Analysis
-
max time kernel
139s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2023, 18:12
Behavioral task
behavioral1
Sample
NEAS.636c267de7dee43b292fd09512aaba70_JC.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.636c267de7dee43b292fd09512aaba70_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.636c267de7dee43b292fd09512aaba70_JC.exe
-
Size
113KB
-
MD5
636c267de7dee43b292fd09512aaba70
-
SHA1
8ba7695d64f64b19098619dbd03e5bff30182d82
-
SHA256
6cbd07fedfce3acaa38a4ad8db0b51aee080a0b9e69af616fac98cf959fef51c
-
SHA512
a79eca78e3bcd50a444d7c6d5c624f7e061f5c7bdd7c881998f40597bfccd56981a026b5e94c1ea47835da4f2e2313baeef7e60984d9bf19dd9a62455d94701a
-
SSDEEP
3072:IKcwJqPNx6qn9xRjnsNorDJ7JugCe8uvQa7gRj9/S2Kn:zqPNx6W/RjnB1JISMRNF
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgklkoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajohjon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkidm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckebcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filapfbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmhdmea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlikkkhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpalgenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemhei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcijce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okailj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clchbqoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghpbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenmcggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgelgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejagaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phajna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnnnfalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodogdmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhgdmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenicahg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bochmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnoncim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkbnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbpaipl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edionhpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kedlip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmhgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehkajig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baannc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egcaod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affikdfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haodle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlbejloe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofgdcipq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcedmkmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijpepcfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkeekk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbjkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiqjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glhimp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpioin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgqopeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjmdocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koonge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haidfpki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckfphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhloj32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000022d4f-7.dat family_berbew behavioral2/files/0x0007000000022d4f-9.dat family_berbew behavioral2/files/0x0007000000022d5c-15.dat family_berbew behavioral2/files/0x0007000000022d5c-17.dat family_berbew behavioral2/files/0x0006000000022d6f-23.dat family_berbew behavioral2/files/0x0006000000022d6f-24.dat family_berbew behavioral2/files/0x0006000000022d73-39.dat family_berbew behavioral2/files/0x0006000000022d73-41.dat family_berbew behavioral2/files/0x0006000000022d75-47.dat family_berbew behavioral2/files/0x0006000000022d71-33.dat family_berbew behavioral2/files/0x0006000000022d71-31.dat family_berbew behavioral2/files/0x0006000000022d75-48.dat family_berbew behavioral2/files/0x0006000000022d77-55.dat family_berbew behavioral2/files/0x0006000000022d77-57.dat family_berbew behavioral2/files/0x0006000000022d79-63.dat family_berbew behavioral2/files/0x0006000000022d79-65.dat family_berbew behavioral2/files/0x0006000000022d7b-71.dat family_berbew behavioral2/files/0x0006000000022d7b-72.dat family_berbew behavioral2/files/0x0006000000022d7e-79.dat family_berbew behavioral2/files/0x0006000000022d7e-81.dat family_berbew behavioral2/files/0x0006000000022d80-87.dat family_berbew behavioral2/files/0x0006000000022d80-88.dat family_berbew behavioral2/files/0x0008000000022d4a-96.dat family_berbew behavioral2/files/0x0008000000022d4a-97.dat family_berbew behavioral2/files/0x0006000000022d83-105.dat family_berbew behavioral2/files/0x0006000000022d83-104.dat family_berbew behavioral2/files/0x0006000000022d85-112.dat family_berbew behavioral2/files/0x0006000000022d85-114.dat family_berbew behavioral2/files/0x0006000000022d87-120.dat family_berbew behavioral2/files/0x0006000000022d87-122.dat family_berbew behavioral2/files/0x0006000000022d89-128.dat family_berbew behavioral2/files/0x0006000000022d89-130.dat family_berbew behavioral2/files/0x0006000000022d8b-136.dat family_berbew behavioral2/files/0x0006000000022d8b-138.dat family_berbew behavioral2/files/0x0006000000022d8d-144.dat family_berbew behavioral2/files/0x0006000000022d8d-146.dat family_berbew behavioral2/files/0x0006000000022d8f-152.dat family_berbew behavioral2/files/0x0006000000022d8f-153.dat family_berbew behavioral2/files/0x0006000000022d91-160.dat family_berbew behavioral2/files/0x0006000000022d91-162.dat family_berbew behavioral2/files/0x0006000000022d93-168.dat family_berbew behavioral2/files/0x0006000000022d93-170.dat family_berbew behavioral2/files/0x0006000000022d95-177.dat family_berbew behavioral2/files/0x0006000000022d95-176.dat family_berbew behavioral2/files/0x0006000000022d97-184.dat family_berbew behavioral2/files/0x0006000000022d97-186.dat family_berbew behavioral2/files/0x0006000000022d99-192.dat family_berbew behavioral2/files/0x0006000000022d99-194.dat family_berbew behavioral2/files/0x0006000000022d9b-200.dat family_berbew behavioral2/files/0x0006000000022d9b-202.dat family_berbew behavioral2/files/0x0006000000022d9d-208.dat family_berbew behavioral2/files/0x0006000000022d9d-210.dat family_berbew behavioral2/files/0x0006000000022d9f-216.dat family_berbew behavioral2/files/0x0006000000022d9f-218.dat family_berbew behavioral2/files/0x0006000000022da1-226.dat family_berbew behavioral2/files/0x0006000000022da1-224.dat family_berbew behavioral2/files/0x0006000000022da3-233.dat family_berbew behavioral2/files/0x0006000000022da3-232.dat family_berbew behavioral2/files/0x0006000000022da5-240.dat family_berbew behavioral2/files/0x0006000000022da5-241.dat family_berbew behavioral2/files/0x0006000000022da7-248.dat family_berbew behavioral2/files/0x0006000000022da7-249.dat family_berbew behavioral2/files/0x0006000000022da9-257.dat family_berbew behavioral2/files/0x0006000000022da9-256.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 5112 Qhlkilba.exe 2864 Qhngolpo.exe 2228 Qcclld32.exe 3540 Ajndioga.exe 4328 Aojlaeei.exe 2492 Ahcajk32.exe 560 Achegd32.exe 980 Akcjkfij.exe 1644 Ahgjejhd.exe 1812 Acmobchj.exe 3496 Ahjgjj32.exe 364 Aodogdmn.exe 2876 Boflmdkk.exe 4704 Bljlfh32.exe 608 Bmlilh32.exe 4632 Bbiado32.exe 4668 Bkafmd32.exe 648 Bmabggdm.exe 4220 Cjecpkcg.exe 1704 Ckfphc32.exe 1492 Cjgpfk32.exe 5044 Codhnb32.exe 2188 Cimmggfl.exe 3220 Ckmehb32.exe 3952 Cbgnemjj.exe 1396 Coknoaic.exe 3052 Dfefkkqp.exe 1016 Dfgcakon.exe 5056 Dckdjomg.exe 3456 Dpbdopck.exe 4568 Djhimica.exe 4572 Dbcmakpl.exe 2304 Dmhand32.exe 4388 Eiobceef.exe 4404 Ecefqnel.exe 4224 Eiaoid32.exe 4732 Efepbi32.exe 2176 Emphocjj.exe 3572 Eblpgjha.exe 956 Giinpa32.exe 4508 Gikkfqmf.exe 2248 Gbdoof32.exe 4940 Gphphj32.exe 856 Gipdap32.exe 4888 Hbhijepa.exe 1412 Hmnmgnoh.exe 4952 Hkbmqb32.exe 4172 Hcmbee32.exe 3968 Hgkkkcbc.exe 3544 Hmechmip.exe 4872 Hgmgqc32.exe 3320 Iljpij32.exe 4128 Igpdfb32.exe 1112 Idcepgmg.exe 3260 Ijqmhnko.exe 4772 Idfaefkd.exe 3352 Ikpjbq32.exe 2696 Icknfcol.exe 4996 Ilccoh32.exe 1916 Jkgpbp32.exe 5060 Jcbdgb32.exe 1936 Jlkipgpe.exe 1636 Jdaaaeqg.exe 4496 Jjoiil32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aojefobm.exe Ahpmjejp.exe File created C:\Windows\SysWOW64\Pbbmemif.dll Bkaobnio.exe File created C:\Windows\SysWOW64\Gadiippo.dll Oabhfg32.exe File created C:\Windows\SysWOW64\Aagdnn32.exe Ajmladbl.exe File created C:\Windows\SysWOW64\Gpkpbaea.dll Mmkdcm32.exe File opened for modification C:\Windows\SysWOW64\Oanokhdb.exe Ojdgnn32.exe File opened for modification C:\Windows\SysWOW64\Dnmaea32.exe Dddllkbf.exe File opened for modification C:\Windows\SysWOW64\Idcepgmg.exe Igpdfb32.exe File created C:\Windows\SysWOW64\Qbonoghb.exe Pjcikejg.exe File opened for modification C:\Windows\SysWOW64\Cacmpj32.exe Cildom32.exe File created C:\Windows\SysWOW64\Efehkimj.dll Dnngpj32.exe File opened for modification C:\Windows\SysWOW64\Naecop32.exe Nnfgcd32.exe File opened for modification C:\Windows\SysWOW64\Llmhaold.exe Lfbped32.exe File created C:\Windows\SysWOW64\Mmhgmmbf.exe Mgloefco.exe File created C:\Windows\SysWOW64\Enmjlojd.exe Egcaod32.exe File created C:\Windows\SysWOW64\Odpldj32.dll Ocfdgg32.exe File opened for modification C:\Windows\SysWOW64\Mkmkkjko.exe Mebcop32.exe File created C:\Windows\SysWOW64\Pnmopk32.exe Phcgcqab.exe File created C:\Windows\SysWOW64\Kmmcjnkq.dll Halhfe32.exe File opened for modification C:\Windows\SysWOW64\Kamjda32.exe Koonge32.exe File created C:\Windows\SysWOW64\Blghiiea.dll Edihdb32.exe File created C:\Windows\SysWOW64\Achegd32.exe Ahcajk32.exe File created C:\Windows\SysWOW64\Elkllcbh.dll Dkhnjk32.exe File created C:\Windows\SysWOW64\Gnepna32.exe Gihgfk32.exe File created C:\Windows\SysWOW64\Hockka32.dll Qhhpop32.exe File created C:\Windows\SysWOW64\Aaenbd32.exe Akkffkhk.exe File created C:\Windows\SysWOW64\Pidlqb32.exe Pbjddh32.exe File created C:\Windows\SysWOW64\Hkbmqb32.exe Hmnmgnoh.exe File opened for modification C:\Windows\SysWOW64\Ikpjbq32.exe Idfaefkd.exe File created C:\Windows\SysWOW64\Eoideh32.exe Eiokinbk.exe File opened for modification C:\Windows\SysWOW64\Iaedanal.exe Ijkled32.exe File created C:\Windows\SysWOW64\Fadggj32.dll Aojefobm.exe File created C:\Windows\SysWOW64\Kkconn32.exe Kclgmq32.exe File created C:\Windows\SysWOW64\Aijqqd32.dll Hbjoeojc.exe File created C:\Windows\SysWOW64\Aqmiic32.dll Iepaaico.exe File opened for modification C:\Windows\SysWOW64\Mlhqcgnk.exe Mfnhfm32.exe File created C:\Windows\SysWOW64\Chmbeqne.dll Mmkkmc32.exe File opened for modification C:\Windows\SysWOW64\Dbkqfe32.exe Dkahilkl.exe File opened for modification C:\Windows\SysWOW64\Laiipofp.exe Lpgmhg32.exe File opened for modification C:\Windows\SysWOW64\Llqjbhdc.exe Ljbnfleo.exe File opened for modification C:\Windows\SysWOW64\Padnaq32.exe Pimfpc32.exe File created C:\Windows\SysWOW64\Egkddo32.exe Dpalgenf.exe File created C:\Windows\SysWOW64\Mdpagc32.exe Mociol32.exe File opened for modification C:\Windows\SysWOW64\Qhngolpo.exe Qhlkilba.exe File created C:\Windows\SysWOW64\Naecop32.exe Nnfgcd32.exe File created C:\Windows\SysWOW64\Ojemig32.exe Oophlo32.exe File created C:\Windows\SysWOW64\Iahqoq32.dll Acmobchj.exe File created C:\Windows\SysWOW64\Ckkpjkai.dll Npgmpf32.exe File opened for modification C:\Windows\SysWOW64\Koonge32.exe Klpakj32.exe File created C:\Windows\SysWOW64\Mgfhfd32.dll Kcoccc32.exe File created C:\Windows\SysWOW64\Kqcgfpia.dll Mahklf32.exe File opened for modification C:\Windows\SysWOW64\Qelcamcj.exe Qmanljfo.exe File created C:\Windows\SysWOW64\Mepfiq32.exe Mkhapk32.exe File opened for modification C:\Windows\SysWOW64\Adndoe32.exe Aaohcj32.exe File created C:\Windows\SysWOW64\Fpimlfke.exe Fbelcblk.exe File created C:\Windows\SysWOW64\Ojqcnhkl.exe Objkmkjj.exe File created C:\Windows\SysWOW64\Bhalpn32.dll Mhiabbdi.exe File opened for modification C:\Windows\SysWOW64\Djhimica.exe Dpbdopck.exe File opened for modification C:\Windows\SysWOW64\Pejkmk32.exe Pdkoch32.exe File opened for modification C:\Windows\SysWOW64\Dmlkhofd.exe Cdecgbfa.exe File opened for modification C:\Windows\SysWOW64\Pfppoa32.exe Pbbgicnd.exe File created C:\Windows\SysWOW64\Pbimjb32.exe Piaiqlak.exe File opened for modification C:\Windows\SysWOW64\Ecefqnel.exe Eiobceef.exe File created C:\Windows\SysWOW64\Kikdcj32.dll Mjahlgpf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgaiiq32.dll" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knenkbio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kamjda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkpjdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpalgenf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocfdgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panlem32.dll" Hldiinke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aagdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Banjnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdlidhm.dll" Jdjfohjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jblflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niojoeel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffheej.dll" Bllbaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbelcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmcgolla.dll" Gejopl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iehmmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll" Mpapnfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppdbgncl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omaeem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmipdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjec32.dll" Kpccmhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmemlfol.dll" Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehkga32.dll" Nmgjia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbnaeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhoeef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll" Ojajin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll" Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iojkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdgdeppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdjfohjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjijdf32.dll" Lhdggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmobchj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeghb32.dll" Dkahilkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnngpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejioqkck.dll" Hbiapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeoe32.dll" Bmabggdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdleo32.dll" Ndidna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnnnfalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjkdlall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kalcik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijbed32.dll" Nbbnbemf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jllokajf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkekjdck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpccmhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmgob32.dll" Eoideh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chiblk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfekbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll" Klmnkdal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeliqka.dll" Lojfin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odjmdocp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adkgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjmj32.dll" Kgflcifg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgicnp32.dll" Dggbcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbmemif.dll" Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mokfja32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4936 wrote to memory of 5112 4936 NEAS.636c267de7dee43b292fd09512aaba70_JC.exe 84 PID 4936 wrote to memory of 5112 4936 NEAS.636c267de7dee43b292fd09512aaba70_JC.exe 84 PID 4936 wrote to memory of 5112 4936 NEAS.636c267de7dee43b292fd09512aaba70_JC.exe 84 PID 5112 wrote to memory of 2864 5112 Qhlkilba.exe 85 PID 5112 wrote to memory of 2864 5112 Qhlkilba.exe 85 PID 5112 wrote to memory of 2864 5112 Qhlkilba.exe 85 PID 2864 wrote to memory of 2228 2864 Qhngolpo.exe 86 PID 2864 wrote to memory of 2228 2864 Qhngolpo.exe 86 PID 2864 wrote to memory of 2228 2864 Qhngolpo.exe 86 PID 2228 wrote to memory of 3540 2228 Qcclld32.exe 87 PID 2228 wrote to memory of 3540 2228 Qcclld32.exe 87 PID 2228 wrote to memory of 3540 2228 Qcclld32.exe 87 PID 3540 wrote to memory of 4328 3540 Ajndioga.exe 88 PID 3540 wrote to memory of 4328 3540 Ajndioga.exe 88 PID 3540 wrote to memory of 4328 3540 Ajndioga.exe 88 PID 4328 wrote to memory of 2492 4328 Aojlaeei.exe 89 PID 4328 wrote to memory of 2492 4328 Aojlaeei.exe 89 PID 4328 wrote to memory of 2492 4328 Aojlaeei.exe 89 PID 2492 wrote to memory of 560 2492 Ahcajk32.exe 90 PID 2492 wrote to memory of 560 2492 Ahcajk32.exe 90 PID 2492 wrote to memory of 560 2492 Ahcajk32.exe 90 PID 560 wrote to memory of 980 560 Achegd32.exe 91 PID 560 wrote to memory of 980 560 Achegd32.exe 91 PID 560 wrote to memory of 980 560 Achegd32.exe 91 PID 980 wrote to memory of 1644 980 Akcjkfij.exe 92 PID 980 wrote to memory of 1644 980 Akcjkfij.exe 92 PID 980 wrote to memory of 1644 980 Akcjkfij.exe 92 PID 1644 wrote to memory of 1812 1644 Ahgjejhd.exe 93 PID 1644 wrote to memory of 1812 1644 Ahgjejhd.exe 93 PID 1644 wrote to memory of 1812 1644 Ahgjejhd.exe 93 PID 1812 wrote to memory of 3496 1812 Acmobchj.exe 94 PID 1812 wrote to memory of 3496 1812 Acmobchj.exe 94 PID 1812 wrote to memory of 3496 1812 Acmobchj.exe 94 PID 3496 wrote to memory of 364 3496 Ahjgjj32.exe 95 PID 3496 wrote to memory of 364 3496 Ahjgjj32.exe 95 PID 3496 wrote to memory of 364 3496 Ahjgjj32.exe 95 PID 364 wrote to memory of 2876 364 Aodogdmn.exe 96 PID 364 wrote to memory of 2876 364 Aodogdmn.exe 96 PID 364 wrote to memory of 2876 364 Aodogdmn.exe 96 PID 2876 wrote to memory of 4704 2876 Boflmdkk.exe 97 PID 2876 wrote to memory of 4704 2876 Boflmdkk.exe 97 PID 2876 wrote to memory of 4704 2876 Boflmdkk.exe 97 PID 4704 wrote to memory of 608 4704 Bljlfh32.exe 98 PID 4704 wrote to memory of 608 4704 Bljlfh32.exe 98 PID 4704 wrote to memory of 608 4704 Bljlfh32.exe 98 PID 608 wrote to memory of 4632 608 Bmlilh32.exe 99 PID 608 wrote to memory of 4632 608 Bmlilh32.exe 99 PID 608 wrote to memory of 4632 608 Bmlilh32.exe 99 PID 4632 wrote to memory of 4668 4632 Bbiado32.exe 100 PID 4632 wrote to memory of 4668 4632 Bbiado32.exe 100 PID 4632 wrote to memory of 4668 4632 Bbiado32.exe 100 PID 4668 wrote to memory of 648 4668 Bkafmd32.exe 101 PID 4668 wrote to memory of 648 4668 Bkafmd32.exe 101 PID 4668 wrote to memory of 648 4668 Bkafmd32.exe 101 PID 648 wrote to memory of 4220 648 Bmabggdm.exe 102 PID 648 wrote to memory of 4220 648 Bmabggdm.exe 102 PID 648 wrote to memory of 4220 648 Bmabggdm.exe 102 PID 4220 wrote to memory of 1704 4220 Cjecpkcg.exe 103 PID 4220 wrote to memory of 1704 4220 Cjecpkcg.exe 103 PID 4220 wrote to memory of 1704 4220 Cjecpkcg.exe 103 PID 1704 wrote to memory of 1492 1704 Ckfphc32.exe 104 PID 1704 wrote to memory of 1492 1704 Ckfphc32.exe 104 PID 1704 wrote to memory of 1492 1704 Ckfphc32.exe 104 PID 1492 wrote to memory of 5044 1492 Cjgpfk32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.636c267de7dee43b292fd09512aaba70_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.636c267de7dee43b292fd09512aaba70_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe23⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe24⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe25⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe26⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe27⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Dfefkkqp.exeC:\Windows\system32\Dfefkkqp.exe28⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe29⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe30⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3456 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe32⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe33⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe34⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4388 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe36⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe37⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe38⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe39⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe40⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe42⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe44⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe45⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe46⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Hmnmgnoh.exeC:\Windows\system32\Hmnmgnoh.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe48⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3968 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe51⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe52⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe53⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4128 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe55⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe56⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4772 -
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe58⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe59⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe60⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe61⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe62⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe63⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe64⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe65⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe66⤵PID:3976
-
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe67⤵PID:3684
-
C:\Windows\SysWOW64\Jlobkg32.exeC:\Windows\system32\Jlobkg32.exe68⤵PID:1776
-
C:\Windows\SysWOW64\Jcikgacl.exeC:\Windows\system32\Jcikgacl.exe69⤵PID:3428
-
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe70⤵PID:1612
-
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe71⤵
- Drops file in System32 directory
PID:4144 -
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe72⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe73⤵PID:4480
-
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe74⤵PID:1948
-
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Kdmqmc32.exeC:\Windows\system32\Kdmqmc32.exe76⤵PID:2316
-
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe77⤵PID:1696
-
C:\Windows\SysWOW64\Kmieae32.exeC:\Windows\system32\Kmieae32.exe78⤵PID:1284
-
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe79⤵PID:2232
-
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe80⤵PID:876
-
C:\Windows\SysWOW64\Lgccinoe.exeC:\Windows\system32\Lgccinoe.exe81⤵PID:2092
-
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe82⤵PID:4300
-
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe83⤵PID:3648
-
C:\Windows\SysWOW64\Ljclki32.exeC:\Windows\system32\Ljclki32.exe84⤵PID:3760
-
C:\Windows\SysWOW64\Lqndhcdc.exeC:\Windows\system32\Lqndhcdc.exe85⤵PID:224
-
C:\Windows\SysWOW64\Lclpdncg.exeC:\Windows\system32\Lclpdncg.exe86⤵PID:1488
-
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe87⤵PID:4620
-
C:\Windows\SysWOW64\Lekmnajj.exeC:\Windows\system32\Lekmnajj.exe88⤵PID:3836
-
C:\Windows\SysWOW64\Lkeekk32.exeC:\Windows\system32\Lkeekk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3308 -
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe90⤵PID:5128
-
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5168 -
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe92⤵
- Drops file in System32 directory
PID:5216 -
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe93⤵PID:5256
-
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5296 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe95⤵
- Drops file in System32 directory
PID:5336 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe96⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe97⤵PID:5432
-
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe98⤵PID:5476
-
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe99⤵PID:5520
-
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe100⤵
- Drops file in System32 directory
PID:5564 -
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe101⤵PID:5604
-
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe103⤵PID:5684
-
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe104⤵PID:5728
-
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe105⤵PID:5772
-
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe106⤵PID:5820
-
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe107⤵PID:5868
-
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe108⤵PID:5908
-
C:\Windows\SysWOW64\Nmgjia32.exeC:\Windows\system32\Nmgjia32.exe109⤵
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe110⤵PID:5996
-
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe111⤵
- Drops file in System32 directory
PID:6040 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe112⤵PID:6084
-
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe113⤵PID:5136
-
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe114⤵PID:5204
-
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe115⤵PID:5396
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe116⤵PID:5484
-
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe117⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe118⤵PID:5636
-
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe119⤵PID:5716
-
C:\Windows\SysWOW64\Pocpfphe.exeC:\Windows\system32\Pocpfphe.exe120⤵PID:5760
-
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe121⤵PID:5860
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-