Analysis
max time kernel: 159s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2023, 05:53
Behavioral task behavioral1
Sample: NEAS.de2b5c16f509c4994e98986612fb39d0.exe
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: NEAS.de2b5c16f509c4994e98986612fb39d0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.de2b5c16f509c4994e98986612fb39d0.exe
Size: 1.2MB
MD5: de2b5c16f509c4994e98986612fb39d0
SHA1: 77b2f7100d77e4708a3bac193089574b06459f9b
SHA256: a679892c4f5dcac7623cb2f9e21c5eb1bcd4f84d95cf7f6eb678a57ea9ad4ad6
SHA512: 98d3786938a344b217050b46c4ac314010d3f07be0308639ddef8f26b953f17311ce10fc9500289d4b97096a75e42396d9dc7e32d722fe0a07169ce2adae1c37
SSDEEP: 24576:YbG39aPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oWQy60as:Yb29EbazR0vKLXZWy60as
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry below is one process in the sandbox's process tree; the leading number is its nesting level (each process in this chain spawns the next), followed by the image path, the command line as recorded, and the PID. Signatures triggered by that process are listed beneath it.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.de2b5c16f509c4994e98986612fb39d0.exe (command line "C:\Users\Admin\AppData\Local\Temp\NEAS.de2b5c16f509c4994e98986612fb39d0.exe", PID 1112)
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Hjjldpdf.exe (command line C:\Windows\system32\Hjjldpdf.exe, PID 4076)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Kfkamk32.exe (command line C:\Windows\system32\Kfkamk32.exe, PID 4220)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lacbpccn.exe (command line C:\Windows\system32\Lacbpccn.exe, PID 3912)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Nncoaq32.exe (command line C:\Windows\system32\Nncoaq32.exe, PID 3044)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Oggbfdog.exe (command line C:\Windows\system32\Oggbfdog.exe, PID 2564)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Pkonbamc.exe (command line C:\Windows\system32\Pkonbamc.exe, PID 2188)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Aeglbeea.exe (command line C:\Windows\system32\Aeglbeea.exe, PID 2400)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Cnpibh32.exe (command line C:\Windows\system32\Cnpibh32.exe, PID 3500)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Dpkehi32.exe (command line C:\Windows\system32\Dpkehi32.exe, PID 3464)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Eoladdeo.exe (command line C:\Windows\system32\Eoladdeo.exe, PID 468)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Gipbck32.exe (command line C:\Windows\system32\Gipbck32.exe, PID 4060)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Gcmpgpkp.exe (command line C:\Windows\system32\Gcmpgpkp.exe, PID 1208)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ioppho32.exe (command line C:\Windows\system32\Ioppho32.exe, PID 3800)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kgngqico.exe (command line C:\Windows\system32\Kgngqico.exe, PID 4644)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Labkempb.exe (command line C:\Windows\system32\Labkempb.exe, PID 5064)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mpedgghj.exe (command line C:\Windows\system32\Mpedgghj.exe, PID 1536)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Nkboeobh.exe (command line C:\Windows\system32\Nkboeobh.exe, PID 4396)
   - Executes dropped EXE
   - Modifies registry class
19. C:\Windows\SysWOW64\Ppdjpcng.exe (command line C:\Windows\system32\Ppdjpcng.exe, PID 4192)
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Pgpobmca.exe (command line C:\Windows\system32\Pgpobmca.exe, PID 4280)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Pknghk32.exe (command line C:\Windows\system32\Pknghk32.exe, PID 4132)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Abflfc32.exe (command line C:\Windows\system32\Abflfc32.exe, PID 4428)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Bqbohocd.exe (command line C:\Windows\system32\Bqbohocd.exe, PID 3860)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
24. C:\Windows\SysWOW64\Cjomldfp.exe (command line C:\Windows\system32\Cjomldfp.exe, PID 4444)
   - Executes dropped EXE
   - Modifies registry class
25. C:\Windows\SysWOW64\Dgmpkg32.exe (command line C:\Windows\system32\Dgmpkg32.exe, PID 560)
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Eliecc32.exe (command line C:\Windows\system32\Eliecc32.exe, PID 4560)
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Gklnem32.exe (command line C:\Windows\system32\Gklnem32.exe, PID 3320)
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Hhnkppbf.exe (command line C:\Windows\system32\Hhnkppbf.exe, PID 3144)
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Iooimi32.exe (command line C:\Windows\system32\Iooimi32.exe, PID 3828)
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Jhqqlmba.exe (command line C:\Windows\system32\Jhqqlmba.exe, PID 1188)
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Jbpkfa32.exe (command line C:\Windows\system32\Jbpkfa32.exe, PID 2696)
   - Executes dropped EXE
   - Modifies registry class
32. C:\Windows\SysWOW64\Kiajck32.exe (command line C:\Windows\system32\Kiajck32.exe, PID 2100)
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Mpnglbkf.exe (command line C:\Windows\system32\Mpnglbkf.exe, PID 3360)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Mihikgod.exe (command line C:\Windows\system32\Mihikgod.exe, PID 1852)
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Nmmgae32.exe (command line C:\Windows\system32\Nmmgae32.exe, PID 1560)
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Ndliin32.exe (command line C:\Windows\system32\Ndliin32.exe, PID 764)
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Acgacegg.exe (command line C:\Windows\system32\Acgacegg.exe, PID 3956)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Ccendc32.exe (command line C:\Windows\system32\Ccendc32.exe, PID 2276)
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Dnfanjqp.exe (command line C:\Windows\system32\Dnfanjqp.exe, PID 2776)
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Dmnkdfce.exe (command line C:\Windows\system32\Dmnkdfce.exe, PID 1392)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Eeimqc32.exe (command line C:\Windows\system32\Eeimqc32.exe, PID 748)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Fnpmkg32.exe (command line C:\Windows\system32\Fnpmkg32.exe, PID 4248)
   - Executes dropped EXE
   - Drops file in System32 directory
43. C:\Windows\SysWOW64\Fhjoilop.exe (command line C:\Windows\system32\Fhjoilop.exe, PID 4044)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Gaepgacn.exe (command line C:\Windows\system32\Gaepgacn.exe, PID 2272)
   - Executes dropped EXE
   - Drops file in System32 directory
45. C:\Windows\SysWOW64\Hoepmd32.exe (command line C:\Windows\system32\Hoepmd32.exe, PID 708)
   - Executes dropped EXE
   - Drops file in System32 directory
46. C:\Windows\SysWOW64\Hmlicp32.exe (command line C:\Windows\system32\Hmlicp32.exe, PID 2864)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Imofip32.exe (command line C:\Windows\system32\Imofip32.exe, PID 2072)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Ilbclg32.exe (command line C:\Windows\system32\Ilbclg32.exe, PID 4640)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Idmhqi32.exe (command line C:\Windows\system32\Idmhqi32.exe, PID 2876)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Ioeicajh.exe (command line C:\Windows\system32\Ioeicajh.exe, PID 2364)
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Jhpjbgne.exe (command line C:\Windows\system32\Jhpjbgne.exe, PID 2160)
   - Executes dropped EXE
   - Modifies registry class
52. C:\Windows\SysWOW64\Jdgjgh32.exe (command line C:\Windows\system32\Jdgjgh32.exe, PID 2092)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Jnoopm32.exe (command line C:\Windows\system32\Jnoopm32.exe, PID 324)
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Jnalem32.exe (command line C:\Windows\system32\Jnalem32.exe, PID 4208)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Kfmmajed.exe (command line C:\Windows\system32\Kfmmajed.exe, PID 1356)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Lnbdlkje.exe (command line C:\Windows\system32\Lnbdlkje.exe, PID 3492)
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Lbpmbipk.exe (command line C:\Windows\system32\Lbpmbipk.exe, PID 2204)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Lbbjhini.exe (command line C:\Windows\system32\Lbbjhini.exe, PID 812)
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Lmjkka32.exe (command line C:\Windows\system32\Lmjkka32.exe, PID 2524)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Mokdllim.exe (command line C:\Windows\system32\Mokdllim.exe, PID 948)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Mmodfqhf.exe (command line C:\Windows\system32\Mmodfqhf.exe, PID 1532)
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Mbkmngfn.exe (command line C:\Windows\system32\Mbkmngfn.exe, PID 4424)
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Nnbfjf32.exe (command line C:\Windows\system32\Nnbfjf32.exe, PID 4388)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Pekkhn32.exe (command line C:\Windows\system32\Pekkhn32.exe, PID 4324)
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Pfmdgq32.exe (command line C:\Windows\system32\Pfmdgq32.exe, PID 2892)
   - Executes dropped EXE
   - Drops file in System32 directory
66. C:\Windows\SysWOW64\Qpibke32.exe (command line C:\Windows\system32\Qpibke32.exe, PID 4048)
   - Executes dropped EXE
67. C:\Windows\SysWOW64\Aifpoj32.exe (command line C:\Windows\system32\Aifpoj32.exe, PID 4000)
   - Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Aemqdk32.exe (command line C:\Windows\system32\Aemqdk32.exe, PID 4660)
   - Modifies registry class
69. C:\Windows\SysWOW64\Aljefena.exe (command line C:\Windows\system32\Aljefena.exe, PID 1736)
70. C:\Windows\SysWOW64\Cnlhme32.exe (command line C:\Windows\system32\Cnlhme32.exe, PID 3076)
71. C:\Windows\SysWOW64\Copajm32.exe (command line C:\Windows\system32\Copajm32.exe, PID 3840)
72. C:\Windows\SysWOW64\Emoaopnf.exe (command line C:\Windows\system32\Emoaopnf.exe, PID 2536)
   - Drops file in System32 directory
73. C:\Windows\SysWOW64\Ejcaidlp.exe (command line C:\Windows\system32\Ejcaidlp.exe, PID 548)
   - Modifies registry class
74. C:\Windows\SysWOW64\Efjbne32.exe (command line C:\Windows\system32\Efjbne32.exe, PID 1340)
75. C:\Windows\SysWOW64\Epgpajdp.exe (command line C:\Windows\system32\Epgpajdp.exe, PID 1808)
   - Drops file in System32 directory
76. C:\Windows\SysWOW64\Fqfmlm32.exe (command line C:\Windows\system32\Fqfmlm32.exe, PID 2944)
   - Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Fggkifmg.exe (command line C:\Windows\system32\Fggkifmg.exe, PID 4780)
78. C:\Windows\SysWOW64\Gjhdkajh.exe (command line C:\Windows\system32\Gjhdkajh.exe, PID 1140)
   - Drops file in System32 directory
79. C:\Windows\SysWOW64\Gjkqpa32.exe (command line C:\Windows\system32\Gjkqpa32.exe, PID 3008)
80. C:\Windows\SysWOW64\Gfcnka32.exe (command line C:\Windows\system32\Gfcnka32.exe, PID 2064)
81. C:\Windows\SysWOW64\Hjfplo32.exe (command line C:\Windows\system32\Hjfplo32.exe, PID 2188)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
82. C:\Windows\SysWOW64\Ifdgaond.exe (command line C:\Windows\system32\Ifdgaond.exe, PID 4348)
   - Modifies registry class
83. C:\Windows\SysWOW64\Idhgkcln.exe (command line C:\Windows\system32\Idhgkcln.exe, PID 4372)
84. C:\Windows\SysWOW64\Idjdqc32.exe (command line C:\Windows\system32\Idjdqc32.exe, PID 3796)
85. C:\Windows\SysWOW64\Iandjg32.exe (command line C:\Windows\system32\Iandjg32.exe, PID 3780)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
86. C:\Windows\SysWOW64\Jacnegep.exe (command line C:\Windows\system32\Jacnegep.exe, PID 348)
87. C:\Windows\SysWOW64\Jdkmgali.exe (command line C:\Windows\system32\Jdkmgali.exe, PID 3044)
88. C:\Windows\SysWOW64\Kkioojpp.exe (command line C:\Windows\system32\Kkioojpp.exe, PID 2728)
   - Drops file in System32 directory
89. C:\Windows\SysWOW64\Kknhjj32.exe (command line C:\Windows\system32\Kknhjj32.exe, PID 1404)
90. C:\Windows\SysWOW64\Lnanadfi.exe (command line C:\Windows\system32\Lnanadfi.exe, PID 5000)
91. C:\Windows\SysWOW64\Lnfgmc32.exe (command line C:\Windows\system32\Lnfgmc32.exe, PID 4824)
92. C:\Windows\SysWOW64\Mbfmha32.exe (command line C:\Windows\system32\Mbfmha32.exe, PID 1500)
93. C:\Windows\SysWOW64\Mbhina32.exe (command line C:\Windows\system32\Mbhina32.exe, PID 2584)
94. C:\Windows\SysWOW64\Mkangg32.exe (command line C:\Windows\system32\Mkangg32.exe, PID 2404)
95. C:\Windows\SysWOW64\Mhenpk32.exe (command line C:\Windows\system32\Mhenpk32.exe, PID 4040)
96. C:\Windows\SysWOW64\Nocphd32.exe (command line C:\Windows\system32\Nocphd32.exe, PID 2008)
   - Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Nildajdg.exe (command line C:\Windows\system32\Nildajdg.exe, PID 5152)
98. C:\Windows\SysWOW64\Nnkioq32.exe (command line C:\Windows\system32\Nnkioq32.exe, PID 5204)
99. C:\Windows\SysWOW64\Negoaj32.exe (command line C:\Windows\system32\Negoaj32.exe, PID 5248)
100. C:\Windows\SysWOW64\Nieggill.exe (command line C:\Windows\system32\Nieggill.exe, PID 5288)
   - Drops file in System32 directory
101. C:\Windows\SysWOW64\Ogjdheqd.exe (command line C:\Windows\system32\Ogjdheqd.exe, PID 5340)
102. C:\Windows\SysWOW64\Ongijo32.exe (command line C:\Windows\system32\Ongijo32.exe, PID 5384)
103. C:\Windows\SysWOW64\Opfedb32.exe (command line C:\Windows\system32\Opfedb32.exe, PID 5432)
104. C:\Windows\SysWOW64\Oajoaj32.exe (command line C:\Windows\system32\Oajoaj32.exe, PID 5472)
105. C:\Windows\SysWOW64\Plocob32.exe (command line C:\Windows\system32\Plocob32.exe, PID 5516)
106. C:\Windows\SysWOW64\Picchg32.exe (command line C:\Windows\system32\Picchg32.exe, PID 5556)
107. C:\Windows\SysWOW64\Panhmi32.exe (command line C:\Windows\system32\Panhmi32.exe, PID 5600)
108. C:\Windows\SysWOW64\Paqebike.exe (command line C:\Windows\system32\Paqebike.exe, PID 5636)
109. C:\Windows\SysWOW64\Ppbepp32.exe (command line C:\Windows\system32\Ppbepp32.exe, PID 5684)
110. C:\Windows\SysWOW64\Phmjdbpo.exe (command line C:\Windows\system32\Phmjdbpo.exe, PID 5744)
111. C:\Windows\SysWOW64\Paennh32.exe (command line C:\Windows\system32\Paennh32.exe, PID 5800)
112. C:\Windows\SysWOW64\Qlkbka32.exe (command line C:\Windows\system32\Qlkbka32.exe, PID 5852)
113. C:\Windows\SysWOW64\Qecgcfmf.exe (command line C:\Windows\system32\Qecgcfmf.exe, PID 5896)
   - Drops file in System32 directory
114. C:\Windows\SysWOW64\Qajhigcj.exe (command line C:\Windows\system32\Qajhigcj.exe, PID 5952)
115. C:\Windows\SysWOW64\Alplfpbp.exe (command line C:\Windows\system32\Alplfpbp.exe, PID 5996)
116. C:\Windows\SysWOW64\Apndloif.exe (command line C:\Windows\system32\Apndloif.exe, PID 6036)
   - Modifies registry class
117. C:\Windows\SysWOW64\Apbngn32.exe (command line C:\Windows\system32\Apbngn32.exe, PID 6080)
   - Drops file in System32 directory
118. C:\Windows\SysWOW64\Alioloje.exe (command line C:\Windows\system32\Alioloje.exe, PID 6128)
119. C:\Windows\SysWOW64\Bimoecio.exe (command line C:\Windows\system32\Bimoecio.exe, PID 5172)
120. C:\Windows\SysWOW64\Boldcj32.exe (command line C:\Windows\system32\Boldcj32.exe, PID 5244)
121. C:\Windows\SysWOW64\Blpemn32.exe (command line C:\Windows\system32\Blpemn32.exe, PID 4860)
   - Drops file in System32 directory
122. C:\Windows\SysWOW64\Blbabnbk.exe (command line C:\Windows\system32\Blbabnbk.exe, PID 5380)