Analysis
-
max time kernel
83s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2023, 00:49
Behavioral task
behavioral1
Sample
NEAS.9d224c1e617d56d68abb4c5e0c343470.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.9d224c1e617d56d68abb4c5e0c343470.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.9d224c1e617d56d68abb4c5e0c343470.exe
-
Size
155KB
-
MD5
9d224c1e617d56d68abb4c5e0c343470
-
SHA1
db1a013df30b88c6fc8bb4a51e0bf8dbe619c59f
-
SHA256
9ec6172aa680f4b2d2c44269b90e2f62bf2b3677dae8c01dc459ee1fb4e701ed
-
SHA512
02df21b9d9b0ddb3f714593b6911aad7104a7e7470bd3c99d3a9157bdd4ef59ee21ae4853e24f1721d35c92dd87c3143ed1d99f975dee80cb8f60a6508986e8c
-
SSDEEP
3072:q/UowP9cSJ1Hhwl5nOF7vFIaW5IDpY3rrEznYfzB9BSwWO:CUowlj1Hs5nOF7vFITn3rrYOzLcK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdkdbgpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oajccgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hahlnefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dknnoofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdmaoahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhjeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndnnianm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmphjfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gedfblql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gheodg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbiejoaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iondqhpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcgdhkem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mojopk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnoip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebcop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkdof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaihonhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilcjgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Logicn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boaeioej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkmjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eonmkkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcblpdgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hefnkkkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdlbpldg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Offeahhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chglab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llmbqdfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikcmmjkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kblkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akhcfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nceefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmpbkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgfbbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndnnianm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojigdcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igqbiacj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okneldkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqpapacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbhcdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jldbpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkiaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqbpahpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnopbdl.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/1776-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cd2-6.dat family_berbew behavioral2/files/0x0006000000022cd2-8.dat family_berbew behavioral2/memory/4908-7-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000022cce-15.dat family_berbew behavioral2/memory/4196-16-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000022cce-14.dat family_berbew behavioral2/files/0x0008000000022cd0-22.dat family_berbew behavioral2/memory/5032-23-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000022cd0-24.dat family_berbew behavioral2/files/0x0009000000022cd4-30.dat family_berbew behavioral2/memory/224-31-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0009000000022cd4-32.dat family_berbew behavioral2/files/0x0006000000022cd6-38.dat family_berbew behavioral2/memory/3728-39-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cd6-40.dat family_berbew behavioral2/files/0x0006000000022cd8-46.dat family_berbew behavioral2/memory/2216-47-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cd8-48.dat family_berbew behavioral2/files/0x0006000000022cda-54.dat family_berbew behavioral2/memory/2696-55-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cda-56.dat family_berbew behavioral2/files/0x0009000000022bd6-62.dat family_berbew behavioral2/files/0x0009000000022bd6-64.dat family_berbew behavioral2/memory/3248-63-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cdd-70.dat family_berbew behavioral2/files/0x0006000000022cdd-72.dat family_berbew behavioral2/memory/3952-71-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cdf-78.dat family_berbew behavioral2/memory/3276-79-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cdf-80.dat family_berbew behavioral2/files/0x0006000000022ce1-86.dat family_berbew behavioral2/files/0x0006000000022ce1-88.dat family_berbew behavioral2/memory/1788-87-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/2840-95-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce3-96.dat family_berbew behavioral2/files/0x0006000000022ce3-94.dat family_berbew behavioral2/files/0x0006000000022ce5-102.dat family_berbew behavioral2/files/0x0006000000022ce5-103.dat family_berbew behavioral2/memory/4580-104-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce7-110.dat family_berbew behavioral2/memory/4940-111-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce7-112.dat family_berbew behavioral2/files/0x0006000000022cea-118.dat family_berbew behavioral2/memory/4220-120-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cea-119.dat family_berbew behavioral2/memory/460-128-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cec-127.dat family_berbew behavioral2/files/0x0006000000022cec-126.dat family_berbew behavioral2/files/0x0006000000022cee-134.dat family_berbew behavioral2/files/0x0006000000022cee-135.dat family_berbew behavioral2/memory/960-136-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf0-142.dat family_berbew behavioral2/memory/2420-144-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf0-143.dat family_berbew behavioral2/files/0x0006000000022cf2-151.dat family_berbew behavioral2/memory/4136-152-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf2-150.dat family_berbew behavioral2/files/0x0006000000022cf6-158.dat family_berbew behavioral2/memory/3844-160-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf6-159.dat family_berbew behavioral2/files/0x0006000000022cf9-166.dat family_berbew behavioral2/files/0x0006000000022cf9-167.dat family_berbew behavioral2/memory/4356-168-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4908 Hammhcij.exe 4196 Hkgnfhnh.exe 5032 Hjlkge32.exe 224 Ijogmdqm.exe 3728 Iahlcaol.exe 2216 Ijfnmc32.exe 2696 Indfca32.exe 3248 Jnfcia32.exe 3952 Jjmcnbdm.exe 3276 Jjopcb32.exe 1788 Jbiejoaj.exe 2840 Jgenbfoa.exe 4580 Kghjhemo.exe 4940 Kiggbhda.exe 4220 Kbbhqn32.exe 460 Kjmmepfj.exe 960 Kinmcg32.exe 2420 Lajagj32.exe 4136 Licfngjd.exe 3844 Lbkkgl32.exe 4356 Lnbklm32.exe 3904 Llflea32.exe 3464 Mhoipb32.exe 3192 Mlmbfqoj.exe 4708 Mjbogmdb.exe 2388 Mjellmbp.exe 944 Mldhfpib.exe 4144 Nbqmiinl.exe 3852 Nognnj32.exe 4376 Nhbolp32.exe 4864 Nhdlao32.exe 4972 Ohghgodi.exe 3236 Oekiqccc.exe 2908 Oldamm32.exe 5084 Olgncmim.exe 1928 Obafpg32.exe 4944 Oohgdhfn.exe 3456 Oimkbaed.exe 3696 Plndcl32.exe 740 Poomegpf.exe 3776 Pidabppl.exe 852 Pekbga32.exe 4928 Qofcff32.exe 4284 Qebhhp32.exe 5104 Aojlaeei.exe 3988 Aomifecf.exe 3768 Akcjkfij.exe 236 Acmobchj.exe 4932 Akhcfe32.exe 700 Boflmdkk.exe 4952 Bohibc32.exe 2208 Bmlilh32.exe 2300 Bkafmd32.exe 3948 Bkdcbd32.exe 1084 Cfigpm32.exe 1496 Cbphdn32.exe 1412 Codhnb32.exe 4612 Dfjpfj32.exe 4008 Dpbdopck.exe 5092 Dflmlj32.exe 4608 Dcpmen32.exe 760 Dmhand32.exe 3064 Ebejfk32.exe 2524 Epikpo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mmpmnl32.exe Mjodla32.exe File created C:\Windows\SysWOW64\Indfca32.exe Ijfnmc32.exe File created C:\Windows\SysWOW64\Ohghgodi.exe Nhdlao32.exe File created C:\Windows\SysWOW64\Codhnb32.exe Cbphdn32.exe File created C:\Windows\SysWOW64\Fjadje32.exe Fjohde32.exe File created C:\Windows\SysWOW64\Phdpmbnc.dll Kmaopfjm.exe File created C:\Windows\SysWOW64\Ocknbglo.exe Odjmdocp.exe File opened for modification C:\Windows\SysWOW64\Dibdeegc.exe Dmkcpdao.exe File opened for modification C:\Windows\SysWOW64\Dnnoip32.exe Process not Found File created C:\Windows\SysWOW64\Jongga32.dll Gehbjm32.exe File created C:\Windows\SysWOW64\Lmaamn32.exe Lqkqhm32.exe File created C:\Windows\SysWOW64\Ofmdio32.exe Oclkgccf.exe File opened for modification C:\Windows\SysWOW64\Eahobg32.exe Egbken32.exe File created C:\Windows\SysWOW64\Hegmlnbp.exe Hchqbkkm.exe File created C:\Windows\SysWOW64\Mmahff32.exe Mpnglbkf.exe File created C:\Windows\SysWOW64\Cfapoa32.dll Bohibc32.exe File created C:\Windows\SysWOW64\Ogeacidl.dll Filapfbo.exe File opened for modification C:\Windows\SysWOW64\Gqkhda32.exe Gkoplk32.exe File created C:\Windows\SysWOW64\Djbehfpe.dll Cpnpqakp.exe File opened for modification C:\Windows\SysWOW64\Jihngboe.exe Process not Found File created C:\Windows\SysWOW64\Kmbniiil.dll Mdaqhf32.exe File created C:\Windows\SysWOW64\Hfgohepp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jbiejoaj.exe Jjopcb32.exe File created C:\Windows\SysWOW64\Jiejjepo.dll Hlbcnd32.exe File created C:\Windows\SysWOW64\Aeodmbol.dll Pidlqb32.exe File created C:\Windows\SysWOW64\Ofjljj32.dll Egegjn32.exe File created C:\Windows\SysWOW64\Ndpjnq32.exe Nocbfjmc.exe File created C:\Windows\SysWOW64\Hhlnjpdi.exe Process not Found File created C:\Windows\SysWOW64\Dflmlj32.exe Dpbdopck.exe File opened for modification C:\Windows\SysWOW64\Ffmfchle.exe Efjimhnh.exe File created C:\Windows\SysWOW64\Ihjoke32.dll Iialhaad.exe File created C:\Windows\SysWOW64\Hchqbkkm.exe Hgapmj32.exe File created C:\Windows\SysWOW64\Pmhkflnj.exe Pbbgicnd.exe File created C:\Windows\SysWOW64\Nqdmimbf.dll Glipgf32.exe File created C:\Windows\SysWOW64\Hpchib32.exe Hblkjo32.exe File opened for modification C:\Windows\SysWOW64\Kmlgcf32.exe Lhjeoc32.exe File created C:\Windows\SysWOW64\Ngnppfgb.exe Nemchn32.exe File opened for modification C:\Windows\SysWOW64\Kicfijal.exe Kkofofbb.exe File created C:\Windows\SysWOW64\Ppdpcn32.dll Dnghhqdk.exe File created C:\Windows\SysWOW64\Hifmmb32.exe Hlblcn32.exe File created C:\Windows\SysWOW64\Kmncif32.exe Lnfngj32.exe File created C:\Windows\SysWOW64\Popdldep.dll Process not Found File created C:\Windows\SysWOW64\Nmpkakak.exe Najjmjkg.exe File created C:\Windows\SysWOW64\Qolmplcl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Icdheded.exe Hcblpdgg.exe File opened for modification C:\Windows\SysWOW64\Mhoind32.exe Mmiealgc.exe File created C:\Windows\SysWOW64\Nnmile32.dll Process not Found File created C:\Windows\SysWOW64\Fikihlmj.exe Fpcdof32.exe File created C:\Windows\SysWOW64\Iameid32.exe Ikcmmjkb.exe File created C:\Windows\SysWOW64\Cipokd32.dll Kblkap32.exe File opened for modification C:\Windows\SysWOW64\Pmhbqbae.exe Oqoefand.exe File created C:\Windows\SysWOW64\Egbken32.exe Ekljpm32.exe File opened for modification C:\Windows\SysWOW64\Mhiabbdi.exe Moalil32.exe File created C:\Windows\SysWOW64\Ioaegj32.dll Mpchbhjl.exe File opened for modification C:\Windows\SysWOW64\Bclppboi.exe Cgecpa32.exe File opened for modification C:\Windows\SysWOW64\Gpodkdll.exe Geipnl32.exe File created C:\Windows\SysWOW64\Lpjelibg.exe Lipmoo32.exe File created C:\Windows\SysWOW64\Egjoqncg.dll Aomifecf.exe File created C:\Windows\SysWOW64\Edmpgp32.dll Dflmlj32.exe File created C:\Windows\SysWOW64\Lbflncid.dll Hdhedh32.exe File opened for modification C:\Windows\SysWOW64\Fjjjgh32.exe Fdmaoahm.exe File created C:\Windows\SysWOW64\Kblpcndd.exe Khfkfedn.exe File created C:\Windows\SysWOW64\Lmfhjhdm.exe Lcndab32.exe File created C:\Windows\SysWOW64\Eklgldgf.dll Kkofofbb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgaff32.dll" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjpknni.dll" Gbabigfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfokoelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmphjfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplbgk32.dll" Lajagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abakhdbk.dll" Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjafgpmo.dll" Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafkmp32.dll" Jldbpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnhgglaj.dll" Aidehpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll" Dgihop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jenmcggo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpfgmnfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dolmodpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mccokj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkehhpn.dll" Iejgelej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nceefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amfobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnoffic.dll" Kbgfhnhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eleimp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emeffcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdpcn32.dll" Dnghhqdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgnka32.dll" Ifnkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihejacdm.dll" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Filapfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abemep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbqinm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdgolq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgdii32.dll" Oajccgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbkfqkc.dll" Hifaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khabke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmphblgf.dll" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkhop32.dll" Afcmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlblcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngkpgkbd.dll" Nfiagd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofmbkipk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Offeahhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnblp32.dll" Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofkjd32.dll" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmepam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnjfh32.dll" Pphlpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popdldep.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpdko32.dll" Cnindhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egcaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhmea32.dll" Ihheqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmbfiokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnglpdin.dll" Agiahlkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modffifb.dll" Ppccemjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanhkb32.dll" Aeopfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpgihh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll" Eahobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjlkge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edplhjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifnkeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjjnifbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdibmjj.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1776 wrote to memory of 4908 1776 NEAS.9d224c1e617d56d68abb4c5e0c343470.exe 93 PID 1776 wrote to memory of 4908 1776 NEAS.9d224c1e617d56d68abb4c5e0c343470.exe 93 PID 1776 wrote to memory of 4908 1776 NEAS.9d224c1e617d56d68abb4c5e0c343470.exe 93 PID 4908 wrote to memory of 4196 4908 Hammhcij.exe 94 PID 4908 wrote to memory of 4196 4908 Hammhcij.exe 94 PID 4908 wrote to memory of 4196 4908 Hammhcij.exe 94 PID 4196 wrote to memory of 5032 4196 Hkgnfhnh.exe 95 PID 4196 wrote to memory of 5032 4196 Hkgnfhnh.exe 95 PID 4196 wrote to memory of 5032 4196 Hkgnfhnh.exe 95 PID 5032 wrote to memory of 224 5032 Hjlkge32.exe 96 PID 5032 wrote to memory of 224 5032 Hjlkge32.exe 96 PID 5032 wrote to memory of 224 5032 Hjlkge32.exe 96 PID 224 wrote to memory of 3728 224 Ijogmdqm.exe 97 PID 224 wrote to memory of 3728 224 Ijogmdqm.exe 97 PID 224 wrote to memory of 3728 224 Ijogmdqm.exe 97 PID 3728 wrote to memory of 2216 3728 Iahlcaol.exe 98 PID 3728 wrote to memory of 2216 3728 Iahlcaol.exe 98 PID 3728 wrote to memory of 2216 3728 Iahlcaol.exe 98 PID 2216 wrote to memory of 2696 2216 Ijfnmc32.exe 99 PID 2216 wrote to memory of 2696 2216 Ijfnmc32.exe 99 PID 2216 wrote to memory of 2696 2216 Ijfnmc32.exe 99 PID 2696 wrote to memory of 3248 2696 Indfca32.exe 100 PID 2696 wrote to memory of 3248 2696 Indfca32.exe 100 PID 2696 wrote to memory of 3248 2696 Indfca32.exe 100 PID 3248 wrote to memory of 3952 3248 Jnfcia32.exe 101 PID 3248 wrote to memory of 3952 3248 Jnfcia32.exe 101 PID 3248 wrote to memory of 3952 3248 Jnfcia32.exe 101 PID 3952 wrote to memory of 3276 3952 Jjmcnbdm.exe 102 PID 3952 wrote to memory of 3276 3952 Jjmcnbdm.exe 102 PID 3952 wrote to memory of 3276 3952 Jjmcnbdm.exe 102 PID 3276 wrote to memory of 1788 3276 Jjopcb32.exe 103 PID 3276 wrote to memory of 1788 3276 Jjopcb32.exe 103 PID 3276 wrote to memory of 1788 3276 Jjopcb32.exe 103 PID 1788 wrote to memory of 2840 1788 Jbiejoaj.exe 104 PID 1788 wrote to memory of 2840 1788 Jbiejoaj.exe 104 PID 1788 wrote to memory of 2840 1788 Jbiejoaj.exe 104 PID 2840 wrote to memory of 4580 2840 Jgenbfoa.exe 105 PID 2840 wrote to memory of 4580 2840 Jgenbfoa.exe 105 PID 2840 wrote to memory of 4580 2840 Jgenbfoa.exe 105 PID 4580 wrote to memory of 4940 4580 Kghjhemo.exe 106 PID 4580 wrote to memory of 4940 4580 Kghjhemo.exe 106 PID 4580 wrote to memory of 4940 4580 Kghjhemo.exe 106 PID 4940 wrote to memory of 4220 4940 Kiggbhda.exe 107 PID 4940 wrote to memory of 4220 4940 Kiggbhda.exe 107 PID 4940 wrote to memory of 4220 4940 Kiggbhda.exe 107 PID 4220 wrote to memory of 460 4220 Kbbhqn32.exe 108 PID 4220 wrote to memory of 460 4220 Kbbhqn32.exe 108 PID 4220 wrote to memory of 460 4220 Kbbhqn32.exe 108 PID 460 wrote to memory of 960 460 Kjmmepfj.exe 109 PID 460 wrote to memory of 960 460 Kjmmepfj.exe 109 PID 460 wrote to memory of 960 460 Kjmmepfj.exe 109 PID 960 wrote to memory of 2420 960 Kinmcg32.exe 110 PID 960 wrote to memory of 2420 960 Kinmcg32.exe 110 PID 960 wrote to memory of 2420 960 Kinmcg32.exe 110 PID 2420 wrote to memory of 4136 2420 Lajagj32.exe 111 PID 2420 wrote to memory of 4136 2420 Lajagj32.exe 111 PID 2420 wrote to memory of 4136 2420 Lajagj32.exe 111 PID 4136 wrote to memory of 3844 4136 Licfngjd.exe 112 PID 4136 wrote to memory of 3844 4136 Licfngjd.exe 112 PID 4136 wrote to memory of 3844 4136 Licfngjd.exe 112 PID 3844 wrote to memory of 4356 3844 Lbkkgl32.exe 113 PID 3844 wrote to memory of 4356 3844 Lbkkgl32.exe 113 PID 3844 wrote to memory of 4356 3844 Lbkkgl32.exe 113 PID 4356 wrote to memory of 3904 4356 Lnbklm32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9d224c1e617d56d68abb4c5e0c343470.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9d224c1e617d56d68abb4c5e0c343470.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe23⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe25⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe26⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe27⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe28⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe29⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe30⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe31⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4864 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe33⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe34⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe35⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe36⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe37⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe38⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe39⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe40⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe41⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe42⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe44⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe45⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe46⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe48⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe49⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe51⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4952 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe53⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe54⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe55⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe56⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe58⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe59⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4008 -
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe62⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe63⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe64⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe65⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe66⤵PID:2304
-
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe67⤵PID:3132
-
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe68⤵PID:4820
-
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe69⤵
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe70⤵
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe71⤵PID:4692
-
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe72⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe73⤵PID:5176
-
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe74⤵PID:5224
-
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe75⤵PID:5272
-
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe76⤵
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe77⤵PID:5368
-
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe78⤵PID:5408
-
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe79⤵PID:5452
-
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe80⤵
- Modifies registry class
PID:5492 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe81⤵PID:5536
-
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe82⤵
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe83⤵PID:5632
-
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe84⤵
- Modifies registry class
PID:5676 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe85⤵PID:5720
-
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe86⤵PID:5764
-
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe87⤵PID:5808
-
C:\Windows\SysWOW64\Hmnmgnoh.exeC:\Windows\system32\Hmnmgnoh.exe88⤵PID:5852
-
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe89⤵
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe90⤵PID:5936
-
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe91⤵PID:5980
-
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe92⤵PID:6024
-
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe93⤵PID:6072
-
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6116 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe95⤵
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe96⤵PID:5208
-
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe97⤵PID:5296
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe98⤵
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe99⤵PID:5436
-
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe100⤵PID:5528
-
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe101⤵PID:5612
-
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe102⤵PID:5672
-
C:\Windows\SysWOW64\Idkkpf32.exeC:\Windows\system32\Idkkpf32.exe103⤵PID:5756
-
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe104⤵PID:5820
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe105⤵PID:5896
-
C:\Windows\SysWOW64\Jdodkebj.exeC:\Windows\system32\Jdodkebj.exe106⤵PID:5960
-
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6032 -
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe108⤵PID:6128
-
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe109⤵PID:5240
-
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe110⤵PID:2732
-
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe111⤵PID:5472
-
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe112⤵
- Modifies registry class
PID:5600 -
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe113⤵
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe114⤵PID:5848
-
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe115⤵PID:5968
-
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe116⤵PID:6044
-
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5280 -
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe118⤵PID:5460
-
C:\Windows\SysWOW64\Kdpmbc32.exeC:\Windows\system32\Kdpmbc32.exe119⤵PID:5688
-
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe120⤵PID:5816
-
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5944
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-