Analysis
- max time kernel: 167s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-11-2023 19:08
Behavioral task: behavioral1
- Sample: NEAS.c1bf0940a65d44e3b5d44fdd7c3349a0.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: NEAS.c1bf0940a65d44e3b5d44fdd7c3349a0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.c1bf0940a65d44e3b5d44fdd7c3349a0.exe
- Size: 80KB
- MD5: c1bf0940a65d44e3b5d44fdd7c3349a0
- SHA1: d13f26e56315e3b5b9036b02e639c84dcdc9b406
- SHA256: 89a5e27b3d0ddb6b8e923cb3b441fd9cd310cd74b86fcc67b6596a8f7eb8d259
- SHA512: c7c24dedeba8776ec20fde689f458070ede77a3fe237cbe40a5e8ce7f4294c6331a597d5471f9dc134bacfefd74e9a2e7884a2cfcff97da19f74dc399cc97a89
- SSDEEP: 1536:7B7ZdQRA10BcWqQU3DOlw8tpqAJ2Ltfwfi+TjRC/6i:t7Zj1IZqQw8Dqv1wf1TjYL
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor - Berbew (64 IoCs)
  Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.c1bf0940a65d44e3b5d44fdd7c3349a0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c1bf0940a65d44e3b5d44fdd7c3349a0.exe"; level 1; PID:1240)
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Geqlhp32.exe (command line: C:\Windows\system32\Geqlhp32.exe; level 2; PID:3960)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ieoapl32.exe (command line: C:\Windows\system32\Ieoapl32.exe; level 3; PID:2636)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Khlinedh.exe (command line: C:\Windows\system32\Khlinedh.exe; level 4; PID:1844)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lfimmhkg.exe (command line: C:\Windows\system32\Lfimmhkg.exe; level 5; PID:4652)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lfbpcgbl.exe (command line: C:\Windows\system32\Lfbpcgbl.exe; level 6; PID:1048)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mmodfqhf.exe (command line: C:\Windows\system32\Mmodfqhf.exe; level 7; PID:2024)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mmaakpfd.exe (command line: C:\Windows\system32\Mmaakpfd.exe; level 8; PID:1364)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nfchjddj.exe (command line: C:\Windows\system32\Nfchjddj.exe; level 9; PID:1088)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ofjokc32.exe (command line: C:\Windows\system32\Ofjokc32.exe; level 10; PID:2128)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Onjmjegg.exe (command line: C:\Windows\system32\Onjmjegg.exe; level 11; PID:3204)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ppnbpg32.exe (command line: C:\Windows\system32\Ppnbpg32.exe; level 12; PID:396)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Aooolbep.exe (command line: C:\Windows\system32\Aooolbep.exe; level 13; PID:3884)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bgfpdmho.exe (command line: C:\Windows\system32\Bgfpdmho.exe; level 14; PID:3000)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bpaacblm.exe (command line: C:\Windows\system32\Bpaacblm.exe; level 15; PID:2904)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cfpfqiha.exe (command line: C:\Windows\system32\Cfpfqiha.exe; level 16; PID:3756)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cllkcbnl.exe (command line: C:\Windows\system32\Cllkcbnl.exe; level 17; PID:3828)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dfqogfjo.exe (command line: C:\Windows\system32\Dfqogfjo.exe; level 18; PID:4348)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Fclohg32.exe (command line: C:\Windows\system32\Fclohg32.exe; level 19; PID:1544)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Gjagapbn.exe (command line: C:\Windows\system32\Gjagapbn.exe; level 20; PID:876)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hanlcjgh.exe (command line: C:\Windows\system32\Hanlcjgh.exe; level 21; PID:3276)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Impldi32.exe (command line: C:\Windows\system32\Impldi32.exe; level 22; PID:3052)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jhmfba32.exe (command line: C:\Windows\system32\Jhmfba32.exe; level 23; PID:4380)
- Executes dropped EXE
C:\Windows\SysWOW64\Jdfcla32.exe (command line: C:\Windows\system32\Jdfcla32.exe; level 24; PID:3840)
- Executes dropped EXE
C:\Windows\SysWOW64\Kobnji32.exe (command line: C:\Windows\system32\Kobnji32.exe; level 25; PID:980)
- Executes dropped EXE
C:\Windows\SysWOW64\Kklkej32.exe (command line: C:\Windows\system32\Kklkej32.exe; level 26; PID:3028)
- Executes dropped EXE
C:\Windows\SysWOW64\Khplnn32.exe (command line: C:\Windows\system32\Khplnn32.exe; level 27; PID:4224)
- Executes dropped EXE
C:\Windows\SysWOW64\Laofhbmp.exe (command line: C:\Windows\system32\Laofhbmp.exe; level 28; PID:4892)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Mnojcb32.exe (command line: C:\Windows\system32\Mnojcb32.exe; level 29; PID:4860)
- Executes dropped EXE
C:\Windows\SysWOW64\Mnaghb32.exe (command line: C:\Windows\system32\Mnaghb32.exe; level 30; PID:1296)
- Executes dropped EXE
C:\Windows\SysWOW64\Nocphd32.exe (command line: C:\Windows\system32\Nocphd32.exe; level 31; PID:2972)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Nbkojo32.exe (command line: C:\Windows\system32\Nbkojo32.exe; level 32; PID:3620)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Obbekn32.exe (command line: C:\Windows\system32\Obbekn32.exe; level 33; PID:2820)
- Executes dropped EXE
C:\Windows\SysWOW64\Qbekgknb.exe (command line: C:\Windows\system32\Qbekgknb.exe; level 34; PID:1812)
- Executes dropped EXE
C:\Windows\SysWOW64\Bpggbm32.exe (command line: C:\Windows\system32\Bpggbm32.exe; level 35; PID:1548)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Befmpdmq.exe (command line: C:\Windows\system32\Befmpdmq.exe; level 36; PID:2536)
- Executes dropped EXE
C:\Windows\SysWOW64\Blbabnbk.exe (command line: C:\Windows\system32\Blbabnbk.exe; level 37; PID:2276)
- Executes dropped EXE
C:\Windows\SysWOW64\Chebcmna.exe (command line: C:\Windows\system32\Chebcmna.exe; level 38; PID:3460)
- Executes dropped EXE
C:\Windows\SysWOW64\Coojpg32.exe (command line: C:\Windows\system32\Coojpg32.exe; level 39; PID:2532)
- Executes dropped EXE
C:\Windows\SysWOW64\Dhjknljl.exe (command line: C:\Windows\system32\Dhjknljl.exe; level 40; PID:488)
- Executes dropped EXE
C:\Windows\SysWOW64\Djnaco32.exe (command line: C:\Windows\system32\Djnaco32.exe; level 41; PID:4868)
- Executes dropped EXE
C:\Windows\SysWOW64\Fcdbmb32.exe (command line: C:\Windows\system32\Fcdbmb32.exe; level 42; PID:4816)
- Executes dropped EXE
C:\Windows\SysWOW64\Ijolhg32.exe (command line: C:\Windows\system32\Ijolhg32.exe; level 43; PID:2600)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Jmihpa32.exe (command line: C:\Windows\system32\Jmihpa32.exe; level 44; PID:4852)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Kinefp32.exe (command line: C:\Windows\system32\Kinefp32.exe; level 45; PID:1784)
- Executes dropped EXE
C:\Windows\SysWOW64\Lkgdfb32.exe (command line: C:\Windows\system32\Lkgdfb32.exe; level 46; PID:4700)
- Executes dropped EXE
C:\Windows\SysWOW64\Mahbck32.exe (command line: C:\Windows\system32\Mahbck32.exe; level 47; PID:4864)
- Executes dropped EXE
C:\Windows\SysWOW64\Mallojmd.exe (command line: C:\Windows\system32\Mallojmd.exe; level 48; PID:3360)
- Executes dropped EXE
C:\Windows\SysWOW64\Mkepgp32.exe (command line: C:\Windows\system32\Mkepgp32.exe; level 49; PID:2180)
- Executes dropped EXE
C:\Windows\SysWOW64\Ndmepe32.exe (command line: C:\Windows\system32\Ndmepe32.exe; level 50; PID:4820)
- Executes dropped EXE
C:\Windows\SysWOW64\Nbfoeiei.exe (command line: C:\Windows\system32\Nbfoeiei.exe; level 51; PID:4824)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Nkncno32.exe (command line: C:\Windows\system32\Nkncno32.exe; level 52; PID:1012)
- Executes dropped EXE
C:\Windows\SysWOW64\Nnolojhk.exe (command line: C:\Windows\system32\Nnolojhk.exe; level 53; PID:1780)
- Executes dropped EXE
C:\Windows\SysWOW64\Onceji32.exe (command line: C:\Windows\system32\Onceji32.exe; level 54; PID:2344)
- Executes dropped EXE
C:\Windows\SysWOW64\Pnoefg32.exe (command line: C:\Windows\system32\Pnoefg32.exe; level 55; PID:2056)
- Executes dropped EXE
C:\Windows\SysWOW64\Pkcepl32.exe (command line: C:\Windows\system32\Pkcepl32.exe; level 56; PID:2956)
- Executes dropped EXE
C:\Windows\SysWOW64\Qaegcb32.exe (command line: C:\Windows\system32\Qaegcb32.exe; level 57; PID:3856)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ahffqk32.exe (command line: C:\Windows\system32\Ahffqk32.exe; level 58; PID:5092)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ahhbfkbf.exe (command line: C:\Windows\system32\Ahhbfkbf.exe; level 59; PID:2896)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Abpcicpi.exe (command line: C:\Windows\system32\Abpcicpi.exe; level 60; PID:2132)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Blhhaigj.exe (command line: C:\Windows\system32\Blhhaigj.exe; level 61; PID:2732)
- Executes dropped EXE
C:\Windows\SysWOW64\Bbbpnc32.exe (command line: C:\Windows\system32\Bbbpnc32.exe; level 62; PID:1560)
- Executes dropped EXE
C:\Windows\SysWOW64\Bniacddk.exe (command line: C:\Windows\system32\Bniacddk.exe; level 63; PID:1756)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Bjdkcd32.exe (command line: C:\Windows\system32\Bjdkcd32.exe; level 64; PID:1800)
- Executes dropped EXE
C:\Windows\SysWOW64\Cliahf32.exe (command line: C:\Windows\system32\Cliahf32.exe; level 65; PID:436)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Cbgbpp32.exe (command line: C:\Windows\system32\Cbgbpp32.exe; level 66; PID:4524)
C:\Windows\SysWOW64\Cdiohhbm.exe (command line: C:\Windows\system32\Cdiohhbm.exe; level 67; PID:1888)
C:\Windows\SysWOW64\Ddpeigle.exe (command line: C:\Windows\system32\Ddpeigle.exe; level 68; PID:1552)
- Drops file in System32 directory
C:\Windows\SysWOW64\Fdbked32.exe (command line: C:\Windows\system32\Fdbked32.exe; level 69; PID:3992)
C:\Windows\SysWOW64\Gdlnkc32.exe (command line: C:\Windows\system32\Gdlnkc32.exe; level 70; PID:4848)
C:\Windows\SysWOW64\Gfkjef32.exe (command line: C:\Windows\system32\Gfkjef32.exe; level 71; PID:4392)
C:\Windows\SysWOW64\Gdcdlb32.exe (command line: C:\Windows\system32\Gdcdlb32.exe; level 72; PID:3556)
C:\Windows\SysWOW64\Gmlhbo32.exe (command line: C:\Windows\system32\Gmlhbo32.exe; level 73; PID:448)
C:\Windows\SysWOW64\Hmoehojj.exe (command line: C:\Windows\system32\Hmoehojj.exe; level 74; PID:1724)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Hbknqeha.exe (command line: C:\Windows\system32\Hbknqeha.exe; level 75; PID:2216)
C:\Windows\SysWOW64\Iioicn32.exe (command line: C:\Windows\system32\Iioicn32.exe; level 76; PID:1988)
C:\Windows\SysWOW64\Ibgmldnd.exe (command line: C:\Windows\system32\Ibgmldnd.exe; level 77; PID:3432)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Ifjoma32.exe (command line: C:\Windows\system32\Ifjoma32.exe; level 78; PID:4712)
C:\Windows\SysWOW64\Imdgjlgb.exe (command line: C:\Windows\system32\Imdgjlgb.exe; level 79; PID:4052)
- Modifies registry class
C:\Windows\SysWOW64\Jimeelkc.exe (command line: C:\Windows\system32\Jimeelkc.exe; level 80; PID:5136)
C:\Windows\SysWOW64\Kppphe32.exe (command line: C:\Windows\system32\Kppphe32.exe; level 81; PID:5180)
C:\Windows\SysWOW64\Ldgkdbia.exe (command line: C:\Windows\system32\Ldgkdbia.exe; level 82; PID:5216)
C:\Windows\SysWOW64\Llbphdfl.exe (command line: C:\Windows\system32\Llbphdfl.exe; level 83; PID:5268)
- Drops file in System32 directory
C:\Windows\SysWOW64\Mingbhon.exe (command line: C:\Windows\system32\Mingbhon.exe; level 84; PID:5312)
C:\Windows\SysWOW64\Mibpng32.exe (command line: C:\Windows\system32\Mibpng32.exe; level 85; PID:5360)
C:\Windows\SysWOW64\Ofgmdf32.exe (command line: C:\Windows\system32\Ofgmdf32.exe; level 86; PID:5412)
C:\Windows\SysWOW64\Pcijoh32.exe (command line: C:\Windows\system32\Pcijoh32.exe; level 87; PID:5448)
C:\Windows\SysWOW64\Pnonla32.exe (command line: C:\Windows\system32\Pnonla32.exe; level 88; PID:5504)
C:\Windows\SysWOW64\Aclpkffa.exe (command line: C:\Windows\system32\Aclpkffa.exe; level 89; PID:5548)
C:\Windows\SysWOW64\Babmjj32.exe (command line: C:\Windows\system32\Babmjj32.exe; level 90; PID:5736)
C:\Windows\SysWOW64\Canlfh32.exe (command line: C:\Windows\system32\Canlfh32.exe; level 91; PID:5776)
C:\Windows\SysWOW64\Chhdbb32.exe (command line: C:\Windows\system32\Chhdbb32.exe; level 92; PID:5880)
- Drops file in System32 directory
C:\Windows\SysWOW64\Cmlckhig.exe (command line: C:\Windows\system32\Cmlckhig.exe; level 93; PID:5936)
C:\Windows\SysWOW64\Dobffj32.exe (command line: C:\Windows\system32\Dobffj32.exe; level 94; PID:5976)
C:\Windows\SysWOW64\Dkifkkpf.exe (command line: C:\Windows\system32\Dkifkkpf.exe; level 95; PID:6020)
C:\Windows\SysWOW64\Dhmgdo32.exe (command line: C:\Windows\system32\Dhmgdo32.exe; level 96; PID:6068)
C:\Windows\SysWOW64\Eogoaifl.exe (command line: C:\Windows\system32\Eogoaifl.exe; level 97; PID:6112)
C:\Windows\SysWOW64\Ehocjo32.exe (command line: C:\Windows\system32\Ehocjo32.exe; level 98; PID:5156)
C:\Windows\SysWOW64\Emaemefo.exe (command line: C:\Windows\system32\Emaemefo.exe; level 99; PID:260)
C:\Windows\SysWOW64\Eejjdb32.exe (command line: C:\Windows\system32\Eejjdb32.exe; level 100; PID:3088)
C:\Windows\SysWOW64\Fobomglo.exe (command line: C:\Windows\system32\Fobomglo.exe; level 101; PID:3452)
C:\Windows\SysWOW64\Faakickc.exe (command line: C:\Windows\system32\Faakickc.exe; level 102; PID:5320)
- Modifies registry class
C:\Windows\SysWOW64\Fecmjq32.exe (command line: C:\Windows\system32\Fecmjq32.exe; level 103; PID:3872)
C:\Windows\SysWOW64\Fkqebg32.exe (command line: C:\Windows\system32\Fkqebg32.exe; level 104; PID:4980)
C:\Windows\SysWOW64\Gdncfl32.exe (command line: C:\Windows\system32\Gdncfl32.exe; level 105; PID:1088)
C:\Windows\SysWOW64\Gkglcfec.exe (command line: C:\Windows\system32\Gkglcfec.exe; level 106; PID:4740)
C:\Windows\SysWOW64\Hkobdeok.exe (command line: C:\Windows\system32\Hkobdeok.exe; level 107; PID:5544)
C:\Windows\SysWOW64\Hdicbkci.exe (command line: C:\Windows\system32\Hdicbkci.exe; level 108; PID:1936)
C:\Windows\SysWOW64\Hkckoe32.exe (command line: C:\Windows\system32\Hkckoe32.exe; level 109; PID:4568)
C:\Windows\SysWOW64\Ibdiln32.exe (command line: C:\Windows\system32\Ibdiln32.exe; level 110; PID:3700)
C:\Windows\SysWOW64\Jfbkijdo.exe (command line: C:\Windows\system32\Jfbkijdo.exe; level 111; PID:5744)
- Modifies registry class
C:\Windows\SysWOW64\Jnnpnl32.exe (command line: C:\Windows\system32\Jnnpnl32.exe; level 112; PID:4708)
C:\Windows\SysWOW64\Kfehoj32.exe (command line: C:\Windows\system32\Kfehoj32.exe; level 113; PID:5832)
C:\Windows\SysWOW64\Kfnkeh32.exe (command line: C:\Windows\system32\Kfnkeh32.exe; level 114; PID:3000)
C:\Windows\SysWOW64\Lefdld32.exe (command line: C:\Windows\system32\Lefdld32.exe; level 115; PID:5968)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Mlipomli.exe (command line: C:\Windows\system32\Mlipomli.exe; level 116; PID:6028)
C:\Windows\SysWOW64\Mlkldmjf.exe (command line: C:\Windows\system32\Mlkldmjf.exe; level 117; PID:1760)
C:\Windows\SysWOW64\Mbjnlfnn.exe (command line: C:\Windows\system32\Mbjnlfnn.exe; level 118; PID:5204)
C:\Windows\SysWOW64\Npedfjfo.exe (command line: C:\Windows\system32\Npedfjfo.exe; level 119; PID:1440)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ooaghe32.exe (command line: C:\Windows\system32\Ooaghe32.exe; level 120; PID:5392)
C:\Windows\SysWOW64\Oekpdoll.exe (command line: C:\Windows\system32\Oekpdoll.exe; level 121; PID:1932)
C:\Windows\SysWOW64\Pllnbh32.exe (command line: C:\Windows\system32\Pllnbh32.exe; level 122; PID:5460)