Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
16-11-2023 08:46
Behavioral task
behavioral1
Sample
NEAS.a3ee9832e9470284fc2df5c51e726400.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.a3ee9832e9470284fc2df5c51e726400.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.a3ee9832e9470284fc2df5c51e726400.exe
-
Size
357KB
-
MD5
a3ee9832e9470284fc2df5c51e726400
-
SHA1
5d40b195165706d8d5f121e310fe043bec0dd600
-
SHA256
74ac6539e88c9d0f339704d8a3e5691b5950e337424dd82ee41d2c077d3407fd
-
SHA512
e8e148a661b3e4a58a0c51e740d549f99fcf31d843b350f600d1780d3d91462187df740c341c8c8f628a8062b3e899561a233ccfa26deb46a3d6edff66ce1687
-
SSDEEP
6144:ibp+tdX+wgOb/t1n6xJmPMwZoXpKtCe8AUReheFlfSZR0SvsuFrGoyeg3kl+fiXt:I+XX3gOrZoXpKtCe1eehil6ZR5ZrQegO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlafk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjghgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edjgpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkgoke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmghklif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihfmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiglen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmmmnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlhlleeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkbkkbdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnmjomlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfdkiac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilccoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eifffoob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohapb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opcjno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqdechnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnglhnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjbfklei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhgjll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcegi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pplobcpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knooej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmneemaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklbfaae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckbncapd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oogdfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bflagg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dehnpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlhccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmieae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjlnhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kagimmol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhmmchpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkkple32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfobofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naodbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfpkbfdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcckcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjcof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmfel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibeqgdpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lajhpbme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfafhjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmdng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppafpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nekgna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkechjib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmomecoi.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000022e2e-6.dat family_berbew behavioral2/files/0x0007000000022e2e-8.dat family_berbew behavioral2/files/0x0008000000022e2a-14.dat family_berbew behavioral2/files/0x0008000000022e2a-16.dat family_berbew behavioral2/files/0x0007000000022e31-23.dat family_berbew behavioral2/files/0x0007000000022e31-22.dat family_berbew behavioral2/files/0x0007000000022e33-30.dat family_berbew behavioral2/files/0x0007000000022e33-31.dat family_berbew behavioral2/files/0x0007000000022e35-38.dat family_berbew behavioral2/files/0x0007000000022e35-39.dat family_berbew behavioral2/files/0x0007000000022e37-46.dat family_berbew behavioral2/files/0x0007000000022e37-48.dat family_berbew behavioral2/files/0x0007000000022e3a-55.dat family_berbew behavioral2/files/0x0007000000022e3a-54.dat family_berbew behavioral2/files/0x0007000000022e3c-62.dat family_berbew behavioral2/files/0x0007000000022e3c-63.dat family_berbew behavioral2/files/0x0007000000022e3e-70.dat family_berbew behavioral2/files/0x0007000000022e3e-72.dat family_berbew behavioral2/files/0x0007000000022e40-73.dat family_berbew behavioral2/files/0x0007000000022e40-78.dat family_berbew behavioral2/files/0x0007000000022e40-80.dat family_berbew behavioral2/files/0x0007000000022e42-86.dat family_berbew behavioral2/files/0x0007000000022e42-87.dat family_berbew behavioral2/files/0x0007000000022e44-94.dat family_berbew behavioral2/files/0x0007000000022e44-96.dat family_berbew behavioral2/files/0x0007000000022e47-102.dat family_berbew behavioral2/files/0x0007000000022e47-104.dat family_berbew behavioral2/files/0x0007000000022e49-110.dat family_berbew behavioral2/files/0x0007000000022e49-111.dat family_berbew behavioral2/files/0x0007000000022e4b-119.dat family_berbew behavioral2/files/0x0007000000022e4b-118.dat family_berbew behavioral2/files/0x0007000000022e4d-126.dat family_berbew behavioral2/files/0x0007000000022e4d-128.dat family_berbew behavioral2/files/0x0007000000022e4f-134.dat family_berbew behavioral2/files/0x0007000000022e51-142.dat family_berbew behavioral2/files/0x0007000000022e53-150.dat family_berbew behavioral2/files/0x0007000000022e57-166.dat family_berbew behavioral2/files/0x0007000000022e59-174.dat family_berbew behavioral2/files/0x0007000000022e5b-182.dat family_berbew behavioral2/files/0x0007000000022e59-175.dat family_berbew behavioral2/files/0x0007000000022e5f-199.dat family_berbew behavioral2/files/0x0007000000022e5f-198.dat family_berbew behavioral2/files/0x0007000000022e61-207.dat family_berbew behavioral2/files/0x0007000000022e61-206.dat family_berbew behavioral2/files/0x0007000000022e5d-191.dat family_berbew behavioral2/files/0x0007000000022e5d-190.dat family_berbew behavioral2/files/0x0007000000022e5b-183.dat family_berbew behavioral2/files/0x0007000000022e64-214.dat family_berbew behavioral2/files/0x0007000000022e64-215.dat family_berbew behavioral2/files/0x0007000000022e67-222.dat family_berbew behavioral2/files/0x0007000000022e57-167.dat family_berbew behavioral2/files/0x0007000000022e67-223.dat family_berbew behavioral2/files/0x0007000000022e55-159.dat family_berbew behavioral2/files/0x0007000000022e55-158.dat family_berbew behavioral2/files/0x0007000000022e53-151.dat family_berbew behavioral2/files/0x0007000000022e51-143.dat family_berbew behavioral2/files/0x0007000000022e4f-135.dat family_berbew behavioral2/files/0x0007000000022e69-230.dat family_berbew behavioral2/files/0x0007000000022e69-231.dat family_berbew behavioral2/files/0x0007000000022e6c-238.dat family_berbew behavioral2/files/0x0007000000022e6c-239.dat family_berbew behavioral2/files/0x0007000000022e6e-247.dat family_berbew behavioral2/files/0x0007000000022e6e-246.dat family_berbew behavioral2/files/0x000200000002244f-254.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4020 Pidabppl.exe 1856 Pcmeke32.exe 788 Pkhjph32.exe 560 Piijno32.exe 1508 Qhngolpo.exe 4592 Qaflgago.exe 2192 Aojlaeei.exe 224 Ahcajk32.exe 812 Aakebqbj.exe 508 Akcjkfij.exe 4328 Alcfei32.exe 1064 Acmobchj.exe 4948 Acokhc32.exe 4972 Bkkple32.exe 1744 Bjlpjm32.exe 4452 Bbgeno32.exe 1616 Bbiado32.exe 3896 Bkafmd32.exe 4128 Bjbfklei.exe 1208 Bckkca32.exe 1604 Cjecpkcg.exe 5072 Cobkhb32.exe 3756 Cjgpfk32.exe 1504 Codhnb32.exe 4296 Cjjlkk32.exe 4444 Cbeapmll.exe 1116 Cbgnemjj.exe 1776 Diccgfpd.exe 2292 Dcigeooj.exe 4488 Dckdjomg.exe 4528 Djelgied.exe 336 Eiaoid32.exe 4816 Ebjcajjd.exe 4040 Epndknin.exe 3576 Ejchhgid.exe 3180 Eppqqn32.exe 4196 Elgaeolp.exe 3604 Fcniglmb.exe 3664 Fjhacf32.exe 4960 Fjjnifbl.exe 888 Fpggamqc.exe 1368 Ffaong32.exe 1528 Flngfn32.exe 208 Fbhpch32.exe 4860 Flqdlnde.exe 4908 Fffhifdk.exe 4896 Fmpqfq32.exe 1388 Gmbmkpie.exe 4796 Giinpa32.exe 2964 Gdobnj32.exe 3196 Gljgbllj.exe 2824 Gingkqkd.exe 3852 Gdcliikj.exe 2648 Gkmdecbg.exe 1704 Hloqml32.exe 4708 Hgdejd32.exe 4152 Hlambk32.exe 1412 Hkbmqb32.exe 996 Hmpjmn32.exe 548 Hcmbee32.exe 1044 Hmbfbn32.exe 4920 Hcpojd32.exe 1812 Hlhccj32.exe 3620 Hgmgqc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fkjfloeo.exe Fhljpcfk.exe File created C:\Windows\SysWOW64\Oenmdg32.dll Dhdmfljb.exe File created C:\Windows\SysWOW64\Kfcdaehf.exe Kaflio32.exe File opened for modification C:\Windows\SysWOW64\Obkiqi32.exe Oplmdnpc.exe File opened for modification C:\Windows\SysWOW64\Pgmkbg32.exe Pdoofl32.exe File opened for modification C:\Windows\SysWOW64\Akgcdc32.exe Admkgifd.exe File created C:\Windows\SysWOW64\Dfkecidg.dll Ffaong32.exe File opened for modification C:\Windows\SysWOW64\Ilafiihp.exe Ijcjmmil.exe File created C:\Windows\SysWOW64\Dicbfhni.exe Dbijinfl.exe File created C:\Windows\SysWOW64\Gkkgaf32.dll Process not Found File created C:\Windows\SysWOW64\Pkbjjbda.exe Pdhbmh32.exe File created C:\Windows\SysWOW64\Gledpe32.exe Gjghdj32.exe File created C:\Windows\SysWOW64\Lniphngj.dll Nmbamdkm.exe File opened for modification C:\Windows\SysWOW64\Ngemjg32.exe Mgbpdgap.exe File opened for modification C:\Windows\SysWOW64\Fpcdof32.exe Fiilblom.exe File opened for modification C:\Windows\SysWOW64\Keakqeal.exe Kbbodj32.exe File opened for modification C:\Windows\SysWOW64\Hnodkjhq.exe Hkpgooim.exe File created C:\Windows\SysWOW64\Okpkaqmp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bkadoo32.exe Bichcc32.exe File created C:\Windows\SysWOW64\Egflpjbk.dll Mhmmchpd.exe File created C:\Windows\SysWOW64\Komkno32.dll Fipbnn32.exe File opened for modification C:\Windows\SysWOW64\Cphgca32.exe Cjnoggoh.exe File opened for modification C:\Windows\SysWOW64\Cbeapmll.exe Cjjlkk32.exe File created C:\Windows\SysWOW64\Boljdcel.dll Gnanioad.exe File created C:\Windows\SysWOW64\Iddehb32.dll Dpnbmi32.exe File created C:\Windows\SysWOW64\Gbbkjgpl.exe Gkhbnm32.exe File created C:\Windows\SysWOW64\Lgnekcei.exe Lijdbofo.exe File opened for modification C:\Windows\SysWOW64\Jnfcbg32.exe Jkggfl32.exe File opened for modification C:\Windows\SysWOW64\Lalnfooo.exe Liqibm32.exe File created C:\Windows\SysWOW64\Imcqacfq.exe Ifihdi32.exe File created C:\Windows\SysWOW64\Minipm32.exe Mhmmieil.exe File opened for modification C:\Windows\SysWOW64\Qlajkm32.exe Qibmoa32.exe File created C:\Windows\SysWOW64\Comddn32.exe Cjpllgme.exe File opened for modification C:\Windows\SysWOW64\Lijdbofo.exe Ldmlih32.exe File created C:\Windows\SysWOW64\Bbkbabje.dll Cjlilndf.exe File created C:\Windows\SysWOW64\Kohhopdk.dll Process not Found File created C:\Windows\SysWOW64\Fbhhlbgb.dll Pjnbfmom.exe File created C:\Windows\SysWOW64\Mpqmcoei.dll Kbmoodbb.exe File created C:\Windows\SysWOW64\Blgeik32.dll Kfhnme32.exe File created C:\Windows\SysWOW64\Fpeapilo.exe Fmgecn32.exe File created C:\Windows\SysWOW64\Fkpoha32.exe Fdffkgpc.exe File opened for modification C:\Windows\SysWOW64\Jlmfomcp.exe Process not Found File created C:\Windows\SysWOW64\Ndpcdjho.exe Nkgoke32.exe File created C:\Windows\SysWOW64\Pnmjomlg.exe Pgcbbc32.exe File opened for modification C:\Windows\SysWOW64\Aijeme32.exe Abpmpkoh.exe File opened for modification C:\Windows\SysWOW64\Bnehgmob.exe Bkglkapo.exe File created C:\Windows\SysWOW64\Mknjopdf.dll Kppimogj.exe File created C:\Windows\SysWOW64\Dhjcdimf.exe Dpckclld.exe File created C:\Windows\SysWOW64\Ljmmnf32.exe Kgopbj32.exe File created C:\Windows\SysWOW64\Lalnfooo.exe Liqibm32.exe File created C:\Windows\SysWOW64\Akcjel32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kdigadjo.exe Knooej32.exe File created C:\Windows\SysWOW64\Ejiiippb.exe Dicbfhni.exe File created C:\Windows\SysWOW64\Npqmipjq.exe Nmbamdkm.exe File created C:\Windows\SysWOW64\Ldphjaof.dll Khpgmqpp.exe File opened for modification C:\Windows\SysWOW64\Kjffngap.exe Knofif32.exe File created C:\Windows\SysWOW64\Hemqgjog.dll Kqbdldnq.exe File created C:\Windows\SysWOW64\Hehkga32.dll Nndjndbh.exe File created C:\Windows\SysWOW64\Egbcih32.dll Ifmqfm32.exe File created C:\Windows\SysWOW64\Moakbk32.dll Phcogice.exe File opened for modification C:\Windows\SysWOW64\Akfdcq32.exe Qdllffpo.exe File opened for modification C:\Windows\SysWOW64\Jcknpi32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mebchf32.exe Process not Found File created C:\Windows\SysWOW64\Iljpij32.exe Hgmgqc32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgamhjja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmlafk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apobakpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfjjqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okkalnjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beippj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbhmnhcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolqpa32.dll" Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjafhlf.dll" Qciebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dijppjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llieej32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbkklqq.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkklkejm.dll" Lajhpbme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqfcmdpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhoiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knofif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpdfpmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padkjq32.dll" Biljib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkhdmeh.dll" Pgnblm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ababkdij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefked32.dll" Qffoejkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbfmcg32.dll" Eoindndf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Menpgmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddhjo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjejdglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkechjib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnkfj32.dll" Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfclmfhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcjfpfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbdoakj.dll" Kagimmol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" Fmpqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgpcklpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idieob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gllajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amblpikl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqoijcbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlljcfl.dll" Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhgoj32.dll" Afpbkicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihnhc32.dll" Ifihdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdhlhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbeapmll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dakampio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcjnikhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpbdfgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhabgce.dll" Fkmbbajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nldhpeop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgofoamj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjaacbec.dll" Hcbpme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nieoal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pghaghfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bikojc32.dll" Ffekom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldckan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmiljn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pncanhaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahcajk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccgjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jidbpa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1012 wrote to memory of 4020 1012 NEAS.a3ee9832e9470284fc2df5c51e726400.exe 88 PID 1012 wrote to memory of 4020 1012 NEAS.a3ee9832e9470284fc2df5c51e726400.exe 88 PID 1012 wrote to memory of 4020 1012 NEAS.a3ee9832e9470284fc2df5c51e726400.exe 88 PID 4020 wrote to memory of 1856 4020 Pidabppl.exe 90 PID 4020 wrote to memory of 1856 4020 Pidabppl.exe 90 PID 4020 wrote to memory of 1856 4020 Pidabppl.exe 90 PID 1856 wrote to memory of 788 1856 Pcmeke32.exe 91 PID 1856 wrote to memory of 788 1856 Pcmeke32.exe 91 PID 1856 wrote to memory of 788 1856 Pcmeke32.exe 91 PID 788 wrote to memory of 560 788 Pkhjph32.exe 92 PID 788 wrote to memory of 560 788 Pkhjph32.exe 92 PID 788 wrote to memory of 560 788 Pkhjph32.exe 92 PID 560 wrote to memory of 1508 560 Piijno32.exe 93 PID 560 wrote to memory of 1508 560 Piijno32.exe 93 PID 560 wrote to memory of 1508 560 Piijno32.exe 93 PID 1508 wrote to memory of 4592 1508 Qhngolpo.exe 94 PID 1508 wrote to memory of 4592 1508 Qhngolpo.exe 94 PID 1508 wrote to memory of 4592 1508 Qhngolpo.exe 94 PID 4592 wrote to memory of 2192 4592 Qaflgago.exe 95 PID 4592 wrote to memory of 2192 4592 Qaflgago.exe 95 PID 4592 wrote to memory of 2192 4592 Qaflgago.exe 95 PID 2192 wrote to memory of 224 2192 Aojlaeei.exe 96 PID 2192 wrote to memory of 224 2192 Aojlaeei.exe 96 PID 2192 wrote to memory of 224 2192 Aojlaeei.exe 96 PID 224 wrote to memory of 812 224 Ahcajk32.exe 97 PID 224 wrote to memory of 812 224 Ahcajk32.exe 97 PID 224 wrote to memory of 812 224 Ahcajk32.exe 97 PID 812 wrote to memory of 508 812 Aakebqbj.exe 98 PID 812 wrote to memory of 508 812 Aakebqbj.exe 98 PID 812 wrote to memory of 508 812 Aakebqbj.exe 98 PID 508 wrote to memory of 4328 508 Akcjkfij.exe 99 PID 508 wrote to memory of 4328 508 Akcjkfij.exe 99 PID 508 wrote to memory of 4328 508 Akcjkfij.exe 99 PID 4328 wrote to memory of 1064 4328 Alcfei32.exe 100 PID 4328 wrote to memory of 1064 4328 Alcfei32.exe 100 PID 4328 wrote to memory of 1064 4328 Alcfei32.exe 100 PID 1064 wrote to memory of 4948 1064 Acmobchj.exe 101 PID 1064 wrote to memory of 4948 1064 Acmobchj.exe 101 PID 1064 wrote to memory of 4948 1064 Acmobchj.exe 101 PID 4948 wrote to memory of 4972 4948 Acokhc32.exe 102 PID 4948 wrote to memory of 4972 4948 Acokhc32.exe 102 PID 4948 wrote to memory of 4972 4948 Acokhc32.exe 102 PID 4972 wrote to memory of 1744 4972 Bkkple32.exe 103 PID 4972 wrote to memory of 1744 4972 Bkkple32.exe 103 PID 4972 wrote to memory of 1744 4972 Bkkple32.exe 103 PID 1744 wrote to memory of 4452 1744 Bjlpjm32.exe 104 PID 1744 wrote to memory of 4452 1744 Bjlpjm32.exe 104 PID 1744 wrote to memory of 4452 1744 Bjlpjm32.exe 104 PID 4452 wrote to memory of 1616 4452 Bbgeno32.exe 105 PID 4452 wrote to memory of 1616 4452 Bbgeno32.exe 105 PID 4452 wrote to memory of 1616 4452 Bbgeno32.exe 105 PID 1616 wrote to memory of 3896 1616 Bbiado32.exe 117 PID 1616 wrote to memory of 3896 1616 Bbiado32.exe 117 PID 1616 wrote to memory of 3896 1616 Bbiado32.exe 117 PID 3896 wrote to memory of 4128 3896 Bkafmd32.exe 106 PID 3896 wrote to memory of 4128 3896 Bkafmd32.exe 106 PID 3896 wrote to memory of 4128 3896 Bkafmd32.exe 106 PID 4128 wrote to memory of 1208 4128 Bjbfklei.exe 116 PID 4128 wrote to memory of 1208 4128 Bjbfklei.exe 116 PID 4128 wrote to memory of 1208 4128 Bjbfklei.exe 116 PID 1208 wrote to memory of 1604 1208 Bckkca32.exe 115 PID 1208 wrote to memory of 1604 1208 Bckkca32.exe 115 PID 1208 wrote to memory of 1604 1208 Bckkca32.exe 115 PID 1604 wrote to memory of 5072 1604 Cjecpkcg.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.a3ee9832e9470284fc2df5c51e726400.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.a3ee9832e9470284fc2df5c51e726400.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208
-
-
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe1⤵
- Executes dropped EXE
- Modifies registry class
PID:4444 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe2⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe3⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe4⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe5⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe6⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe7⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe8⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe9⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe10⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe11⤵
- Executes dropped EXE
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe12⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe13⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe14⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe15⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe16⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe18⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe19⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe20⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe21⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe22⤵
- Executes dropped EXE
- Modifies registry class
PID:4896 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe23⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe24⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe25⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe26⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe27⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe28⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe29⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe30⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe31⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe32⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe33⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe34⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe36⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3620 -
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe40⤵PID:4360
-
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe41⤵PID:3672
-
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:620 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe43⤵PID:4748
-
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe44⤵PID:2968
-
C:\Windows\SysWOW64\Inlihl32.exeC:\Windows\system32\Inlihl32.exe45⤵PID:5172
-
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe46⤵PID:5212
-
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe47⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe48⤵PID:5316
-
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe49⤵PID:5368
-
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe51⤵PID:5488
-
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe52⤵PID:5536
-
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe53⤵PID:5584
-
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe54⤵PID:5636
-
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe55⤵PID:5680
-
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe56⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe57⤵PID:5788
-
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe58⤵PID:5832
-
C:\Windows\SysWOW64\Jnjejjgh.exeC:\Windows\system32\Jnjejjgh.exe59⤵PID:5880
-
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe60⤵PID:5924
-
C:\Windows\SysWOW64\Jlobkg32.exeC:\Windows\system32\Jlobkg32.exe61⤵PID:5968
-
C:\Windows\SysWOW64\Jcikgacl.exeC:\Windows\system32\Jcikgacl.exe62⤵PID:6016
-
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6056 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe64⤵PID:6104
-
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe65⤵PID:4228
-
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe66⤵PID:5196
-
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe67⤵PID:5268
-
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe68⤵PID:5348
-
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe69⤵
- Drops file in System32 directory
PID:5496 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe70⤵PID:5564
-
C:\Windows\SysWOW64\Kmieae32.exeC:\Windows\system32\Kmieae32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5688 -
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe72⤵PID:5780
-
C:\Windows\SysWOW64\Lddgmbpb.exeC:\Windows\system32\Lddgmbpb.exe73⤵PID:5844
-
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe74⤵PID:5900
-
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe75⤵PID:5980
-
C:\Windows\SysWOW64\Lgepom32.exeC:\Windows\system32\Lgepom32.exe76⤵
- Modifies registry class
PID:6044 -
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe77⤵PID:6084
-
C:\Windows\SysWOW64\Ldipha32.exeC:\Windows\system32\Ldipha32.exe78⤵PID:5200
-
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe79⤵PID:5288
-
C:\Windows\SysWOW64\Lgjijmin.exeC:\Windows\system32\Lgjijmin.exe80⤵PID:5476
-
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe81⤵PID:3384
-
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe82⤵PID:5724
-
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe83⤵PID:5864
-
C:\Windows\SysWOW64\Mminhceb.exeC:\Windows\system32\Mminhceb.exe84⤵PID:5952
-
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe85⤵PID:6092
-
C:\Windows\SysWOW64\Mgobel32.exeC:\Windows\system32\Mgobel32.exe86⤵PID:5220
-
C:\Windows\SysWOW64\Mjmoag32.exeC:\Windows\system32\Mjmoag32.exe87⤵PID:5516
-
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe88⤵PID:5712
-
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe89⤵PID:5908
-
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe90⤵PID:6088
-
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe91⤵PID:5436
-
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe92⤵PID:5692
-
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe93⤵PID:6040
-
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe94⤵PID:1280
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe95⤵PID:5728
-
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe96⤵PID:6100
-
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe97⤵PID:5336
-
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe98⤵PID:5256
-
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe99⤵PID:5252
-
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe100⤵PID:6168
-
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe101⤵
- Drops file in System32 directory
PID:6228 -
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe102⤵PID:6276
-
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe103⤵PID:6320
-
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe104⤵PID:6364
-
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe105⤵PID:6408
-
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe106⤵PID:6452
-
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe107⤵PID:6496
-
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe108⤵PID:6540
-
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6584 -
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe110⤵PID:6628
-
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe111⤵PID:6668
-
C:\Windows\SysWOW64\Odmbaj32.exeC:\Windows\system32\Odmbaj32.exe112⤵PID:6704
-
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe113⤵PID:6752
-
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe114⤵PID:6800
-
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe115⤵PID:6844
-
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe116⤵PID:6888
-
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe117⤵PID:6932
-
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe118⤵PID:6980
-
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe119⤵PID:7024
-
C:\Windows\SysWOW64\Pmlmkn32.exeC:\Windows\system32\Pmlmkn32.exe120⤵PID:7068
-
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe121⤵PID:7116
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-