Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
17/11/2023, 04:29
Behavioral task
behavioral1
Sample
NEAS.d948a4b38d12536230ebd677935da9f0.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.d948a4b38d12536230ebd677935da9f0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.d948a4b38d12536230ebd677935da9f0.exe
-
Size
120KB
-
MD5
d948a4b38d12536230ebd677935da9f0
-
SHA1
131ae7ea49c266e8363a0cbcf7fef4eb16b0bb3b
-
SHA256
90e8442298c113ca59e5c2612e280bfc8eb438562079e91b4c81d2802ee78d32
-
SHA512
9621057710e0ab4d785afa8deed5a4e5cb46d8cd61b2bb84e47a0565f57f6cc087e43345ecc7004db0473f51d3993420e691b0e3282a8d424120b9cedcd7aa12
-
SSDEEP
3072:H7/5GO3PY4EZJsXl4ReaeHez203H/6TC+qF1SsB1bw4AVRrd9:bx9mygre+z9C81NBy9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calfpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Janghmia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbcbnlcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohibc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemkelcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqhjggp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keimof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edgbii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Biiobo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fggdpnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnkbcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohlqcagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpljehpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Piceflpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebdcld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfeeabda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnplfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oloipmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njljch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfpell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfhndpol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabmmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bheffh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehdfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdkdibjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbgfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqknkedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgeakekd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obidcdfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbcfhibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lqpamb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkqfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmfimga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Almanf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcndbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aamknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oakbehfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchhfild.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nooikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Peempn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgkmgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgphpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfpell32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcebe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbeip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbiapb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjmhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlifnphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncchae32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022bdb-6.dat family_berbew behavioral2/files/0x0008000000022bdb-7.dat family_berbew behavioral2/files/0x0007000000022cc8-15.dat family_berbew behavioral2/files/0x0007000000022cc8-14.dat family_berbew behavioral2/files/0x0007000000022cca-22.dat family_berbew behavioral2/files/0x0007000000022cca-23.dat family_berbew behavioral2/files/0x0007000000022ccc-30.dat family_berbew behavioral2/files/0x0007000000022ccc-31.dat family_berbew behavioral2/files/0x0007000000022cce-38.dat family_berbew behavioral2/files/0x0007000000022cce-39.dat family_berbew behavioral2/files/0x0007000000022cd0-46.dat family_berbew behavioral2/files/0x0007000000022cd0-47.dat family_berbew behavioral2/files/0x0007000000022cd2-54.dat family_berbew behavioral2/files/0x0007000000022cd2-55.dat family_berbew behavioral2/files/0x0007000000022cd6-64.dat family_berbew behavioral2/files/0x0007000000022cd6-62.dat family_berbew behavioral2/files/0x0007000000022cd9-70.dat family_berbew behavioral2/files/0x0007000000022cd9-71.dat family_berbew behavioral2/files/0x0007000000022cdb-78.dat family_berbew behavioral2/files/0x0007000000022cdb-79.dat family_berbew behavioral2/files/0x0007000000022cdd-86.dat family_berbew behavioral2/files/0x0007000000022cdd-88.dat family_berbew behavioral2/files/0x0007000000022cdf-94.dat family_berbew behavioral2/files/0x0007000000022cdf-95.dat family_berbew behavioral2/files/0x0006000000022ce4-102.dat family_berbew behavioral2/files/0x0006000000022ce4-104.dat family_berbew behavioral2/files/0x0006000000022ce6-110.dat family_berbew behavioral2/files/0x0006000000022ce6-111.dat family_berbew behavioral2/files/0x0006000000022ce9-118.dat family_berbew behavioral2/files/0x0006000000022ce9-120.dat family_berbew behavioral2/files/0x0006000000022ceb-126.dat family_berbew behavioral2/files/0x0006000000022ceb-127.dat family_berbew behavioral2/files/0x0006000000022ced-134.dat family_berbew behavioral2/files/0x0006000000022ced-135.dat family_berbew behavioral2/files/0x0006000000022cf1-142.dat family_berbew behavioral2/files/0x0006000000022cf1-144.dat family_berbew behavioral2/files/0x0006000000022cf7-150.dat family_berbew behavioral2/files/0x0006000000022cf7-151.dat family_berbew behavioral2/files/0x0003000000022308-158.dat family_berbew behavioral2/files/0x0003000000022308-160.dat family_berbew behavioral2/files/0x0006000000022cfa-166.dat family_berbew behavioral2/files/0x0006000000022cfa-168.dat family_berbew behavioral2/files/0x0006000000022cfd-174.dat family_berbew behavioral2/files/0x0006000000022cfd-175.dat family_berbew behavioral2/files/0x0006000000022cff-182.dat family_berbew behavioral2/files/0x0006000000022cff-183.dat family_berbew behavioral2/files/0x0006000000022d03-190.dat family_berbew behavioral2/files/0x0006000000022d03-191.dat family_berbew behavioral2/files/0x0004000000022307-198.dat family_berbew behavioral2/files/0x0008000000022cf4-206.dat family_berbew behavioral2/files/0x0004000000022307-200.dat family_berbew behavioral2/files/0x0008000000022cf4-208.dat family_berbew behavioral2/files/0x0008000000022cf6-213.dat family_berbew behavioral2/files/0x0008000000022cf6-215.dat family_berbew behavioral2/files/0x0008000000022d05-222.dat family_berbew behavioral2/files/0x0008000000022d05-224.dat family_berbew behavioral2/files/0x0006000000022d07-230.dat family_berbew behavioral2/files/0x0006000000022d07-231.dat family_berbew behavioral2/files/0x0006000000022d09-238.dat family_berbew behavioral2/files/0x0006000000022d09-240.dat family_berbew behavioral2/files/0x0006000000022d0b-246.dat family_berbew behavioral2/files/0x0006000000022d0b-248.dat family_berbew behavioral2/files/0x0006000000022d0d-254.dat family_berbew behavioral2/files/0x0006000000022d0d-256.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1596 Phincl32.exe 1204 Qofcff32.exe 696 Qljcoj32.exe 4168 Ajndioga.exe 2768 Ajpqnneo.exe 4164 Alqjpi32.exe 1580 Ajdjin32.exe 1644 Ahjgjj32.exe 2264 Bjicdmmd.exe 5096 Bbdhiojo.exe 4252 Bohibc32.exe 5040 Bkoigdom.exe 2660 Bhcjqinf.exe 2672 Bheffh32.exe 2760 Bckkca32.exe 3920 Ccmgiaig.exe 4876 Cbeapmll.exe 1368 Ccdnjp32.exe 4240 Coknoaic.exe 1968 Djhimica.exe 648 Dpgnjo32.exe 1632 Elnoopdj.exe 2144 Ebjcajjd.exe 956 Epndknin.exe 4324 Fmfnpa32.exe 3612 Fbcfhibj.exe 4172 Fmikeaap.exe 2984 Fipkjb32.exe 1544 Glengm32.exe 1312 Gpcfmkff.exe 3780 Gbdoof32.exe 936 Gbfldf32.exe 3424 Hgdejd32.exe 2332 Hdhedh32.exe 2616 Hienlpel.exe 2212 Hkdjfb32.exe 1720 Hcpojd32.exe 1460 Hpcodihc.exe 3068 Iljpij32.exe 4652 Igpdfb32.exe 2744 Icfekc32.exe 3252 Ipjedh32.exe 2248 Inqbclob.exe 2160 Jjgchm32.exe 1692 Jcphab32.exe 1760 Jnelok32.exe 4352 Jjoiil32.exe 3516 Jcgnbaeo.exe 1664 Jqknkedi.exe 4552 Kkpbin32.exe 3344 Kdigadjo.exe 2280 Kjepjkhf.exe 3416 Kcndbp32.exe 2376 Kcpahpmd.exe 1392 Knfeeimj.exe 1812 Kdpmbc32.exe 3404 Knhakh32.exe 584 Ljobpiql.exe 4116 Lqikmc32.exe 2664 Lqkgbcff.exe 5056 Lkalplel.exe 940 Lqndhcdc.exe 4104 Lkchelci.exe 2236 Lqpamb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bakgoh32.exe Blnoga32.exe File created C:\Windows\SysWOW64\Aggpfkjj.exe Aajhndkb.exe File created C:\Windows\SysWOW64\Gejhef32.exe Fiqjke32.exe File created C:\Windows\SysWOW64\Ncchae32.exe Njjdho32.exe File created C:\Windows\SysWOW64\Bmaoca32.dll Hcjmhk32.exe File created C:\Windows\SysWOW64\Cdbijb32.dll Nlmdbh32.exe File opened for modification C:\Windows\SysWOW64\Ibhkfm32.exe Ilnbicff.exe File created C:\Windows\SysWOW64\Dafppp32.exe Cklhcfle.exe File created C:\Windows\SysWOW64\Pmcclm32.exe Pdkoch32.exe File created C:\Windows\SysWOW64\Iocbnhog.dll Mfeeabda.exe File created C:\Windows\SysWOW64\Cnnjancb.dll Glhimp32.exe File created C:\Windows\SysWOW64\Egjgdg32.dll Aamknj32.exe File created C:\Windows\SysWOW64\Poigcbng.dll Dbkqfe32.exe File created C:\Windows\SysWOW64\Bpjmph32.exe Bkmeha32.exe File created C:\Windows\SysWOW64\Jhbejblj.dll Hgcmbj32.exe File created C:\Windows\SysWOW64\Kpjccmbf.dll Ehlhih32.exe File created C:\Windows\SysWOW64\Gcmjja32.dll Jaonbc32.exe File created C:\Windows\SysWOW64\Kpbgeaba.dll Mpeiie32.exe File created C:\Windows\SysWOW64\Gfomcn32.dll Pkklbh32.exe File created C:\Windows\SysWOW64\Bblcfo32.exe Albkieqj.exe File created C:\Windows\SysWOW64\Anhejhfp.dll Jgkmgk32.exe File opened for modification C:\Windows\SysWOW64\Onapdl32.exe Opqofe32.exe File created C:\Windows\SysWOW64\Ndidna32.exe Nchhfild.exe File created C:\Windows\SysWOW64\Bkobmnka.exe Bebjdgmj.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll Dmcain32.exe File created C:\Windows\SysWOW64\Kpcjgnhb.exe Kfnfjehl.exe File created C:\Windows\SysWOW64\Ieoigp32.dll Aggpfkjj.exe File created C:\Windows\SysWOW64\Hdhedh32.exe Hgdejd32.exe File created C:\Windows\SysWOW64\Bdbbme32.dll Cibain32.exe File opened for modification C:\Windows\SysWOW64\Hkcbnh32.exe Hejjanpm.exe File created C:\Windows\SysWOW64\Ddnobj32.exe Doagjc32.exe File opened for modification C:\Windows\SysWOW64\Lhnhajba.exe Kcapicdj.exe File opened for modification C:\Windows\SysWOW64\Lkchelci.exe Lqndhcdc.exe File created C:\Windows\SysWOW64\Ghaeocdd.dll Oqhoeb32.exe File opened for modification C:\Windows\SysWOW64\Ddcebe32.exe Dgpeha32.exe File created C:\Windows\SysWOW64\Bhblllfo.exe Bahdob32.exe File created C:\Windows\SysWOW64\Mckmcadl.dll Ofckhj32.exe File created C:\Windows\SysWOW64\Fpiedd32.dll Fgqgfl32.exe File created C:\Windows\SysWOW64\Icajjnkn.dll Ibgmaqfl.exe File created C:\Windows\SysWOW64\Gejain32.dll Onkidm32.exe File created C:\Windows\SysWOW64\Njlmnj32.dll Hemmac32.exe File created C:\Windows\SysWOW64\Cqglioac.dll Meiioonj.exe File opened for modification C:\Windows\SysWOW64\Aknifq32.exe Aeaanjkl.exe File created C:\Windows\SysWOW64\Hopaik32.dll Lknjhokg.exe File created C:\Windows\SysWOW64\Acicqigg.dll Nchhfild.exe File created C:\Windows\SysWOW64\Chdjpphi.dll Odjmdocp.exe File opened for modification C:\Windows\SysWOW64\Fipkjb32.exe Fmikeaap.exe File created C:\Windows\SysWOW64\Ncmhko32.exe Nhhdnf32.exe File opened for modification C:\Windows\SysWOW64\Ndpjnq32.exe Nhjjip32.exe File opened for modification C:\Windows\SysWOW64\Akccap32.exe Aefjii32.exe File opened for modification C:\Windows\SysWOW64\Klpakj32.exe Kpiqfima.exe File opened for modification C:\Windows\SysWOW64\Lfiokmkc.exe Llqjbhdc.exe File opened for modification C:\Windows\SysWOW64\Fggdpnkf.exe Ephbhd32.exe File created C:\Windows\SysWOW64\Pbjnik32.dll Fmfnpa32.exe File created C:\Windows\SysWOW64\Hleoiomo.dll Kdigadjo.exe File created C:\Windows\SysWOW64\Famcfn32.dll Lqikmc32.exe File created C:\Windows\SysWOW64\Enkdaepb.exe Emjgim32.exe File opened for modification C:\Windows\SysWOW64\Keceoj32.exe Koimbpbc.exe File opened for modification C:\Windows\SysWOW64\Hpchib32.exe Hiipmhmk.exe File created C:\Windows\SysWOW64\Fopjdidn.dll Mqkiok32.exe File created C:\Windows\SysWOW64\Fnebjidl.dll Lhnhajba.exe File created C:\Windows\SysWOW64\Aldclhie.dll Bmggingc.exe File created C:\Windows\SysWOW64\Pnifekmd.exe Phonha32.exe File opened for modification C:\Windows\SysWOW64\Cdmoafdb.exe Ckdkhq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1916 5740 WerFault.exe 639 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Alnfpcag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cocacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglblmfn.dll" Amjillkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iecmhlhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kocphojh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bboplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccmgiaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecakqg32.dll" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcklp32.dll" Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbeapmll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keldkigj.dll" Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njljch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofjqihnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmgqpkip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Keceoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dafppp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gppcmeem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddekmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbcohkd.dll" Ebjcajjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijgiemgc.dll" Bdocph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahjgjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlmdbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdpdane.dll" Lkcccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcpfdbd.dll" Edgbii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eaceghcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjmodffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmjcf32.dll" Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll" Ofmdio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfhldel.dll" Qapnmopa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmkcpdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geibhp32.dll" Coknoaic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aggpfkjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdkdibjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocdgahag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odjmdocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piifjomf.dll" Bmimdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} NEAS.d948a4b38d12536230ebd677935da9f0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebdcld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpmhdmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll" Lknjhokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll" Kngkqbgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cepadh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoclopne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncnofeof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpnjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oblhcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmgqpkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebkbbmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll" Bpjmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poigcbng.dll" Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdeeipfp.dll" Fdmaoahm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lklnconj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeqca32.dll" Fooclapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbekii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndpjnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnegipj.dll" Pmjhlklg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4688 wrote to memory of 1596 4688 NEAS.d948a4b38d12536230ebd677935da9f0.exe 91 PID 4688 wrote to memory of 1596 4688 NEAS.d948a4b38d12536230ebd677935da9f0.exe 91 PID 4688 wrote to memory of 1596 4688 NEAS.d948a4b38d12536230ebd677935da9f0.exe 91 PID 1596 wrote to memory of 1204 1596 Phincl32.exe 92 PID 1596 wrote to memory of 1204 1596 Phincl32.exe 92 PID 1596 wrote to memory of 1204 1596 Phincl32.exe 92 PID 1204 wrote to memory of 696 1204 Qofcff32.exe 93 PID 1204 wrote to memory of 696 1204 Qofcff32.exe 93 PID 1204 wrote to memory of 696 1204 Qofcff32.exe 93 PID 696 wrote to memory of 4168 696 Qljcoj32.exe 94 PID 696 wrote to memory of 4168 696 Qljcoj32.exe 94 PID 696 wrote to memory of 4168 696 Qljcoj32.exe 94 PID 4168 wrote to memory of 2768 4168 Ajndioga.exe 95 PID 4168 wrote to memory of 2768 4168 Ajndioga.exe 95 PID 4168 wrote to memory of 2768 4168 Ajndioga.exe 95 PID 2768 wrote to memory of 4164 2768 Ajpqnneo.exe 96 PID 2768 wrote to memory of 4164 2768 Ajpqnneo.exe 96 PID 2768 wrote to memory of 4164 2768 Ajpqnneo.exe 96 PID 4164 wrote to memory of 1580 4164 Alqjpi32.exe 97 PID 4164 wrote to memory of 1580 4164 Alqjpi32.exe 97 PID 4164 wrote to memory of 1580 4164 Alqjpi32.exe 97 PID 1580 wrote to memory of 1644 1580 Ajdjin32.exe 98 PID 1580 wrote to memory of 1644 1580 Ajdjin32.exe 98 PID 1580 wrote to memory of 1644 1580 Ajdjin32.exe 98 PID 1644 wrote to memory of 2264 1644 Ahjgjj32.exe 99 PID 1644 wrote to memory of 2264 1644 Ahjgjj32.exe 99 PID 1644 wrote to memory of 2264 1644 Ahjgjj32.exe 99 PID 2264 wrote to memory of 5096 2264 Bjicdmmd.exe 100 PID 2264 wrote to memory of 5096 2264 Bjicdmmd.exe 100 PID 2264 wrote to memory of 5096 2264 Bjicdmmd.exe 100 PID 5096 wrote to memory of 4252 5096 Bbdhiojo.exe 102 PID 5096 wrote to memory of 4252 5096 Bbdhiojo.exe 102 PID 5096 wrote to memory of 4252 5096 Bbdhiojo.exe 102 PID 4252 wrote to memory of 5040 4252 Bohibc32.exe 103 PID 4252 wrote to memory of 5040 4252 Bohibc32.exe 103 PID 4252 wrote to memory of 5040 4252 Bohibc32.exe 103 PID 5040 wrote to memory of 2660 5040 Bkoigdom.exe 104 PID 5040 wrote to memory of 2660 5040 Bkoigdom.exe 104 PID 5040 wrote to memory of 2660 5040 Bkoigdom.exe 104 PID 2660 wrote to memory of 2672 2660 Bhcjqinf.exe 105 PID 2660 wrote to memory of 2672 2660 Bhcjqinf.exe 105 PID 2660 wrote to memory of 2672 2660 Bhcjqinf.exe 105 PID 2672 wrote to memory of 2760 2672 Bheffh32.exe 106 PID 2672 wrote to memory of 2760 2672 Bheffh32.exe 106 PID 2672 wrote to memory of 2760 2672 Bheffh32.exe 106 PID 2760 wrote to memory of 3920 2760 Bckkca32.exe 107 PID 2760 wrote to memory of 3920 2760 Bckkca32.exe 107 PID 2760 wrote to memory of 3920 2760 Bckkca32.exe 107 PID 3920 wrote to memory of 4876 3920 Ccmgiaig.exe 108 PID 3920 wrote to memory of 4876 3920 Ccmgiaig.exe 108 PID 3920 wrote to memory of 4876 3920 Ccmgiaig.exe 108 PID 4876 wrote to memory of 1368 4876 Cbeapmll.exe 109 PID 4876 wrote to memory of 1368 4876 Cbeapmll.exe 109 PID 4876 wrote to memory of 1368 4876 Cbeapmll.exe 109 PID 1368 wrote to memory of 4240 1368 Ccdnjp32.exe 110 PID 1368 wrote to memory of 4240 1368 Ccdnjp32.exe 110 PID 1368 wrote to memory of 4240 1368 Ccdnjp32.exe 110 PID 4240 wrote to memory of 1968 4240 Coknoaic.exe 111 PID 4240 wrote to memory of 1968 4240 Coknoaic.exe 111 PID 4240 wrote to memory of 1968 4240 Coknoaic.exe 111 PID 1968 wrote to memory of 648 1968 Djhimica.exe 112 PID 1968 wrote to memory of 648 1968 Djhimica.exe 112 PID 1968 wrote to memory of 648 1968 Djhimica.exe 112 PID 648 wrote to memory of 1632 648 Dpgnjo32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d948a4b38d12536230ebd677935da9f0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.d948a4b38d12536230ebd677935da9f0.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe23⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe25⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4324 -
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4172 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe29⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe30⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe31⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe32⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe33⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3424 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe35⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe36⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe37⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe38⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe39⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe40⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe41⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe42⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe43⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe44⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe45⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe46⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe47⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe48⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe49⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe51⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3344 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe53⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe55⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe56⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Kdpmbc32.exeC:\Windows\system32\Kdpmbc32.exe57⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe58⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe59⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4116 -
C:\Windows\SysWOW64\Lqkgbcff.exeC:\Windows\system32\Lqkgbcff.exe61⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe62⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Lqndhcdc.exeC:\Windows\system32\Lqndhcdc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe64⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe66⤵PID:508
-
C:\Windows\SysWOW64\Mccfdmmo.exeC:\Windows\system32\Mccfdmmo.exe67⤵PID:2632
-
C:\Windows\SysWOW64\Mnkggfkb.exeC:\Windows\system32\Mnkggfkb.exe68⤵PID:3808
-
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe69⤵PID:2588
-
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe70⤵
- Modifies registry class
PID:4560 -
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe71⤵PID:5024
-
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe72⤵PID:1820
-
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe73⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe74⤵PID:4304
-
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe75⤵PID:352
-
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe76⤵PID:2456
-
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe77⤵PID:4624
-
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe78⤵PID:5160
-
C:\Windows\SysWOW64\Nhokljge.exeC:\Windows\system32\Nhokljge.exe79⤵
- Modifies registry class
PID:5208 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe80⤵PID:5256
-
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe82⤵PID:5348
-
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe83⤵PID:5392
-
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe84⤵PID:5432
-
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe85⤵
- Modifies registry class
PID:5488 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe86⤵PID:5536
-
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe87⤵PID:5588
-
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe88⤵PID:5628
-
C:\Windows\SysWOW64\Odalmibl.exeC:\Windows\system32\Odalmibl.exe89⤵
- Modifies registry class
PID:5672 -
C:\Windows\SysWOW64\Oogpjbbb.exeC:\Windows\system32\Oogpjbbb.exe90⤵PID:5708
-
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe91⤵
- Modifies registry class
PID:5768 -
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe92⤵PID:5808
-
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe93⤵PID:5852
-
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe94⤵PID:5904
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe95⤵PID:5948
-
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe96⤵
- Drops file in System32 directory
PID:5992 -
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe97⤵PID:6036
-
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe98⤵PID:6080
-
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe99⤵PID:6124
-
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe100⤵PID:5148
-
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe101⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Aeaanjkl.exeC:\Windows\system32\Aeaanjkl.exe102⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe103⤵PID:5332
-
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe104⤵PID:5428
-
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe105⤵
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe106⤵
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe107⤵PID:5620
-
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe109⤵PID:5792
-
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe110⤵PID:5848
-
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe111⤵PID:5912
-
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe112⤵PID:5984
-
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe113⤵PID:6048
-
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe114⤵PID:6116
-
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240 -
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5232 -
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe117⤵PID:5416
-
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe118⤵PID:5460
-
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe119⤵
- Drops file in System32 directory
PID:5604 -
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe120⤵PID:5736
-
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-