Analysis

max time kernel: 158s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2023, 13:54
Behavioral task: behavioral1
Sample: NEAS.c7459ed66441d9238f2b427f6004da87.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.c7459ed66441d9238f2b427f6004da87.exe
Resource: win10v2004-20231023-en
General

Target: NEAS.c7459ed66441d9238f2b427f6004da87.exe
Size: 519KB
MD5: c7459ed66441d9238f2b427f6004da87
SHA1: 39303dc23a070836ca17353c95f84b8f55f2fed9
SHA256: 26c334b40950ed5f9ddda1a5312552406e54fa8884217f733f1b4c6d1cd5235c
SHA512: f3421eb646096919188b4111b0d4e4d1b5e4af842699df2d5fde476ed3bd909e2dc6cb69d4736a1c26345580e44ad1876612d57a90e03d9c600a13d0f1ef19ba
SSDEEP: 12288:gc91XgjMmmpNs/VXMmmg8MmmpNs/VXMmmzv6:51X1EdAgxEdAzv6
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Each parent process appears three times for the same child (three separate WriteProcessMemory calls into the freshly created child); the final pair 4288 -> 4944 appears only once because the listing stops at 64 entries. Read together, the rows form a single linear chain: the submitted sample writes into Klbnajqc.exe, which writes into Lljdai32.exe, and so on down to Khdoqefq.exe writing into PID 4944.

description                          pid   Process                                      procid_target
PID 4400 wrote to memory of 3340     4400  NEAS.c7459ed66441d9238f2b427f6004da87.exe    89
PID 4400 wrote to memory of 3340     4400  NEAS.c7459ed66441d9238f2b427f6004da87.exe    89
PID 4400 wrote to memory of 3340     4400  NEAS.c7459ed66441d9238f2b427f6004da87.exe    89
PID 3340 wrote to memory of 2512     3340  Klbnajqc.exe                                 90
PID 3340 wrote to memory of 2512     3340  Klbnajqc.exe                                 90
PID 3340 wrote to memory of 2512     3340  Klbnajqc.exe                                 90
PID 2512 wrote to memory of 2784     2512  Lljdai32.exe                                 91
PID 2512 wrote to memory of 2784     2512  Lljdai32.exe                                 91
PID 2512 wrote to memory of 2784     2512  Lljdai32.exe                                 91
PID 2784 wrote to memory of 1752     2784  Mhanngbl.exe                                 93
PID 2784 wrote to memory of 1752     2784  Mhanngbl.exe                                 93
PID 2784 wrote to memory of 1752     2784  Mhanngbl.exe                                 93
PID 1752 wrote to memory of 1644     1752  Nciopppp.exe                                 94
PID 1752 wrote to memory of 1644     1752  Nciopppp.exe                                 94
PID 1752 wrote to memory of 1644     1752  Nciopppp.exe                                 94
PID 1644 wrote to memory of 768      1644  Nfnamjhk.exe                                 95
PID 1644 wrote to memory of 768      1644  Nfnamjhk.exe                                 95
PID 1644 wrote to memory of 768      1644  Nfnamjhk.exe                                 95
PID 768 wrote to memory of 3828      768   Ookoaokf.exe                                 96
PID 768 wrote to memory of 3828      768   Ookoaokf.exe                                 96
PID 768 wrote to memory of 3828      768   Ookoaokf.exe                                 96
PID 3828 wrote to memory of 892      3828  Omfekbdh.exe                                 97
PID 3828 wrote to memory of 892      3828  Omfekbdh.exe                                 97
PID 3828 wrote to memory of 892      3828  Omfekbdh.exe                                 97
PID 892 wrote to memory of 2332      892   Paihlpfi.exe                                 98
PID 892 wrote to memory of 2332      892   Paihlpfi.exe                                 98
PID 892 wrote to memory of 2332      892   Paihlpfi.exe                                 98
PID 2332 wrote to memory of 2572     2332  Amkhmoap.exe                                 99
PID 2332 wrote to memory of 2572     2332  Amkhmoap.exe                                 99
PID 2332 wrote to memory of 2572     2332  Amkhmoap.exe                                 99
PID 2572 wrote to memory of 4072     2572  Aidehpea.exe                                 100
PID 2572 wrote to memory of 4072     2572  Aidehpea.exe                                 100
PID 2572 wrote to memory of 4072     2572  Aidehpea.exe                                 100
PID 4072 wrote to memory of 4336     4072  Bbdpad32.exe                                 101
PID 4072 wrote to memory of 4336     4072  Bbdpad32.exe                                 101
PID 4072 wrote to memory of 4336     4072  Bbdpad32.exe                                 101
PID 4336 wrote to memory of 1372     4336  Cpljehpo.exe                                 102
PID 4336 wrote to memory of 1372     4336  Cpljehpo.exe                                 102
PID 4336 wrote to memory of 1372     4336  Cpljehpo.exe                                 102
PID 1372 wrote to memory of 3948     1372  Egnajocq.exe                                 103
PID 1372 wrote to memory of 3948     1372  Egnajocq.exe                                 103
PID 1372 wrote to memory of 3948     1372  Egnajocq.exe                                 103
PID 3948 wrote to memory of 4000     3948  Fjhmbihg.exe                                 104
PID 3948 wrote to memory of 4000     3948  Fjhmbihg.exe                                 104
PID 3948 wrote to memory of 4000     3948  Fjhmbihg.exe                                 104
PID 4000 wrote to memory of 4652     4000  Hkjohi32.exe                                 105
PID 4000 wrote to memory of 4652     4000  Hkjohi32.exe                                 105
PID 4000 wrote to memory of 4652     4000  Hkjohi32.exe                                 105
PID 4652 wrote to memory of 1832     4652  Hgeihiac.exe                                 106
PID 4652 wrote to memory of 1832     4652  Hgeihiac.exe                                 106
PID 4652 wrote to memory of 1832     4652  Hgeihiac.exe                                 106
PID 1832 wrote to memory of 3108     1832  Ieqpbm32.exe                                 107
PID 1832 wrote to memory of 3108     1832  Ieqpbm32.exe                                 107
PID 1832 wrote to memory of 3108     1832  Ieqpbm32.exe                                 107
PID 3108 wrote to memory of 1620     3108  Jbijgp32.exe                                 108
PID 3108 wrote to memory of 1620     3108  Jbijgp32.exe                                 108
PID 3108 wrote to memory of 1620     3108  Jbijgp32.exe                                 108
PID 1620 wrote to memory of 3368     1620  Jacpcl32.exe                                 109
PID 1620 wrote to memory of 3368     1620  Jacpcl32.exe                                 109
PID 1620 wrote to memory of 3368     1620  Jacpcl32.exe                                 109
PID 3368 wrote to memory of 4288     3368  Kbeibo32.exe                                 110
PID 3368 wrote to memory of 4288     3368  Kbeibo32.exe                                 110
PID 3368 wrote to memory of 4288     3368  Kbeibo32.exe                                 110
PID 4288 wrote to memory of 4944     4288  Khdoqefq.exe                                 111
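The rows above are easier to reason about as a graph than as a list. The following Python script is an added example for this report, not part of the sandbox output: it parses rows in the "PID <src> wrote to memory of <dst> <pid> <Process> <procid_target>" layout shown above, rebuilds the parent-to-child chain, counts the WriteProcessMemory calls per pair, and refuses to produce a chain if a parent wrote into more than one child or if the data loops back on itself (which is what PID reuse looks like in this kind of listing). The embedded sample rows are copied from the first four parent/child pairs in the list above; the header line is included to show that non-IoC lines are skipped.

```python
"""Reconstruct the parent -> child process chain from sandbox
"Suspicious use of WriteProcessMemory" IoC rows.

Added example; the row grammar assumed here is the one visible in the
report:  PID <src> wrote to memory of <dst> <pid> <Process> <procid_target>
"""
import re
from collections import Counter, defaultdict

IOC_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<image>\S+)\s+(?P<target>\d+)$"
)

# Copied from the report's IoC list (first four pairs), plus its header row.
SAMPLE_IOCS = """\
description pid Process procid_target
PID 4400 wrote to memory of 3340 4400 NEAS.c7459ed66441d9238f2b427f6004da87.exe 89
PID 4400 wrote to memory of 3340 4400 NEAS.c7459ed66441d9238f2b427f6004da87.exe 89
PID 4400 wrote to memory of 3340 4400 NEAS.c7459ed66441d9238f2b427f6004da87.exe 89
PID 3340 wrote to memory of 2512 3340 Klbnajqc.exe 90
PID 3340 wrote to memory of 2512 3340 Klbnajqc.exe 90
PID 3340 wrote to memory of 2512 3340 Klbnajqc.exe 90
PID 2512 wrote to memory of 2784 2512 Lljdai32.exe 91
PID 2512 wrote to memory of 2784 2512 Lljdai32.exe 91
PID 2512 wrote to memory of 2784 2512 Lljdai32.exe 91
PID 2784 wrote to memory of 1752 2784 Mhanngbl.exe 93
PID 2784 wrote to memory of 1752 2784 Mhanngbl.exe 93
PID 2784 wrote to memory of 1752 2784 Mhanngbl.exe 93
"""


def parse_iocs(text):
    """Return (edges, writes, image).

    edges  : src pid -> set of dst pids it wrote into
    writes : Counter of WriteProcessMemory calls per (src, dst) pair
    image  : src pid -> image name reported for that writer
    Lines that do not match the row grammar (headers, noise) are ignored.
    """
    edges = defaultdict(set)
    writes = Counter()
    image = {}
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[src].add(dst)
        writes[(src, dst)] += 1
        image[src] = m["image"]
    return edges, writes, image


def process_chain(edges, image):
    """Walk from the single root writer down the tree.

    Returns [(pid, image_or_None), ...]; the leaf's image is None because a
    process that never wrote into anyone has no row of its own. Raises
    ValueError if there is not exactly one root, if a parent wrote into more
    than one child (the chain forks), or if the walk revisits a PID (a loop,
    typically caused by PID reuse within the run).
    """
    children = {d for ds in edges.values() for d in ds}
    roots = sorted(p for p in edges if p not in children)
    if len(roots) != 1:
        raise ValueError(f"expected a single root writer, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid in edges:
        if pid in seen:
            raise ValueError(f"loop at PID {pid}: PID reused during the run?")
        seen.add(pid)
        kids = edges[pid]
        if len(kids) != 1:
            raise ValueError(f"PID {pid} wrote into several processes: {sorted(kids)}")
        chain.append((pid, image[pid]))
        pid = next(iter(kids))
    chain.append((pid, image.get(pid)))
    return chain


if __name__ == "__main__":
    edges, writes, image = parse_iocs(SAMPLE_IOCS)
    for pid, name in process_chain(edges, image):
        print(pid, name or "<leaf>")
    for (src, dst), n in sorted(writes.items()):
        print(f"{src} -> {dst}: {n} WriteProcessMemory call(s)")
```

Running it on the full 64-row list above yields a 22-edge chain from PID 4400 to PID 4944 with three writes per edge except the last; if a future report contains a reused PID (as PID 2572 is in the process tree below), the loop check fails loudly instead of walking forever.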
Processes
-
The tree is a single chain 122 processes deep: the submitted sample launches the first dropped executable, which launches the next, and so on (matching the WriteProcessMemory chain above). Each row gives the tree depth (the report's "N⤵" marker), the PID, the on-disk image, and the signatures the sandbox attached to that process. Every process from depth 2 onward was started with the command line C:\Windows\system32\<name>.exe; the image path resolves to C:\Windows\SysWOW64\ because these are 32-bit processes on 64-bit Windows and the WOW64 file system redirector maps system32 to SysWOW64 for them.

Two caveats when reading the tree. First, PID 2572 appears twice (depth 11, Aidehpea.exe, and depth 119, Ljjicl32.exe): the earlier process had exited and Windows reused the PID, so a PID alone does not identify a process across the run. Second, "Executes dropped EXE" is attached to exactly the 64 processes at depths 2 to 65, and "Suspicious use of WriteProcessMemory" stops at depth 22, where its 64 listed IoCs end; the missing tags further down the chain reflect the report's per-signature listing limit, not a change in behaviour.

Signature legend:
  WPM       Suspicious use of WriteProcessMemory
  EDE       Executes dropped EXE
  AUTORUN   Adds autorun key to be loaded by Explorer.exe on startup
  REGCLASS  Modifies registry class
  DROPSYS32 Drops file in System32 directory

depth  PID   image                                                                     signatures
    1  4400  C:\Users\Admin\AppData\Local\Temp\NEAS.c7459ed66441d9238f2b427f6004da87.exe  WPM
             (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c7459ed66441d9238f2b427f6004da87.exe")
    2  3340  C:\Windows\SysWOW64\Klbnajqc.exe                                          EDE; WPM
    3  2512  C:\Windows\SysWOW64\Lljdai32.exe                                          EDE; WPM
    4  2784  C:\Windows\SysWOW64\Mhanngbl.exe                                          EDE; WPM
    5  1752  C:\Windows\SysWOW64\Nciopppp.exe                                          EDE; WPM
    6  1644  C:\Windows\SysWOW64\Nfnamjhk.exe                                          EDE; WPM
    7  768   C:\Windows\SysWOW64\Ookoaokf.exe                                          AUTORUN; EDE; WPM
    8  3828  C:\Windows\SysWOW64\Omfekbdh.exe                                          EDE; WPM
    9  892   C:\Windows\SysWOW64\Paihlpfi.exe                                          EDE; WPM
   10  2332  C:\Windows\SysWOW64\Amkhmoap.exe                                          EDE; WPM
   11  2572  C:\Windows\SysWOW64\Aidehpea.exe                                          EDE; WPM
   12  4072  C:\Windows\SysWOW64\Bbdpad32.exe                                          EDE; WPM
   13  4336  C:\Windows\SysWOW64\Cpljehpo.exe                                          EDE; WPM
   14  1372  C:\Windows\SysWOW64\Egnajocq.exe                                          EDE; WPM
   15  3948  C:\Windows\SysWOW64\Fjhmbihg.exe                                          EDE; REGCLASS; WPM
   16  4000  C:\Windows\SysWOW64\Hkjohi32.exe                                          EDE; WPM
   17  4652  C:\Windows\SysWOW64\Hgeihiac.exe                                          AUTORUN; EDE; WPM
   18  1832  C:\Windows\SysWOW64\Ieqpbm32.exe                                          EDE; WPM
   19  3108  C:\Windows\SysWOW64\Jbijgp32.exe                                          EDE; DROPSYS32; REGCLASS; WPM
   20  1620  C:\Windows\SysWOW64\Jacpcl32.exe                                          EDE; WPM
   21  3368  C:\Windows\SysWOW64\Kbeibo32.exe                                          EDE; WPM
   22  4288  C:\Windows\SysWOW64\Khdoqefq.exe                                          EDE; WPM
   23  4944  C:\Windows\SysWOW64\Mhiabbdi.exe                                          EDE
   24  4880  C:\Windows\SysWOW64\Mojopk32.exe                                          EDE
   25  4808  C:\Windows\SysWOW64\Ndidna32.exe                                          EDE
   26  2464  C:\Windows\SysWOW64\Nhlfoodc.exe                                          EDE
   27  500   C:\Windows\SysWOW64\Oljoen32.exe                                          EDE; REGCLASS
   28  4940  C:\Windows\SysWOW64\Obkahddl.exe                                          EDE
   29  1632  C:\Windows\SysWOW64\Abpcja32.exe                                          EDE
   30  380   C:\Windows\SysWOW64\Aeffgkkp.exe                                          EDE; REGCLASS
   31  404   C:\Windows\SysWOW64\Beoimjce.exe                                          EDE
   32  780   C:\Windows\SysWOW64\Bpemkcck.exe                                          EDE
   33  1396  C:\Windows\SysWOW64\Cekhihig.exe                                          AUTORUN; EDE
   34  4332  C:\Windows\SysWOW64\Dmifkecb.exe                                          EDE
   35  560   C:\Windows\SysWOW64\Dlcmgqdd.exe                                          EDE
   36  3076  C:\Windows\SysWOW64\Eegqldqg.exe                                          EDE
   37  1180  C:\Windows\SysWOW64\Fcmnkh32.exe                                          EDE
   38  4376  C:\Windows\SysWOW64\Fgkfqgce.exe                                          EDE
   39  4480  C:\Windows\SysWOW64\Flhoinbl.exe                                          EDE
   40  1836  C:\Windows\SysWOW64\Glmhdm32.exe                                          AUTORUN; EDE
   41  2204  C:\Windows\SysWOW64\Gglpgd32.exe                                          AUTORUN; EDE
   42  2052  C:\Windows\SysWOW64\Iggocbke.exe                                          EDE
   43  3264  C:\Windows\SysWOW64\Inagpm32.exe                                          EDE
   44  4532  C:\Windows\SysWOW64\Igqbiacj.exe                                          EDE
   45  4892  C:\Windows\SysWOW64\Jmbdmg32.exe                                          EDE
   46  3048  C:\Windows\SysWOW64\Jjfdfl32.exe                                          EDE
   47  3928  C:\Windows\SysWOW64\Jfoaam32.exe                                          EDE
   48  3684  C:\Windows\SysWOW64\Jaefne32.exe                                          EDE
   49  2448  C:\Windows\SysWOW64\Kmncif32.exe                                          EDE
   50  1352  C:\Windows\SysWOW64\Knbinhfl.exe                                          EDE
   51  4180  C:\Windows\SysWOW64\Ljkghi32.exe                                          EDE
   52  1600  C:\Windows\SysWOW64\Lkppchfi.exe                                          EDE
   53  4340  C:\Windows\SysWOW64\Mdmngm32.exe                                          EDE
   54  4088  C:\Windows\SysWOW64\Mmjlkb32.exe                                          EDE
   55  4080  C:\Windows\SysWOW64\Ndkjik32.exe                                          EDE
   56  436   C:\Windows\SysWOW64\Noqofdlj.exe                                          EDE
   57  3580  C:\Windows\SysWOW64\Ndmgnkja.exe                                          EDE
   58  3024  C:\Windows\SysWOW64\Naaghoik.exe                                          EDE
   59  2244  C:\Windows\SysWOW64\Noehac32.exe                                          EDE
   60  2520  C:\Windows\SysWOW64\Ohnljine.exe                                          EDE
   61  3300  C:\Windows\SysWOW64\Ogjpld32.exe                                          EDE
   62  3968  C:\Windows\SysWOW64\Pbapom32.exe                                          EDE
   63  1116  C:\Windows\SysWOW64\Pdbiphhi.exe                                          EDE
   64  1040  C:\Windows\SysWOW64\Pbfjjlgc.exe                                          EDE
   65  4700  C:\Windows\SysWOW64\Andqol32.exe                                          EDE
   66  2900  C:\Windows\SysWOW64\Bkdqdokk.exe
   67  4564  C:\Windows\SysWOW64\Bijncb32.exe
   68  496   C:\Windows\SysWOW64\Cbqonf32.exe
   69  4456  C:\Windows\SysWOW64\Goadfa32.exe
   70  3732  C:\Windows\SysWOW64\Iqaiga32.exe
   71  2028  C:\Windows\SysWOW64\Jckeokan.exe
   72  492   C:\Windows\SysWOW64\Jmdjha32.exe
   73  988   C:\Windows\SysWOW64\Jjhjae32.exe
   74  3364  C:\Windows\SysWOW64\Jjjggede.exe
   75  2420  C:\Windows\SysWOW64\Kaihonhl.exe                                          AUTORUN
   76  5040  C:\Windows\SysWOW64\Kmpido32.exe
   77  4800  C:\Windows\SysWOW64\Kmbfiokn.exe
   78  2648  C:\Windows\SysWOW64\Lmfodn32.exe
   79  4520  C:\Windows\SysWOW64\Lagepl32.exe
   80  1016  C:\Windows\SysWOW64\Lhammfci.exe                                          AUTORUN
   81  1696  C:\Windows\SysWOW64\Mjafoapj.exe
   82  2548  C:\Windows\SysWOW64\Mapgfk32.exe
   83  3316  C:\Windows\SysWOW64\Miklkm32.exe
   84  2868  C:\Windows\SysWOW64\Njmejp32.exe
   85  1908  C:\Windows\SysWOW64\Nfdfoala.exe
   86  1296  C:\Windows\SysWOW64\Nmnnlk32.exe                                          AUTORUN
   87  368   C:\Windows\SysWOW64\Okkalnjm.exe
   88  4592  C:\Windows\SysWOW64\Ophjdehd.exe                                          REGCLASS
   89  2348  C:\Windows\SysWOW64\Ohaokbfd.exe
   90  2284  C:\Windows\SysWOW64\Onngci32.exe
   91  456   C:\Windows\SysWOW64\Pkedbmab.exe
   92  5152  C:\Windows\SysWOW64\Ppamjcpj.exe
   93  5196  C:\Windows\SysWOW64\Pgpobmca.exe
   94  5252  C:\Windows\SysWOW64\Aqbfaa32.exe
   95  5296  C:\Windows\SysWOW64\Ehofhdli.exe
   96  5344  C:\Windows\SysWOW64\Eahjqicj.exe
   97  5384  C:\Windows\SysWOW64\Fhdocc32.exe
   98  5424  C:\Windows\SysWOW64\Gikbneio.exe
   99  5472  C:\Windows\SysWOW64\Gimoce32.exe
  100  5508  C:\Windows\SysWOW64\Ghdhja32.exe
  101  5556  C:\Windows\SysWOW64\Gammbfqa.exe
  102  5600  C:\Windows\SysWOW64\Haafnf32.exe                                          DROPSYS32
  103  5640  C:\Windows\SysWOW64\Hcflch32.exe
  104  5676  C:\Windows\SysWOW64\Iheaqolo.exe                                          DROPSYS32
  105  5724  C:\Windows\SysWOW64\Ijdnka32.exe
  106  5768  C:\Windows\SysWOW64\Ihlgan32.exe
  107  5812  C:\Windows\SysWOW64\Jhejgl32.exe
  108  5848  C:\Windows\SysWOW64\Jhhgmlli.exe                                          REGCLASS
  109  5900  C:\Windows\SysWOW64\Jcmkjeko.exe                                          AUTORUN
  110  5940  C:\Windows\SysWOW64\Jjgcgo32.exe
  111  5984  C:\Windows\SysWOW64\Kfndlphp.exe                                          AUTORUN
  112  6024  C:\Windows\SysWOW64\Kkkldg32.exe
  113  6060  C:\Windows\SysWOW64\Kbgafqla.exe
  114  6112  C:\Windows\SysWOW64\Kkofofbb.exe
  115  444   C:\Windows\SysWOW64\Komoed32.exe
  116  5164  C:\Windows\SysWOW64\Kjcccm32.exe
  117  5212  C:\Windows\SysWOW64\Lopkkdgf.exe
  118  4816  C:\Windows\SysWOW64\Lpdefc32.exe
  119  2572  C:\Windows\SysWOW64\Ljjicl32.exe                                          REGCLASS
  120  864   C:\Windows\SysWOW64\Mldhacpj.exe
  121  5324  C:\Windows\SysWOW64\Nboiekjd.exe
  122  5368  C:\Windows\SysWOW64\Pgbdmfnc.exe                                          AUTORUN