Analysis
-
max time kernel
139s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2023 08:19
Behavioral task
behavioral1
Sample
NEAS.c0d60c31b9bf349f1d2f0c21f3ac2d80.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c0d60c31b9bf349f1d2f0c21f3ac2d80.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.c0d60c31b9bf349f1d2f0c21f3ac2d80.exe
-
Size
445KB
-
MD5
c0d60c31b9bf349f1d2f0c21f3ac2d80
-
SHA1
de26b91cc33c1befa0d9922aa1e0e1f3a8d68399
-
SHA256
49a89455012257ed27b18fda356c85bf9bef3d494f055c3ddd8e259f256af741
-
SHA512
819a610381d22bf25b40492cbebfc82033276f870b340da292cd950be5a7b927dcbcd02e3698a50cc182ca9948da80877a4c09d6915b57542dbf9af4867a83d6
-
SSDEEP
12288:XOtXpV6yYPMLnfBJKFbhDwBpV6yYP0riuoCgNbbko8JfSIuMUb1V4D0:X+WMLnfBJKhVwBW0riuoCgNbbj8JfS1t
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahaceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhjhmhhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ondljl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpakj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfgklkoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afockelf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jblflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kijchhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lklbdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfmlghd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepjkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kifojnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekgqennl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icachjbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lehhqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdqcenmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bomkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipihpkkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiplmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfodgeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qckfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aijlgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amjbbfgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocdnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndidna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ponfka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppcmeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffclcgfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdieb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfkpjng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemdlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hannao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpfmlghd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epffbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fimhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iojkeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cienon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkcbnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhblllfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcidopb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolabf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnljkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fboecfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebjcajjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kamjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmedjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilhkigcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijfnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcbnpnme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfdjc32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0006000000022cca-5.dat family_berbew behavioral2/files/0x0006000000022cca-8.dat family_berbew behavioral2/files/0x0006000000022cce-14.dat family_berbew behavioral2/files/0x0006000000022cce-16.dat family_berbew behavioral2/files/0x0006000000022cd0-22.dat family_berbew behavioral2/files/0x0006000000022cd0-24.dat family_berbew behavioral2/files/0x0006000000022cd3-30.dat family_berbew behavioral2/files/0x0006000000022cd3-32.dat family_berbew behavioral2/files/0x0006000000022cd5-33.dat family_berbew behavioral2/files/0x0006000000022cd5-38.dat family_berbew behavioral2/files/0x0006000000022cd5-40.dat family_berbew behavioral2/files/0x0006000000022cd7-46.dat family_berbew behavioral2/files/0x0006000000022cd7-48.dat family_berbew behavioral2/files/0x0006000000022cd9-54.dat family_berbew behavioral2/files/0x0006000000022cd9-56.dat family_berbew behavioral2/files/0x0006000000022cdd-62.dat family_berbew behavioral2/files/0x0006000000022cdd-64.dat family_berbew behavioral2/files/0x0006000000022ce2-70.dat family_berbew behavioral2/files/0x0006000000022ce2-71.dat family_berbew behavioral2/files/0x0006000000022ce4-78.dat family_berbew behavioral2/files/0x0006000000022ce4-80.dat family_berbew behavioral2/files/0x0006000000022ce6-86.dat family_berbew behavioral2/files/0x0006000000022ce6-88.dat family_berbew behavioral2/files/0x0006000000022ce8-94.dat family_berbew behavioral2/files/0x0006000000022ce8-96.dat family_berbew behavioral2/files/0x0006000000022cee-97.dat family_berbew behavioral2/files/0x0006000000022cee-102.dat family_berbew behavioral2/files/0x0006000000022cee-104.dat family_berbew behavioral2/files/0x0007000000022cda-110.dat family_berbew behavioral2/files/0x0007000000022cda-112.dat family_berbew behavioral2/files/0x0008000000022ce1-113.dat family_berbew behavioral2/files/0x0008000000022ce1-118.dat family_berbew behavioral2/files/0x0008000000022ce1-120.dat family_berbew behavioral2/files/0x0009000000022cf1-126.dat family_berbew behavioral2/files/0x0009000000022cf1-128.dat family_berbew behavioral2/files/0x0006000000022cf3-133.dat family_berbew behavioral2/files/0x0006000000022cf3-136.dat family_berbew behavioral2/files/0x0006000000022cf5-142.dat family_berbew behavioral2/files/0x0006000000022cf5-144.dat family_berbew behavioral2/files/0x0006000000022cf7-150.dat family_berbew behavioral2/files/0x0006000000022cf7-152.dat family_berbew behavioral2/files/0x0006000000022cf9-158.dat family_berbew behavioral2/files/0x0006000000022cf9-160.dat family_berbew behavioral2/files/0x0008000000022cec-166.dat family_berbew behavioral2/files/0x0008000000022cec-168.dat family_berbew behavioral2/files/0x0007000000022cfb-174.dat family_berbew behavioral2/files/0x0007000000022cfb-176.dat family_berbew behavioral2/files/0x0006000000022cfd-182.dat family_berbew behavioral2/files/0x0006000000022cfd-184.dat family_berbew behavioral2/files/0x0006000000022cff-189.dat family_berbew behavioral2/files/0x0006000000022cff-192.dat family_berbew behavioral2/files/0x0006000000022d01-198.dat family_berbew behavioral2/files/0x0006000000022d01-200.dat family_berbew behavioral2/files/0x0006000000022d03-206.dat family_berbew behavioral2/files/0x0006000000022d03-208.dat family_berbew behavioral2/files/0x0006000000022d05-214.dat family_berbew behavioral2/files/0x0006000000022d05-216.dat family_berbew behavioral2/files/0x0006000000022d07-222.dat family_berbew behavioral2/files/0x0006000000022d07-224.dat family_berbew behavioral2/files/0x0006000000022d0a-230.dat family_berbew behavioral2/files/0x0006000000022d0a-232.dat family_berbew behavioral2/files/0x0006000000022d0c-233.dat family_berbew behavioral2/files/0x0006000000022d0c-238.dat family_berbew behavioral2/files/0x0006000000022d0c-240.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3740 Gklnjj32.exe 4424 Hkbdki32.exe 2644 Hkeaqi32.exe 3816 Hkgnfhnh.exe 5092 Iklgah32.exe 3628 Ijfnmc32.exe 1448 Jnfcia32.exe 1532 Jgadgf32.exe 544 Jnmijq32.exe 1348 Jjdjoane.exe 2116 Kgjgne32.exe 3276 Kijchhbo.exe 1312 Mecjif32.exe 4588 Nlfelogp.exe 4468 Niakfbpa.exe 3792 Okgaijaj.exe 2784 Pojcjh32.exe 1016 Pkenjh32.exe 1124 Pemomqcn.exe 2960 Ahcajk32.exe 4444 Aanbhp32.exe 1452 Bkmmaeap.exe 1236 Cjecpkcg.exe 4204 Dbqqkkbo.exe 2752 Ebhglj32.exe 3096 Ebjcajjd.exe 3372 Fipkjb32.exe 1896 Ffclcgfn.exe 3084 Gfheof32.exe 5068 Glgjlm32.exe 4564 Gdaociml.exe 224 Gipdap32.exe 3832 Hgfapd32.exe 1404 Hkdjfb32.exe 4772 Hildmn32.exe 2212 Igpdfb32.exe 4660 Igbalblk.exe 3820 Ikpjbq32.exe 2924 Idhnkf32.exe 4292 Ipoopgnf.exe 4236 Jncoikmp.exe 4276 Jgkdbacp.exe 4472 Jlkipgpe.exe 3508 Jgpmmp32.exe 3584 Jjafok32.exe 5064 Jqknkedi.exe 4224 Knooej32.exe 4284 Kjepjkhf.exe 3592 Kgipcogp.exe 5088 Kglmio32.exe 5100 Kkjeomld.exe 4684 Lklbdm32.exe 3636 Lddgmbpb.exe 2564 Ldgccb32.exe 1796 Lkalplel.exe 3868 Lnadagbm.exe 1032 Mminhceb.exe 1028 Mmkkmc32.exe 3216 Mnkggfkb.exe 220 Mkadfj32.exe 444 Njfagf32.exe 4256 Ngjbaj32.exe 1376 Nlhkgi32.exe 844 Nccokk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mmjpbc32.dll Aahbbkaq.exe File opened for modification C:\Windows\SysWOW64\Gfhndpol.exe Gehbjm32.exe File created C:\Windows\SysWOW64\Ondljl32.exe Omdppiif.exe File created C:\Windows\SysWOW64\Lielhgaa.dll Aonhghjl.exe File created C:\Windows\SysWOW64\Jjfaml32.dll Moalil32.exe File created C:\Windows\SysWOW64\Poidhg32.exe Pbddobla.exe File created C:\Windows\SysWOW64\Pkenjh32.exe Pojcjh32.exe File created C:\Windows\SysWOW64\Glgjlm32.exe Gfheof32.exe File created C:\Windows\SysWOW64\Kngekilj.dll Ieagmcmq.exe File created C:\Windows\SysWOW64\Gjficg32.exe Gclafmej.exe File opened for modification C:\Windows\SysWOW64\Mcelpggq.exe Mnhdgpii.exe File created C:\Windows\SysWOW64\Eqncnj32.exe Ebaplnie.exe File created C:\Windows\SysWOW64\Qpbnhl32.exe Qiiflaoo.exe File created C:\Windows\SysWOW64\Eqfnqg32.dll Kocphojh.exe File created C:\Windows\SysWOW64\Aahbbkaq.exe Addaif32.exe File opened for modification C:\Windows\SysWOW64\Dijbno32.exe Dkfadkgf.exe File created C:\Windows\SysWOW64\Elkllcbh.dll Dijbno32.exe File opened for modification C:\Windows\SysWOW64\Iojkeh32.exe Ieagmcmq.exe File opened for modification C:\Windows\SysWOW64\Gnmlhf32.exe Fgqgfl32.exe File created C:\Windows\SysWOW64\Jdjfohjg.exe Ijbbfc32.exe File created C:\Windows\SysWOW64\Ncmaai32.exe Nlcidopb.exe File created C:\Windows\SysWOW64\Empmffib.dll Idhnkf32.exe File opened for modification C:\Windows\SysWOW64\Ocdnln32.exe Nfqnbjfi.exe File created C:\Windows\SysWOW64\Cboleq32.dll Kbjbnnfg.exe File created C:\Windows\SysWOW64\Nkjckkcg.exe Nfnjbdep.exe File created C:\Windows\SysWOW64\Ebjkfjbc.dll Ohfami32.exe File created C:\Windows\SysWOW64\Fflohaij.exe Efjbcakl.exe File created C:\Windows\SysWOW64\Bcghdkpf.dll Ieidhh32.exe File created C:\Windows\SysWOW64\Kgiiiidd.exe Knqepc32.exe File opened for modification C:\Windows\SysWOW64\Lkalplel.exe Ldgccb32.exe File opened for modification C:\Windows\SysWOW64\Qemhbj32.exe Pejkmk32.exe File opened for modification C:\Windows\SysWOW64\Hemdlj32.exe Hmbphg32.exe File opened for modification C:\Windows\SysWOW64\Knnhjcog.exe Jedccfqg.exe File created C:\Windows\SysWOW64\Ockdmmoj.exe Ocdnln32.exe File created C:\Windows\SysWOW64\Pfepdg32.exe Pmmlla32.exe File opened for modification C:\Windows\SysWOW64\Fcneeo32.exe Fqphic32.exe File opened for modification C:\Windows\SysWOW64\Oljoen32.exe Nfpghccm.exe File created C:\Windows\SysWOW64\Pbddobla.exe Pdqcenmg.exe File created C:\Windows\SysWOW64\Mkadfj32.exe Mnkggfkb.exe File created C:\Windows\SysWOW64\Ggpdhj32.dll Gpelhd32.exe File created C:\Windows\SysWOW64\Cklgfgfg.dll Bhblllfo.exe File opened for modification C:\Windows\SysWOW64\Okfbgiij.exe Obnnnc32.exe File created C:\Windows\SysWOW64\Ehkljb32.dll Lddgmbpb.exe File opened for modification C:\Windows\SysWOW64\Iedjmioj.exe Imiehfao.exe File created C:\Windows\SysWOW64\Hkaeih32.exe Hbiapb32.exe File created C:\Windows\SysWOW64\Jblflp32.exe Jdjfohjg.exe File created C:\Windows\SysWOW64\Knqepc32.exe Knnhjcog.exe File opened for modification C:\Windows\SysWOW64\Enjfli32.exe Ekljpm32.exe File created C:\Windows\SysWOW64\Iaghgm32.dll Ldgccb32.exe File opened for modification C:\Windows\SysWOW64\Ngjbaj32.exe Njfagf32.exe File opened for modification C:\Windows\SysWOW64\Mogcihaj.exe Mfnoqc32.exe File opened for modification C:\Windows\SysWOW64\Ddgplado.exe Cdecgbfa.exe File opened for modification C:\Windows\SysWOW64\Jldbpl32.exe Jekjcaef.exe File created C:\Windows\SysWOW64\Ecfjqmbc.dll Mqjbddpl.exe File opened for modification C:\Windows\SysWOW64\Pmmlla32.exe Pcegclgp.exe File created C:\Windows\SysWOW64\Ehilac32.dll Kblpcndd.exe File created C:\Windows\SysWOW64\Nfoceoni.dll Mcfkpjng.exe File created C:\Windows\SysWOW64\Ollljmhg.exe Oljoen32.exe File created C:\Windows\SysWOW64\Ebdcld32.exe Deqcbpld.exe File created C:\Windows\SysWOW64\Hpiecd32.exe Hedafk32.exe File created C:\Windows\SysWOW64\Nqmojd32.exe Nfgklkoc.exe File created C:\Windows\SysWOW64\Epffbd32.exe Ejlnfjbd.exe File created C:\Windows\SysWOW64\Anqlll32.dll Oanfen32.exe File created C:\Windows\SysWOW64\Hiebgmkm.dll Qdoacabq.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmenh32.dll" Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdmpmdpj.dll" Knnhjcog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdhkcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} NEAS.c0d60c31b9bf349f1d2f0c21f3ac2d80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbbhnma.dll" Jncoikmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhpmpa.dll" Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Joqafgni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egegjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhikf32.dll" Podkmgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgaaeham.dll" Hkbdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnmijq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kijchhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmipdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkhpfbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkhpfbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlndcmq.dll" Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgbdja32.dll" Ikpjbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlhkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfmgg32.dll" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgfhaab.dll" Jhhodg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjlcjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cienon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcbnpnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbbmmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll" Qobhkjdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mohidbkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Haaaaeim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbddobla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfejnf32.dll" Igbalblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iialhaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hqdkkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Moalil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Addaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnhgjaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llcghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll" Bhkfkmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhkbjdi.dll" Gbpnjdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hannao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogigdpmb.dll" Hfcnpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcmfjll.dll" Lncjlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbfdjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbpmd32.dll" Jnfcia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmkkmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cndeii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll" Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlqloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbaokim.dll" Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll" Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enjfli32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4900 wrote to memory of 3740 4900 NEAS.c0d60c31b9bf349f1d2f0c21f3ac2d80.exe 90 PID 4900 wrote to memory of 3740 4900 NEAS.c0d60c31b9bf349f1d2f0c21f3ac2d80.exe 90 PID 4900 wrote to memory of 3740 4900 NEAS.c0d60c31b9bf349f1d2f0c21f3ac2d80.exe 90 PID 3740 wrote to memory of 4424 3740 Gklnjj32.exe 91 PID 3740 wrote to memory of 4424 3740 Gklnjj32.exe 91 PID 3740 wrote to memory of 4424 3740 Gklnjj32.exe 91 PID 4424 wrote to memory of 2644 4424 Hkbdki32.exe 92 PID 4424 wrote to memory of 2644 4424 Hkbdki32.exe 92 PID 4424 wrote to memory of 2644 4424 Hkbdki32.exe 92 PID 2644 wrote to memory of 3816 2644 Hkeaqi32.exe 93 PID 2644 wrote to memory of 3816 2644 Hkeaqi32.exe 93 PID 2644 wrote to memory of 3816 2644 Hkeaqi32.exe 93 PID 3816 wrote to memory of 5092 3816 Hkgnfhnh.exe 94 PID 3816 wrote to memory of 5092 3816 Hkgnfhnh.exe 94 PID 3816 wrote to memory of 5092 3816 Hkgnfhnh.exe 94 PID 5092 wrote to memory of 3628 5092 Iklgah32.exe 95 PID 5092 wrote to memory of 3628 5092 Iklgah32.exe 95 PID 5092 wrote to memory of 3628 5092 Iklgah32.exe 95 PID 3628 wrote to memory of 1448 3628 Ijfnmc32.exe 96 PID 3628 wrote to memory of 1448 3628 Ijfnmc32.exe 96 PID 3628 wrote to memory of 1448 3628 Ijfnmc32.exe 96 PID 1448 wrote to memory of 1532 1448 Jnfcia32.exe 97 PID 1448 wrote to memory of 1532 1448 Jnfcia32.exe 97 PID 1448 wrote to memory of 1532 1448 Jnfcia32.exe 97 PID 1532 wrote to memory of 544 1532 Jgadgf32.exe 99 PID 1532 wrote to memory of 544 1532 Jgadgf32.exe 99 PID 1532 wrote to memory of 544 1532 Jgadgf32.exe 99 PID 544 wrote to memory of 1348 544 Jnmijq32.exe 100 PID 544 wrote to memory of 1348 544 Jnmijq32.exe 100 PID 544 wrote to memory of 1348 544 Jnmijq32.exe 100 PID 1348 wrote to memory of 2116 1348 Jjdjoane.exe 101 PID 1348 wrote to memory of 2116 1348 Jjdjoane.exe 101 PID 1348 wrote to memory of 2116 1348 Jjdjoane.exe 101 PID 2116 wrote to memory of 3276 2116 Kgjgne32.exe 102 PID 2116 wrote to memory of 3276 2116 Kgjgne32.exe 102 PID 2116 wrote to memory of 3276 2116 Kgjgne32.exe 102 PID 3276 wrote to memory of 1312 3276 Kijchhbo.exe 103 PID 3276 wrote to memory of 1312 3276 Kijchhbo.exe 103 PID 3276 wrote to memory of 1312 3276 Kijchhbo.exe 103 PID 1312 wrote to memory of 4588 1312 Mecjif32.exe 104 PID 1312 wrote to memory of 4588 1312 Mecjif32.exe 104 PID 1312 wrote to memory of 4588 1312 Mecjif32.exe 104 PID 4588 wrote to memory of 4468 4588 Nlfelogp.exe 105 PID 4588 wrote to memory of 4468 4588 Nlfelogp.exe 105 PID 4588 wrote to memory of 4468 4588 Nlfelogp.exe 105 PID 4468 wrote to memory of 3792 4468 Niakfbpa.exe 106 PID 4468 wrote to memory of 3792 4468 Niakfbpa.exe 106 PID 4468 wrote to memory of 3792 4468 Niakfbpa.exe 106 PID 3792 wrote to memory of 2784 3792 Okgaijaj.exe 107 PID 3792 wrote to memory of 2784 3792 Okgaijaj.exe 107 PID 3792 wrote to memory of 2784 3792 Okgaijaj.exe 107 PID 2784 wrote to memory of 1016 2784 Pojcjh32.exe 108 PID 2784 wrote to memory of 1016 2784 Pojcjh32.exe 108 PID 2784 wrote to memory of 1016 2784 Pojcjh32.exe 108 PID 1016 wrote to memory of 1124 1016 Pkenjh32.exe 109 PID 1016 wrote to memory of 1124 1016 Pkenjh32.exe 109 PID 1016 wrote to memory of 1124 1016 Pkenjh32.exe 109 PID 1124 wrote to memory of 2960 1124 Pemomqcn.exe 110 PID 1124 wrote to memory of 2960 1124 Pemomqcn.exe 110 PID 1124 wrote to memory of 2960 1124 Pemomqcn.exe 110 PID 2960 wrote to memory of 4444 2960 Ahcajk32.exe 111 PID 2960 wrote to memory of 4444 2960 Ahcajk32.exe 111 PID 2960 wrote to memory of 4444 2960 Ahcajk32.exe 111 PID 4444 wrote to memory of 1452 4444 Aanbhp32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c0d60c31b9bf349f1d2f0c21f3ac2d80.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c0d60c31b9bf349f1d2f0c21f3ac2d80.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe23⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4204 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe26⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe28⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3084 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe31⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe32⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe33⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe34⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe36⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe37⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4660 -
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3820 -
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe41⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4236 -
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4276 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe44⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe45⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe46⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe47⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe48⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe50⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe51⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe52⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Lddgmbpb.exeC:\Windows\system32\Lddgmbpb.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3636 -
C:\Windows\SysWOW64\Ldgccb32.exeC:\Windows\system32\Ldgccb32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe56⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe57⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Mminhceb.exeC:\Windows\system32\Mminhceb.exe58⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Mnkggfkb.exeC:\Windows\system32\Mnkggfkb.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3216 -
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe61⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:444 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe63⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe65⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe66⤵PID:3932
-
C:\Windows\SysWOW64\Nhahaiec.exeC:\Windows\system32\Nhahaiec.exe67⤵PID:2672
-
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe68⤵PID:4544
-
C:\Windows\SysWOW64\Oalipoiq.exeC:\Windows\system32\Oalipoiq.exe69⤵PID:2196
-
C:\Windows\SysWOW64\Ohfami32.exeC:\Windows\system32\Ohfami32.exe70⤵
- Drops file in System32 directory
PID:4896 -
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe71⤵
- Drops file in System32 directory
PID:4132 -
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe72⤵PID:3324
-
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe73⤵PID:2800
-
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe74⤵PID:768
-
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe75⤵PID:4344
-
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe76⤵PID:3616
-
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe77⤵PID:740
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4156 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe79⤵PID:3552
-
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe80⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe81⤵PID:3052
-
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe82⤵PID:4336
-
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:4820 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe84⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5000 -
C:\Windows\SysWOW64\Cnahdi32.exeC:\Windows\system32\Cnahdi32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe87⤵PID:3248
-
C:\Windows\SysWOW64\Cndeii32.exeC:\Windows\system32\Cndeii32.exe88⤵
- Modifies registry class
PID:4812 -
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe89⤵PID:1440
-
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe90⤵PID:3128
-
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe91⤵PID:1484
-
C:\Windows\SysWOW64\Cdecgbfa.exeC:\Windows\system32\Cdecgbfa.exe92⤵
- Drops file in System32 directory
PID:3436 -
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe93⤵
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5136 -
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe95⤵PID:5180
-
C:\Windows\SysWOW64\Dkfadkgf.exeC:\Windows\system32\Dkfadkgf.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe97⤵
- Drops file in System32 directory
PID:5268 -
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe98⤵
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe99⤵PID:5356
-
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe100⤵PID:5400
-
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe101⤵
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe102⤵PID:5512
-
C:\Windows\SysWOW64\Enpmld32.exeC:\Windows\system32\Enpmld32.exe103⤵PID:5556
-
C:\Windows\SysWOW64\Ekdnei32.exeC:\Windows\system32\Ekdnei32.exe104⤵PID:5612
-
C:\Windows\SysWOW64\Efjbcakl.exeC:\Windows\system32\Efjbcakl.exe105⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Fflohaij.exeC:\Windows\system32\Fflohaij.exe106⤵
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5752 -
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5796 -
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe109⤵PID:5832
-
C:\Windows\SysWOW64\Gehbjm32.exeC:\Windows\system32\Gehbjm32.exe110⤵
- Drops file in System32 directory
PID:5892 -
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe111⤵PID:5968
-
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6012 -
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe113⤵PID:6064
-
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6116 -
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe115⤵PID:5164
-
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe117⤵PID:5320
-
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe119⤵PID:5532
-
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe120⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Hmmfmhll.exeC:\Windows\system32\Hmmfmhll.exe121⤵PID:5696
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-