Analysis
-
max time kernel
143s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
02/11/2023, 17:01
Behavioral task
behavioral1
Sample
NEAS.f27fa0a6e3e6fc05f343a699a41868d4_JC.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.f27fa0a6e3e6fc05f343a699a41868d4_JC.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.f27fa0a6e3e6fc05f343a699a41868d4_JC.exe
-
Size
354KB
-
MD5
f27fa0a6e3e6fc05f343a699a41868d4
-
SHA1
7d7cf0220a70e47a6aebb244bea1809cd837afbf
-
SHA256
1ea58bee63d6885e281aa0a40f9352def0e05de2f352d02f752847bbf19f921d
-
SHA512
7dabad28f6d15345ecf3a32b2354dcc5b7b34e7fe44f7ffcba9ffdeb6c150f0b6a369f25484150d7fb939bedc8f2e6fce632f37091ee1b175e3242a7fb4d65e9
-
SSDEEP
6144:MXZc6IKH35plkMgm9khUmKyIxLp3tTs8A9Y5CUmKyIxL6iUw:eZc6fUMgm9kh3kK9N36Uw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akgjnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfcompnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfpocjfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omnjojpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbhbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmdhnhkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakfglhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnofpqff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcgmiiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecjpfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcfhhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobkhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niblafgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foifmcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Megdmhbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeailhme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjjhla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljmmcbdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lebijnak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facjlhil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaodkmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dobnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqofippg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjcfeola.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhapmphg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdbfpaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjjfkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hemmac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmegkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajhdmplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgflcifg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdiglgbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfkjef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Debfpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpchib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glinjqhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhgojef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbcfbjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckmonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diafqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alhpkldp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghfnej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlmiagbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifdgaond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgggaamn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhbcfbjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoadecal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjiipk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Echbad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kphmbjhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjelo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgidgakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbbfnlpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhmbqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcggga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbhcdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jliimf32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x00040000000006e5-6.dat family_berbew behavioral2/files/0x00040000000006e5-8.dat family_berbew behavioral2/files/0x0008000000022dc3-14.dat family_berbew behavioral2/files/0x0008000000022dc3-16.dat family_berbew behavioral2/files/0x0006000000022ddc-22.dat family_berbew behavioral2/files/0x0006000000022ddc-24.dat family_berbew behavioral2/files/0x0006000000022de3-30.dat family_berbew behavioral2/files/0x0006000000022de3-31.dat family_berbew behavioral2/files/0x0006000000022de6-38.dat family_berbew behavioral2/files/0x0006000000022de6-39.dat family_berbew behavioral2/files/0x0006000000022deb-46.dat family_berbew behavioral2/files/0x0006000000022deb-47.dat family_berbew behavioral2/files/0x0006000000022ded-55.dat family_berbew behavioral2/files/0x0006000000022df1-69.dat family_berbew behavioral2/files/0x0006000000022def-63.dat family_berbew behavioral2/files/0x0006000000022def-62.dat family_berbew behavioral2/files/0x0006000000022ded-54.dat family_berbew behavioral2/files/0x0006000000022df1-70.dat family_berbew behavioral2/files/0x0006000000022df3-78.dat family_berbew behavioral2/files/0x0006000000022df3-80.dat family_berbew behavioral2/files/0x0006000000022df6-86.dat family_berbew behavioral2/files/0x0006000000022df8-94.dat family_berbew behavioral2/files/0x0006000000022df8-95.dat family_berbew behavioral2/files/0x0006000000022dfa-102.dat family_berbew behavioral2/files/0x0006000000022df6-87.dat family_berbew behavioral2/files/0x0006000000022dfa-104.dat family_berbew behavioral2/files/0x0007000000022dfd-111.dat family_berbew behavioral2/files/0x0007000000022dfd-110.dat family_berbew behavioral2/files/0x0006000000022e01-117.dat family_berbew behavioral2/files/0x0006000000022e01-120.dat family_berbew behavioral2/files/0x0006000000022e03-121.dat family_berbew behavioral2/files/0x0006000000022e06-136.dat family_berbew behavioral2/files/0x0006000000022e06-138.dat family_berbew behavioral2/files/0x0006000000022e03-128.dat family_berbew behavioral2/files/0x0006000000022e03-126.dat family_berbew behavioral2/files/0x0006000000022e09-144.dat family_berbew behavioral2/files/0x0006000000022e09-145.dat family_berbew behavioral2/files/0x0006000000022e0e-152.dat family_berbew behavioral2/files/0x0006000000022e0e-154.dat family_berbew behavioral2/files/0x0006000000022e16-161.dat family_berbew behavioral2/files/0x0006000000022e16-160.dat family_berbew behavioral2/files/0x0006000000022e1c-168.dat family_berbew behavioral2/files/0x0006000000022e1c-170.dat family_berbew behavioral2/files/0x0006000000022e23-177.dat family_berbew behavioral2/files/0x0006000000022e23-176.dat family_berbew behavioral2/files/0x0006000000022e25-184.dat family_berbew behavioral2/files/0x0006000000022e27-193.dat family_berbew behavioral2/files/0x0006000000022e29-200.dat family_berbew behavioral2/files/0x0006000000022e29-201.dat family_berbew behavioral2/files/0x0006000000022e27-192.dat family_berbew behavioral2/files/0x0006000000022e25-185.dat family_berbew behavioral2/files/0x0006000000022e2b-202.dat family_berbew behavioral2/files/0x0006000000022e2b-208.dat family_berbew behavioral2/files/0x0006000000022e2b-209.dat family_berbew behavioral2/files/0x0007000000022e0c-216.dat family_berbew behavioral2/files/0x0007000000022e0c-218.dat family_berbew behavioral2/files/0x0007000000022e18-224.dat family_berbew behavioral2/files/0x0007000000022e18-226.dat family_berbew behavioral2/files/0x0008000000022de8-227.dat family_berbew behavioral2/files/0x0008000000022de8-232.dat family_berbew behavioral2/files/0x0008000000022de8-234.dat family_berbew behavioral2/files/0x0006000000022e33-240.dat family_berbew behavioral2/files/0x0006000000022e33-241.dat family_berbew behavioral2/files/0x0006000000022e35-248.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3784 Jcllonma.exe 1912 Kdqejn32.exe 2304 Fibojhim.exe 4636 Mjpbam32.exe 824 Cobkhb32.exe 3064 Gmggfp32.exe 2084 Gfokoelp.exe 1092 Gdcliikj.exe 1232 Gkmdecbg.exe 4052 Hdehni32.exe 3212 Hmbfbn32.exe 924 Hiiggoaf.exe 1968 Hdokdg32.exe 2284 Ikkpgafg.exe 4828 Iciaqc32.exe 2232 Jdmgfedl.exe 2916 Aolblopj.exe 1084 Anaomkdb.exe 4432 Aoalgn32.exe 384 Bnfihkqm.exe 4272 Bhbcfbjk.exe 4100 Ckclhn32.exe 3980 Cdlqqcnl.exe 696 Cfkmkf32.exe 3808 Ckhecmcf.exe 2456 Cbbnpg32.exe 3876 Ckmonl32.exe 3316 Cbfgkffn.exe 4464 Dmohno32.exe 788 Dmadco32.exe 1680 Dnbakghm.exe 3740 Dflfac32.exe 2056 Dfnbgc32.exe 644 Ekkkoj32.exe 2360 Eecphp32.exe 2748 Eoideh32.exe 1100 Eiahnnph.exe 2548 Ebimgcfi.exe 4232 Ekaapi32.exe 4716 Gfeaopqo.exe 2920 Gnqfcbnj.exe 5088 Gifkpknp.exe 4292 Gncchb32.exe 3696 Glgcbf32.exe 5056 Gikdkj32.exe 1940 Gbchdp32.exe 2216 Gmimai32.exe 720 Gbeejp32.exe 5004 Hmkigh32.exe 2580 Hfcnpn32.exe 2492 Hplbickp.exe 4300 Hidgai32.exe 2212 Hemdlj32.exe 1836 Hpchib32.exe 392 Iliinc32.exe 4928 Ifomll32.exe 2800 Iojbpo32.exe 4836 Ilnbicff.exe 2928 Iibccgep.exe 1072 Igfclkdj.exe 4256 Ipoheakj.exe 820 Jocefm32.exe 4548 Jiiicf32.exe 4304 Jofalmmp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ibgkgjnj.dll Ejdhcjpl.exe File created C:\Windows\SysWOW64\Fnollh32.dll Eaegqc32.exe File created C:\Windows\SysWOW64\Mjnnjedj.dll Lbgcch32.exe File created C:\Windows\SysWOW64\Npjelo32.exe Njploeoi.exe File created C:\Windows\SysWOW64\Ehjdejkj.exe Ebplhp32.exe File created C:\Windows\SysWOW64\Baekjn32.dll Hodgei32.exe File opened for modification C:\Windows\SysWOW64\Hnmnpano.exe Hgcfcg32.exe File created C:\Windows\SysWOW64\Njhgbp32.exe Npbceggm.exe File created C:\Windows\SysWOW64\Dgfpihkg.dll Omdppiif.exe File opened for modification C:\Windows\SysWOW64\Galfhpmf.exe Gkbnkfei.exe File created C:\Windows\SysWOW64\Algbfo32.exe Aaanif32.exe File created C:\Windows\SysWOW64\Dbhida32.dll Jhdlbp32.exe File opened for modification C:\Windows\SysWOW64\Ceppfbef.exe Ccacjgfb.exe File opened for modification C:\Windows\SysWOW64\Eckogc32.exe Ejbknnid.exe File created C:\Windows\SysWOW64\Jllimj32.dll Ceoillaj.exe File opened for modification C:\Windows\SysWOW64\Ekaapi32.exe Ebimgcfi.exe File created C:\Windows\SysWOW64\Bgagea32.dll Nfohgqlg.exe File created C:\Windows\SysWOW64\Gbkkik32.exe Gicgpelg.exe File created C:\Windows\SysWOW64\Oiohgjga.dll Icjengld.exe File created C:\Windows\SysWOW64\Cgeqej32.dll Qmkanmel.exe File opened for modification C:\Windows\SysWOW64\Dnkbcp32.exe Decmjjie.exe File created C:\Windows\SysWOW64\Ohcdlepj.dll Hhmdeink.exe File created C:\Windows\SysWOW64\Hfoflj32.exe Habndbpf.exe File created C:\Windows\SysWOW64\Nfcabp32.exe Nagiji32.exe File created C:\Windows\SysWOW64\Eoepebho.exe Dhgonidg.exe File opened for modification C:\Windows\SysWOW64\Hifmmb32.exe Hnphoj32.exe File opened for modification C:\Windows\SysWOW64\Nncoaq32.exe Lokldg32.exe File created C:\Windows\SysWOW64\Mhokhn32.dll Gaglma32.exe File created C:\Windows\SysWOW64\Aqpcbbed.dll Knphfklg.exe File created C:\Windows\SysWOW64\Jhdlbp32.exe Jajdff32.exe File created C:\Windows\SysWOW64\Hfmpchij.dll Boldcj32.exe File created C:\Windows\SysWOW64\Eklikcef.dll Glgcbf32.exe File created C:\Windows\SysWOW64\Pnogfchm.dll Ngnppfgb.exe File opened for modification C:\Windows\SysWOW64\Lfqjhmhk.exe Lmheph32.exe File created C:\Windows\SysWOW64\Emlgedge.exe Ejmkiiha.exe File created C:\Windows\SysWOW64\Onhhkb32.exe Ocbdni32.exe File created C:\Windows\SysWOW64\Qqdqilph.exe Qjjhla32.exe File opened for modification C:\Windows\SysWOW64\Kinefp32.exe Kgphje32.exe File opened for modification C:\Windows\SysWOW64\Abpcicpi.exe Alfkli32.exe File created C:\Windows\SysWOW64\Dnadmp32.dll Ckladcoa.exe File opened for modification C:\Windows\SysWOW64\Hihbco32.exe Hbnjfefo.exe File created C:\Windows\SysWOW64\Ekaapi32.exe Ebimgcfi.exe File created C:\Windows\SysWOW64\Hholim32.dll Jcmkjeko.exe File opened for modification C:\Windows\SysWOW64\Anqfepaj.exe Akbjidbf.exe File opened for modification C:\Windows\SysWOW64\Fcbehbim.exe Ehjdejkj.exe File created C:\Windows\SysWOW64\Fcjpffmj.dll Foifmcoa.exe File created C:\Windows\SysWOW64\Colfpace.exe Chbncg32.exe File created C:\Windows\SysWOW64\Gggnif32.dll Icbpkg32.exe File created C:\Windows\SysWOW64\Pogmdm32.dll Onhhkb32.exe File created C:\Windows\SysWOW64\Gbeejp32.exe Gmimai32.exe File opened for modification C:\Windows\SysWOW64\Cglbhhga.exe Coqncejg.exe File created C:\Windows\SysWOW64\Anhcpeon.exe Ababkdij.exe File created C:\Windows\SysWOW64\Qhdpkoii.dll Glinjqhb.exe File created C:\Windows\SysWOW64\Gnfhob32.exe Gglpbh32.exe File created C:\Windows\SysWOW64\Aqilaplo.exe Agqhik32.exe File created C:\Windows\SysWOW64\Nifele32.exe Ndjldo32.exe File opened for modification C:\Windows\SysWOW64\Faqflb32.exe Fnbjpf32.exe File created C:\Windows\SysWOW64\Hjhfgi32.exe Hcnnjoam.exe File created C:\Windows\SysWOW64\Hdokdg32.exe Hiiggoaf.exe File created C:\Windows\SysWOW64\Gmimai32.exe Gbchdp32.exe File created C:\Windows\SysWOW64\Ilnbicff.exe Iojbpo32.exe File created C:\Windows\SysWOW64\Nfohgqlg.exe Npepkf32.exe File created C:\Windows\SysWOW64\Olgbff32.dll Edgkif32.exe File created C:\Windows\SysWOW64\Pfmbaplc.dll Bminokil.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cebllbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afcafo32.dll" Fcbehbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nngoddkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpocpj32.dll" Jjemle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbkeacqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clldhljp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdbiphhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlknbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdfopf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcpkeef.dll" Mnochl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padjnado.dll" Hihbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beobcdoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alioloje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll" Dnmaea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbnhoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djbbhafj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhglhbni.dll" Fiheheka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofmbkipk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcepbooa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jofalmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbbnbkpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccldb32.dll" Hgliie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hakidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knmkak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdkcnklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeglbeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhbnh32.dll" Djklgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioechgii.dll" Cmdhnhkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhhaclqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghadjkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpibmbek.dll" Lkjoqnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edldoc32.dll" Fqjolfda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcabgfeb.dll" Nenjng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdhkchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbjcd32.dll" Bqdechnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hppeim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nojeqbeo.dll" Bkdqdokk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgbhdkml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dalkek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpnncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnmnpano.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll" Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll" Hhfpbpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljdkll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lflpmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omnpee32.dll" Gmhfbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkncp32.dll" Kinefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkopmg32.dll" Pnakaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minqeaad.dll" Kcbfcigf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacdlf32.dll" Inflio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Momqblgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbockiaj.dll" Ebplhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcgmiiii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iajdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feggihah.dll" Dcqmpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceoillaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbaphl.dll" Ibijbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nconal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfibfmmi.dll" Ifdohl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjicplp.dll" Pphckb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2772 wrote to memory of 3784 2772 NEAS.f27fa0a6e3e6fc05f343a699a41868d4_JC.exe 88 PID 2772 wrote to memory of 3784 2772 NEAS.f27fa0a6e3e6fc05f343a699a41868d4_JC.exe 88 PID 2772 wrote to memory of 3784 2772 NEAS.f27fa0a6e3e6fc05f343a699a41868d4_JC.exe 88 PID 3784 wrote to memory of 1912 3784 Jcllonma.exe 89 PID 3784 wrote to memory of 1912 3784 Jcllonma.exe 89 PID 3784 wrote to memory of 1912 3784 Jcllonma.exe 89 PID 1912 wrote to memory of 2304 1912 Kdqejn32.exe 91 PID 1912 wrote to memory of 2304 1912 Kdqejn32.exe 91 PID 1912 wrote to memory of 2304 1912 Kdqejn32.exe 91 PID 2304 wrote to memory of 4636 2304 Fibojhim.exe 92 PID 2304 wrote to memory of 4636 2304 Fibojhim.exe 92 PID 2304 wrote to memory of 4636 2304 Fibojhim.exe 92 PID 4636 wrote to memory of 824 4636 Mjpbam32.exe 94 PID 4636 wrote to memory of 824 4636 Mjpbam32.exe 94 PID 4636 wrote to memory of 824 4636 Mjpbam32.exe 94 PID 824 wrote to memory of 3064 824 Cobkhb32.exe 95 PID 824 wrote to memory of 3064 824 Cobkhb32.exe 95 PID 824 wrote to memory of 3064 824 Cobkhb32.exe 95 PID 3064 wrote to memory of 2084 3064 Gmggfp32.exe 96 PID 3064 wrote to memory of 2084 3064 Gmggfp32.exe 96 PID 3064 wrote to memory of 2084 3064 Gmggfp32.exe 96 PID 2084 wrote to memory of 1092 2084 Gfokoelp.exe 98 PID 2084 wrote to memory of 1092 2084 Gfokoelp.exe 98 PID 2084 wrote to memory of 1092 2084 Gfokoelp.exe 98 PID 1092 wrote to memory of 1232 1092 Gdcliikj.exe 97 PID 1092 wrote to memory of 1232 1092 Gdcliikj.exe 97 PID 1092 wrote to memory of 1232 1092 Gdcliikj.exe 97 PID 1232 wrote to memory of 4052 1232 Gkmdecbg.exe 100 PID 1232 wrote to memory of 4052 1232 Gkmdecbg.exe 100 PID 1232 wrote to memory of 4052 1232 Gkmdecbg.exe 100 PID 4052 wrote to memory of 3212 4052 Hdehni32.exe 101 PID 4052 wrote to memory of 3212 4052 Hdehni32.exe 101 PID 4052 wrote to memory of 3212 4052 Hdehni32.exe 101 PID 3212 wrote to memory of 924 3212 Hmbfbn32.exe 102 PID 3212 wrote to memory of 924 3212 Hmbfbn32.exe 102 PID 3212 wrote to memory of 924 3212 Hmbfbn32.exe 102 PID 924 wrote to memory of 1968 924 Hiiggoaf.exe 103 PID 924 wrote to memory of 1968 924 Hiiggoaf.exe 103 PID 924 wrote to memory of 1968 924 Hiiggoaf.exe 103 PID 1968 wrote to memory of 2284 1968 Hdokdg32.exe 104 PID 1968 wrote to memory of 2284 1968 Hdokdg32.exe 104 PID 1968 wrote to memory of 2284 1968 Hdokdg32.exe 104 PID 2284 wrote to memory of 4828 2284 Ikkpgafg.exe 105 PID 2284 wrote to memory of 4828 2284 Ikkpgafg.exe 105 PID 2284 wrote to memory of 4828 2284 Ikkpgafg.exe 105 PID 4828 wrote to memory of 2232 4828 Iciaqc32.exe 106 PID 4828 wrote to memory of 2232 4828 Iciaqc32.exe 106 PID 4828 wrote to memory of 2232 4828 Iciaqc32.exe 106 PID 2232 wrote to memory of 2916 2232 Jdmgfedl.exe 107 PID 2232 wrote to memory of 2916 2232 Jdmgfedl.exe 107 PID 2232 wrote to memory of 2916 2232 Jdmgfedl.exe 107 PID 2916 wrote to memory of 1084 2916 Aolblopj.exe 108 PID 2916 wrote to memory of 1084 2916 Aolblopj.exe 108 PID 2916 wrote to memory of 1084 2916 Aolblopj.exe 108 PID 1084 wrote to memory of 4432 1084 Anaomkdb.exe 109 PID 1084 wrote to memory of 4432 1084 Anaomkdb.exe 109 PID 1084 wrote to memory of 4432 1084 Anaomkdb.exe 109 PID 4432 wrote to memory of 384 4432 Aoalgn32.exe 110 PID 4432 wrote to memory of 384 4432 Aoalgn32.exe 110 PID 4432 wrote to memory of 384 4432 Aoalgn32.exe 110 PID 384 wrote to memory of 4272 384 Bnfihkqm.exe 111 PID 384 wrote to memory of 4272 384 Bnfihkqm.exe 111 PID 384 wrote to memory of 4272 384 Bnfihkqm.exe 111 PID 4272 wrote to memory of 4100 4272 Bhbcfbjk.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f27fa0a6e3e6fc05f343a699a41868d4_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f27fa0a6e3e6fc05f343a699a41868d4_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Jdmgfedl.exeC:\Windows\system32\Jdmgfedl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Ckclhn32.exeC:\Windows\system32\Ckclhn32.exe14⤵
- Executes dropped EXE
- Modifies registry class
PID:4100 -
C:\Windows\SysWOW64\Cdlqqcnl.exeC:\Windows\system32\Cdlqqcnl.exe15⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe16⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe17⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Cbbnpg32.exeC:\Windows\system32\Cbbnpg32.exe18⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe20⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Dmadco32.exeC:\Windows\system32\Dmadco32.exe22⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Dnbakghm.exeC:\Windows\system32\Dnbakghm.exe23⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe24⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe25⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe26⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe27⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe28⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe29⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe31⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe33⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe34⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe35⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3696 -
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe37⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe40⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Hmkigh32.exeC:\Windows\system32\Hmkigh32.exe41⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe42⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe43⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Hidgai32.exeC:\Windows\system32\Hidgai32.exe44⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Hemdlj32.exeC:\Windows\system32\Hemdlj32.exe45⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Hpchib32.exeC:\Windows\system32\Hpchib32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe47⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe48⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe50⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe51⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Igfclkdj.exeC:\Windows\system32\Igfclkdj.exe52⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe53⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Jocefm32.exeC:\Windows\system32\Jocefm32.exe54⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe55⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Jofalmmp.exeC:\Windows\system32\Jofalmmp.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4304 -
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe57⤵PID:1696
-
C:\Windows\SysWOW64\Jcdjbk32.exeC:\Windows\system32\Jcdjbk32.exe58⤵PID:3104
-
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe59⤵PID:2692
-
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe60⤵PID:3520
-
C:\Windows\SysWOW64\Kpjgaoqm.exeC:\Windows\system32\Kpjgaoqm.exe61⤵PID:892
-
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe62⤵PID:4568
-
C:\Windows\SysWOW64\Kgflcifg.exeC:\Windows\system32\Kgflcifg.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:440 -
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe64⤵PID:4456
-
C:\Windows\SysWOW64\Kcmmhj32.exeC:\Windows\system32\Kcmmhj32.exe65⤵PID:4552
-
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe66⤵PID:5164
-
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe67⤵PID:5200
-
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe68⤵PID:5244
-
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Lgbloglj.exeC:\Windows\system32\Lgbloglj.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Lqkqhm32.exeC:\Windows\system32\Lqkqhm32.exe71⤵PID:5380
-
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe72⤵PID:5424
-
C:\Windows\SysWOW64\Lopmii32.exeC:\Windows\system32\Lopmii32.exe73⤵PID:5468
-
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe74⤵PID:5512
-
C:\Windows\SysWOW64\Lgibpf32.exeC:\Windows\system32\Lgibpf32.exe75⤵PID:5552
-
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe76⤵PID:5596
-
C:\Windows\SysWOW64\Mjjkaabc.exeC:\Windows\system32\Mjjkaabc.exe77⤵PID:5640
-
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe78⤵PID:5680
-
C:\Windows\SysWOW64\Mjlhgaqp.exeC:\Windows\system32\Mjlhgaqp.exe79⤵PID:5724
-
C:\Windows\SysWOW64\Mqimikfj.exeC:\Windows\system32\Mqimikfj.exe80⤵PID:5776
-
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe81⤵PID:5824
-
C:\Windows\SysWOW64\Mqkiok32.exeC:\Windows\system32\Mqkiok32.exe82⤵PID:5868
-
C:\Windows\SysWOW64\Mjcngpjh.exeC:\Windows\system32\Mjcngpjh.exe83⤵PID:5916
-
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe84⤵PID:5960
-
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe85⤵
- Drops file in System32 directory
PID:5996 -
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe86⤵PID:6044
-
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe87⤵
- Drops file in System32 directory
PID:6084 -
C:\Windows\SysWOW64\Nfohgqlg.exeC:\Windows\system32\Nfohgqlg.exe88⤵
- Drops file in System32 directory
PID:6124 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe89⤵PID:3372
-
C:\Windows\SysWOW64\Njmqnobn.exeC:\Windows\system32\Njmqnobn.exe90⤵PID:5188
-
C:\Windows\SysWOW64\Nagiji32.exeC:\Windows\system32\Nagiji32.exe91⤵
- Drops file in System32 directory
PID:5252 -
C:\Windows\SysWOW64\Nfcabp32.exeC:\Windows\system32\Nfcabp32.exe92⤵PID:5316
-
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe94⤵PID:5416
-
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe95⤵PID:5488
-
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe96⤵PID:5560
-
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe97⤵PID:5576
-
C:\Windows\SysWOW64\Ofkgcobj.exeC:\Windows\system32\Ofkgcobj.exe98⤵PID:5628
-
C:\Windows\SysWOW64\Omdppiif.exeC:\Windows\system32\Omdppiif.exe99⤵
- Drops file in System32 directory
PID:5692 -
C:\Windows\SysWOW64\Ogjdmbil.exeC:\Windows\system32\Ogjdmbil.exe100⤵PID:5760
-
C:\Windows\SysWOW64\Omgmeigd.exeC:\Windows\system32\Omgmeigd.exe101⤵PID:5860
-
C:\Windows\SysWOW64\Pfoann32.exeC:\Windows\system32\Pfoann32.exe102⤵PID:5924
-
C:\Windows\SysWOW64\Paeelgnj.exeC:\Windows\system32\Paeelgnj.exe103⤵PID:5992
-
C:\Windows\SysWOW64\Pfandnla.exeC:\Windows\system32\Pfandnla.exe104⤵PID:6080
-
C:\Windows\SysWOW64\Pagbaglh.exeC:\Windows\system32\Pagbaglh.exe105⤵PID:6136
-
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe106⤵PID:5144
-
C:\Windows\SysWOW64\Pplobcpp.exeC:\Windows\system32\Pplobcpp.exe107⤵PID:5308
-
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe108⤵PID:5348
-
C:\Windows\SysWOW64\Pmblagmf.exeC:\Windows\system32\Pmblagmf.exe109⤵PID:5436
-
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe110⤵PID:5548
-
C:\Windows\SysWOW64\Qmeigg32.exeC:\Windows\system32\Qmeigg32.exe111⤵PID:5632
-
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe112⤵PID:5720
-
C:\Windows\SysWOW64\Qjiipk32.exeC:\Windows\system32\Qjiipk32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5816 -
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe114⤵PID:5944
-
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe115⤵PID:6040
-
C:\Windows\SysWOW64\Aphnnafb.exeC:\Windows\system32\Aphnnafb.exe116⤵
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Amlogfel.exeC:\Windows\system32\Amlogfel.exe117⤵PID:5232
-
C:\Windows\SysWOW64\Adfgdpmi.exeC:\Windows\system32\Adfgdpmi.exe118⤵PID:5372
-
C:\Windows\SysWOW64\Aokkahlo.exeC:\Windows\system32\Aokkahlo.exe119⤵PID:4440
-
C:\Windows\SysWOW64\Apmhiq32.exeC:\Windows\system32\Apmhiq32.exe120⤵PID:5688
-
C:\Windows\SysWOW64\Aggpfkjj.exeC:\Windows\system32\Aggpfkjj.exe121⤵PID:5912
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-