Analysis
max time kernel: 149s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 16:52
Behavioral task: behavioral1
Sample: NEAS.f56c9e568441225ec2fb088692017db0.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.f56c9e568441225ec2fb088692017db0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.f56c9e568441225ec2fb088692017db0.exe
Size: 92KB
MD5: f56c9e568441225ec2fb088692017db0
SHA1: 3d3415ec859d36935d24a26ec28b797dfea16cb1
SHA256: 7e5532652f0818e364e442c7708bb4d675e7f1c59d2d9d8dbd6bd390a03fe61d
SHA512: a45a083fdae7370f6539236792277feecdb046b5465c5b0fc9ce140971b4830a609a0529a74d6062f6129340112856bbb6166b81d89ce1a49ba4b8ae3653e7a9
SSDEEP: 1536:JajsUNcte9yAjYCoUvBDwW0UJbgD+zvBT2orgRQUn2RzBvrk3HR96TC+qRbDb1SY:JahczADwWTJby+zZTdge+203H/6TC+qZ
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.f56c9e568441225ec2fb088692017db0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f56c9e568441225ec2fb088692017db0.exe")
   - Suspicious use of WriteProcessMemory
   PID: 2652
2. C:\Windows\SysWOW64\Jonlimkg.exe (command line: C:\Windows\system32\Jonlimkg.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1676
3. C:\Windows\SysWOW64\Kclnfi32.exe (command line: C:\Windows\system32\Kclnfi32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 4136
4. C:\Windows\SysWOW64\Lfodmdni.exe (command line: C:\Windows\system32\Lfodmdni.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3576
5. C:\Windows\SysWOW64\Mhoind32.exe (command line: C:\Windows\system32\Mhoind32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3616
6. C:\Windows\SysWOW64\Niihlkdm.exe (command line: C:\Windows\system32\Niihlkdm.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2352
7. C:\Windows\SysWOW64\Okpkgm32.exe (command line: C:\Windows\system32\Okpkgm32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2536
8. C:\Windows\SysWOW64\Odhppclh.exe (command line: C:\Windows\system32\Odhppclh.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3268
9. C:\Windows\SysWOW64\Qhddgofo.exe (command line: C:\Windows\system32\Qhddgofo.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 1708
10. C:\Windows\SysWOW64\Abdoqd32.exe (command line: C:\Windows\system32\Abdoqd32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3640
11. C:\Windows\SysWOW64\Bkefphem.exe (command line: C:\Windows\system32\Bkefphem.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4568
12. C:\Windows\SysWOW64\Bgodjiio.exe (command line: C:\Windows\system32\Bgodjiio.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3984
13. C:\Windows\SysWOW64\Djipbbne.exe (command line: C:\Windows\system32\Djipbbne.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3356
14. C:\Windows\SysWOW64\Dhcfleff.exe (command line: C:\Windows\system32\Dhcfleff.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1508
15. C:\Windows\SysWOW64\Eejcki32.exe (command line: C:\Windows\system32\Eejcki32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3532
16. C:\Windows\SysWOW64\Fiaogfai.exe (command line: C:\Windows\system32\Fiaogfai.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3728
17. C:\Windows\SysWOW64\Giokid32.exe (command line: C:\Windows\system32\Giokid32.exe)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1080
18. C:\Windows\SysWOW64\Hifaic32.exe (command line: C:\Windows\system32\Hifaic32.exe)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1316
19. C:\Windows\SysWOW64\Hcabhido.exe (command line: C:\Windows\system32\Hcabhido.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4864
20. C:\Windows\SysWOW64\Jllmml32.exe (command line: C:\Windows\system32\Jllmml32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 540
21. C:\Windows\SysWOW64\Jmepcj32.exe (command line: C:\Windows\system32\Jmepcj32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3768
22. C:\Windows\SysWOW64\Kicfijal.exe (command line: C:\Windows\system32\Kicfijal.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4696
23. C:\Windows\SysWOW64\Lkiiee32.exe (command line: C:\Windows\system32\Lkiiee32.exe)
   - Executes dropped EXE
   PID: 3504
24. C:\Windows\SysWOW64\Mlgegcng.exe (command line: C:\Windows\system32\Mlgegcng.exe)
   - Executes dropped EXE
   PID: 996
25. C:\Windows\SysWOW64\Nfhipj32.exe (command line: C:\Windows\system32\Nfhipj32.exe)
   - Executes dropped EXE
   PID: 1996
26. C:\Windows\SysWOW64\Ndliin32.exe (command line: C:\Windows\system32\Ndliin32.exe)
   - Executes dropped EXE
   PID: 4288
27. C:\Windows\SysWOW64\Ollgiplp.exe (command line: C:\Windows\system32\Ollgiplp.exe)
   - Executes dropped EXE
   PID: 2540
28. C:\Windows\SysWOW64\Plejoode.exe (command line: C:\Windows\system32\Plejoode.exe)
   - Executes dropped EXE
   PID: 3288
29. C:\Windows\SysWOW64\Pmgcoaie.exe (command line: C:\Windows\system32\Pmgcoaie.exe)
   - Executes dropped EXE
   PID: 2056
30. C:\Windows\SysWOW64\Pllppnnm.exe (command line: C:\Windows\system32\Pllppnnm.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 956
31. C:\Windows\SysWOW64\Qibmoa32.exe (command line: C:\Windows\system32\Qibmoa32.exe)
   - Executes dropped EXE
   PID: 5064
32. C:\Windows\SysWOW64\Qckbggad.exe (command line: C:\Windows\system32\Qckbggad.exe)
   - Executes dropped EXE
   PID: 412
33. C:\Windows\SysWOW64\Bdfnmhnj.exe (command line: C:\Windows\system32\Bdfnmhnj.exe)
   - Executes dropped EXE
   PID: 2724
34. C:\Windows\SysWOW64\Bpmobi32.exe (command line: C:\Windows\system32\Bpmobi32.exe)
   - Executes dropped EXE
   PID: 4856
35. C:\Windows\SysWOW64\Bglpjb32.exe (command line: C:\Windows\system32\Bglpjb32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   PID: 4300
36. C:\Windows\SysWOW64\Cnmoglij.exe (command line: C:\Windows\system32\Cnmoglij.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   PID: 748
37. C:\Windows\SysWOW64\Enfjdh32.exe (command line: C:\Windows\system32\Enfjdh32.exe)
   - Executes dropped EXE
   PID: 1504
38. C:\Windows\SysWOW64\Fegiba32.exe (command line: C:\Windows\system32\Fegiba32.exe)
   - Executes dropped EXE
   PID: 2440
39. C:\Windows\SysWOW64\Flfjjkgi.exe (command line: C:\Windows\system32\Flfjjkgi.exe)
   - Executes dropped EXE
   PID: 1344
40. C:\Windows\SysWOW64\Gdkbdllj.exe (command line: C:\Windows\system32\Gdkbdllj.exe)
   - Executes dropped EXE
   - Modifies registry class
   PID: 2732
41. C:\Windows\SysWOW64\Hdmojkjg.exe (command line: C:\Windows\system32\Hdmojkjg.exe)
   - Executes dropped EXE
   PID: 2836
42. C:\Windows\SysWOW64\Hoepmd32.exe (command line: C:\Windows\system32\Hoepmd32.exe)
   - Executes dropped EXE
   - Modifies registry class
   PID: 416
43. C:\Windows\SysWOW64\Imofip32.exe (command line: C:\Windows\system32\Imofip32.exe)
   - Executes dropped EXE
   PID: 1232
44. C:\Windows\SysWOW64\Iamoon32.exe (command line: C:\Windows\system32\Iamoon32.exe)
   - Executes dropped EXE
   PID: 2684
45. C:\Windows\SysWOW64\Iaahjmkn.exe (command line: C:\Windows\system32\Iaahjmkn.exe)
   - Executes dropped EXE
   PID: 1804
46. C:\Windows\SysWOW64\Jliimf32.exe (command line: C:\Windows\system32\Jliimf32.exe)
   - Executes dropped EXE
   PID: 3548
47. C:\Windows\SysWOW64\Jhgpbf32.exe (command line: C:\Windows\system32\Jhgpbf32.exe)
   - Executes dropped EXE
   PID: 560
48. C:\Windows\SysWOW64\Kohnpoib.exe (command line: C:\Windows\system32\Kohnpoib.exe)
   - Executes dropped EXE
   PID: 4852
49. C:\Windows\SysWOW64\Klloichl.exe (command line: C:\Windows\system32\Klloichl.exe)
   - Executes dropped EXE
   PID: 2120
50. C:\Windows\SysWOW64\Lmcejbbd.exe (command line: C:\Windows\system32\Lmcejbbd.exe)
   - Executes dropped EXE
   - Modifies registry class
   PID: 920
51. C:\Windows\SysWOW64\Lfkich32.exe (command line: C:\Windows\system32\Lfkich32.exe)
   - Executes dropped EXE
   PID: 2304
52. C:\Windows\SysWOW64\Lbdgmh32.exe (command line: C:\Windows\system32\Lbdgmh32.exe)
   - Executes dropped EXE
   - Modifies registry class
   PID: 3696
53. C:\Windows\SysWOW64\Mihbpalh.exe (command line: C:\Windows\system32\Mihbpalh.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 4512
54. C:\Windows\SysWOW64\Obcled32.exe (command line: C:\Windows\system32\Obcled32.exe)
   - Executes dropped EXE
   PID: 4388
55. C:\Windows\SysWOW64\Pekkhn32.exe (command line: C:\Windows\system32\Pekkhn32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 4480
56. C:\Windows\SysWOW64\Pimmil32.exe (command line: C:\Windows\system32\Pimmil32.exe)
   - Executes dropped EXE
   PID: 4188
57. C:\Windows\SysWOW64\Bcfkiock.exe (command line: C:\Windows\system32\Bcfkiock.exe)
   - Executes dropped EXE
   - Modifies registry class
   PID: 1364
58. C:\Windows\SysWOW64\Begcjjql.exe (command line: C:\Windows\system32\Begcjjql.exe)
   - Executes dropped EXE
   PID: 4176
59. C:\Windows\SysWOW64\Cofndo32.exe (command line: C:\Windows\system32\Cofndo32.exe)
   - Executes dropped EXE
   - Modifies registry class
   PID: 1580
60. C:\Windows\SysWOW64\Cphgca32.exe (command line: C:\Windows\system32\Cphgca32.exe)
   - Executes dropped EXE
   PID: 1088
61. C:\Windows\SysWOW64\Dgnolj32.exe (command line: C:\Windows\system32\Dgnolj32.exe)
   - Executes dropped EXE
   PID: 764
62. C:\Windows\SysWOW64\Dqfceoje.exe (command line: C:\Windows\system32\Dqfceoje.exe)
   - Executes dropped EXE
   PID: 1416
63. C:\Windows\SysWOW64\Ecnbgian.exe (command line: C:\Windows\system32\Ecnbgian.exe)
   - Executes dropped EXE
   - Modifies registry class
   PID: 4824
64. C:\Windows\SysWOW64\Fpnfbi32.exe (command line: C:\Windows\system32\Fpnfbi32.exe)
   - Executes dropped EXE
   PID: 4896
65. C:\Windows\SysWOW64\Fapobl32.exe (command line: C:\Windows\system32\Fapobl32.exe)
   - Executes dropped EXE
   PID: 4128
66. C:\Windows\SysWOW64\Gjojkpdp.exe (command line: C:\Windows\system32\Gjojkpdp.exe)
   PID: 1332
67. C:\Windows\SysWOW64\Gplbcgbg.exe (command line: C:\Windows\system32\Gplbcgbg.exe)
   - Modifies registry class
   PID: 4584
68. C:\Windows\SysWOW64\Gffkpa32.exe (command line: C:\Windows\system32\Gffkpa32.exe)
   PID: 3512
69. C:\Windows\SysWOW64\Galonj32.exe (command line: C:\Windows\system32\Galonj32.exe)
   PID: 1900
70. C:\Windows\SysWOW64\Ihcclb32.exe (command line: C:\Windows\system32\Ihcclb32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 2088
71. C:\Windows\SysWOW64\Jdajabdc.exe (command line: C:\Windows\system32\Jdajabdc.exe)
   PID: 3032
72. C:\Windows\SysWOW64\Kaonaekb.exe (command line: C:\Windows\system32\Kaonaekb.exe)
   PID: 4252
73. C:\Windows\SysWOW64\Kobnji32.exe (command line: C:\Windows\system32\Kobnji32.exe)
   PID: 1144
74. C:\Windows\SysWOW64\Kgbljkca.exe (command line: C:\Windows\system32\Kgbljkca.exe)
   - Modifies registry class
   PID: 3320
75. C:\Windows\SysWOW64\Loqjlg32.exe (command line: C:\Windows\system32\Loqjlg32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 5116
76. C:\Windows\SysWOW64\Mdgejmdi.exe (command line: C:\Windows\system32\Mdgejmdi.exe)
   PID: 5216
77. C:\Windows\SysWOW64\Nqgiel32.exe (command line: C:\Windows\system32\Nqgiel32.exe)
   PID: 5300
78. C:\Windows\SysWOW64\Nicjaino.exe (command line: C:\Windows\system32\Nicjaino.exe)
   PID: 5356
79. C:\Windows\SysWOW64\Pgdgodhj.exe (command line: C:\Windows\system32\Pgdgodhj.exe)
   PID: 5404
80. C:\Windows\SysWOW64\Pelacg32.exe (command line: C:\Windows\system32\Pelacg32.exe)
   PID: 5444
81. C:\Windows\SysWOW64\Ppdbfpaa.exe (command line: C:\Windows\system32\Ppdbfpaa.exe)
   PID: 5484
82. C:\Windows\SysWOW64\Qecgcfmf.exe (command line: C:\Windows\system32\Qecgcfmf.exe)
   PID: 5524
83. C:\Windows\SysWOW64\Qajhigcj.exe (command line: C:\Windows\system32\Qajhigcj.exe)
   PID: 5568
84. C:\Windows\SysWOW64\Aejmdegn.exe (command line: C:\Windows\system32\Aejmdegn.exe)
   PID: 5608
85. C:\Windows\SysWOW64\Aocamk32.exe (command line: C:\Windows\system32\Aocamk32.exe)
   - Modifies registry class
   PID: 5652
86. C:\Windows\SysWOW64\Ahnclp32.exe (command line: C:\Windows\system32\Ahnclp32.exe)
   PID: 5692
87. C:\Windows\SysWOW64\Bafgdfim.exe (command line: C:\Windows\system32\Bafgdfim.exe)
   PID: 5740
88. C:\Windows\SysWOW64\Bbjmih32.exe (command line: C:\Windows\system32\Bbjmih32.exe)
   PID: 5784
89. C:\Windows\SysWOW64\Ccacjgfb.exe (command line: C:\Windows\system32\Ccacjgfb.exe)
   PID: 5824
90. C:\Windows\SysWOW64\Chnlbndj.exe (command line: C:\Windows\system32\Chnlbndj.exe)
   PID: 5868
91. C:\Windows\SysWOW64\Cccppgcp.exe (command line: C:\Windows\system32\Cccppgcp.exe)
   - Drops file in System32 directory
   PID: 5916
92. C:\Windows\SysWOW64\Commjgga.exe (command line: C:\Windows\system32\Commjgga.exe)
   PID: 5960
93. C:\Windows\SysWOW64\Cefega32.exe (command line: C:\Windows\system32\Cefega32.exe)
   PID: 6020
94. C:\Windows\SysWOW64\Dpcpei32.exe (command line: C:\Windows\system32\Dpcpei32.exe)
   PID: 6076
95. C:\Windows\SysWOW64\Eqopqh32.exe (command line: C:\Windows\system32\Eqopqh32.exe)
   PID: 6120
96. C:\Windows\SysWOW64\Gqaeme32.exe (command line: C:\Windows\system32\Gqaeme32.exe)
   PID: 5224
97. C:\Windows\SysWOW64\Hcnnjoam.exe (command line: C:\Windows\system32\Hcnnjoam.exe)
   - Drops file in System32 directory
   PID: 2052
98. C:\Windows\SysWOW64\Mdfopf32.exe (command line: C:\Windows\system32\Mdfopf32.exe)
   PID: 5364
99. C:\Windows\SysWOW64\Ngedbp32.exe (command line: C:\Windows\system32\Ngedbp32.exe)
   PID: 5380
100. C:\Windows\SysWOW64\Okeinn32.exe (command line: C:\Windows\system32\Okeinn32.exe)
   PID: 5464
101. C:\Windows\SysWOW64\Ojjfpjjj.exe (command line: C:\Windows\system32\Ojjfpjjj.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
   PID: 5508
102. C:\Windows\SysWOW64\Odpjmcjp.exe (command line: C:\Windows\system32\Odpjmcjp.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 3892
103. C:\Windows\SysWOW64\Pcjaio32.exe (command line: C:\Windows\system32\Pcjaio32.exe)
   PID: 2404
104. C:\Windows\SysWOW64\Pjdifibo.exe (command line: C:\Windows\system32\Pjdifibo.exe)
   PID: 5680
105. C:\Windows\SysWOW64\Pengna32.exe (command line: C:\Windows\system32\Pengna32.exe)
   PID: 5716
106. C:\Windows\SysWOW64\Anmagenh.exe (command line: C:\Windows\system32\Anmagenh.exe)
   PID: 5772
107. C:\Windows\SysWOW64\Acjjpllp.exe (command line: C:\Windows\system32\Acjjpllp.exe)
   PID: 5860
108. C:\Windows\SysWOW64\Aejfjocb.exe (command line: C:\Windows\system32\Aejfjocb.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 3640
109. C:\Windows\SysWOW64\Bbbpnc32.exe (command line: C:\Windows\system32\Bbbpnc32.exe)
   PID: 5936
110. C:\Windows\SysWOW64\Bhohfj32.exe (command line: C:\Windows\system32\Bhohfj32.exe)
   PID: 4812
111. C:\Windows\SysWOW64\Beefenie.exe (command line: C:\Windows\system32\Beefenie.exe)
   - Modifies registry class
   PID: 3840
112. C:\Windows\SysWOW64\Coepob32.exe (command line: C:\Windows\system32\Coepob32.exe)
   PID: 4364
113. C:\Windows\SysWOW64\Ceoillaj.exe (command line: C:\Windows\system32\Ceoillaj.exe)
   PID: 4796
114. C:\Windows\SysWOW64\Ceaealoh.exe (command line: C:\Windows\system32\Ceaealoh.exe)
   - Modifies registry class
   PID: 6060
115. C:\Windows\SysWOW64\Colfpace.exe (command line: C:\Windows\system32\Colfpace.exe)
   - Drops file in System32 directory
   - Modifies registry class
   PID: 2484
116. C:\Windows\SysWOW64\Cefolk32.exe (command line: C:\Windows\system32\Cefolk32.exe)
   PID: 4308
117. C:\Windows\SysWOW64\Donceaac.exe (command line: C:\Windows\system32\Donceaac.exe)
   PID: 5272
118. C:\Windows\SysWOW64\Dkedjbgg.exe (command line: C:\Windows\system32\Dkedjbgg.exe)
   - Modifies registry class
   PID: 2652
119. C:\Windows\SysWOW64\Dejhgkgm.exe (command line: C:\Windows\system32\Dejhgkgm.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 1220
120. C:\Windows\SysWOW64\Dhnnoe32.exe (command line: C:\Windows\system32\Dhnnoe32.exe)
   PID: 540
121. C:\Windows\SysWOW64\Eojcao32.exe (command line: C:\Windows\system32\Eojcao32.exe)
   PID: 3876
122. C:\Windows\SysWOW64\Edgkif32.exe (command line: C:\Windows\system32\Edgkif32.exe)
   PID: 3504