Analysis
max time kernel: 163s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2023, 01:05
Behavioral task: behavioral1
Sample: NEAS.f33cba47719d3b4fd2f5a443570a1a30_JC.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.f33cba47719d3b4fd2f5a443570a1a30_JC.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.f33cba47719d3b4fd2f5a443570a1a30_JC.exe
Size: 404KB
MD5: f33cba47719d3b4fd2f5a443570a1a30
SHA1: f9677ef00afe7f47174027a6a59e120daf7d0e85
SHA256: 14f0c4e49ef84716b9b6aa8119c406bf3e2938e8eaf88c7e8bea646dcdda4f8d
SHA512: 7b7b53022d8d75046d6f4f6648d3891f73f5c42b757014a05ade0733adc8fa5afef0acbbd755bf833d3032fcf87743cd4293010772e62d95258c4c6af145db75
SSDEEP: 6144:ZqtfkLOVENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836S5:Zqtf4ZwcMpV6yYP4rbpV6yYPg058KS
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opmaaodc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlnijmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oidhehcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elgohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbcmhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkbddo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejojljqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Galonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npcokpln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcndlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkehdnee.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iiaein32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oobfhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcpjgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibncmpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khfdlnab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bomppneg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlqljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kibmqond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjpppbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhlpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajaelc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaldngqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcefgeif.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqfeag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcmhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnfgmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmjfpco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ookhfigk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkcdfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpjbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajgekol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiohnek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iifmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlhqll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbhool32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipilmgh.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpagdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkieab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpejec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnjecp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cknlln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghfnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Neeifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npabeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oegejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekoddodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmgmonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web 
Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpdefc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgjfgef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkinmlnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anccjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjqhcno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anijjkbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdjpcng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdaajkfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gldgflba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbdmfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apcllk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qnopjfgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkchpoka.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbpmhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icdmqg32.exe
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0009000000022ca1-7.dat family_berbew behavioral2/files/0x0009000000022ca1-9.dat family_berbew behavioral2/files/0x0008000000022cb2-15.dat family_berbew behavioral2/files/0x0008000000022cb2-17.dat family_berbew behavioral2/files/0x0006000000022cc8-18.dat family_berbew behavioral2/files/0x0006000000022cc8-23.dat family_berbew behavioral2/files/0x0006000000022cc8-25.dat family_berbew behavioral2/files/0x0006000000022cca-31.dat family_berbew behavioral2/files/0x0006000000022cca-33.dat family_berbew behavioral2/files/0x0006000000022ccc-39.dat family_berbew behavioral2/files/0x0006000000022ccc-41.dat family_berbew behavioral2/files/0x0006000000022cce-42.dat family_berbew behavioral2/files/0x0006000000022cce-47.dat family_berbew behavioral2/files/0x0006000000022cce-48.dat family_berbew behavioral2/files/0x0006000000022cd0-55.dat family_berbew behavioral2/files/0x0006000000022cd0-57.dat family_berbew behavioral2/files/0x0006000000022cd2-63.dat family_berbew behavioral2/files/0x0006000000022cd2-65.dat family_berbew behavioral2/files/0x0006000000022cd4-71.dat family_berbew behavioral2/files/0x0006000000022cd4-73.dat family_berbew behavioral2/files/0x0006000000022cd4-67.dat family_berbew behavioral2/files/0x0006000000022cd6-79.dat family_berbew behavioral2/files/0x0006000000022cd6-81.dat family_berbew behavioral2/files/0x0006000000022cd8-87.dat family_berbew behavioral2/files/0x0006000000022cd8-90.dat family_berbew behavioral2/files/0x0006000000022cda-91.dat family_berbew behavioral2/files/0x0006000000022cda-98.dat family_berbew behavioral2/files/0x0006000000022cda-96.dat family_berbew behavioral2/files/0x0006000000022cdc-105.dat family_berbew behavioral2/files/0x0006000000022cdc-107.dat family_berbew behavioral2/files/0x0006000000022cde-109.dat family_berbew behavioral2/files/0x0006000000022cde-114.dat family_berbew behavioral2/files/0x0006000000022cde-116.dat family_berbew behavioral2/files/0x0006000000022ce0-123.dat family_berbew 
behavioral2/files/0x0006000000022ce0-126.dat family_berbew behavioral2/files/0x0006000000022ce2-127.dat family_berbew behavioral2/files/0x0006000000022ce2-134.dat family_berbew behavioral2/files/0x0006000000022ce2-132.dat family_berbew behavioral2/files/0x0006000000022ce4-140.dat family_berbew behavioral2/files/0x0006000000022ce4-143.dat family_berbew behavioral2/files/0x0006000000022ce6-150.dat family_berbew behavioral2/files/0x0006000000022ce6-153.dat family_berbew behavioral2/files/0x0006000000022ce8-154.dat family_berbew behavioral2/files/0x0006000000022ce8-159.dat family_berbew behavioral2/files/0x0006000000022ce8-161.dat family_berbew behavioral2/files/0x0006000000022cec-168.dat family_berbew behavioral2/files/0x0006000000022cec-171.dat family_berbew behavioral2/files/0x0006000000022cef-177.dat family_berbew behavioral2/files/0x0006000000022cef-179.dat family_berbew behavioral2/files/0x0006000000022cf1-186.dat family_berbew behavioral2/files/0x0006000000022cf1-188.dat family_berbew behavioral2/files/0x0007000000022cf4-195.dat family_berbew behavioral2/files/0x0007000000022cf4-196.dat family_berbew behavioral2/files/0x0006000000022cff-206.dat family_berbew behavioral2/files/0x0006000000022cff-204.dat family_berbew behavioral2/files/0x0006000000022d02-212.dat family_berbew behavioral2/files/0x0006000000022d02-215.dat family_berbew behavioral2/files/0x0007000000022cf9-220.dat family_berbew behavioral2/files/0x0007000000022cf9-223.dat family_berbew behavioral2/files/0x0007000000022cfb-230.dat family_berbew behavioral2/files/0x0007000000022cfb-232.dat family_berbew behavioral2/files/0x0006000000022d04-233.dat family_berbew behavioral2/files/0x0006000000022d04-241.dat family_berbew behavioral2/files/0x0006000000022d04-239.dat family_berbew
Executes dropped EXE 64 IoCs
pid Process 2792 Jbccge32.exe 224 Lebijnak.exe 3832 Lakfeodm.exe 4188 Mcdeeq32.exe 3068 Nfqnbjfi.exe 1348 Ppdbgncl.exe 2884 Pbjddh32.exe 2492 Amikgpcc.exe 340 Acccdj32.exe 3060 Ajaelc32.exe 220 Bfmolc32.exe 780 Cdjblf32.exe 3556 Dahfkimd.exe 2164 Ejojljqa.exe 4852 Fggdpnkf.exe 1584 Fklcgk32.exe 4352 Gnfooe32.exe 4428 Hbiapb32.exe 3124 Igjbci32.exe 5108 Jaqcnl32.exe 1444 Khabke32.exe 4272 Kdhbpf32.exe 4928 Kejloi32.exe 4752 Lbhool32.exe 4688 Mcoepkdo.exe 3872 Mccokj32.exe 5032 Nooikj32.exe 2860 Ookhfigk.exe 4776 Qckfid32.exe 4200 Qcncodki.exe 2376 Abgjkpll.exe 2812 Bboplo32.exe 208 Cdebfago.exe 2656 Cehlcikj.exe 4720 Cemeoh32.exe 2740 Dinjjf32.exe 1084 Edakimoo.exe 5016 Fpoaom32.exe 3292 Fnglcqio.exe 2988 Gdfmkjlg.exe 2672 Gckjlf32.exe 4764 Hfnpca32.exe 3472 Khfdlnab.exe 3672 Kejeebpl.exe 3560 Kjfmminc.exe 1064 Kaqejcep.exe 1032 Lennpb32.exe 1232 Lmnlpcel.exe 2980 Lhdqml32.exe 3252 Mkicjgnn.exe 2524 Meoggpmd.exe 1036 Mklpof32.exe 4496 Oeopnmoa.exe 3700 Ohbfeh32.exe 2696 Pdgckg32.exe 2228 Qnbdjl32.exe 2892 Agjhbbob.exe 5020 Afkipi32.exe 3500 Adqeaf32.exe 2536 Anijjkbj.exe 1608 Agaoca32.exe 2876 Bomppneg.exe 2964 Bfghlhmd.exe 2248 Cpmifkgd.exe
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dnghhqdk.exe Dendok32.exe File opened for modification C:\Windows\SysWOW64\Hplimpdi.exe Hibape32.exe File created C:\Windows\SysWOW64\Cnjjednc.dll Ajlpepbi.exe File created C:\Windows\SysWOW64\Bbecnipp.exe Aaldngqg.exe File opened for modification C:\Windows\SysWOW64\Amhlpb32.exe Ahkdhk32.exe File created C:\Windows\SysWOW64\Cpmbkm32.dll Fkehdnee.exe File opened for modification C:\Windows\SysWOW64\Gahcgg32.exe Focakm32.exe File opened for modification C:\Windows\SysWOW64\Pcffoben.exe Ogklob32.exe File created C:\Windows\SysWOW64\Jcefgeif.exe Jecejm32.exe File opened for modification C:\Windows\SysWOW64\Gmqgjl32.exe Ghdoae32.exe File created C:\Windows\SysWOW64\Oeobfc32.dll Jkdcffci.exe File created C:\Windows\SysWOW64\Phmhgmpc.exe Odooqo32.exe File opened for modification C:\Windows\SysWOW64\Nbkoeb32.exe Mhqngm32.exe File created C:\Windows\SysWOW64\Fqgelfgf.dll Fefcgh32.exe File created C:\Windows\SysWOW64\Pknhff32.dll Hoakpi32.exe File opened for modification C:\Windows\SysWOW64\Eolhlh32.exe Cdoegcfl.exe File created C:\Windows\SysWOW64\Ekglfk32.dll Fpagdj32.exe File opened for modification C:\Windows\SysWOW64\Oloaamqf.exe Oeehdcij.exe File created C:\Windows\SysWOW64\Jllmml32.exe Iohlcg32.exe File created C:\Windows\SysWOW64\Diclff32.exe Dfbcek32.exe File created C:\Windows\SysWOW64\Cbhdcl32.dll Jhkbnbhd.exe File opened for modification C:\Windows\SysWOW64\Kaflio32.exe Kjlcmdbb.exe File opened for modification C:\Windows\SysWOW64\Pjoknhbe.exe Pacfjfej.exe File created C:\Windows\SysWOW64\Odkaac32.exe Onaieifh.exe File opened for modification C:\Windows\SysWOW64\Ojjfpjjj.exe Odnngclb.exe File opened for modification C:\Windows\SysWOW64\Jndmgn32.exe Jelioh32.exe File opened for modification C:\Windows\SysWOW64\Kjeiij32.exe Kpldpddh.exe File created C:\Windows\SysWOW64\Jldbiabp.exe Jejjlg32.exe File created C:\Windows\SysWOW64\Hpafpn32.dll Mckbhg32.exe File created C:\Windows\SysWOW64\Kfdqfbai.dll 
Eelpqi32.exe File created C:\Windows\SysWOW64\Hfkdkqeo.exe Galonj32.exe File opened for modification C:\Windows\SysWOW64\Bepeph32.exe Bglefdke.exe File created C:\Windows\SysWOW64\Bdkmeh32.dll Jnkchmdl.exe File opened for modification C:\Windows\SysWOW64\Jpenoe32.exe Jgmjfpco.exe File created C:\Windows\SysWOW64\Bnaffdfc.exe Bdiamnpc.exe File created C:\Windows\SysWOW64\Akpbae32.dll Kflink32.exe File opened for modification C:\Windows\SysWOW64\Kjccna32.exe Kqknekjf.exe File created C:\Windows\SysWOW64\Ekkkip32.exe Engjol32.exe File created C:\Windows\SysWOW64\Kpldpddh.exe Kfgpblda.exe File created C:\Windows\SysWOW64\Icfediio.exe Ijnqld32.exe File created C:\Windows\SysWOW64\Oegejc32.exe Oloaamqf.exe File opened for modification C:\Windows\SysWOW64\Adanbffk.exe Afmmibga.exe File opened for modification C:\Windows\SysWOW64\Bfghlhmd.exe Bomppneg.exe File created C:\Windows\SysWOW64\Opglcn32.dll Apcllk32.exe File opened for modification C:\Windows\SysWOW64\Khbpndnp.exe Kbigajfc.exe File opened for modification C:\Windows\SysWOW64\Ildkpiqo.exe Ifgbhbbh.exe File created C:\Windows\SysWOW64\Bglefdke.exe Amfqikko.exe File opened for modification C:\Windows\SysWOW64\Hbiapb32.exe Gnfooe32.exe File opened for modification C:\Windows\SysWOW64\Ghjhofjg.exe Ggilgn32.exe File created C:\Windows\SysWOW64\Lgccdbdj.dll Knbaoh32.exe File created C:\Windows\SysWOW64\Ngjdppnh.dll Addahh32.exe File created C:\Windows\SysWOW64\Linojbdc.exe Lnbdlkje.exe File created C:\Windows\SysWOW64\Ohnhfn32.dll Jecejm32.exe File opened for modification C:\Windows\SysWOW64\Kdhbpf32.exe Khabke32.exe File opened for modification C:\Windows\SysWOW64\Paioplob.exe Pjofcb32.exe File created C:\Windows\SysWOW64\Fhalcm32.exe Ejmkiiha.exe File opened for modification C:\Windows\SysWOW64\Ggldde32.exe Gablgk32.exe File opened for modification C:\Windows\SysWOW64\Meiabh32.exe Mlqljb32.exe File created C:\Windows\SysWOW64\Kodpln32.dll Mlbbel32.exe File created C:\Windows\SysWOW64\Bohbackj.exe Badaholq.exe File 
created C:\Windows\SysWOW64\Pikdooal.dll Bfghlhmd.exe File created C:\Windows\SysWOW64\Fdepaa32.exe Fbecgned.exe File created C:\Windows\SysWOW64\Afnhan32.dll Cbmdnmdf.exe File created C:\Windows\SysWOW64\Bjmpfdhb.exe Bqdlmo32.exe
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enedio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojegojfc.dll" Icfediio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domabi32.dll" Cfdgcmqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpldpddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndolnm32.dll" Gablgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncfdbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpnbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejlopmhl.dll" Kdipce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfjpppbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cncdkbdj.dll" Qdldgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kciaqi32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kibmqond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hibape32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhghjpod.dll" Opdiobod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpefa32.dll" Phmhgmpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkgekock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fggdpnkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlogfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lipmoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocecgfb.dll" Njjdae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflhqe32.dll" Gnhifonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfdocib.dll" Kjccna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffqhmf32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efiagido.dll" Obgofmjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cknlln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfmolc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Alqjiohm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbmdnmdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhqngm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jginej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfdqfbai.dll" Eelpqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Amibqhed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkgleegf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fligjnlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paioplob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihmeahp.dll" Cemeoh32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdiamnpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmeio32.dll" Hplimpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcahgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlfmg32.dll" Oabiak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edgkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddngdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikpjkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jejjlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kamjmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eipilmgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgqblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfoclflo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = 
"Apartment" Oloaamqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhopg32.dll" Loigap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqoddlib.dll" Dinjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnpjk32.dll" Ileflmpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpioca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elgohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qldccjno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kllhjplh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lakfodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Didjqoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjlcmdbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcealh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejglcq32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoepmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkldlgok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jijhom32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1992 wrote to memory of 2792 | 1992 | NEAS.f33cba47719d3b4fd2f5a443570a1a30_JC.exe | 89
PID 1992 wrote to memory of 2792 | 1992 | NEAS.f33cba47719d3b4fd2f5a443570a1a30_JC.exe | 89
PID 1992 wrote to memory of 2792 | 1992 | NEAS.f33cba47719d3b4fd2f5a443570a1a30_JC.exe | 89
PID 2792 wrote to memory of 224 | 2792 | Jbccge32.exe | 90
PID 2792 wrote to memory of 224 | 2792 | Jbccge32.exe | 90
PID 2792 wrote to memory of 224 | 2792 | Jbccge32.exe | 90
PID 224 wrote to memory of 3832 | 224 | Lebijnak.exe | 91
PID 224 wrote to memory of 3832 | 224 | Lebijnak.exe | 91
PID 224 wrote to memory of 3832 | 224 | Lebijnak.exe | 91
PID 3832 wrote to memory of 4188 | 3832 | Lakfeodm.exe | 92
PID 3832 wrote to memory of 4188 | 3832 | Lakfeodm.exe | 92
PID 3832 wrote to memory of 4188 | 3832 | Lakfeodm.exe | 92
PID 4188 wrote to memory of 3068 | 4188 | Mcdeeq32.exe | 93
PID 4188 wrote to memory of 3068 | 4188 | Mcdeeq32.exe | 93
PID 4188 wrote to memory of 3068 | 4188 | Mcdeeq32.exe | 93
PID 3068 wrote to memory of 1348 | 3068 | Nfqnbjfi.exe | 94
PID 3068 wrote to memory of 1348 | 3068 | Nfqnbjfi.exe | 94
PID 3068 wrote to memory of 1348 | 3068 | Nfqnbjfi.exe | 94
PID 1348 wrote to memory of 2884 | 1348 | Ppdbgncl.exe | 95
PID 1348 wrote to memory of 2884 | 1348 | Ppdbgncl.exe | 95
PID 1348 wrote to memory of 2884 | 1348 | Ppdbgncl.exe | 95
PID 2884 wrote to memory of 2492 | 2884 | Pbjddh32.exe | 96
PID 2884 wrote to memory of 2492 | 2884 | Pbjddh32.exe | 96
PID 2884 wrote to memory of 2492 | 2884 | Pbjddh32.exe | 96
PID 2492 wrote to memory of 340 | 2492 | Amikgpcc.exe | 97
PID 2492 wrote to memory of 340 | 2492 | Amikgpcc.exe | 97
PID 2492 wrote to memory of 340 | 2492 | Amikgpcc.exe | 97
PID 340 wrote to memory of 3060 | 340 | Acccdj32.exe | 98
PID 340 wrote to memory of 3060 | 340 | Acccdj32.exe | 98
PID 340 wrote to memory of 3060 | 340 | Acccdj32.exe | 98
PID 3060 wrote to memory of 220 | 3060 | Ajaelc32.exe | 99
PID 3060 wrote to memory of 220 | 3060 | Ajaelc32.exe | 99
PID 3060 wrote to memory of 220 | 3060 | Ajaelc32.exe | 99
PID 220 wrote to memory of 780 | 220 | Bfmolc32.exe | 100
PID 220 wrote to memory of 780 | 220 | Bfmolc32.exe | 100
PID 220 wrote to memory of 780 | 220 | Bfmolc32.exe | 100
PID 780 wrote to memory of 3556 | 780 | Cdjblf32.exe | 101
PID 780 wrote to memory of 3556 | 780 | Cdjblf32.exe | 101
PID 780 wrote to memory of 3556 | 780 | Cdjblf32.exe | 101
PID 3556 wrote to memory of 2164 | 3556 | Dahfkimd.exe | 102
PID 3556 wrote to memory of 2164 | 3556 | Dahfkimd.exe | 102
PID 3556 wrote to memory of 2164 | 3556 | Dahfkimd.exe | 102
PID 2164 wrote to memory of 4852 | 2164 | Ejojljqa.exe | 103
PID 2164 wrote to memory of 4852 | 2164 | Ejojljqa.exe | 103
PID 2164 wrote to memory of 4852 | 2164 | Ejojljqa.exe | 103
PID 4852 wrote to memory of 1584 | 4852 | Fggdpnkf.exe | 104
PID 4852 wrote to memory of 1584 | 4852 | Fggdpnkf.exe | 104
PID 4852 wrote to memory of 1584 | 4852 | Fggdpnkf.exe | 104
PID 1584 wrote to memory of 4352 | 1584 | Fklcgk32.exe | 105
PID 1584 wrote to memory of 4352 | 1584 | Fklcgk32.exe | 105
PID 1584 wrote to memory of 4352 | 1584 | Fklcgk32.exe | 105
PID 4352 wrote to memory of 4428 | 4352 | Gnfooe32.exe | 106
PID 4352 wrote to memory of 4428 | 4352 | Gnfooe32.exe | 106
PID 4352 wrote to memory of 4428 | 4352 | Gnfooe32.exe | 106
PID 4428 wrote to memory of 3124 | 4428 | Hbiapb32.exe | 108
PID 4428 wrote to memory of 3124 | 4428 | Hbiapb32.exe | 108
PID 4428 wrote to memory of 3124 | 4428 | Hbiapb32.exe | 108
PID 3124 wrote to memory of 5108 | 3124 | Igjbci32.exe | 110
PID 3124 wrote to memory of 5108 | 3124 | Igjbci32.exe | 110
PID 3124 wrote to memory of 5108 | 3124 | Igjbci32.exe | 110
PID 5108 wrote to memory of 1444 | 5108 | Jaqcnl32.exe | 111
PID 5108 wrote to memory of 1444 | 5108 | Jaqcnl32.exe | 111
PID 5108 wrote to memory of 1444 | 5108 | Jaqcnl32.exe | 111
PID 1444 wrote to memory of 4272 | 1444 | Khabke32.exe | 112
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.f33cba47719d3b4fd2f5a443570a1a30_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f33cba47719d3b4fd2f5a443570a1a30_JC.exe"
   PID: 1992
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Jbccge32.exe
   Command line: C:\Windows\system32\Jbccge32.exe
   PID: 2792
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lebijnak.exe
   Command line: C:\Windows\system32\Lebijnak.exe
   PID: 224
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lakfeodm.exe
   Command line: C:\Windows\system32\Lakfeodm.exe
   PID: 3832
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Mcdeeq32.exe
   Command line: C:\Windows\system32\Mcdeeq32.exe
   PID: 4188
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Nfqnbjfi.exe
   Command line: C:\Windows\system32\Nfqnbjfi.exe
   PID: 3068
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ppdbgncl.exe
   Command line: C:\Windows\system32\Ppdbgncl.exe
   PID: 1348
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Pbjddh32.exe
   Command line: C:\Windows\system32\Pbjddh32.exe
   PID: 2884
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Amikgpcc.exe
   Command line: C:\Windows\system32\Amikgpcc.exe
   PID: 2492
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Acccdj32.exe
   Command line: C:\Windows\system32\Acccdj32.exe
   PID: 340
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ajaelc32.exe
   Command line: C:\Windows\system32\Ajaelc32.exe
   PID: 3060
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Bfmolc32.exe
   Command line: C:\Windows\system32\Bfmolc32.exe
   PID: 220
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Cdjblf32.exe
   Command line: C:\Windows\system32\Cdjblf32.exe
   PID: 780
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Dahfkimd.exe
   Command line: C:\Windows\system32\Dahfkimd.exe
   PID: 3556
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ejojljqa.exe
   Command line: C:\Windows\system32\Ejojljqa.exe
   PID: 2164
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Fggdpnkf.exe
   Command line: C:\Windows\system32\Fggdpnkf.exe
   PID: 4852
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Fklcgk32.exe
   Command line: C:\Windows\system32\Fklcgk32.exe
   PID: 1584
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Gnfooe32.exe
   Command line: C:\Windows\system32\Gnfooe32.exe
   PID: 4352
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Hbiapb32.exe
   Command line: C:\Windows\system32\Hbiapb32.exe
   PID: 4428
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Igjbci32.exe
   Command line: C:\Windows\system32\Igjbci32.exe
   PID: 3124
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Jaqcnl32.exe
   Command line: C:\Windows\system32\Jaqcnl32.exe
   PID: 5108
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Khabke32.exe
   Command line: C:\Windows\system32\Khabke32.exe
   PID: 1444
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Kdhbpf32.exe
   Command line: C:\Windows\system32\Kdhbpf32.exe
   PID: 4272
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Kejloi32.exe
   Command line: C:\Windows\system32\Kejloi32.exe
   PID: 4928
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Lbhool32.exe
   Command line: C:\Windows\system32\Lbhool32.exe
   PID: 4752
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Mcoepkdo.exe
   Command line: C:\Windows\system32\Mcoepkdo.exe
   PID: 4688
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Mccokj32.exe
   Command line: C:\Windows\system32\Mccokj32.exe
   PID: 3872
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Nooikj32.exe
   Command line: C:\Windows\system32\Nooikj32.exe
   PID: 5032
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Ookhfigk.exe
   Command line: C:\Windows\system32\Ookhfigk.exe
   PID: 2860
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Qckfid32.exe
   Command line: C:\Windows\system32\Qckfid32.exe
   PID: 4776
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Qcncodki.exe
   Command line: C:\Windows\system32\Qcncodki.exe
   PID: 4200
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Abgjkpll.exe
   Command line: C:\Windows\system32\Abgjkpll.exe
   PID: 2376
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Bboplo32.exe
   Command line: C:\Windows\system32\Bboplo32.exe
   PID: 2812
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Cdebfago.exe
   Command line: C:\Windows\system32\Cdebfago.exe
   PID: 208
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Cehlcikj.exe
   Command line: C:\Windows\system32\Cehlcikj.exe
   PID: 2656
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Cemeoh32.exe
   Command line: C:\Windows\system32\Cemeoh32.exe
   PID: 4720
   - Executes dropped EXE
   - Modifies registry class
37. C:\Windows\SysWOW64\Dinjjf32.exe
   Command line: C:\Windows\system32\Dinjjf32.exe
   PID: 2740
   - Executes dropped EXE
   - Modifies registry class
38. C:\Windows\SysWOW64\Edakimoo.exe
   Command line: C:\Windows\system32\Edakimoo.exe
   PID: 1084
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Fpoaom32.exe
   Command line: C:\Windows\system32\Fpoaom32.exe
   PID: 5016
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Fnglcqio.exe
   Command line: C:\Windows\system32\Fnglcqio.exe
   PID: 3292
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Gdfmkjlg.exe
   Command line: C:\Windows\system32\Gdfmkjlg.exe
   PID: 2988
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Gckjlf32.exe
   Command line: C:\Windows\system32\Gckjlf32.exe
   PID: 2672
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Hfnpca32.exe
   Command line: C:\Windows\system32\Hfnpca32.exe
   PID: 4764
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Khfdlnab.exe
   Command line: C:\Windows\system32\Khfdlnab.exe
   PID: 3472
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Kejeebpl.exe
   Command line: C:\Windows\system32\Kejeebpl.exe
   PID: 3672
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Kjfmminc.exe
   Command line: C:\Windows\system32\Kjfmminc.exe
   PID: 3560
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Kaqejcep.exe
   Command line: C:\Windows\system32\Kaqejcep.exe
   PID: 1064
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Lennpb32.exe
   Command line: C:\Windows\system32\Lennpb32.exe
   PID: 1032
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Lmnlpcel.exe
   Command line: C:\Windows\system32\Lmnlpcel.exe
   PID: 1232
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Lhdqml32.exe
   Command line: C:\Windows\system32\Lhdqml32.exe
   PID: 2980
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Mkicjgnn.exe
   Command line: C:\Windows\system32\Mkicjgnn.exe
   PID: 3252
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Meoggpmd.exe
   Command line: C:\Windows\system32\Meoggpmd.exe
   PID: 2524
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Mklpof32.exe
   Command line: C:\Windows\system32\Mklpof32.exe
   PID: 1036
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Oeopnmoa.exe
   Command line: C:\Windows\system32\Oeopnmoa.exe
   PID: 4496
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Ohbfeh32.exe
   Command line: C:\Windows\system32\Ohbfeh32.exe
   PID: 3700
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Pdgckg32.exe
   Command line: C:\Windows\system32\Pdgckg32.exe
   PID: 2696
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Qnbdjl32.exe
   Command line: C:\Windows\system32\Qnbdjl32.exe
   PID: 2228
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Agjhbbob.exe
   Command line: C:\Windows\system32\Agjhbbob.exe
   PID: 2892
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Afkipi32.exe
   Command line: C:\Windows\system32\Afkipi32.exe
   PID: 5020
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Adqeaf32.exe
   Command line: C:\Windows\system32\Adqeaf32.exe
   PID: 3500
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Anijjkbj.exe
   Command line: C:\Windows\system32\Anijjkbj.exe
   PID: 2536
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Agaoca32.exe
   Command line: C:\Windows\system32\Agaoca32.exe
   PID: 1608
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Bomppneg.exe
   Command line: C:\Windows\system32\Bomppneg.exe
   PID: 2876
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
64. C:\Windows\SysWOW64\Bfghlhmd.exe
   Command line: C:\Windows\system32\Bfghlhmd.exe
   PID: 2964
   - Executes dropped EXE
   - Drops file in System32 directory
65. C:\Windows\SysWOW64\Cpmifkgd.exe
   Command line: C:\Windows\system32\Cpmifkgd.exe
   PID: 2248
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Cfjnhe32.exe
   Command line: C:\Windows\system32\Cfjnhe32.exe
   PID: 2124
67. C:\Windows\SysWOW64\Clffalkf.exe
   Command line: C:\Windows\system32\Clffalkf.exe
   PID: 4284
68. C:\Windows\SysWOW64\Dlicflic.exe
   Command line: C:\Windows\system32\Dlicflic.exe
   PID: 760
69. C:\Windows\SysWOW64\Dhpdkm32.exe
   Command line: C:\Windows\system32\Dhpdkm32.exe
   PID: 2848
70. C:\Windows\SysWOW64\Dpkehi32.exe
   Command line: C:\Windows\system32\Dpkehi32.exe
   PID: 4588
71. C:\Windows\SysWOW64\Didjqoae.exe
   Command line: C:\Windows\system32\Didjqoae.exe
   PID: 2676
   - Modifies registry class
72. C:\Windows\SysWOW64\Elgohj32.exe
   Command line: C:\Windows\system32\Elgohj32.exe
   PID: 1796
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
73. C:\Windows\SysWOW64\Ehnpmkbg.exe
   Command line: C:\Windows\system32\Ehnpmkbg.exe
   PID: 5176
74. C:\Windows\SysWOW64\Eipilmgh.exe
   Command line: C:\Windows\system32\Eipilmgh.exe
   PID: 5216
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
75. C:\Windows\SysWOW64\Fbhnec32.exe
   Command line: C:\Windows\system32\Fbhnec32.exe
   PID: 5260
76. C:\Windows\SysWOW64\Fibfbm32.exe
   Command line: C:\Windows\system32\Fibfbm32.exe
   PID: 5308
77. C:\Windows\SysWOW64\Fbjjkble.exe
   Command line: C:\Windows\system32\Fbjjkble.exe
   PID: 5372
78. C:\Windows\SysWOW64\Fgjpfqpi.exe
   Command line: C:\Windows\system32\Fgjpfqpi.exe
   PID: 5436
79. C:\Windows\SysWOW64\Ggdbmoho.exe
   Command line: C:\Windows\system32\Ggdbmoho.exe
   PID: 5468
80. C:\Windows\SysWOW64\Geipnl32.exe
   Command line: C:\Windows\system32\Geipnl32.exe
   PID: 5560
81. C:\Windows\SysWOW64\Glchjedc.exe
   Command line: C:\Windows\system32\Glchjedc.exe
   PID: 5608
82. C:\Windows\SysWOW64\Ggilgn32.exe
   Command line: C:\Windows\system32\Ggilgn32.exe
   PID: 5652
   - Drops file in System32 directory
83. C:\Windows\SysWOW64\Ghjhofjg.exe
   Command line: C:\Windows\system32\Ghjhofjg.exe
   PID: 5696
84. C:\Windows\SysWOW64\Hfniikha.exe
   Command line: C:\Windows\system32\Hfniikha.exe
   PID: 5772
85. C:\Windows\SysWOW64\Hpcmfchg.exe
   Command line: C:\Windows\system32\Hpcmfchg.exe
   PID: 5808
86. C:\Windows\SysWOW64\Hgmebnpd.exe
   Command line: C:\Windows\system32\Hgmebnpd.exe
   PID: 5864
87. C:\Windows\SysWOW64\Hohjgpmo.exe
   Command line: C:\Windows\system32\Hohjgpmo.exe
   PID: 5928
88. C:\Windows\SysWOW64\Hlogfd32.exe
   Command line: C:\Windows\system32\Hlogfd32.exe
   PID: 6052
   - Modifies registry class
89. C:\Windows\SysWOW64\Jginej32.exe
   Command line: C:\Windows\system32\Jginej32.exe
   PID: 6112
   - Modifies registry class
90. C:\Windows\SysWOW64\Kjlcmdbb.exe
   Command line: C:\Windows\system32\Kjlcmdbb.exe
   PID: 4120
   - Drops file in System32 directory
   - Modifies registry class
91. C:\Windows\SysWOW64\Kaflio32.exe
   Command line: C:\Windows\system32\Kaflio32.exe
   PID: 5172
92. C:\Windows\SysWOW64\Kjopbd32.exe
   Command line: C:\Windows\system32\Kjopbd32.exe
   PID: 5232
93. C:\Windows\SysWOW64\Kciaqi32.exe
   Command line: C:\Windows\system32\Kciaqi32.exe
   PID: 5304
   - Modifies registry class
94. C:\Windows\SysWOW64\Lcqgahoe.exe
   Command line: C:\Windows\system32\Lcqgahoe.exe
   PID: 5364
95. C:\Windows\SysWOW64\Limpiomm.exe
   Command line: C:\Windows\system32\Limpiomm.exe
   PID: 5424
96. C:\Windows\SysWOW64\Lhopgg32.exe
   Command line: C:\Windows\system32\Lhopgg32.exe
   PID: 5392
97. C:\Windows\SysWOW64\Lipmoo32.exe
   Command line: C:\Windows\system32\Lipmoo32.exe
   PID: 5464
   - Modifies registry class
98. C:\Windows\SysWOW64\Lcealh32.exe
   Command line: C:\Windows\system32\Lcealh32.exe
   PID: 5616
   - Modifies registry class
99. C:\Windows\SysWOW64\Lplaaiqd.exe
   Command line: C:\Windows\system32\Lplaaiqd.exe
   PID: 5708
100. C:\Windows\SysWOW64\Niglfl32.exe
   Command line: C:\Windows\system32\Niglfl32.exe
   PID: 4784
101. C:\Windows\SysWOW64\Ppdjpcng.exe
   Command line: C:\Windows\system32\Ppdjpcng.exe
   PID: 5824
   - Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Pkinmlnm.exe
   Command line: C:\Windows\system32\Pkinmlnm.exe
   PID: 5876
   - Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Pacfjfej.exe
   Command line: C:\Windows\system32\Pacfjfej.exe
   PID: 1236
   - Drops file in System32 directory
104. C:\Windows\SysWOW64\Pjoknhbe.exe
   Command line: C:\Windows\system32\Pjoknhbe.exe
   PID: 2000
105. C:\Windows\SysWOW64\Qnopjfgi.exe
   Command line: C:\Windows\system32\Qnopjfgi.exe
   PID: 4332
   - Adds autorun key to be loaded by Explorer.exe on startup
106. C:\Windows\SysWOW64\Qdihfq32.exe
   Command line: C:\Windows\system32\Qdihfq32.exe
   PID: 4712
107. C:\Windows\SysWOW64\Qjeaog32.exe
   Command line: C:\Windows\system32\Qjeaog32.exe
   PID: 4368
108. C:\Windows\SysWOW64\Agiahlkf.exe
   Command line: C:\Windows\system32\Agiahlkf.exe
   PID: 6064
109. C:\Windows\SysWOW64\Ahkkhnpg.exe
   Command line: C:\Windows\system32\Ahkkhnpg.exe
   PID: 2680
110. C:\Windows\SysWOW64\Abdoqd32.exe
   Command line: C:\Windows\system32\Abdoqd32.exe
   PID: 5052
111. C:\Windows\SysWOW64\Aklciimh.exe
   Command line: C:\Windows\system32\Aklciimh.exe
   PID: 5212
112. C:\Windows\SysWOW64\Bjcmpepm.exe
   Command line: C:\Windows\system32\Bjcmpepm.exe
   PID: 5348
113. C:\Windows\SysWOW64\Bdiamnpc.exe
   Command line: C:\Windows\system32\Bdiamnpc.exe
   PID: 4260
   - Drops file in System32 directory
   - Modifies registry class
114. C:\Windows\SysWOW64\Bnaffdfc.exe
   Command line: C:\Windows\system32\Bnaffdfc.exe
   PID: 5508
115. C:\Windows\SysWOW64\Bgjjoi32.exe
   Command line: C:\Windows\system32\Bgjjoi32.exe
   PID: 3684
116. C:\Windows\SysWOW64\Biigildg.exe
   Command line: C:\Windows\system32\Biigildg.exe
   PID: 5660
117. C:\Windows\SysWOW64\Bqdlmo32.exe
   Command line: C:\Windows\system32\Bqdlmo32.exe
   PID: 5720
   - Drops file in System32 directory
118. C:\Windows\SysWOW64\Bjmpfdhb.exe
   Command line: C:\Windows\system32\Bjmpfdhb.exe
   PID: 1192
119. C:\Windows\SysWOW64\Djipbbne.exe
   Command line: C:\Windows\system32\Djipbbne.exe
   PID: 5896
120. C:\Windows\SysWOW64\Dendok32.exe
   Command line: C:\Windows\system32\Dendok32.exe
   PID: 4584
   - Drops file in System32 directory
121. C:\Windows\SysWOW64\Dnghhqdk.exe
   Command line: C:\Windows\system32\Dnghhqdk.exe
   PID: 2872
122. C:\Windows\SysWOW64\Dilmeida.exe
   Command line: C:\Windows\system32\Dilmeida.exe
   PID: 748