Analysis
-
max time kernel
122s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2023, 10:00
Behavioral task
behavioral1
Sample
NEAS.1c538ca4852a4d57f381ed3c38302180.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.1c538ca4852a4d57f381ed3c38302180.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.1c538ca4852a4d57f381ed3c38302180.exe
-
Size
368KB
-
MD5
1c538ca4852a4d57f381ed3c38302180
-
SHA1
540971138f58ad40ffd65ed77c90c0b61db96daf
-
SHA256
d31f954f20999cf0d1872ff1c5469e2ca47774136ce8465a7f5eb1e7faae35dc
-
SHA512
99701918feeda5194ec517bbb7495945142b129fa28de343c12264569b87b4b2b603b9a5388364fed90eb438232019cc5a1ee74318bfac4f82e5cc81fd4a207b
-
SSDEEP
6144:t18a6dLBDshE4f9FIUpOVw86CmOJfTo9FIUIhrcflDMxy9FIUpOVw86CmOJfTo9t:tGa6dtDdaAD6RrI1+lDMEAD6Rr2NWL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpcoefj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lacijjgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chglab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aopemh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblpcndd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aggpfkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddcebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddfbgelh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haidfpki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jeolckne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lddble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmpdhboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oloahhki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaldjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdpagc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcfggkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfkqjmdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjdedepg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Objkmkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajaelc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlidpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmjhlklg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnmmboed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahfmpnql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hepgkohh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelonkph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelolmnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfjjpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpqjjjjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofgmib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmanljfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Napjdpcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onapdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqfojblo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkcccn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbimjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbimjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.1c538ca4852a4d57f381ed3c38302180.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qkipkani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lchfib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbegqjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nggnadib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paeelgnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doccpcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpnjah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omaeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpoalo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmmmmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nagiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhgonidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcbkl32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x00090000000224ad-6.dat family_berbew behavioral2/files/0x00090000000224ad-7.dat family_berbew behavioral2/files/0x0006000000022e2a-16.dat family_berbew behavioral2/files/0x0006000000022e2a-14.dat family_berbew behavioral2/files/0x0008000000022e23-22.dat family_berbew behavioral2/files/0x0008000000022e23-23.dat family_berbew behavioral2/files/0x0006000000022e2d-31.dat family_berbew behavioral2/files/0x0006000000022e2d-30.dat family_berbew behavioral2/files/0x0006000000022e2f-39.dat family_berbew behavioral2/files/0x0006000000022e2f-38.dat family_berbew behavioral2/files/0x0006000000022e31-47.dat family_berbew behavioral2/files/0x0006000000022e31-46.dat family_berbew behavioral2/files/0x0006000000022e33-55.dat family_berbew behavioral2/files/0x0006000000022e33-54.dat family_berbew behavioral2/files/0x0006000000022e37-70.dat family_berbew behavioral2/files/0x0006000000022e37-69.dat family_berbew behavioral2/files/0x0006000000022e35-62.dat family_berbew behavioral2/files/0x0006000000022e35-61.dat family_berbew behavioral2/files/0x0006000000022e39-79.dat family_berbew behavioral2/files/0x0006000000022e3d-87.dat family_berbew behavioral2/files/0x0006000000022e3f-95.dat family_berbew behavioral2/files/0x0006000000022e3f-94.dat family_berbew behavioral2/files/0x0006000000022e3d-86.dat family_berbew behavioral2/files/0x0006000000022e39-78.dat family_berbew behavioral2/files/0x0006000000022e41-102.dat family_berbew behavioral2/files/0x0006000000022e41-103.dat family_berbew behavioral2/files/0x0006000000022e43-110.dat family_berbew behavioral2/files/0x0006000000022e43-111.dat family_berbew behavioral2/files/0x0006000000022e45-118.dat family_berbew behavioral2/files/0x0006000000022e45-120.dat family_berbew behavioral2/files/0x0006000000022e47-126.dat family_berbew behavioral2/files/0x0006000000022e47-128.dat family_berbew behavioral2/files/0x0006000000022e49-134.dat family_berbew behavioral2/files/0x0006000000022e49-135.dat family_berbew behavioral2/files/0x0006000000022e4b-142.dat family_berbew behavioral2/files/0x0006000000022e4b-144.dat family_berbew behavioral2/files/0x0006000000022e4d-150.dat family_berbew behavioral2/files/0x0006000000022e4d-152.dat family_berbew behavioral2/files/0x0006000000022e4f-158.dat family_berbew behavioral2/files/0x0006000000022e4f-159.dat family_berbew behavioral2/files/0x0006000000022e51-166.dat family_berbew behavioral2/files/0x0006000000022e56-174.dat family_berbew behavioral2/files/0x0006000000022e56-175.dat family_berbew behavioral2/files/0x0006000000022e51-167.dat family_berbew behavioral2/files/0x0006000000022e58-182.dat family_berbew behavioral2/files/0x0006000000022e58-183.dat family_berbew behavioral2/files/0x0006000000022e5b-190.dat family_berbew behavioral2/files/0x0006000000022e5b-191.dat family_berbew behavioral2/files/0x0006000000022e5d-198.dat family_berbew behavioral2/files/0x0006000000022e5d-200.dat family_berbew behavioral2/files/0x0006000000022e5f-206.dat family_berbew behavioral2/files/0x0006000000022e63-214.dat family_berbew behavioral2/files/0x0006000000022e63-216.dat family_berbew behavioral2/files/0x0006000000022e65-222.dat family_berbew behavioral2/files/0x0006000000022e65-224.dat family_berbew behavioral2/files/0x0006000000022e67-230.dat family_berbew behavioral2/files/0x0006000000022e67-231.dat family_berbew behavioral2/files/0x0006000000022e6b-239.dat family_berbew behavioral2/files/0x0006000000022e6b-238.dat family_berbew behavioral2/files/0x0006000000022e6d-246.dat family_berbew behavioral2/files/0x0006000000022e6d-248.dat family_berbew behavioral2/files/0x0006000000022e6f-254.dat family_berbew behavioral2/files/0x0006000000022e6f-255.dat family_berbew behavioral2/files/0x0006000000022e71-262.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 5032 Kjccdkki.exe 4688 Kqmkae32.exe 3212 Kjepjkhf.exe 2508 Knchpiom.exe 4592 Kcpahpmd.exe 1176 Knfeeimj.exe 2488 Kdpmbc32.exe 4324 Kjmfjj32.exe 4776 Kdbjhbbd.exe 4436 Lgqfdnah.exe 484 Ldgccb32.exe 3856 Lkalplel.exe 2676 Lgjijmin.exe 3600 Lndagg32.exe 2256 Mkjnfkma.exe 3468 Mebcop32.exe 2080 Mmpdhboj.exe 2344 Mjdebfnd.exe 2940 Napjdpcn.exe 4580 Nndjndbh.exe 4064 Nhmofj32.exe 4440 Njmhhefi.exe 2436 Nagpeo32.exe 2584 Oloahhki.exe 1956 Olanmgig.exe 540 Oejbfmpg.exe 2364 Oodcdb32.exe 4228 Ohmhmh32.exe 4640 Poimpapp.exe 4964 Pkpmdbfd.exe 4352 Pefabkej.exe 1340 Pehngkcg.exe 4192 Pejkmk32.exe 3016 Pkgcea32.exe 552 Qdphngfl.exe 4128 Qkipkani.exe 1784 Aeaanjkl.exe 3692 Aknifq32.exe 1380 Adfnofpd.exe 688 Akqfkp32.exe 2056 Aefjii32.exe 1420 Aonoao32.exe 324 Ahgcjddh.exe 2292 Anclbkbp.exe 384 Akglloai.exe 4008 Bhkmec32.exe 452 Bdbnjdfg.exe 4812 Bafndi32.exe 4268 Bhpfqcln.exe 3484 Bojomm32.exe 4336 Bhbcfbjk.exe 3920 Bakgoh32.exe 1752 Bheplb32.exe 4456 Cnahdi32.exe 2696 Chglab32.exe 4912 Coadnlnb.exe 3036 Cfkmkf32.exe 1632 Cocacl32.exe 848 Clgbmp32.exe 3464 Cfpffeaj.exe 5112 Dfdpad32.exe 1488 Domdjj32.exe 4412 Dheibpje.exe 692 Dooaoj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ojnkocdc.dll Mcbpjg32.exe File created C:\Windows\SysWOW64\Cknmplfo.dll Oiccje32.exe File created C:\Windows\SysWOW64\Hjfbjdnd.exe Hghfnioq.exe File created C:\Windows\SysWOW64\Dndnpf32.exe Dkfadkgf.exe File created C:\Windows\SysWOW64\Efgemb32.exe Epmmqheb.exe File created C:\Windows\SysWOW64\Nfcabp32.exe Nagiji32.exe File created C:\Windows\SysWOW64\Jlbngnmk.dll Jelonkph.exe File opened for modification C:\Windows\SysWOW64\Madbagif.exe Moefdljc.exe File opened for modification C:\Windows\SysWOW64\Gpnfge32.exe Gmojkj32.exe File created C:\Windows\SysWOW64\Ahofoogd.exe Amjbbfgo.exe File created C:\Windows\SysWOW64\Nfqnbjfi.exe Nofefp32.exe File created C:\Windows\SysWOW64\Cdjblf32.exe Cmpjoloh.exe File created C:\Windows\SysWOW64\Ggociklh.dll Abcppq32.exe File opened for modification C:\Windows\SysWOW64\Fmcjpl32.exe Efjbcakl.exe File created C:\Windows\SysWOW64\Inkaqb32.exe Ijpepcfj.exe File created C:\Windows\SysWOW64\Hiocnbpm.dll Ieeimlep.exe File created C:\Windows\SysWOW64\Mcbpjg32.exe Mmhgmmbf.exe File created C:\Windows\SysWOW64\Mdbnmbhj.exe Madbagif.exe File opened for modification C:\Windows\SysWOW64\Qfkqjmdg.exe Panhbfep.exe File created C:\Windows\SysWOW64\Gnblnlhl.exe Giecfejd.exe File opened for modification C:\Windows\SysWOW64\Jnpjlajn.exe Jjdokb32.exe File opened for modification C:\Windows\SysWOW64\Lajokiaa.exe Lolcnman.exe File created C:\Windows\SysWOW64\Mmkdcm32.exe Mfqlfb32.exe File opened for modification C:\Windows\SysWOW64\Mmmqhl32.exe Mfchlbfd.exe File opened for modification C:\Windows\SysWOW64\Jlfhke32.exe Jhkljfok.exe File created C:\Windows\SysWOW64\Hblkjo32.exe Hpnoncim.exe File opened for modification C:\Windows\SysWOW64\Eiekog32.exe Eqlfhjig.exe File created C:\Windows\SysWOW64\Jmpjlk32.dll Mmhgmmbf.exe File created C:\Windows\SysWOW64\Mmebednk.dll Qcnjijoe.exe File created C:\Windows\SysWOW64\Pncmdhlq.dll Hgocgjgk.exe File opened for modification C:\Windows\SysWOW64\Mfchlbfd.exe Mmkdcm32.exe File created C:\Windows\SysWOW64\Lddble32.exe Laffpi32.exe File opened for modification C:\Windows\SysWOW64\Ldfoad32.exe Ledoegkm.exe File created C:\Windows\SysWOW64\Npbceggm.exe Nmdgikhi.exe File created C:\Windows\SysWOW64\Oppceehj.dll Nfohgqlg.exe File opened for modification C:\Windows\SysWOW64\Bbhildae.exe Bagmdllg.exe File opened for modification C:\Windows\SysWOW64\Jhfbog32.exe Jehfcl32.exe File opened for modification C:\Windows\SysWOW64\Ledoegkm.exe Lbebilli.exe File created C:\Windows\SysWOW64\Mdgmickl.dll Pkpmdbfd.exe File opened for modification C:\Windows\SysWOW64\Nfohgqlg.exe Nqbpojnp.exe File created C:\Windows\SysWOW64\Ipmgkhgl.dll Jhoeef32.exe File opened for modification C:\Windows\SysWOW64\Dfnbgc32.exe Dngjff32.exe File created C:\Windows\SysWOW64\Aajhndkb.exe Aokkahlo.exe File opened for modification C:\Windows\SysWOW64\Fqgedh32.exe Filapfbo.exe File created C:\Windows\SysWOW64\Heepfn32.exe Haidfpki.exe File opened for modification C:\Windows\SysWOW64\Flpmagqi.exe Fefedmil.exe File opened for modification C:\Windows\SysWOW64\Imgicgca.exe Iepaaico.exe File created C:\Windows\SysWOW64\Ckgohf32.exe Chiblk32.exe File opened for modification C:\Windows\SysWOW64\Janghmia.exe Jnpjlajn.exe File created C:\Windows\SysWOW64\Omaeem32.exe Ofgmib32.exe File opened for modification C:\Windows\SysWOW64\Cgqlcg32.exe Cpfcfmlp.exe File created C:\Windows\SysWOW64\Cpmheahf.dll Hbiapb32.exe File created C:\Windows\SysWOW64\Dfhegp32.dll Ocdgahag.exe File created C:\Windows\SysWOW64\Cogcho32.dll Pecpknke.exe File opened for modification C:\Windows\SysWOW64\Anclbkbp.exe Ahgcjddh.exe File created C:\Windows\SysWOW64\Mlkpophj.dll Hmdlmg32.exe File created C:\Windows\SysWOW64\Bjdbkbbn.dll Kpoalo32.exe File opened for modification C:\Windows\SysWOW64\Lnjgfb32.exe Ljnlecmp.exe File created C:\Windows\SysWOW64\Bgimjd32.dll Gqpapacd.exe File created C:\Windows\SysWOW64\Hpfbcn32.exe Giljfddl.exe File created C:\Windows\SysWOW64\Kaadlo32.dll Njbgmjgl.exe File opened for modification C:\Windows\SysWOW64\Jhmhpfmi.exe Jeolckne.exe File opened for modification C:\Windows\SysWOW64\Kcpjnjii.exe Klfaapbl.exe File created C:\Windows\SysWOW64\Onnnbnbp.dll Piocecgj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibnjkbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjfon32.dll" Kjmfjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nagiji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klddlckd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll" Pmnbfhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggghajap.dll" Gnfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfnkfn.dll" Hkaeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdafpj32.dll" Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjnfn32.dll" Gclafmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dngjff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qclmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphblj32.dll" Bhbcfbjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Haidfpki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdnjfojj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njbgmjgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dggkipii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll" Ojhpimhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll" Dcnlnaom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijpepcfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mllccpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpkbnj32.dll" Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll" Qjiipk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pcbdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfenglqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lolcnman.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhgonidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqlfhjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jelonkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcgfpia.dll" Medglemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conkjj32.dll" Nfnjbdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjfbb32.dll" Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgocgjgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iahgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdcpb32.dll" Gkefmjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkglgq32.dll" Mcfkpjng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjejmalo.dll" Kemhei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnegipj.dll" Poidhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll" Mcbpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhfdb32.dll" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaadk32.dll" Inkaqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpoalo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhafck32.dll" Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll" Mfenglqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fqfojblo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lddble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oomelheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghane32.dll" Cfkmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjamboa.dll" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Doccpcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kocphojh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjijdf32.dll" Loopdmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll" Ohmhmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdfpkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kocphojh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obnnnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfbmdabh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abcppq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocjoadei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkojhm32.dll" Ijbbfc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3864 wrote to memory of 5032 3864 NEAS.1c538ca4852a4d57f381ed3c38302180.exe 86 PID 3864 wrote to memory of 5032 3864 NEAS.1c538ca4852a4d57f381ed3c38302180.exe 86 PID 3864 wrote to memory of 5032 3864 NEAS.1c538ca4852a4d57f381ed3c38302180.exe 86 PID 5032 wrote to memory of 4688 5032 Kjccdkki.exe 87 PID 5032 wrote to memory of 4688 5032 Kjccdkki.exe 87 PID 5032 wrote to memory of 4688 5032 Kjccdkki.exe 87 PID 4688 wrote to memory of 3212 4688 Kqmkae32.exe 88 PID 4688 wrote to memory of 3212 4688 Kqmkae32.exe 88 PID 4688 wrote to memory of 3212 4688 Kqmkae32.exe 88 PID 3212 wrote to memory of 2508 3212 Kjepjkhf.exe 89 PID 3212 wrote to memory of 2508 3212 Kjepjkhf.exe 89 PID 3212 wrote to memory of 2508 3212 Kjepjkhf.exe 89 PID 2508 wrote to memory of 4592 2508 Knchpiom.exe 91 PID 2508 wrote to memory of 4592 2508 Knchpiom.exe 91 PID 2508 wrote to memory of 4592 2508 Knchpiom.exe 91 PID 4592 wrote to memory of 1176 4592 Kcpahpmd.exe 90 PID 4592 wrote to memory of 1176 4592 Kcpahpmd.exe 90 PID 4592 wrote to memory of 1176 4592 Kcpahpmd.exe 90 PID 1176 wrote to memory of 2488 1176 Knfeeimj.exe 92 PID 1176 wrote to memory of 2488 1176 Knfeeimj.exe 92 PID 1176 wrote to memory of 2488 1176 Knfeeimj.exe 92 PID 2488 wrote to memory of 4324 2488 Kdpmbc32.exe 93 PID 2488 wrote to memory of 4324 2488 Kdpmbc32.exe 93 PID 2488 wrote to memory of 4324 2488 Kdpmbc32.exe 93 PID 4324 wrote to memory of 4776 4324 Kjmfjj32.exe 94 PID 4324 wrote to memory of 4776 4324 Kjmfjj32.exe 94 PID 4324 wrote to memory of 4776 4324 Kjmfjj32.exe 94 PID 4776 wrote to memory of 4436 4776 Kdbjhbbd.exe 95 PID 4776 wrote to memory of 4436 4776 Kdbjhbbd.exe 95 PID 4776 wrote to memory of 4436 4776 Kdbjhbbd.exe 95 PID 4436 wrote to memory of 484 4436 Lgqfdnah.exe 96 PID 4436 wrote to memory of 484 4436 Lgqfdnah.exe 96 PID 4436 wrote to memory of 484 4436 Lgqfdnah.exe 96 PID 484 wrote to memory of 3856 484 Ldgccb32.exe 98 PID 484 wrote to memory of 3856 484 Ldgccb32.exe 98 PID 484 wrote to memory of 3856 484 Ldgccb32.exe 98 PID 3856 wrote to memory of 2676 3856 Lkalplel.exe 99 PID 3856 wrote to memory of 2676 3856 Lkalplel.exe 99 PID 3856 wrote to memory of 2676 3856 Lkalplel.exe 99 PID 2676 wrote to memory of 3600 2676 Lgjijmin.exe 100 PID 2676 wrote to memory of 3600 2676 Lgjijmin.exe 100 PID 2676 wrote to memory of 3600 2676 Lgjijmin.exe 100 PID 3600 wrote to memory of 2256 3600 Lndagg32.exe 102 PID 3600 wrote to memory of 2256 3600 Lndagg32.exe 102 PID 3600 wrote to memory of 2256 3600 Lndagg32.exe 102 PID 2256 wrote to memory of 3468 2256 Mkjnfkma.exe 103 PID 2256 wrote to memory of 3468 2256 Mkjnfkma.exe 103 PID 2256 wrote to memory of 3468 2256 Mkjnfkma.exe 103 PID 3468 wrote to memory of 2080 3468 Mebcop32.exe 104 PID 3468 wrote to memory of 2080 3468 Mebcop32.exe 104 PID 3468 wrote to memory of 2080 3468 Mebcop32.exe 104 PID 2080 wrote to memory of 2344 2080 Mmpdhboj.exe 105 PID 2080 wrote to memory of 2344 2080 Mmpdhboj.exe 105 PID 2080 wrote to memory of 2344 2080 Mmpdhboj.exe 105 PID 2344 wrote to memory of 2940 2344 Mjdebfnd.exe 106 PID 2344 wrote to memory of 2940 2344 Mjdebfnd.exe 106 PID 2344 wrote to memory of 2940 2344 Mjdebfnd.exe 106 PID 2940 wrote to memory of 4580 2940 Napjdpcn.exe 108 PID 2940 wrote to memory of 4580 2940 Napjdpcn.exe 108 PID 2940 wrote to memory of 4580 2940 Napjdpcn.exe 108 PID 4580 wrote to memory of 4064 4580 Nndjndbh.exe 109 PID 4580 wrote to memory of 4064 4580 Nndjndbh.exe 109 PID 4580 wrote to memory of 4064 4580 Nndjndbh.exe 109 PID 4064 wrote to memory of 4440 4064 Nhmofj32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.1c538ca4852a4d57f381ed3c38302180.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.1c538ca4852a4d57f381ed3c38302180.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592
-
-
-
-
-
-
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Kdpmbc32.exeC:\Windows\system32\Kdpmbc32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Ldgccb32.exeC:\Windows\system32\Ldgccb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Lgjijmin.exeC:\Windows\system32\Lgjijmin.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe18⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe20⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe21⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4304 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe23⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4228 -
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe25⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4964 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe27⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Pehngkcg.exeC:\Windows\system32\Pehngkcg.exe28⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe29⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe30⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe31⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Aeaanjkl.exeC:\Windows\system32\Aeaanjkl.exe33⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe34⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Adfnofpd.exeC:\Windows\system32\Adfnofpd.exe35⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe36⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe37⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe38⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe40⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe41⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe42⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe43⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Bafndi32.exeC:\Windows\system32\Bafndi32.exe44⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe45⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe46⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe48⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe49⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Cnahdi32.exeC:\Windows\system32\Cnahdi32.exe50⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe52⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe54⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe55⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:3464 -
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe57⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe58⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe59⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe60⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe61⤵PID:2120
-
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe62⤵PID:2588
-
C:\Windows\SysWOW64\Dkfadkgf.exeC:\Windows\system32\Dkfadkgf.exe63⤵
- Drops file in System32 directory
PID:4496 -
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe64⤵PID:5144
-
C:\Windows\SysWOW64\Ddnfmqng.exeC:\Windows\system32\Ddnfmqng.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Dmennnni.exeC:\Windows\system32\Dmennnni.exe66⤵PID:5248
-
C:\Windows\SysWOW64\Dngjff32.exeC:\Windows\system32\Dngjff32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe68⤵PID:5356
-
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe69⤵PID:5404
-
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe70⤵PID:5448
-
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe71⤵PID:5492
-
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe72⤵PID:5532
-
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe73⤵PID:5576
-
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe74⤵PID:5616
-
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe75⤵PID:5660
-
C:\Windows\SysWOW64\Eicedn32.exeC:\Windows\system32\Eicedn32.exe76⤵PID:5712
-
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe77⤵
- Drops file in System32 directory
PID:5752 -
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe78⤵PID:5800
-
C:\Windows\SysWOW64\Ekdnei32.exeC:\Windows\system32\Ekdnei32.exe79⤵PID:5844
-
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe80⤵PID:5888
-
C:\Windows\SysWOW64\Efjbcakl.exeC:\Windows\system32\Efjbcakl.exe81⤵
- Drops file in System32 directory
PID:5932 -
C:\Windows\SysWOW64\Fmcjpl32.exeC:\Windows\system32\Fmcjpl32.exe82⤵PID:5972
-
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe83⤵PID:6012
-
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe84⤵PID:6052
-
C:\Windows\SysWOW64\Ffnknafg.exeC:\Windows\system32\Ffnknafg.exe85⤵PID:6092
-
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe86⤵PID:6136
-
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe87⤵PID:5184
-
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe88⤵PID:5272
-
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe89⤵PID:5384
-
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe90⤵PID:5464
-
C:\Windows\SysWOW64\Fefedmil.exeC:\Windows\system32\Fefedmil.exe91⤵
- Drops file in System32 directory
PID:5560 -
C:\Windows\SysWOW64\Flpmagqi.exeC:\Windows\system32\Flpmagqi.exe92⤵PID:5624
-
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe93⤵PID:5696
-
C:\Windows\SysWOW64\Gehbjm32.exeC:\Windows\system32\Gehbjm32.exe94⤵PID:5796
-
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe95⤵
- Drops file in System32 directory
PID:5852 -
C:\Windows\SysWOW64\Gpnfge32.exeC:\Windows\system32\Gpnfge32.exe96⤵PID:5912
-
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe97⤵PID:5996
-
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe98⤵PID:6072
-
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe99⤵PID:6132
-
C:\Windows\SysWOW64\Gihgfk32.exeC:\Windows\system32\Gihgfk32.exe100⤵PID:5228
-
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe101⤵PID:5388
-
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5520 -
C:\Windows\SysWOW64\Gfodeohd.exeC:\Windows\system32\Gfodeohd.exe103⤵PID:5648
-
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe104⤵PID:5760
-
C:\Windows\SysWOW64\Hfaajnfb.exeC:\Windows\system32\Hfaajnfb.exe105⤵PID:5900
-
C:\Windows\SysWOW64\Hmkigh32.exeC:\Windows\system32\Hmkigh32.exe106⤵PID:5964
-
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe107⤵PID:6104
-
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe108⤵PID:5256
-
C:\Windows\SysWOW64\Hmmfmhll.exeC:\Windows\system32\Hmmfmhll.exe109⤵PID:5544
-
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe110⤵PID:3056
-
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe111⤵PID:5748
-
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe112⤵PID:5956
-
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe113⤵
- Drops file in System32 directory
PID:6036 -
C:\Windows\SysWOW64\Hblkjo32.exeC:\Windows\system32\Hblkjo32.exe114⤵PID:5436
-
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe115⤵PID:1516
-
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe116⤵PID:5872
-
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe117⤵PID:5216
-
C:\Windows\SysWOW64\Hmdlmg32.exeC:\Windows\system32\Hmdlmg32.exe118⤵
- Drops file in System32 directory
PID:5644 -
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe119⤵PID:5176
-
C:\Windows\SysWOW64\Iepaaico.exeC:\Windows\system32\Iepaaico.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6048 -
C:\Windows\SysWOW64\Imgicgca.exeC:\Windows\system32\Imgicgca.exe121⤵PID:3364
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-