Analysis
max time kernel: 164s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2023 01:09
Behavioral task behavioral1
Sample: NEAS.d9818859c365c2c0daa5b2290dc4cd60_JC.exe
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: NEAS.d9818859c365c2c0daa5b2290dc4cd60_JC.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.d9818859c365c2c0daa5b2290dc4cd60_JC.exe
Size: 187KB
MD5: d9818859c365c2c0daa5b2290dc4cd60
SHA1: c5eff9713063f4b23d45fb3f3dda4e427fa98520
SHA256: 826585772b842d796957fdab4f22100ffe2b275671fdb317ac17f5300caaf98e
SHA512: 483d340e3f381d26cd50b4eaad213eeb1de088715f144e4c34c6c2f0a914d4f846d285971f1365177da9b1d1a20256b68138c87271fdd39860b6cecec3c999c0
SSDEEP: 3072:IgMVpIC8wsHI17dmI80semZl2NkzwH5GJks8WYlOWe7VsayDZVZev1N:EILpEBmI8m49zwZ9s8SZq/svL
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor: Berbew (64 IoCs)
Berbew is a malware infection classified as a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree (one linear chain in which each process spawned the next; the leading number is the depth in the chain; each entry gives image path, PID and command line, followed by the behaviour tags reported for that process):

1. C:\Users\Admin\AppData\Local\Temp\NEAS.d9818859c365c2c0daa5b2290dc4cd60_JC.exe (PID 4220); command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d9818859c365c2c0daa5b2290dc4cd60_JC.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Hegmlnbp.exe (PID 3928); command line: C:\Windows\system32\Hegmlnbp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Jogqlpde.exe (PID 4240); command line: C:\Windows\system32\Jogqlpde.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kalcik32.exe (PID 1788); command line: C:\Windows\system32\Kalcik32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Mlbpma32.exe (PID 1564); command line: C:\Windows\system32\Mlbpma32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Namegfql.exe (PID 2352); command line: C:\Windows\system32\Namegfql.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Oomelheh.exe (PID 4616); command line: C:\Windows\system32\Oomelheh.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Pbgqdb32.exe (PID 468); command line: C:\Windows\system32\Pbgqdb32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Pcijce32.exe (PID 812); command line: C:\Windows\system32\Pcijce32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Acbmjcgd.exe (PID 2892); command line: C:\Windows\system32\Acbmjcgd.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Bbalaoda.exe (PID 3324); command line: C:\Windows\system32\Bbalaoda.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Beaecjab.exe (PID 2128); command line: C:\Windows\system32\Beaecjab.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Cdebfago.exe (PID 1324); command line: C:\Windows\system32\Cdebfago.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Cbmlmmjd.exe (PID 2336); command line: C:\Windows\system32\Cbmlmmjd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Cfjeckpj.exe (PID 4728); command line: C:\Windows\system32\Cfjeckpj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Dllffa32.exe (PID 1076); command line: C:\Windows\system32\Dllffa32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Edlann32.exe (PID 1184); command line: C:\Windows\system32\Edlann32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Fcmnkh32.exe (PID 3812); command line: C:\Windows\system32\Fcmnkh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Fgncff32.exe (PID 2704); command line: C:\Windows\system32\Fgncff32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Gfjfhbpb.exe (PID 1136); command line: C:\Windows\system32\Gfjfhbpb.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Hjabdo32.exe (PID 1360); command line: C:\Windows\system32\Hjabdo32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Ienlbf32.exe (PID 3816); command line: C:\Windows\system32\Ienlbf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Jcjodbgl.exe (PID 684); command line: C:\Windows\system32\Jcjodbgl.exe
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Kjmjgk32.exe (PID 5044); command line: C:\Windows\system32\Kjmjgk32.exe
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Lhjnfn32.exe (PID 2628); command line: C:\Windows\system32\Lhjnfn32.exe
   - Executes dropped EXE
   - Modifies registry class
26. C:\Windows\SysWOW64\Lennpb32.exe (PID 3376); command line: C:\Windows\system32\Lennpb32.exe
   - Executes dropped EXE
   - Modifies registry class
27. C:\Windows\SysWOW64\Oacdmo32.exe (PID 3824); command line: C:\Windows\system32\Oacdmo32.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Oookgbpj.exe (PID 4912); command line: C:\Windows\system32\Oookgbpj.exe
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Pfkpiled.exe (PID 3388); command line: C:\Windows\system32\Pfkpiled.exe
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Pfmlok32.exe (PID 2724); command line: C:\Windows\system32\Pfmlok32.exe
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Pbfjjlgc.exe (PID 1152); command line: C:\Windows\system32\Pbfjjlgc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Pbifol32.exe (PID 1040); command line: C:\Windows\system32\Pbifol32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
33. C:\Windows\SysWOW64\Qhekaejj.exe (PID 3972); command line: C:\Windows\system32\Qhekaejj.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Akhaipei.exe (PID 3264); command line: C:\Windows\system32\Akhaipei.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Biedhclh.exe (PID 3932); command line: C:\Windows\system32\Biedhclh.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Bnicai32.exe (PID 2536); command line: C:\Windows\system32\Bnicai32.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Cnlpgibd.exe (PID 3552); command line: C:\Windows\system32\Cnlpgibd.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Chkjpm32.exe (PID 2092); command line: C:\Windows\system32\Chkjpm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Dehnpp32.exe (PID 2300); command line: C:\Windows\system32\Dehnpp32.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Eoconenj.exe (PID 768); command line: C:\Windows\system32\Eoconenj.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Ebagdddp.exe (PID 4952); command line: C:\Windows\system32\Ebagdddp.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Eimlgnij.exe (PID 1200); command line: C:\Windows\system32\Eimlgnij.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Fibfbm32.exe (PID 1312); command line: C:\Windows\system32\Fibfbm32.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Fofdkcmd.exe (PID 1672); command line: C:\Windows\system32\Fofdkcmd.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Gllajf32.exe (PID 4540); command line: C:\Windows\system32\Gllajf32.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Goadfa32.exe (PID 1560); command line: C:\Windows\system32\Goadfa32.exe
   - Executes dropped EXE
   - Modifies registry class
47. C:\Windows\SysWOW64\Hfbbdj32.exe (PID 1952); command line: C:\Windows\system32\Hfbbdj32.exe
   - Executes dropped EXE
   - Modifies registry class
48. C:\Windows\SysWOW64\Hgbonm32.exe (PID 3820); command line: C:\Windows\system32\Hgbonm32.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Homcbo32.exe (PID 3596); command line: C:\Windows\system32\Homcbo32.exe
   - Executes dropped EXE
   - Modifies registry class
50. C:\Windows\SysWOW64\Igpkok32.exe (PID 2476); command line: C:\Windows\system32\Igpkok32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Nmpkakak.exe (PID 4572); command line: C:\Windows\system32\Nmpkakak.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Nandhi32.exe (PID 4684); command line: C:\Windows\system32\Nandhi32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Ngklppei.exe (PID 4924); command line: C:\Windows\system32\Ngklppei.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Ndomiddc.exe (PID 2656); command line: C:\Windows\system32\Ndomiddc.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Odhppclh.exe (PID 1988); command line: C:\Windows\system32\Odhppclh.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Opopdd32.exe (PID 3408); command line: C:\Windows\system32\Opopdd32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Ancjef32.exe (PID 4736); command line: C:\Windows\system32\Ancjef32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Aglnnkid.exe (PID 940); command line: C:\Windows\system32\Aglnnkid.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Aqfolqna.exe (PID 2752); command line: C:\Windows\system32\Aqfolqna.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Addhbo32.exe (PID 4472); command line: C:\Windows\system32\Addhbo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
61. C:\Windows\SysWOW64\Anmmkd32.exe (PID 4740); command line: C:\Windows\system32\Anmmkd32.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Bbmbgb32.exe (PID 4328); command line: C:\Windows\system32\Bbmbgb32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
63. C:\Windows\SysWOW64\Bbbkbbkg.exe (PID 4884); command line: C:\Windows\system32\Bbbkbbkg.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Eangjkkd.exe (PID 2444); command line: C:\Windows\system32\Eangjkkd.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Feofmf32.exe (PID 4920); command line: C:\Windows\system32\Feofmf32.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Hhlnjpdi.exe (PID 4056); command line: C:\Windows\system32\Hhlnjpdi.exe
67. C:\Windows\SysWOW64\Hakidd32.exe (PID 4020); command line: C:\Windows\system32\Hakidd32.exe
68. C:\Windows\SysWOW64\Iheaqolo.exe (PID 1800); command line: C:\Windows\system32\Iheaqolo.exe
69. C:\Windows\SysWOW64\Iooimi32.exe (PID 736); command line: C:\Windows\system32\Iooimi32.exe
70. C:\Windows\SysWOW64\Ijdnka32.exe (PID 2744); command line: C:\Windows\system32\Ijdnka32.exe
71. C:\Windows\SysWOW64\Ileflmpb.exe (PID 4456); command line: C:\Windows\system32\Ileflmpb.exe
72. C:\Windows\SysWOW64\Jhqqlmba.exe (PID 3008); command line: C:\Windows\system32\Jhqqlmba.exe
73. C:\Windows\SysWOW64\Jcfejfag.exe (PID 4364); command line: C:\Windows\system32\Jcfejfag.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Jloibkhh.exe (PID 2876); command line: C:\Windows\system32\Jloibkhh.exe
75. C:\Windows\SysWOW64\Kjqfmn32.exe (PID 1808); command line: C:\Windows\system32\Kjqfmn32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Komoed32.exe (PID 5004); command line: C:\Windows\system32\Komoed32.exe
77. C:\Windows\SysWOW64\Kmaooihb.exe (PID 2152); command line: C:\Windows\system32\Kmaooihb.exe
78. C:\Windows\SysWOW64\Lmcldhfp.exe (PID 3872); command line: C:\Windows\system32\Lmcldhfp.exe
79. C:\Windows\SysWOW64\Lbqdmodg.exe (PID 520); command line: C:\Windows\system32\Lbqdmodg.exe
80. C:\Windows\SysWOW64\Lmfhjhdm.exe (PID 4824); command line: C:\Windows\system32\Lmfhjhdm.exe
81. C:\Windows\SysWOW64\Mcnmhpoj.exe (PID 3976); command line: C:\Windows\system32\Mcnmhpoj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
82. C:\Windows\SysWOW64\Mjheejff.exe (PID 2980); command line: C:\Windows\system32\Mjheejff.exe
83. C:\Windows\SysWOW64\Mcpjnp32.exe (PID 3956); command line: C:\Windows\system32\Mcpjnp32.exe
84. C:\Windows\SysWOW64\Nlknbb32.exe (PID 4240); command line: C:\Windows\system32\Nlknbb32.exe
   - Modifies registry class
85. C:\Windows\SysWOW64\Npldnp32.exe (PID 1616); command line: C:\Windows\system32\Npldnp32.exe
   - Drops file in System32 directory
86. C:\Windows\SysWOW64\Nidhffef.exe (PID 1720); command line: C:\Windows\system32\Nidhffef.exe
   - Drops file in System32 directory
87. C:\Windows\SysWOW64\Opjponbf.exe (PID 1636); command line: C:\Windows\system32\Opjponbf.exe
88. C:\Windows\SysWOW64\Okodlgbl.exe (PID 1788); command line: C:\Windows\system32\Okodlgbl.exe
89. C:\Windows\SysWOW64\Oplmdnpc.exe (PID 216); command line: C:\Windows\system32\Oplmdnpc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Pbmffi32.exe (PID 3232); command line: C:\Windows\system32\Pbmffi32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
91. C:\Windows\SysWOW64\Pignccea.exe (PID 3836); command line: C:\Windows\system32\Pignccea.exe
   - Drops file in System32 directory
92. C:\Windows\SysWOW64\Pcfhlh32.exe (PID 4076); command line: C:\Windows\system32\Pcfhlh32.exe
   - Drops file in System32 directory
   - Modifies registry class
93. C:\Windows\SysWOW64\Qipqibmf.exe (PID 2624); command line: C:\Windows\system32\Qipqibmf.exe
94. C:\Windows\SysWOW64\Alcfpm32.exe (PID 3296); command line: C:\Windows\system32\Alcfpm32.exe
95. C:\Windows\SysWOW64\Ajggjq32.exe (PID 1244); command line: C:\Windows\system32\Ajggjq32.exe
96. C:\Windows\SysWOW64\Akgcdc32.exe (PID 5160); command line: C:\Windows\system32\Akgcdc32.exe
97. C:\Windows\SysWOW64\Blabakle.exe (PID 5204); command line: C:\Windows\system32\Blabakle.exe
98. C:\Windows\SysWOW64\Cgnmpbec.exe (PID 5248); command line: C:\Windows\system32\Cgnmpbec.exe
99. C:\Windows\SysWOW64\Cjcolm32.exe (PID 5288); command line: C:\Windows\system32\Cjcolm32.exe
   - Modifies registry class
100. C:\Windows\SysWOW64\Cggpfa32.exe (PID 5336); command line: C:\Windows\system32\Cggpfa32.exe
101. C:\Windows\SysWOW64\Cqpdof32.exe (PID 5372); command line: C:\Windows\system32\Cqpdof32.exe
102. C:\Windows\SysWOW64\Dmfecgim.exe (PID 5420); command line: C:\Windows\system32\Dmfecgim.exe
103. C:\Windows\SysWOW64\Dcqmpa32.exe (PID 5460); command line: C:\Windows\system32\Dcqmpa32.exe
104. C:\Windows\SysWOW64\Dnfanjqp.exe (PID 5512); command line: C:\Windows\system32\Dnfanjqp.exe
105. C:\Windows\SysWOW64\Enoddi32.exe (PID 5556); command line: C:\Windows\system32\Enoddi32.exe
   - Drops file in System32 directory
106. C:\Windows\SysWOW64\Ecccmo32.exe (PID 5600); command line: C:\Windows\system32\Ecccmo32.exe
   - Modifies registry class
107. C:\Windows\SysWOW64\Fegiba32.exe (PID 5644); command line: C:\Windows\system32\Fegiba32.exe
108. C:\Windows\SysWOW64\Fjdajhbi.exe (PID 5684); command line: C:\Windows\system32\Fjdajhbi.exe
   - Modifies registry class
109. C:\Windows\SysWOW64\Fhhaclqc.exe (PID 5732); command line: C:\Windows\system32\Fhhaclqc.exe
110. C:\Windows\SysWOW64\Fmejlcoj.exe (PID 5776); command line: C:\Windows\system32\Fmejlcoj.exe
111. C:\Windows\SysWOW64\Gdkbdllj.exe (PID 5816); command line: C:\Windows\system32\Gdkbdllj.exe
112. C:\Windows\SysWOW64\Hejono32.exe (PID 5868); command line: C:\Windows\system32\Hejono32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
113. C:\Windows\SysWOW64\Heohinog.exe (PID 5976); command line: C:\Windows\system32\Heohinog.exe
114. C:\Windows\SysWOW64\Hecadm32.exe (PID 6028); command line: C:\Windows\system32\Hecadm32.exe
115. C:\Windows\SysWOW64\Jeanfkob.exe (PID 6068); command line: C:\Windows\system32\Jeanfkob.exe
116. C:\Windows\SysWOW64\Jlkfbe32.exe (PID 6112); command line: C:\Windows\system32\Jlkfbe32.exe
117. C:\Windows\SysWOW64\Jahnkl32.exe (PID 1852); command line: C:\Windows\system32\Jahnkl32.exe
118. C:\Windows\SysWOW64\Jamhflqq.exe (PID 3384); command line: C:\Windows\system32\Jamhflqq.exe
119. C:\Windows\SysWOW64\Jlblcdpf.exe (PID 5244); command line: C:\Windows\system32\Jlblcdpf.exe
120. C:\Windows\SysWOW64\Khlinedh.exe (PID 3324); command line: C:\Windows\system32\Khlinedh.exe
121. C:\Windows\SysWOW64\Koeajo32.exe (PID 5300); command line: C:\Windows\system32\Koeajo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Kfpjgi32.exe (PID 5332); command line: C:\Windows\system32\Kfpjgi32.exe