Analysis
max time kernel: 166s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 11-11-2023 04:48

Behavioral task: behavioral1
Sample: NEAS.b8e7256d7526d056c5bc33e244517540.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.b8e7256d7526d056c5bc33e244517540.exe
Resource: win10v2004-20231023-en

General
Target: NEAS.b8e7256d7526d056c5bc33e244517540.exe
Size: 164KB
MD5: b8e7256d7526d056c5bc33e244517540
SHA1: 518560897287b5134b8416c753b09cd080a368c3
SHA256: 2cb8d1e2aab56458c6b3eb80985deef18783e9b707c85e829f301b330f53c03e
SHA512: 57551290ec95305c5a606b5628b482bdbd9c0fb86794af9c10605aac6129ca9f59dac17dfd906bc496c58b9f8fdd965c466c75fc5b6e391aa0af855927b72b44
SSDEEP: 3072:xKjCgcnrLZNcUUckQ08uFafmHURHAVgnvedh6DRyU:5nrlWDQ08uF8YU8gnve7GR
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fnjmea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pijiif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qjiaak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgdinmod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lipmoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fggkifmg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmdjjemp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdkipb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbpoop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnpcjplf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkkjfa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebfiqcjm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hnnlcpcl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qoboofnb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klceeejl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mogccnfg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgdphm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hbldkllm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qnihlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Paqebike.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gochceml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Naaqhlmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bhnqoo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkdhcqcj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbiamd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnbjkj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgahnjpk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kodnfqgm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paqebike.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Baojkdqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aeemop32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjiaak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkahba32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddaifk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oianmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pabknbef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Inlibb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aamkgpbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odjmneim.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bghdme32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blpnmk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihgnfnjl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boknic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkjclk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nacmnlkd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iphihnjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qifiph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qciebg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aejmdegn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anmagenh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdcmfkde.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gljlhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ababkdij.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnjmea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jggmnmmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koodka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcdlil32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcfhco32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihfglhfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmaihekc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ioopfa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egqeckkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajmljjhj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jodlof32.exe
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/memory/2824-0-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cd4-6.dat | family_berbew
behavioral2/memory/4032-8-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cd4-7.dat | family_berbew
behavioral2/files/0x0007000000022cd6-14.dat | family_berbew
behavioral2/files/0x0007000000022cd6-16.dat | family_berbew
behavioral2/memory/1208-15-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cd8-17.dat | family_berbew
behavioral2/files/0x0007000000022cd8-22.dat | family_berbew
behavioral2/files/0x0007000000022cd8-24.dat | family_berbew
behavioral2/memory/2004-23-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cdc-30.dat | family_berbew
behavioral2/files/0x0008000000022cdc-32.dat | family_berbew
behavioral2/memory/2132-31-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cdf-38.dat | family_berbew
behavioral2/files/0x0008000000022cdf-40.dat | family_berbew
behavioral2/memory/892-39-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022ce2-41.dat | family_berbew
behavioral2/files/0x0008000000022ce2-46.dat | family_berbew
behavioral2/memory/3932-47-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022ce2-48.dat | family_berbew
behavioral2/files/0x0006000000022ce4-54.dat | family_berbew
behavioral2/memory/3844-56-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ce4-55.dat | family_berbew
behavioral2/files/0x0006000000022ce6-62.dat | family_berbew
behavioral2/memory/3876-63-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ce6-64.dat | family_berbew
behavioral2/files/0x0006000000022ce8-65.dat | family_berbew
behavioral2/files/0x0006000000022ce8-70.dat | family_berbew
behavioral2/memory/2016-71-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ce8-72.dat | family_berbew
behavioral2/files/0x0006000000022cea-78.dat | family_berbew
behavioral2/memory/1352-79-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cea-80.dat | family_berbew
behavioral2/files/0x0006000000022cec-86.dat | family_berbew
behavioral2/memory/1160-87-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cec-88.dat | family_berbew
behavioral2/files/0x0006000000022cee-94.dat | family_berbew
behavioral2/memory/1292-96-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cee-95.dat | family_berbew
behavioral2/files/0x0006000000022cf0-102.dat | family_berbew
behavioral2/memory/5032-104-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf0-103.dat | family_berbew
behavioral2/files/0x0006000000022cf2-110.dat | family_berbew
behavioral2/files/0x0006000000022cf2-111.dat | family_berbew
behavioral2/memory/2308-112-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf4-118.dat | family_berbew
behavioral2/memory/4364-119-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf4-120.dat | family_berbew
behavioral2/files/0x0006000000022cf6-126.dat | family_berbew
behavioral2/memory/3516-128-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf6-127.dat | family_berbew
behavioral2/files/0x0006000000022cf8-129.dat | family_berbew
behavioral2/files/0x0006000000022cf8-134.dat | family_berbew
behavioral2/files/0x0006000000022cf8-135.dat | family_berbew
behavioral2/memory/324-139-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfa-142.dat | family_berbew
behavioral2/memory/4232-143-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfa-144.dat | family_berbew
behavioral2/files/0x0006000000022cfc-150.dat | family_berbew
behavioral2/memory/4680-151-0x0000000000400000-0x0000000000445000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfc-152.dat | family_berbew
behavioral2/files/0x0006000000022cfe-158.dat | family_berbew
behavioral2/files/0x0006000000022cfe-160.dat | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
4032 | Lipmoo32.exe
1208 | Nhcbidcd.exe
2004 | Opjgidfa.exe
2132 | Pnjgog32.exe
892 | Ababkdij.exe
3932 | Bkamdi32.exe
3844 | Bndblcdq.exe
3876 | Bnfoac32.exe
2016 | Ckafkfkp.exe
1352 | Dbgndoho.exe
1160 | Eaenkj32.exe
1292 | Ficlmf32.exe
5032 | Hkgnalep.exe
2308 | Hojpbigq.exe
4364 | Ihgnfnjl.exe
3516 | Jllmml32.exe
324 | Jkfcigkm.exe
4232 | Jodlof32.exe
4680 | Lfjchn32.exe
3020 | Mldhacpj.exe
3888 | Mbamcm32.exe
4064 | Olgnnqpe.exe
3032 | Offeahhp.exe
1324 | Pkigbfja.exe
2796 | Qciebg32.exe
4328 | Ajjcoqdl.exe
2160 | Agndidce.exe
768 | Agpqnd32.exe
2900 | Acgacegg.exe
4564 | Bjqjpp32.exe
4336 | Bcinie32.exe
3096 | Gechnpid.exe
1556 | Hoiihcde.exe
2376 | Iolfmcbb.exe
1644 | Ihfglhfp.exe
776 | Ildpbfmf.exe
1288 | Iemdkl32.exe
2480 | Jedjkkmo.exe
392 | Koceep32.exe
4208 | Kdeghfhj.exe
2216 | Nnlqig32.exe
4700 | Oianmm32.exe
820 | Affgno32.exe
3468 | Bedgejbo.exe
4516 | Ccfcpm32.exe
2596 | Dqajjp32.exe
2800 | Dgnolj32.exe
4044 | Dqfceoje.exe
2612 | Dgbhgi32.exe
3236 | Eqpfknbj.exe
3256 | Ejhkdc32.exe
2492 | Efolidno.exe
1128 | Egnhcgeb.exe
3052 | Fnjmea32.exe
1492 | Fakfglhm.exe
1264 | Fmbflm32.exe
956 | Fggkifmg.exe
4688 | Gpelchhp.exe
4668 | Gnfmapqo.exe
4240 | Ghcjedcj.exe
3452 | Hjdcfp32.exe
3244 | Hmdlhk32.exe
732 | Ijpcbn32.exe
4720 | Iajkohmj.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Chdikajj.exe | Bdagidhi.exe
File opened for modification | C:\Windows\SysWOW64\Ofgdmo32.exe | Nfldap32.exe
File created | C:\Windows\SysWOW64\Abqldike.dll | Iekpfmpl.exe
File opened for modification | C:\Windows\SysWOW64\Olgnnqpe.exe | Mbamcm32.exe
File opened for modification | C:\Windows\SysWOW64\Bedgejbo.exe | Affgno32.exe
File created | C:\Windows\SysWOW64\Kglcmk32.exe | Kghjakbl.exe
File created | C:\Windows\SysWOW64\Dkfanqmd.exe | Dbnmek32.exe
File opened for modification | C:\Windows\SysWOW64\Jllmml32.exe | Ihgnfnjl.exe
File created | C:\Windows\SysWOW64\Acgacegg.exe | Agpqnd32.exe
File opened for modification | C:\Windows\SysWOW64\Iejlih32.exe | Hfioln32.exe
File created | C:\Windows\SysWOW64\Jmmjkngo.exe | Jcefbhpo.exe
File opened for modification | C:\Windows\SysWOW64\Baadbo32.exe | Aamkgpbi.exe
File created | C:\Windows\SysWOW64\Elphbe32.dll | Gganjh32.exe
File created | C:\Windows\SysWOW64\Apkkie32.dll | Gljlhc32.exe
File opened for modification | C:\Windows\SysWOW64\Iemdkl32.exe | Ildpbfmf.exe
File opened for modification | C:\Windows\SysWOW64\Qepccqlm.exe | Pjkofh32.exe
File opened for modification | C:\Windows\SysWOW64\Jiokpfee.exe | Jbdbcl32.exe
File created | C:\Windows\SysWOW64\Deaced32.dll | Phdngljk.exe
File created | C:\Windows\SysWOW64\Fplmlp32.dll | Knkcfobb.exe
File created | C:\Windows\SysWOW64\Nnlqig32.exe | Kdeghfhj.exe
File opened for modification | C:\Windows\SysWOW64\Hmbflc32.exe | Hdhemn32.exe
File created | C:\Windows\SysWOW64\Ehfido32.dll | Jgoflpal.exe
File created | C:\Windows\SysWOW64\Iekpfmpl.exe | Hqagdpcc.exe
File created | C:\Windows\SysWOW64\Pqdqopcm.dll | Aichng32.exe
File opened for modification | C:\Windows\SysWOW64\Dbnmek32.exe | Dfglpjqo.exe
File created | C:\Windows\SysWOW64\Fggkifmg.exe | Fmbflm32.exe
File created | C:\Windows\SysWOW64\Eodlad32.exe | Baojkdqb.exe
File created | C:\Windows\SysWOW64\Ipljkjck.dll | Deanhj32.exe
File opened for modification | C:\Windows\SysWOW64\Edgkif32.exe | Eojcao32.exe
File created | C:\Windows\SysWOW64\Dedpelma.dll | Abnnnjfh.exe
File created | C:\Windows\SysWOW64\Ifmcmg32.exe | Ifhibhfc.exe
File created | C:\Windows\SysWOW64\Dfiaomkb.exe | Liimgh32.exe
File created | C:\Windows\SysWOW64\Fpejec32.exe | Fpbmpc32.exe
File created | C:\Windows\SysWOW64\Inlibb32.exe | Iphihnjk.exe
File opened for modification | C:\Windows\SysWOW64\Fnbjkj32.exe | Fejebdig.exe
File opened for modification | C:\Windows\SysWOW64\Ficlmf32.exe | Eaenkj32.exe
File created | C:\Windows\SysWOW64\Gpelchhp.exe | Fggkifmg.exe
File opened for modification | C:\Windows\SysWOW64\Iaiddajo.exe | Ifcpgiji.exe
File opened for modification | C:\Windows\SysWOW64\Bmliem32.exe | Bcddlhgo.exe
File opened for modification | C:\Windows\SysWOW64\Acilkp32.exe | Aichng32.exe
File opened for modification | C:\Windows\SysWOW64\Qifiph32.exe | Pbjdnn32.exe
File created | C:\Windows\SysWOW64\Naeijp32.dll | Abonimmp.exe
File created | C:\Windows\SysWOW64\Ghcjedcj.exe | Gnfmapqo.exe
File created | C:\Windows\SysWOW64\Pnigcj32.dll | Gnfmapqo.exe
File created | C:\Windows\SysWOW64\Pglcqmml.dll | Jalakeme.exe
File created | C:\Windows\SysWOW64\Bggqfk32.dll | Ncfmhecp.exe
File created | C:\Windows\SysWOW64\Paqebike.exe | Piepnfnj.exe
File created | C:\Windows\SysWOW64\Jnqbmadp.exe | Jcknpi32.exe
File created | C:\Windows\SysWOW64\Jgoflpal.exe | Jljbogaf.exe
File created | C:\Windows\SysWOW64\Ekkkip32.exe | Efnbqi32.exe
File created | C:\Windows\SysWOW64\Jccodkca.dll | Ppdbfpaa.exe
File created | C:\Windows\SysWOW64\Kdgapp32.exe | Jgcafl32.exe
File created | C:\Windows\SysWOW64\Efoiko32.exe | Dlfhhgpp.exe
File opened for modification | C:\Windows\SysWOW64\Ilafcomm.exe | Igdnkhoe.exe
File opened for modification | C:\Windows\SysWOW64\Qkegiggl.exe | Phdngljk.exe
File opened for modification | C:\Windows\SysWOW64\Mkcjlf32.exe | Mhbakk32.exe
File created | C:\Windows\SysWOW64\Klmane32.dll | Jkjclk32.exe
File created | C:\Windows\SysWOW64\Emknmi32.exe | Ecbjdcml.exe
File created | C:\Windows\SysWOW64\Bhpbaf32.dll | Hlldaape.exe
File created | C:\Windows\SysWOW64\Cbaqmd32.dll | Hecjej32.exe
File opened for modification | C:\Windows\SysWOW64\Dpefkf32.exe | Blbkck32.exe
File opened for modification | C:\Windows\SysWOW64\Pkigbfja.exe | Offeahhp.exe
File created | C:\Windows\SysWOW64\Inkgnbhm.dll | Gdppllld.exe
File created | C:\Windows\SysWOW64\Qkegiggl.exe | Phdngljk.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nieggill.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipljkjck.dll" | Deanhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hacflg32.dll" | Ajcdhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckghp32.dll" | Colklb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajmljjhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mhihkjfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pjkofh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bhdbaihi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jnklnfpq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mbbaaapj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hpfbmcaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Odjmneim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hqagdpcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ihfglhfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbqiljf.dll" | Maanjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlfmg32.dll" | Nieggill.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jiokpfee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfoaf32.dll" | Qdmkbmnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Akccje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeocem32.dll" | Fnjmea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlqmgaad.dll" | Bnfoac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pkigbfja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgkfil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pijiif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icknblga.dll" | Dfiaomkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnagdmdh.dll" | Bbpoge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ecbjdcml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmjnelk.dll" | Lipmoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnjjg32.dll" | Fnbjkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hmaihekc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifhibhfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbiak32.dll" | Dibmfb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gpqjaanf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Baadbo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bnmobopb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Enmjedpa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Onkbenbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlpom32.dll" | Mdkhficp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lcfimheb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldgnp32.dll" | Bdcmfkde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aflabj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmefkgep.dll" | Inlibb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | NEAS.b8e7256d7526d056c5bc33e244517540.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Blpnmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hdhemn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Opdiobod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolcfbhh.dll" | Bciebm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Blbkck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpnmb32.dll" | Hmdlhk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mhgkfkhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jbhmnhcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fcanmlea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lhbdbpnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlalhlfd.dll" | Efkfkilj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eqpfknbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojfbfmbf.dll" | Efoiko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mfkkjbnn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dgmhmggq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qcbfjqkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nieggill.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fcanmlea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kfmejopp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqblcae.dll" | Gochceml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jbaocfmo.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2824 wrote to memory of 4032 | 2824 | NEAS.b8e7256d7526d056c5bc33e244517540.exe | 94
PID 2824 wrote to memory of 4032 | 2824 | NEAS.b8e7256d7526d056c5bc33e244517540.exe | 94
PID 2824 wrote to memory of 4032 | 2824 | NEAS.b8e7256d7526d056c5bc33e244517540.exe | 94
PID 4032 wrote to memory of 1208 | 4032 | Lipmoo32.exe | 95
PID 4032 wrote to memory of 1208 | 4032 | Lipmoo32.exe | 95
PID 4032 wrote to memory of 1208 | 4032 | Lipmoo32.exe | 95
PID 1208 wrote to memory of 2004 | 1208 | Nhcbidcd.exe | 96
PID 1208 wrote to memory of 2004 | 1208 | Nhcbidcd.exe | 96
PID 1208 wrote to memory of 2004 | 1208 | Nhcbidcd.exe | 96
PID 2004 wrote to memory of 2132 | 2004 | Opjgidfa.exe | 97
PID 2004 wrote to memory of 2132 | 2004 | Opjgidfa.exe | 97
PID 2004 wrote to memory of 2132 | 2004 | Opjgidfa.exe | 97
PID 2132 wrote to memory of 892 | 2132 | Pnjgog32.exe | 98
PID 2132 wrote to memory of 892 | 2132 | Pnjgog32.exe | 98
PID 2132 wrote to memory of 892 | 2132 | Pnjgog32.exe | 98
PID 892 wrote to memory of 3932 | 892 | Ababkdij.exe | 99
PID 892 wrote to memory of 3932 | 892 | Ababkdij.exe | 99
PID 892 wrote to memory of 3932 | 892 | Ababkdij.exe | 99
PID 3932 wrote to memory of 3844 | 3932 | Bkamdi32.exe | 100
PID 3932 wrote to memory of 3844 | 3932 | Bkamdi32.exe | 100
PID 3932 wrote to memory of 3844 | 3932 | Bkamdi32.exe | 100
PID 3844 wrote to memory of 3876 | 3844 | Bndblcdq.exe | 101
PID 3844 wrote to memory of 3876 | 3844 | Bndblcdq.exe | 101
PID 3844 wrote to memory of 3876 | 3844 | Bndblcdq.exe | 101
PID 3876 wrote to memory of 2016 | 3876 | Bnfoac32.exe | 102
PID 3876 wrote to memory of 2016 | 3876 | Bnfoac32.exe | 102
PID 3876 wrote to memory of 2016 | 3876 | Bnfoac32.exe | 102
PID 2016 wrote to memory of 1352 | 2016 | Ckafkfkp.exe | 103
PID 2016 wrote to memory of 1352 | 2016 | Ckafkfkp.exe | 103
PID 2016 wrote to memory of 1352 | 2016 | Ckafkfkp.exe | 103
PID 1352 wrote to memory of 1160 | 1352 | Dbgndoho.exe | 104
PID 1352 wrote to memory of 1160 | 1352 | Dbgndoho.exe | 104
PID 1352 wrote to memory of 1160 | 1352 | Dbgndoho.exe | 104
PID 1160 wrote to memory of 1292 | 1160 | Eaenkj32.exe | 105
PID 1160 wrote to memory of 1292 | 1160 | Eaenkj32.exe | 105
PID 1160 wrote to memory of 1292 | 1160 | Eaenkj32.exe | 105
PID 1292 wrote to memory of 5032 | 1292 | Ficlmf32.exe | 106
PID 1292 wrote to memory of 5032 | 1292 | Ficlmf32.exe | 106
PID 1292 wrote to memory of 5032 | 1292 | Ficlmf32.exe | 106
PID 5032 wrote to memory of 2308 | 5032 | Hkgnalep.exe | 107
PID 5032 wrote to memory of 2308 | 5032 | Hkgnalep.exe | 107
PID 5032 wrote to memory of 2308 | 5032 | Hkgnalep.exe | 107
PID 2308 wrote to memory of 4364 | 2308 | Hojpbigq.exe | 108
PID 2308 wrote to memory of 4364 | 2308 | Hojpbigq.exe | 108
PID 2308 wrote to memory of 4364 | 2308 | Hojpbigq.exe | 108
PID 4364 wrote to memory of 3516 | 4364 | Ihgnfnjl.exe | 109
PID 4364 wrote to memory of 3516 | 4364 | Ihgnfnjl.exe | 109
PID 4364 wrote to memory of 3516 | 4364 | Ihgnfnjl.exe | 109
PID 3516 wrote to memory of 324 | 3516 | Jllmml32.exe | 110
PID 3516 wrote to memory of 324 | 3516 | Jllmml32.exe | 110
PID 3516 wrote to memory of 324 | 3516 | Jllmml32.exe | 110
PID 324 wrote to memory of 4232 | 324 | Jkfcigkm.exe | 111
PID 324 wrote to memory of 4232 | 324 | Jkfcigkm.exe | 111
PID 324 wrote to memory of 4232 | 324 | Jkfcigkm.exe | 111
PID 4232 wrote to memory of 4680 | 4232 | Jodlof32.exe | 112
PID 4232 wrote to memory of 4680 | 4232 | Jodlof32.exe | 112
PID 4232 wrote to memory of 4680 | 4232 | Jodlof32.exe | 112
PID 4680 wrote to memory of 3020 | 4680 | Lfjchn32.exe | 113
PID 4680 wrote to memory of 3020 | 4680 | Lfjchn32.exe | 113
PID 4680 wrote to memory of 3020 | 4680 | Lfjchn32.exe | 113
PID 3020 wrote to memory of 3888 | 3020 | Mldhacpj.exe | 114
PID 3020 wrote to memory of 3888 | 3020 | Mldhacpj.exe | 114
PID 3020 wrote to memory of 3888 | 3020 | Mldhacpj.exe | 114
PID 3888 wrote to memory of 4064 | 3888 | Mbamcm32.exe | 115
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.b8e7256d7526d056c5bc33e244517540.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b8e7256d7526d056c5bc33e244517540.exe")
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824
-
Level 2: C:\Windows\SysWOW64\Lipmoo32.exe (command line: C:\Windows\system32\Lipmoo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4032
-
Level 3: C:\Windows\SysWOW64\Nhcbidcd.exe (command line: C:\Windows\system32\Nhcbidcd.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208
-
Level 4: C:\Windows\SysWOW64\Opjgidfa.exe (command line: C:\Windows\system32\Opjgidfa.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004
-
Level 5: C:\Windows\SysWOW64\Pnjgog32.exe (command line: C:\Windows\system32\Pnjgog32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132
-
Level 6: C:\Windows\SysWOW64\Ababkdij.exe (command line: C:\Windows\system32\Ababkdij.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892
-
Level 7: C:\Windows\SysWOW64\Bkamdi32.exe (command line: C:\Windows\system32\Bkamdi32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932
-
Level 8: C:\Windows\SysWOW64\Bndblcdq.exe (command line: C:\Windows\system32\Bndblcdq.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844
-
Level 9: C:\Windows\SysWOW64\Bnfoac32.exe (command line: C:\Windows\system32\Bnfoac32.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3876
-
Level 10: C:\Windows\SysWOW64\Ckafkfkp.exe (command line: C:\Windows\system32\Ckafkfkp.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016
-
Level 11: C:\Windows\SysWOW64\Dbgndoho.exe (command line: C:\Windows\system32\Dbgndoho.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352
-
Level 12: C:\Windows\SysWOW64\Eaenkj32.exe (command line: C:\Windows\system32\Eaenkj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1160
-
Level 13: C:\Windows\SysWOW64\Ficlmf32.exe (command line: C:\Windows\system32\Ficlmf32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292
-
Level 14: C:\Windows\SysWOW64\Hkgnalep.exe (command line: C:\Windows\system32\Hkgnalep.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032
-
Level 15: C:\Windows\SysWOW64\Hojpbigq.exe (command line: C:\Windows\system32\Hojpbigq.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308
-
Level 16: C:\Windows\SysWOW64\Ihgnfnjl.exe (command line: C:\Windows\system32\Ihgnfnjl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4364
-
Level 17: C:\Windows\SysWOW64\Jllmml32.exe (command line: C:\Windows\system32\Jllmml32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516
-
Level 18: C:\Windows\SysWOW64\Jkfcigkm.exe (command line: C:\Windows\system32\Jkfcigkm.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324
-
Level 19: C:\Windows\SysWOW64\Jodlof32.exe (command line: C:\Windows\system32\Jodlof32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232
-
Level 20: C:\Windows\SysWOW64\Lfjchn32.exe (command line: C:\Windows\system32\Lfjchn32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680
-
Level 21: C:\Windows\SysWOW64\Mldhacpj.exe (command line: C:\Windows\system32\Mldhacpj.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020
-
Level 22: C:\Windows\SysWOW64\Mbamcm32.exe (command line: C:\Windows\system32\Mbamcm32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3888
-
Level 23: C:\Windows\SysWOW64\Olgnnqpe.exe (command line: C:\Windows\system32\Olgnnqpe.exe)
- Executes dropped EXE
PID:4064
-
Level 24: C:\Windows\SysWOW64\Offeahhp.exe (command line: C:\Windows\system32\Offeahhp.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:3032
-
Level 25: C:\Windows\SysWOW64\Pkigbfja.exe (command line: C:\Windows\system32\Pkigbfja.exe)
- Executes dropped EXE
- Modifies registry class
PID:1324
-
Level 26: C:\Windows\SysWOW64\Qciebg32.exe (command line: C:\Windows\system32\Qciebg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796
-
Level 27: C:\Windows\SysWOW64\Ajjcoqdl.exe (command line: C:\Windows\system32\Ajjcoqdl.exe)
- Executes dropped EXE
PID:4328
-
Level 28: C:\Windows\SysWOW64\Agndidce.exe (command line: C:\Windows\system32\Agndidce.exe)
- Executes dropped EXE
PID:2160
-
Level 29: C:\Windows\SysWOW64\Agpqnd32.exe (command line: C:\Windows\system32\Agpqnd32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:768
-
Level 30: C:\Windows\SysWOW64\Acgacegg.exe (command line: C:\Windows\system32\Acgacegg.exe)
- Executes dropped EXE
PID:2900
-
Level 31: C:\Windows\SysWOW64\Bjqjpp32.exe (command line: C:\Windows\system32\Bjqjpp32.exe)
- Executes dropped EXE
PID:4564
-
Level 32: C:\Windows\SysWOW64\Bcinie32.exe (command line: C:\Windows\system32\Bcinie32.exe)
- Executes dropped EXE
PID:4336
-
Level 33: C:\Windows\SysWOW64\Gechnpid.exe (command line: C:\Windows\system32\Gechnpid.exe)
- Executes dropped EXE
PID:3096
-
Level 34: C:\Windows\SysWOW64\Hoiihcde.exe (command line: C:\Windows\system32\Hoiihcde.exe)
- Executes dropped EXE
PID:1556
-
Level 35: C:\Windows\SysWOW64\Iolfmcbb.exe (command line: C:\Windows\system32\Iolfmcbb.exe)
- Executes dropped EXE
PID:2376
-
Level 36: C:\Windows\SysWOW64\Ihfglhfp.exe (command line: C:\Windows\system32\Ihfglhfp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1644
-
Level 37: C:\Windows\SysWOW64\Ildpbfmf.exe (command line: C:\Windows\system32\Ildpbfmf.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:776
-
Level 38: C:\Windows\SysWOW64\Iemdkl32.exe (command line: C:\Windows\system32\Iemdkl32.exe)
- Executes dropped EXE
PID:1288
-
Level 39: C:\Windows\SysWOW64\Jedjkkmo.exe (command line: C:\Windows\system32\Jedjkkmo.exe)
- Executes dropped EXE
PID:2480
-
Level 40: C:\Windows\SysWOW64\Koceep32.exe (command line: C:\Windows\system32\Koceep32.exe)
- Executes dropped EXE
PID:392
-
Level 41: C:\Windows\SysWOW64\Kdeghfhj.exe (command line: C:\Windows\system32\Kdeghfhj.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:4208
-
Level 42: C:\Windows\SysWOW64\Nnlqig32.exe (command line: C:\Windows\system32\Nnlqig32.exe)
- Executes dropped EXE
PID:2216
-
Level 43: C:\Windows\SysWOW64\Oianmm32.exe (command line: C:\Windows\system32\Oianmm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4700
-
Level 44: C:\Windows\SysWOW64\Affgno32.exe (command line: C:\Windows\system32\Affgno32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:820
-
Level 45: C:\Windows\SysWOW64\Bedgejbo.exe (command line: C:\Windows\system32\Bedgejbo.exe)
- Executes dropped EXE
PID:3468
-
Level 46: C:\Windows\SysWOW64\Ccfcpm32.exe (command line: C:\Windows\system32\Ccfcpm32.exe)
- Executes dropped EXE
PID:4516
-
Level 47: C:\Windows\SysWOW64\Dqajjp32.exe (command line: C:\Windows\system32\Dqajjp32.exe)
- Executes dropped EXE
PID:2596
-
Level 48: C:\Windows\SysWOW64\Dgnolj32.exe (command line: C:\Windows\system32\Dgnolj32.exe)
- Executes dropped EXE
PID:2800
-
Level 49: C:\Windows\SysWOW64\Dqfceoje.exe (command line: C:\Windows\system32\Dqfceoje.exe)
- Executes dropped EXE
PID:4044
-
Level 50: C:\Windows\SysWOW64\Dgbhgi32.exe (command line: C:\Windows\system32\Dgbhgi32.exe)
- Executes dropped EXE
PID:2612
-
Level 51: C:\Windows\SysWOW64\Eqpfknbj.exe (command line: C:\Windows\system32\Eqpfknbj.exe)
- Executes dropped EXE
- Modifies registry class
PID:3236
-
Level 52: C:\Windows\SysWOW64\Ejhkdc32.exe (command line: C:\Windows\system32\Ejhkdc32.exe)
- Executes dropped EXE
PID:3256
-
Level 53: C:\Windows\SysWOW64\Efolidno.exe (command line: C:\Windows\system32\Efolidno.exe)
- Executes dropped EXE
PID:2492
-
Level 54: C:\Windows\SysWOW64\Egnhcgeb.exe (command line: C:\Windows\system32\Egnhcgeb.exe)
- Executes dropped EXE
PID:1128
-
Level 55: C:\Windows\SysWOW64\Fnjmea32.exe (command line: C:\Windows\system32\Fnjmea32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3052
-
Level 56: C:\Windows\SysWOW64\Fakfglhm.exe (command line: C:\Windows\system32\Fakfglhm.exe)
- Executes dropped EXE
PID:1492
-
Level 57: C:\Windows\SysWOW64\Fmbflm32.exe (command line: C:\Windows\system32\Fmbflm32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1264
-
Level 58: C:\Windows\SysWOW64\Fggkifmg.exe (command line: C:\Windows\system32\Fggkifmg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:956
-
Level 59: C:\Windows\SysWOW64\Gpelchhp.exe (command line: C:\Windows\system32\Gpelchhp.exe)
- Executes dropped EXE
PID:4688
-
Level 60: C:\Windows\SysWOW64\Gnfmapqo.exe (command line: C:\Windows\system32\Gnfmapqo.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:4668
-
Level 61: C:\Windows\SysWOW64\Ghcjedcj.exe (command line: C:\Windows\system32\Ghcjedcj.exe)
- Executes dropped EXE
PID:4240
-
Level 62: C:\Windows\SysWOW64\Hjdcfp32.exe (command line: C:\Windows\system32\Hjdcfp32.exe)
- Executes dropped EXE
PID:3452
-
Level 63: C:\Windows\SysWOW64\Hmdlhk32.exe (command line: C:\Windows\system32\Hmdlhk32.exe)
- Executes dropped EXE
- Modifies registry class
PID:3244
-
Level 64: C:\Windows\SysWOW64\Ijpcbn32.exe (command line: C:\Windows\system32\Ijpcbn32.exe)
- Executes dropped EXE
PID:732
-
Level 65: C:\Windows\SysWOW64\Iajkohmj.exe (command line: C:\Windows\system32\Iajkohmj.exe)
- Executes dropped EXE
PID:4720
-
Level 66: C:\Windows\SysWOW64\Ikbphn32.exe (command line: C:\Windows\system32\Ikbphn32.exe)
PID:4712
-
Level 67: C:\Windows\SysWOW64\Ipohpdbb.exe (command line: C:\Windows\system32\Ipohpdbb.exe)
PID:4656
-
Level 68: C:\Windows\SysWOW64\Ikdlmmbh.exe (command line: C:\Windows\system32\Ikdlmmbh.exe)
PID:3076
-
Level 69: C:\Windows\SysWOW64\Jdajabdc.exe (command line: C:\Windows\system32\Jdajabdc.exe)
PID:792
-
Level 70: C:\Windows\SysWOW64\Jgdphm32.exe (command line: C:\Windows\system32\Jgdphm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4476
-
Level 71: C:\Windows\SysWOW64\Jpmdabfb.exe (command line: C:\Windows\system32\Jpmdabfb.exe)
PID:3368
-
Level 72: C:\Windows\SysWOW64\Jggmnmmo.exe (command line: C:\Windows\system32\Jggmnmmo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552
-
Level 73: C:\Windows\SysWOW64\Jalakeme.exe (command line: C:\Windows\system32\Jalakeme.exe)
- Drops file in System32 directory
PID:2084
-
Level 74: C:\Windows\SysWOW64\Kaonaekb.exe (command line: C:\Windows\system32\Kaonaekb.exe)
PID:2176
-
Level 75: C:\Windows\SysWOW64\Kgkfil32.exe (command line: C:\Windows\system32\Kgkfil32.exe)
- Modifies registry class
PID:3520
-
Level 76: C:\Windows\SysWOW64\Kaajfe32.exe (command line: C:\Windows\system32\Kaajfe32.exe)
PID:2600
-
Level 77: C:\Windows\SysWOW64\Kgeiokao.exe (command line: C:\Windows\system32\Kgeiokao.exe)
PID:4484
-
Level 78: C:\Windows\SysWOW64\Mojmbf32.exe (command line: C:\Windows\system32\Mojmbf32.exe)
PID:4528
-
Level 79: C:\Windows\SysWOW64\Mhbakk32.exe (command line: C:\Windows\system32\Mhbakk32.exe)
- Drops file in System32 directory
PID:3968
-
Level 80: C:\Windows\SysWOW64\Mkcjlf32.exe (command line: C:\Windows\system32\Mkcjlf32.exe)
PID:3348
-
Level 81: C:\Windows\SysWOW64\Mhgkfkhl.exe (command line: C:\Windows\system32\Mhgkfkhl.exe)
- Modifies registry class
PID:3064
-
Level 82: C:\Windows\SysWOW64\Mbpoop32.exe (command line: C:\Windows\system32\Mbpoop32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4852
-
Level 83: C:\Windows\SysWOW64\Mhihkjfj.exe (command line: C:\Windows\system32\Mhihkjfj.exe)
- Modifies registry class
PID:4884
-
Level 84: C:\Windows\SysWOW64\Nkmmbe32.exe (command line: C:\Windows\system32\Nkmmbe32.exe)
PID:5136
-
Level 85: C:\Windows\SysWOW64\Nbfeoohe.exe (command line: C:\Windows\system32\Nbfeoohe.exe)
PID:5180
-
Level 86: C:\Windows\SysWOW64\Nicjaino.exe (command line: C:\Windows\system32\Nicjaino.exe)
PID:5216
-
Level 87: C:\Windows\SysWOW64\Nnpcjplf.exe (command line: C:\Windows\system32\Nnpcjplf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264
-
Level 88: C:\Windows\SysWOW64\Nieggill.exe (command line: C:\Windows\system32\Nieggill.exe)
- Modifies registry class
PID:5312
-
Level 89: C:\Windows\SysWOW64\Opdiobod.exe (command line: C:\Windows\system32\Opdiobod.exe)
- Modifies registry class
PID:5360
-
Level 90: C:\Windows\SysWOW64\Oilmhhfd.exe (command line: C:\Windows\system32\Oilmhhfd.exe)
PID:5408
-
Level 91: C:\Windows\SysWOW64\Onkbenbi.exe (command line: C:\Windows\system32\Onkbenbi.exe)
- Modifies registry class
PID:5456
-
Level 92: C:\Windows\SysWOW64\Ppkopail.exe (command line: C:\Windows\system32\Ppkopail.exe)
PID:5496
-
Level 93: C:\Windows\SysWOW64\Picchg32.exe (command line: C:\Windows\system32\Picchg32.exe)
PID:5540
-
Level 94: C:\Windows\SysWOW64\Pnplqn32.exe (command line: C:\Windows\system32\Pnplqn32.exe)
PID:5580
-
Level 95: C:\Windows\SysWOW64\Piepnfnj.exe (command line: C:\Windows\system32\Piepnfnj.exe)
- Drops file in System32 directory
PID:5628
-
Level 96: C:\Windows\SysWOW64\Paqebike.exe (command line: C:\Windows\system32\Paqebike.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5668
-
Level 97: C:\Windows\SysWOW64\Pbpall32.exe (command line: C:\Windows\system32\Pbpall32.exe)
PID:5716
-
Level 98: C:\Windows\SysWOW64\Pijiif32.exe (command line: C:\Windows\system32\Pijiif32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5760
-
Level 99: C:\Windows\SysWOW64\Ppdbfpaa.exe (command line: C:\Windows\system32\Ppdbfpaa.exe)
- Drops file in System32 directory
PID:5812
-
Level 100: C:\Windows\SysWOW64\Apndloif.exe (command line: C:\Windows\system32\Apndloif.exe)
PID:5856
-
Level 101: C:\Windows\SysWOW64\Aejmdegn.exe (command line: C:\Windows\system32\Aejmdegn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5900
-
Level 102: C:\Windows\SysWOW64\Abnnnjfh.exe (command line: C:\Windows\system32\Abnnnjfh.exe)
- Drops file in System32 directory
PID:5948
-
Level 103: C:\Windows\SysWOW64\Ahkffqdo.exe (command line: C:\Windows\system32\Ahkffqdo.exe)
PID:5988
-
Level 104: C:\Windows\SysWOW64\Abqjci32.exe (command line: C:\Windows\system32\Abqjci32.exe)
PID:6032
-
Level 105: C:\Windows\SysWOW64\Aikbpckb.exe (command line: C:\Windows\system32\Aikbpckb.exe)
PID:6072
-
Level 106: C:\Windows\SysWOW64\Bafgdfim.exe (command line: C:\Windows\system32\Bafgdfim.exe)
PID:6112
-
Level 107: C:\Windows\SysWOW64\Bhppap32.exe (command line: C:\Windows\system32\Bhppap32.exe)
PID:2484
-
Level 108: C:\Windows\SysWOW64\Bojhnjgf.exe (command line: C:\Windows\system32\Bojhnjgf.exe)
PID:5208
-
Level 109: C:\Windows\SysWOW64\Bhgeao32.exe (command line: C:\Windows\system32\Bhgeao32.exe)
PID:5260
-
Level 110: C:\Windows\SysWOW64\Baojkdqb.exe (command line: C:\Windows\system32\Baojkdqb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5352
-
Level 111: C:\Windows\SysWOW64\Eodlad32.exe (command line: C:\Windows\system32\Eodlad32.exe)
PID:5440
-
Level 112: C:\Windows\SysWOW64\Gfqjkljn.exe (command line: C:\Windows\system32\Gfqjkljn.exe)
PID:3728
-
Level 113: C:\Windows\SysWOW64\Gcdkdpih.exe (command line: C:\Windows\system32\Gcdkdpih.exe)
PID:5548
-
Level 114: C:\Windows\SysWOW64\Gmmome32.exe (command line: C:\Windows\system32\Gmmome32.exe)
PID:5608
-
Level 115: C:\Windows\SysWOW64\Gfedfk32.exe (command line: C:\Windows\system32\Gfedfk32.exe)
PID:5696
-
Level 116: C:\Windows\SysWOW64\Hakhcd32.exe (command line: C:\Windows\system32\Hakhcd32.exe)
PID:5752
-
Level 117: C:\Windows\SysWOW64\Hbldkllm.exe (command line: C:\Windows\system32\Hbldkllm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5792
-
Level 118: C:\Windows\SysWOW64\Hmaihekc.exe (command line: C:\Windows\system32\Hmaihekc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5852
-
Level 119: C:\Windows\SysWOW64\Hclaeocp.exe (command line: C:\Windows\system32\Hclaeocp.exe)
PID:5936
-
Level 120: C:\Windows\SysWOW64\Hihimfag.exe (command line: C:\Windows\system32\Hihimfag.exe)
PID:6004
-
Level 121: C:\Windows\SysWOW64\Hikfbeod.exe (command line: C:\Windows\system32\Hikfbeod.exe)
PID:6052
-
Level 122: C:\Windows\SysWOW64\Hmioicek.exe (command line: C:\Windows\system32\Hmioicek.exe)
PID:6140
-