)
Command line: C:\Windows\system32\Noljjglk.exe
PID:2976

C:\Windows\SysWOW64\Nfcbldmm.exe (tree depth 75)
Command line: C:\Windows\system32\Nfcbldmm.exe
PID:2840

C:\Windows\SysWOW64\Nhdocl32.exe (tree depth 76)
Command line: C:\Windows\system32\Nhdocl32.exe
PID:2808

C:\Windows\SysWOW64\Noogpfjh.exe (tree depth 77)
Command line: C:\Windows\system32\Noogpfjh.exe
PID:524

C:\Windows\SysWOW64\Namclbil.exe (tree depth 78)
Command line: C:\Windows\system32\Namclbil.exe
PID:472

C:\Windows\SysWOW64\Nlbgikia.exe (tree depth 79)
Command line: C:\Windows\system32\Nlbgikia.exe
PID:1480

C:\Windows\SysWOW64\Ndnlnm32.exe (tree depth 80)
Command line: C:\Windows\system32\Ndnlnm32.exe
PID:2024

C:\Windows\SysWOW64\Nkhdkgnj.exe (tree depth 81)
Command line: C:\Windows\system32\Nkhdkgnj.exe
PID:2056

C:\Windows\SysWOW64\Nhlddkmc.exe (tree depth 82)
Command line: C:\Windows\system32\Nhlddkmc.exe
PID:1888

C:\Windows\SysWOW64\Noemqe32.exe (tree depth 83)
Command line: C:\Windows\system32\Noemqe32.exe
PID:2408

C:\Windows\SysWOW64\Ohnaik32.exe (tree depth 84)
Command line: C:\Windows\system32\Ohnaik32.exe
PID:1792

C:\Windows\SysWOW64\Oklnff32.exe (tree depth 85)
Command line: C:\Windows\system32\Oklnff32.exe
PID:2020

C:\Windows\SysWOW64\Oaffbqaa.exe (tree depth 86)
Command line: C:\Windows\system32\Oaffbqaa.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1056

C:\Windows\SysWOW64\Ocgbji32.exe (tree depth 87)
Command line: C:\Windows\system32\Ocgbji32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920

C:\Windows\SysWOW64\Ommfga32.exe (tree depth 88)
Command line: C:\Windows\system32\Ommfga32.exe
PID:1352

C:\Windows\SysWOW64\Opkccm32.exe (tree depth 89)
Command line: C:\Windows\system32\Opkccm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640

C:\Windows\SysWOW64\Oehklddp.exe (tree depth 90)
Command line: C:\Windows\system32\Oehklddp.exe
PID:1192

C:\Windows\SysWOW64\Olbchn32.exe (tree depth 91)
Command line: C:\Windows\system32\Olbchn32.exe
PID:2356

C:\Windows\SysWOW64\Ooqpdj32.exe (tree depth 92)
Command line: C:\Windows\system32\Ooqpdj32.exe
- Modifies registry class
PID:1216

C:\Windows\SysWOW64\Oekhacbn.exe (tree depth 93)
Command line: C:\Windows\system32\Oekhacbn.exe
PID:2980

C:\Windows\SysWOW64\Ohidmoaa.exe (tree depth 94)
Command line: C:\Windows\system32\Ohidmoaa.exe
PID:2040

C:\Windows\SysWOW64\Ocohkh32.exe (tree depth 95)
Command line: C:\Windows\system32\Ocohkh32.exe
PID:2744

C:\Windows\SysWOW64\Oaaifdhb.exe (tree depth 96)
Command line: C:\Windows\system32\Oaaifdhb.exe
PID:2736

C:\Windows\SysWOW64\Olgmcmgh.exe (tree depth 97)
Command line: C:\Windows\system32\Olgmcmgh.exe
PID:2772

C:\Windows\SysWOW64\Poeipifl.exe (tree depth 98)
Command line: C:\Windows\system32\Poeipifl.exe
- Drops file in System32 directory
PID:756

C:\Windows\SysWOW64\Peoalc32.exe (tree depth 99)
Command line: C:\Windows\system32\Peoalc32.exe
PID:1720

C:\Windows\SysWOW64\Plijimee.exe (tree depth 100)
Command line: C:\Windows\system32\Plijimee.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:296

C:\Windows\SysWOW64\Pafbadcm.exe (tree depth 101)
Command line: C:\Windows\system32\Pafbadcm.exe
PID:2844

C:\Windows\SysWOW64\Pddnnp32.exe (tree depth 102)
Command line: C:\Windows\system32\Pddnnp32.exe
PID:2988

C:\Windows\SysWOW64\Pgckjk32.exe (tree depth 103)
Command line: C:\Windows\system32\Pgckjk32.exe
PID:1152

C:\Windows\SysWOW64\Pnmcfeia.exe (tree depth 104)
Command line: C:\Windows\system32\Pnmcfeia.exe
PID:1524

C:\Windows\SysWOW64\Pdgkco32.exe (tree depth 105)
Command line: C:\Windows\system32\Pdgkco32.exe
PID:2120

C:\Windows\SysWOW64\Pgegok32.exe (tree depth 106)
Command line: C:\Windows\system32\Pgegok32.exe
PID:2352

C:\Windows\SysWOW64\Pnopldgn.exe (tree depth 107)
Command line: C:\Windows\system32\Pnopldgn.exe
PID:572

C:\Windows\SysWOW64\Pdihiook.exe (tree depth 108)
Command line: C:\Windows\system32\Pdihiook.exe
PID:1552

C:\Windows\SysWOW64\Pkcpei32.exe (tree depth 109)
Command line: C:\Windows\system32\Pkcpei32.exe
PID:1456

C:\Windows\SysWOW64\Pnalad32.exe (tree depth 110)
Command line: C:\Windows\system32\Pnalad32.exe
PID:1540

C:\Windows\SysWOW64\Pdldnomh.exe (tree depth 111)
Command line: C:\Windows\system32\Pdldnomh.exe
- Drops file in System32 directory
PID:1864

C:\Windows\SysWOW64\Qndigd32.exe (tree depth 112)
Command line: C:\Windows\system32\Qndigd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:856

C:\Windows\SysWOW64\Qqbecp32.exe (tree depth 113)
Command line: C:\Windows\system32\Qqbecp32.exe
PID:580

C:\Windows\SysWOW64\Qglmpi32.exe (tree depth 114)
Command line: C:\Windows\system32\Qglmpi32.exe
PID:1984

C:\Windows\SysWOW64\Qqdbiopj.exe (tree depth 115)
Command line: C:\Windows\system32\Qqdbiopj.exe
PID:2800

C:\Windows\SysWOW64\Afajafoa.exe (tree depth 116)
Command line: C:\Windows\system32\Afajafoa.exe
PID:2732

C:\Windows\SysWOW64\Amkbnp32.exe (tree depth 117)
Command line: C:\Windows\system32\Amkbnp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612

C:\Windows\SysWOW64\Abhkfg32.exe (tree depth 118)
Command line: C:\Windows\system32\Abhkfg32.exe
PID:2584

C:\Windows\SysWOW64\Aibcba32.exe (tree depth 119)
Command line: C:\Windows\system32\Aibcba32.exe
PID:3004

C:\Windows\SysWOW64\Akqpom32.exe (tree depth 120)
Command line: C:\Windows\system32\Akqpom32.exe
PID:2804

C:\Windows\SysWOW64\Anolkh32.exe (tree depth 121)
Command line: C:\Windows\system32\Anolkh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184

C:\Windows\SysWOW64\Affdle32.exe (tree depth 122)
Command line: C:\Windows\system32\Affdle32.exe
PID:772