Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/11/2023, 22:59
Behavioral task behavioral1
- Sample: NEAS.4c4317d19b4f465ca998d1e5b10bc3c0.exe
- Resource: win7-20231023-en
Behavioral task behavioral2
- Sample: NEAS.4c4317d19b4f465ca998d1e5b10bc3c0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.4c4317d19b4f465ca998d1e5b10bc3c0.exe
- Size: 363KB
- MD5: 4c4317d19b4f465ca998d1e5b10bc3c0
- SHA1: f85a33d19ecda6ac7c6fd4943b8fcc9b570229b2
- SHA256: ace8dd98f2446f48f9372d8e3c2451545be7f792506c732eee1f322322359a85
- SHA512: eb23290ff2060d898f3cf3ee484a0a9542695222618cbeac7b3927848ce3131989be1650415d9f325ab72df7469b8a851b772ecafc41aa600f2886695c04068c
- SSDEEP: 6144:aLxqs5xSKmWNPOvkym/89b7yS49pkuk4Nx73U2S4D23DgDJsAE1m7uLcp37pBykV:pUY6f9S49yuFL73tS4D2FR1maLcJ/Umn
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
depth  image path  command line  PID
1  C:\Users\Admin\AppData\Local\Temp\NEAS.4c4317d19b4f465ca998d1e5b10bc3c0.exe  "C:\Users\Admin\AppData\Local\Temp\NEAS.4c4317d19b4f465ca998d1e5b10bc3c0.exe"  4956
   - Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Ekimjn32.exe  C:\Windows\system32\Ekimjn32.exe  1988
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Ibbcfa32.exe  C:\Windows\system32\Ibbcfa32.exe  2344
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Jeolckne.exe  C:\Windows\system32\Jeolckne.exe  4480
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Kahinkaf.exe  C:\Windows\system32\Kahinkaf.exe  552
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Logicn32.exe  C:\Windows\system32\Logicn32.exe  2488
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Loopdmpk.exe  C:\Windows\system32\Loopdmpk.exe  228
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Mkepineo.exe  C:\Windows\system32\Mkepineo.exe  2248
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Mlemcq32.exe  C:\Windows\system32\Mlemcq32.exe  4692
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Nlqloo32.exe  C:\Windows\system32\Nlqloo32.exe  1244
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Nconfh32.exe  C:\Windows\system32\Nconfh32.exe  3892
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Obkahddl.exe  C:\Windows\system32\Obkahddl.exe  4776
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Qmanljfo.exe  C:\Windows\system32\Qmanljfo.exe  1512
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Alpnde32.exe  C:\Windows\system32\Alpnde32.exe  5068
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Bikeni32.exe  C:\Windows\system32\Bikeni32.exe  3208
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Cbmlmmjd.exe  C:\Windows\system32\Cbmlmmjd.exe  2696
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Dbhlikpf.exe  C:\Windows\system32\Dbhlikpf.exe  4428
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18  C:\Windows\SysWOW64\Edoncm32.exe  C:\Windows\system32\Edoncm32.exe  4812
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
19  C:\Windows\SysWOW64\Epjhcnbp.exe  C:\Windows\system32\Epjhcnbp.exe  4900
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20  C:\Windows\SysWOW64\Fcpkph32.exe  C:\Windows\system32\Fcpkph32.exe  4580
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21  C:\Windows\SysWOW64\Gnlenp32.exe  C:\Windows\system32\Gnlenp32.exe  4196
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22  C:\Windows\SysWOW64\Hgbfhc32.exe  C:\Windows\system32\Hgbfhc32.exe  2500
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
23  C:\Windows\SysWOW64\Imnjbhaa.exe  C:\Windows\system32\Imnjbhaa.exe  2532
   - Executes dropped EXE
24  C:\Windows\SysWOW64\Jegohe32.exe  C:\Windows\system32\Jegohe32.exe  3356
   - Executes dropped EXE
25  C:\Windows\SysWOW64\Jndmlj32.exe  C:\Windows\system32\Jndmlj32.exe  4844
   - Executes dropped EXE
26  C:\Windows\SysWOW64\Kjfmminc.exe  C:\Windows\system32\Kjfmminc.exe  1344
   - Executes dropped EXE
27  C:\Windows\SysWOW64\Lhmjlm32.exe  C:\Windows\system32\Lhmjlm32.exe  1616
   - Executes dropped EXE
28  C:\Windows\SysWOW64\Ldhdlnli.exe  C:\Windows\system32\Ldhdlnli.exe  3692
   - Executes dropped EXE
29  C:\Windows\SysWOW64\Mhkgnkoj.exe  C:\Windows\system32\Mhkgnkoj.exe  2060
   - Executes dropped EXE
30  C:\Windows\SysWOW64\Mhppik32.exe  C:\Windows\system32\Mhppik32.exe  1396
   - Executes dropped EXE
31  C:\Windows\SysWOW64\Nkbfpeec.exe  C:\Windows\system32\Nkbfpeec.exe  3088
   - Executes dropped EXE
32  C:\Windows\SysWOW64\Nejgbn32.exe  C:\Windows\system32\Nejgbn32.exe  1968
   - Executes dropped EXE
33  C:\Windows\SysWOW64\Ohnljine.exe  C:\Windows\system32\Ohnljine.exe  116
   - Executes dropped EXE
34  C:\Windows\SysWOW64\Oeffnl32.exe  C:\Windows\system32\Oeffnl32.exe  2712
   - Executes dropped EXE
   - Drops file in System32 directory
35  C:\Windows\SysWOW64\Pnknim32.exe  C:\Windows\system32\Pnknim32.exe  4800
   - Executes dropped EXE
36  C:\Windows\SysWOW64\Phbolflm.exe  C:\Windows\system32\Phbolflm.exe  3980
   - Executes dropped EXE
37  C:\Windows\SysWOW64\Qffoejkg.exe  C:\Windows\system32\Qffoejkg.exe  3772
   - Executes dropped EXE
38  C:\Windows\SysWOW64\Ainnhdbp.exe  C:\Windows\system32\Ainnhdbp.exe  1304
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
39  C:\Windows\SysWOW64\Abgcqjhp.exe  C:\Windows\system32\Abgcqjhp.exe  2632
   - Executes dropped EXE
40  C:\Windows\SysWOW64\Bkhjpn32.exe  C:\Windows\system32\Bkhjpn32.exe  3092
   - Executes dropped EXE
41  C:\Windows\SysWOW64\Cfgace32.exe  C:\Windows\system32\Cfgace32.exe  2380
   - Executes dropped EXE
42  C:\Windows\SysWOW64\Cfljnejl.exe  C:\Windows\system32\Cfljnejl.exe  3748
   - Executes dropped EXE
43  C:\Windows\SysWOW64\Dngobghg.exe  C:\Windows\system32\Dngobghg.exe  2168
   - Executes dropped EXE
44  C:\Windows\SysWOW64\Eimlgnij.exe  C:\Windows\system32\Eimlgnij.exe  4392
   - Executes dropped EXE
45  C:\Windows\SysWOW64\Fhgccijm.exe  C:\Windows\system32\Fhgccijm.exe  1120
   - Executes dropped EXE
46  C:\Windows\SysWOW64\Fghcqq32.exe  C:\Windows\system32\Fghcqq32.exe  3916
   - Executes dropped EXE
47  C:\Windows\SysWOW64\Ggafgo32.exe  C:\Windows\system32\Ggafgo32.exe  4568
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
48  C:\Windows\SysWOW64\Hjpkjh32.exe  C:\Windows\system32\Hjpkjh32.exe  2820
   - Executes dropped EXE
49  C:\Windows\SysWOW64\Mmdlflki.exe  C:\Windows\system32\Mmdlflki.exe  4680
   - Executes dropped EXE
50  C:\Windows\SysWOW64\Mphamg32.exe  C:\Windows\system32\Mphamg32.exe  3140
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
51  C:\Windows\SysWOW64\Nagngjmj.exe  C:\Windows\system32\Nagngjmj.exe  2068
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
52  C:\Windows\SysWOW64\Nplkhf32.exe  C:\Windows\system32\Nplkhf32.exe  1568
   - Executes dropped EXE
53  C:\Windows\SysWOW64\Npognfpo.exe  C:\Windows\system32\Npognfpo.exe  4880
   - Executes dropped EXE
54  C:\Windows\SysWOW64\Nandhi32.exe  C:\Windows\system32\Nandhi32.exe  3496
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
55  C:\Windows\SysWOW64\Oiqomj32.exe  C:\Windows\system32\Oiqomj32.exe  3656
   - Executes dropped EXE
56  C:\Windows\SysWOW64\Odfcjc32.exe  C:\Windows\system32\Odfcjc32.exe  3908
   - Executes dropped EXE
57  C:\Windows\SysWOW64\Ahgamo32.exe  C:\Windows\system32\Ahgamo32.exe  216
   - Executes dropped EXE
58  C:\Windows\SysWOW64\Aglnnkid.exe  C:\Windows\system32\Aglnnkid.exe  4588
   - Executes dropped EXE
59  C:\Windows\SysWOW64\Aklciimh.exe  C:\Windows\system32\Aklciimh.exe  4744
   - Executes dropped EXE
   - Drops file in System32 directory
60  C:\Windows\SysWOW64\Cbfema32.exe  C:\Windows\system32\Cbfema32.exe  4804
   - Executes dropped EXE
61  C:\Windows\SysWOW64\Cnmebblf.exe  C:\Windows\system32\Cnmebblf.exe  3004
   - Executes dropped EXE
62  C:\Windows\SysWOW64\Cicjokll.exe  C:\Windows\system32\Cicjokll.exe  2256
   - Executes dropped EXE
63  C:\Windows\SysWOW64\Canocm32.exe  C:\Windows\system32\Canocm32.exe  4244
   - Executes dropped EXE
64  C:\Windows\SysWOW64\Dlmegd32.exe  C:\Windows\system32\Dlmegd32.exe  1752
   - Executes dropped EXE
65  C:\Windows\SysWOW64\Ebnddn32.exe  C:\Windows\system32\Ebnddn32.exe  4116
   - Executes dropped EXE
66  C:\Windows\SysWOW64\Enedio32.exe  C:\Windows\system32\Enedio32.exe  1948
67  C:\Windows\SysWOW64\Eeomfioh.exe  C:\Windows\system32\Eeomfioh.exe  1720
68  C:\Windows\SysWOW64\Eecfah32.exe  C:\Windows\system32\Eecfah32.exe  5032
69  C:\Windows\SysWOW64\Fejlbgek.exe  C:\Windows\system32\Fejlbgek.exe  3972
70  C:\Windows\SysWOW64\Femigg32.exe  C:\Windows\system32\Femigg32.exe  544
   - Adds autorun key to be loaded by Explorer.exe on startup
71  C:\Windows\SysWOW64\Gahcgg32.exe  C:\Windows\system32\Gahcgg32.exe  3328
72  C:\Windows\SysWOW64\Gkcdfl32.exe  C:\Windows\system32\Gkcdfl32.exe  3876
   - Modifies registry class
73  C:\Windows\SysWOW64\Ilcjgm32.exe  C:\Windows\system32\Ilcjgm32.exe  3052
74  C:\Windows\SysWOW64\Ikjcmi32.exe  C:\Windows\system32\Ikjcmi32.exe  2548
75  C:\Windows\SysWOW64\Kjcccm32.exe  C:\Windows\system32\Kjcccm32.exe  1676
76  C:\Windows\SysWOW64\Lpinac32.exe  C:\Windows\system32\Lpinac32.exe  640
77  C:\Windows\SysWOW64\Mjcljk32.exe  C:\Windows\system32\Mjcljk32.exe  4324
78  C:\Windows\SysWOW64\Mldhacpj.exe  C:\Windows\system32\Mldhacpj.exe  1916
79  C:\Windows\SysWOW64\Mlialb32.exe  C:\Windows\system32\Mlialb32.exe  4544
80  C:\Windows\SysWOW64\Nlknbb32.exe  C:\Windows\system32\Nlknbb32.exe  3444
81  C:\Windows\SysWOW64\Nffljjfc.exe  C:\Windows\system32\Nffljjfc.exe  4432
82  C:\Windows\SysWOW64\Nmbamdkm.exe  C:\Windows\system32\Nmbamdkm.exe  1188
83  C:\Windows\SysWOW64\Opcjno32.exe  C:\Windows\system32\Opcjno32.exe  3928
84  C:\Windows\SysWOW64\Omgjhc32.exe  C:\Windows\system32\Omgjhc32.exe  448
85  C:\Windows\SysWOW64\Odqbdnod.exe  C:\Windows\system32\Odqbdnod.exe  3712
86  C:\Windows\SysWOW64\Ollgiplp.exe  C:\Windows\system32\Ollgiplp.exe  4008
87  C:\Windows\SysWOW64\Oiphbd32.exe  C:\Windows\system32\Oiphbd32.exe  1336
88  C:\Windows\SysWOW64\Obhlkjaj.exe  C:\Windows\system32\Obhlkjaj.exe  3492
89  C:\Windows\SysWOW64\Pdlbpldg.exe  C:\Windows\system32\Pdlbpldg.exe  3084
90  C:\Windows\SysWOW64\Ppccemjk.exe  C:\Windows\system32\Ppccemjk.exe  1988
   - Drops file in System32 directory
91  C:\Windows\SysWOW64\Pgmkbg32.exe  C:\Windows\system32\Pgmkbg32.exe  4120
92  C:\Windows\SysWOW64\Qipqibmf.exe  C:\Windows\system32\Qipqibmf.exe  2368
   - Drops file in System32 directory
93  C:\Windows\SysWOW64\Qciebg32.exe  C:\Windows\system32\Qciebg32.exe  3244
94  C:\Windows\SysWOW64\Acmomgoa.exe  C:\Windows\system32\Acmomgoa.exe  4352
95  C:\Windows\SysWOW64\Ajggjq32.exe  C:\Windows\system32\Ajggjq32.exe  3576
96  C:\Windows\SysWOW64\Apfhajjf.exe  C:\Windows\system32\Apfhajjf.exe  3136
97  C:\Windows\SysWOW64\Anjikoip.exe  C:\Windows\system32\Anjikoip.exe  4584
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
98  C:\Windows\SysWOW64\Bjcfeola.exe  C:\Windows\system32\Bjcfeola.exe  2800
99  C:\Windows\SysWOW64\Bpmobi32.exe  C:\Windows\system32\Bpmobi32.exe  4656
   - Drops file in System32 directory
100  C:\Windows\SysWOW64\Bgggockk.exe  C:\Windows\system32\Bgggockk.exe  4608
   - Drops file in System32 directory
101  C:\Windows\SysWOW64\Bgicdc32.exe  C:\Windows\system32\Bgicdc32.exe  4440
102  C:\Windows\SysWOW64\Hecadm32.exe  C:\Windows\system32\Hecadm32.exe  2520
103  C:\Windows\SysWOW64\Ikpjmd32.exe  C:\Windows\system32\Ikpjmd32.exe  3008
104  C:\Windows\SysWOW64\Iefnjm32.exe  C:\Windows\system32\Iefnjm32.exe  5048
105  C:\Windows\SysWOW64\Imabnofj.exe  C:\Windows\system32\Imabnofj.exe  384
106  C:\Windows\SysWOW64\Ihfglhfp.exe  C:\Windows\system32\Ihfglhfp.exe  972
107  C:\Windows\SysWOW64\Ihicah32.exe  C:\Windows\system32\Ihicah32.exe  756
108  C:\Windows\SysWOW64\Iaahjmkn.exe  C:\Windows\system32\Iaahjmkn.exe  4592
109  C:\Windows\SysWOW64\Jklihbol.exe  C:\Windows\system32\Jklihbol.exe  4644
   - Drops file in System32 directory
   - Modifies registry class
110  C:\Windows\SysWOW64\Jeanfkob.exe  C:\Windows\system32\Jeanfkob.exe  1508
111  C:\Windows\SysWOW64\Jlkfbe32.exe  C:\Windows\system32\Jlkfbe32.exe  2192
112  C:\Windows\SysWOW64\Jdgjgh32.exe  C:\Windows\system32\Jdgjgh32.exe  4200
   - Adds autorun key to be loaded by Explorer.exe on startup
113  C:\Windows\SysWOW64\Jehcfj32.exe  C:\Windows\system32\Jehcfj32.exe  2812
114  C:\Windows\SysWOW64\Jlblcdpf.exe  C:\Windows\system32\Jlblcdpf.exe  5028
   - Drops file in System32 directory
115  C:\Windows\SysWOW64\Kleiid32.exe  C:\Windows\system32\Kleiid32.exe  3660
   - Modifies registry class
116  C:\Windows\SysWOW64\Knfepldb.exe  C:\Windows\system32\Knfepldb.exe  4476
117  C:\Windows\SysWOW64\Kklbop32.exe  C:\Windows\system32\Kklbop32.exe  60
118  C:\Windows\SysWOW64\Kbfjljhf.exe  C:\Windows\system32\Kbfjljhf.exe  2676
119  C:\Windows\SysWOW64\Khpcid32.exe  C:\Windows\system32\Khpcid32.exe  5160
120  C:\Windows\SysWOW64\Kojkeogp.exe  C:\Windows\system32\Kojkeogp.exe  5204
   - Adds autorun key to be loaded by Explorer.exe on startup
121  C:\Windows\SysWOW64\Kdgcne32.exe  C:\Windows\system32\Kdgcne32.exe  5392
   - Modifies registry class
122  C:\Windows\SysWOW64\Neclpamg.exe  C:\Windows\system32\Neclpamg.exe  5432
   - Drops file in System32 directory