Analysis
max time kernel
164s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system -
submitted
18-11-2023 03:20
Behavioral task
behavioral1
Sample
NEAS.1b47fde9da62a070ee7f0deca1317310.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.1b47fde9da62a070ee7f0deca1317310.exe
Resource
win10v2004-20231023-en
General
Target
NEAS.1b47fde9da62a070ee7f0deca1317310.exe
Size
432KB
MD5
1b47fde9da62a070ee7f0deca1317310
SHA1
26b565b0a61a4c503f2feaf787c059e50aca6298
SHA256
67a6ed8c7d44361c5befa32d4b6588e07140ddfebe863a71eef41c99ea10c013
SHA512
3222ebaf955ecf311de78b3461dddd6388246b8f8d1e560c2bfd54b4577ba9f7a9538f8d98fb921a7f8e7c7e55fddf676ef83b3d72f30a5332e1298cab621bba
SSDEEP
12288:+9P7yO5t6NSN6G5tsLc5t6NSN6G5tgA1F:+9P7yhc6TTc6tA1F
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifemfcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppiklc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igneng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcccol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhglelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejhol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaodek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmnpah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmdkbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iickdgpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmighf32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojgnpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnblgani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjheaad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eobffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filailgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmaafcml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bacjmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfanmcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppiklc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfomagf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbippolk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anaofa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfcfajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojijg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Occgkngd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijdnka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhnqoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljmmnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akamol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppeikjle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bejhajil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqbadf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 
Ajckbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbgkno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcgdbakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbllfboa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpjofefp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efikco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kokkqbog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnqhbap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edjeacjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjeahgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkcibnmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbbodj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egkgljkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmdkbok.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojqcjgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hagodlge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfqmbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlclnhho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaenlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgoflpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ladpnepb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpfhianp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpacmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcjiagf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmjce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgngbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okiljj32.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkogce32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware family classified as a 'backdoor' Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/1644-0-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0007000000022cf0-6.dat family_berbew behavioral2/memory/3140-7-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0007000000022cf0-8.dat family_berbew behavioral2/files/0x0007000000022cf2-14.dat family_berbew behavioral2/files/0x0007000000022cf2-16.dat family_berbew behavioral2/memory/4532-15-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0008000000022cf4-21.dat family_berbew behavioral2/files/0x0008000000022cf4-24.dat family_berbew behavioral2/memory/1712-23-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0007000000022cf8-30.dat family_berbew behavioral2/files/0x0007000000022cf8-31.dat family_berbew behavioral2/memory/2520-35-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0007000000022cfa-38.dat family_berbew behavioral2/files/0x0007000000022cfa-40.dat family_berbew behavioral2/memory/1300-39-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0009000000022cff-45.dat family_berbew behavioral2/memory/1432-48-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0009000000022cff-47.dat family_berbew behavioral2/files/0x0006000000022d01-54.dat family_berbew behavioral2/files/0x0006000000022d01-56.dat family_berbew behavioral2/memory/2696-55-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d03-62.dat family_berbew behavioral2/memory/3304-63-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d03-64.dat family_berbew behavioral2/files/0x0006000000022d06-65.dat family_berbew behavioral2/files/0x0006000000022d06-70.dat family_berbew behavioral2/memory/3244-71-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew 
behavioral2/files/0x0006000000022d06-72.dat family_berbew behavioral2/files/0x0006000000022d08-78.dat family_berbew behavioral2/files/0x0006000000022d08-80.dat family_berbew behavioral2/memory/2052-79-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d0a-86.dat family_berbew behavioral2/memory/4048-87-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d0a-88.dat family_berbew behavioral2/files/0x0006000000022d0c-94.dat family_berbew behavioral2/memory/3176-95-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d0c-96.dat family_berbew behavioral2/files/0x0006000000022d0e-102.dat family_berbew behavioral2/memory/4756-103-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d0e-104.dat family_berbew behavioral2/files/0x0006000000022d10-105.dat family_berbew behavioral2/files/0x0006000000022d10-110.dat family_berbew behavioral2/files/0x0006000000022d10-112.dat family_berbew behavioral2/memory/5060-111-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d12-118.dat family_berbew behavioral2/memory/2984-119-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/memory/4440-120-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d16-126.dat family_berbew behavioral2/files/0x0006000000022d16-128.dat family_berbew behavioral2/memory/2444-127-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d18-134.dat family_berbew behavioral2/memory/1452-135-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d18-136.dat family_berbew behavioral2/files/0x0006000000022d1a-138.dat family_berbew behavioral2/files/0x0006000000022d1a-142.dat family_berbew 
behavioral2/memory/3528-143-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d1a-144.dat family_berbew behavioral2/files/0x0006000000022d1c-150.dat family_berbew behavioral2/memory/4732-152-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022d1c-151.dat family_berbew behavioral2/files/0x0006000000022d1e-153.dat family_berbew behavioral2/files/0x0006000000022d1e-158.dat family_berbew behavioral2/files/0x0006000000022d1e-159.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3140 Ghmbib32.exe 4532 Hikkdc32.exe 1712 Hcflch32.exe 2520 Ijdnka32.exe 1300 Jbkbkbfo.exe 1432 Jfikaqme.exe 2696 Kcdakd32.exe 3304 Lflpmn32.exe 3244 Mcnmhpoj.exe 2052 Nbhcdl32.exe 4048 Omnqhbap.exe 3176 Akgcdc32.exe 4756 Bpkbmi32.exe 5060 Cmmbmiag.exe 2984 Dqbadf32.exe 2444 Eelifc32.exe 1452 Eaegqc32.exe 3528 Gdheol32.exe 4732 Hhkgpjqn.exe 3896 Inhion32.exe 4900 Kohnpoib.exe 4944 Nlmdml32.exe 4680 Pbjbfclk.exe 1460 Dqomdppm.exe 4920 Eggbbhkj.exe 1676 Eobffk32.exe 1568 Emhdeoel.exe 3852 Ffjkdc32.exe 1288 Gagebknp.exe 3204 Hanlcjgh.exe 1896 Ihcclb32.exe 3708 Jkplilgk.exe 4640 Kklkej32.exe 3352 Lamjbc32.exe 3356 Lhgbomfo.exe 3652 Lqfpoope.exe 768 Mkangg32.exe 1604 Ngaabfio.exe 2492 Nqifkl32.exe 4120 Onifpodl.exe 4024 Ppphkq32.exe 1972 Plfipakk.exe 4964 Qimfoe32.exe 2192 Aiapjecl.exe 2716 Abnnnjfh.exe 2676 Cbofdg32.exe 1792 Cpbgnlfo.exe 4936 Caimachg.exe 2516 Dfbebpdq.exe 4076 Efikco32.exe 4408 Eoapldei.exe 4308 Ebbinp32.exe 3664 Foplnb32.exe 4468 Hbldkllm.exe 3760 Ijfbhflj.exe 1112 Jpjqaldi.exe 2644 Jidbpa32.exe 620 Lanpml32.exe 1900 Mjqjbn32.exe 4304 Nneiikqe.exe 3416 Nnolojhk.exe 4976 Oqbagd32.exe 3316 Ahmlaj32.exe 4508 Dccbln32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aimpafok.dll Lhgbomfo.exe File created C:\Windows\SysWOW64\Ijbkqe32.dll Qmccecfp.exe File created C:\Windows\SysWOW64\Mccodp32.exe Mlifgfnj.exe File opened for modification C:\Windows\SysWOW64\Bpomoc32.exe Bejhajil.exe File opened for modification C:\Windows\SysWOW64\Oqbagd32.exe Nnolojhk.exe File created C:\Windows\SysWOW64\Cfidqmol.dll Nacmnlkd.exe File created C:\Windows\SysWOW64\Pnknbc32.exe Pfpinq32.exe File created C:\Windows\SysWOW64\Bejhajil.exe Bpmpickd.exe File created C:\Windows\SysWOW64\Dhgfoioi.exe Cjejdglp.exe File created C:\Windows\SysWOW64\Dbbcmdai.dll Eoccii32.exe File created C:\Windows\SysWOW64\Bcqebkmh.dll Pjlcclfl.exe File opened for modification C:\Windows\SysWOW64\Hccgqa32.exe Hnfohj32.exe File opened for modification C:\Windows\SysWOW64\Pdkcinco.exe Pookqgeg.exe File created C:\Windows\SysWOW64\Kjnjip32.dll Lmaafcml.exe File opened for modification C:\Windows\SysWOW64\Dolmijef.exe Ddfikaeq.exe File created C:\Windows\SysWOW64\Lbaipffa.dll Odbgmf32.exe File created C:\Windows\SysWOW64\Qkobck32.dll Mokmnm32.exe File created C:\Windows\SysWOW64\Oglcdlob.exe Nejglc32.exe File created C:\Windows\SysWOW64\Egkgljkm.exe Emcbcd32.exe File created C:\Windows\SysWOW64\Odfmdoph.dll Pgaboa32.exe File created C:\Windows\SysWOW64\Pjlldcdi.dll Cmbpckog.exe File opened for modification C:\Windows\SysWOW64\Dbfomagf.exe Dllfpg32.exe File created C:\Windows\SysWOW64\Edknjonl.exe Dodbkiho.exe File opened for modification C:\Windows\SysWOW64\Hhglhi32.exe Hbmclobc.exe File opened for modification C:\Windows\SysWOW64\Mcjlna32.exe Lcebcbaf.exe File created C:\Windows\SysWOW64\Kklkej32.exe Jkplilgk.exe File created C:\Windows\SysWOW64\Hekgppma.exe Hlnjlkjf.exe File created C:\Windows\SysWOW64\Bhfdmj32.dll Diqnda32.exe File created C:\Windows\SysWOW64\Mmgoohbo.exe Mgngbn32.exe File created C:\Windows\SysWOW64\Apompo32.dll Cdpckbli.exe File created C:\Windows\SysWOW64\Pnnebn32.dll Egjobl32.exe File opened for 
modification C:\Windows\SysWOW64\Ekgqnccj.exe Epalakcd.exe File opened for modification C:\Windows\SysWOW64\Kbbodj32.exe Keonke32.exe File created C:\Windows\SysWOW64\Pafcda32.dll Aplahpdo.exe File created C:\Windows\SysWOW64\Pbodojdg.dll Eiijpj32.exe File created C:\Windows\SysWOW64\Jebfgl32.exe Igneng32.exe File created C:\Windows\SysWOW64\Llhcag32.dll Iikmlnae.exe File created C:\Windows\SysWOW64\Eqkfapoe.exe Eojijg32.exe File opened for modification C:\Windows\SysWOW64\Nhbcbfak.exe Nojoiakk.exe File created C:\Windows\SysWOW64\Hmjkncea.dll Nolloq32.exe File opened for modification C:\Windows\SysWOW64\Pkfbpoog.exe Pdljce32.exe File opened for modification C:\Windows\SysWOW64\Aplahpdo.exe Qakdke32.exe File created C:\Windows\SysWOW64\Pbigeg32.dll Hnfohj32.exe File opened for modification C:\Windows\SysWOW64\Kdjhde32.exe Knmplopo.exe File created C:\Windows\SysWOW64\Kbbodj32.exe Keonke32.exe File created C:\Windows\SysWOW64\Hlnjlkjf.exe Hiomppkc.exe File opened for modification C:\Windows\SysWOW64\Ifcimb32.exe Fkcibnmd.exe File created C:\Windows\SysWOW64\Pmnbqj32.dll Ipjocgdm.exe File created C:\Windows\SysWOW64\Ifcimb32.exe Fkcibnmd.exe File created C:\Windows\SysWOW64\Fkllghoq.exe Egkgljkm.exe File created C:\Windows\SysWOW64\Cjcohn32.dll Dpjofefp.exe File created C:\Windows\SysWOW64\Pocdlg32.exe Philomje.exe File opened for modification C:\Windows\SysWOW64\Kggcgeop.exe Kknfmdko.exe File opened for modification C:\Windows\SysWOW64\Lnendhol.exe Kgkfhngo.exe File created C:\Windows\SysWOW64\Pdkcinco.exe Pookqgeg.exe File created C:\Windows\SysWOW64\Afnljenh.exe Alihmlna.exe File created C:\Windows\SysWOW64\Aioelpki.exe Acbmcima.exe File opened for modification C:\Windows\SysWOW64\Akgcdc32.exe Omnqhbap.exe File created C:\Windows\SysWOW64\Qiapdp32.dll Lfcdph32.exe File created C:\Windows\SysWOW64\Khdiln32.dll Ejchbmna.exe File created C:\Windows\SysWOW64\Fpflqjhe.dll Cfdgcmqd.exe File created C:\Windows\SysWOW64\Ekjcipef.dll Mnanpfdo.exe File created 
C:\Windows\SysWOW64\Ajeljnae.dll Lepnli32.exe File created C:\Windows\SysWOW64\Ffiblg32.exe Fldnoo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmighf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ompmie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacmjf32.dll" Pjhpccnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heegjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddgifgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpjhmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfllca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghiogkfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnendhol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaiflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhcpedal.dll" Cpofdndi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpannb32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagpdenb.dll" Nphhfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpjfqljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkcng32.dll" Gjnlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmoapqgi.dll" Lfeldj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqdpilb.dll" Phmhgmpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdjfo32.dll" Iohede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dakieedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kemndfob.dll" Fcpadd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhgdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmpcnlaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mobjho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllnhn32.dll" Ahofidlb.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmicc32.dll" Aioelpki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldgoh32.dll" Japmmlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkjijo32.dll" Nnlhjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjejiiif.dll" Njhglelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkjjncgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcfmgkgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfedhihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhdjka32.dll" Kedcml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ildibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjelebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odedcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nambpl32.dll" Hbihdn32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkklkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngpcmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpckbli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdmokljp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jffodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdoiaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fikbhiaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmccecfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbpacmbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iikmlnae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljnloi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiljpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edcghbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 
Pocdlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jidbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amnimglb.dll" Dhgfoioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmjheaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iggomhab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jffodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhlcfn32.dll" Bejhajil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgboiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaoao32.dll" Mfqlph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aikecelb.dll" Mgkjmnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhnqoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afplbhim.dll" Hikkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = 
"Apartment" Abnnnjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabocb32.dll" Eoapldei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoifoa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1644 wrote to memory of 3140 1644 NEAS.1b47fde9da62a070ee7f0deca1317310.exe 94 PID 1644 wrote to memory of 3140 1644 NEAS.1b47fde9da62a070ee7f0deca1317310.exe 94 PID 1644 wrote to memory of 3140 1644 NEAS.1b47fde9da62a070ee7f0deca1317310.exe 94 PID 3140 wrote to memory of 4532 3140 Ghmbib32.exe 95 PID 3140 wrote to memory of 4532 3140 Ghmbib32.exe 95 PID 3140 wrote to memory of 4532 3140 Ghmbib32.exe 95 PID 4532 wrote to memory of 1712 4532 Hikkdc32.exe 96 PID 4532 wrote to memory of 1712 4532 Hikkdc32.exe 96 PID 4532 wrote to memory of 1712 4532 Hikkdc32.exe 96 PID 1712 wrote to memory of 2520 1712 Hcflch32.exe 97 PID 1712 wrote to memory of 2520 1712 Hcflch32.exe 97 PID 1712 wrote to memory of 2520 1712 Hcflch32.exe 97 PID 2520 wrote to memory of 1300 2520 Ijdnka32.exe 98 PID 2520 wrote to memory of 1300 2520 Ijdnka32.exe 98 PID 2520 wrote to memory of 1300 2520 Ijdnka32.exe 98 PID 1300 wrote to memory of 1432 1300 Jbkbkbfo.exe 99 PID 1300 wrote to memory of 1432 1300 Jbkbkbfo.exe 99 PID 1300 wrote to memory of 1432 1300 Jbkbkbfo.exe 99 PID 1432 wrote to memory of 2696 1432 Jfikaqme.exe 100 PID 1432 wrote to memory of 2696 1432 Jfikaqme.exe 100 PID 1432 wrote to memory of 2696 1432 Jfikaqme.exe 100 PID 2696 wrote to memory of 3304 2696 Kcdakd32.exe 101 PID 2696 wrote to memory of 3304 2696 Kcdakd32.exe 101 PID 2696 wrote to memory of 3304 2696 Kcdakd32.exe 101 PID 3304 wrote to memory of 3244 3304 Lflpmn32.exe 102 PID 3304 wrote to memory of 3244 3304 Lflpmn32.exe 102 PID 3304 wrote to memory of 3244 3304 Lflpmn32.exe 102 PID 3244 wrote to memory of 2052 3244 Mcnmhpoj.exe 103 PID 3244 wrote to memory of 2052 3244 Mcnmhpoj.exe 103 PID 3244 wrote to memory of 2052 3244 Mcnmhpoj.exe 103 PID 2052 wrote to memory of 4048 2052 Nbhcdl32.exe 104 PID 2052 wrote to memory of 4048 2052 Nbhcdl32.exe 104 PID 2052 wrote to memory of 4048 2052 Nbhcdl32.exe 104 PID 4048 wrote to memory of 3176 4048 Omnqhbap.exe 105 PID 4048 wrote to 
memory of 3176 4048 Omnqhbap.exe 105 PID 4048 wrote to memory of 3176 4048 Omnqhbap.exe 105 PID 3176 wrote to memory of 4756 3176 Akgcdc32.exe 106 PID 3176 wrote to memory of 4756 3176 Akgcdc32.exe 106 PID 3176 wrote to memory of 4756 3176 Akgcdc32.exe 106 PID 4756 wrote to memory of 5060 4756 Bpkbmi32.exe 107 PID 4756 wrote to memory of 5060 4756 Bpkbmi32.exe 107 PID 4756 wrote to memory of 5060 4756 Bpkbmi32.exe 107 PID 5060 wrote to memory of 2984 5060 Cmmbmiag.exe 108 PID 5060 wrote to memory of 2984 5060 Cmmbmiag.exe 108 PID 5060 wrote to memory of 2984 5060 Cmmbmiag.exe 108 PID 4440 wrote to memory of 2444 4440 Eegpkcbd.exe 110 PID 4440 wrote to memory of 2444 4440 Eegpkcbd.exe 110 PID 4440 wrote to memory of 2444 4440 Eegpkcbd.exe 110 PID 2444 wrote to memory of 1452 2444 Eelifc32.exe 111 PID 2444 wrote to memory of 1452 2444 Eelifc32.exe 111 PID 2444 wrote to memory of 1452 2444 Eelifc32.exe 111 PID 1452 wrote to memory of 3528 1452 Eaegqc32.exe 112 PID 1452 wrote to memory of 3528 1452 Eaegqc32.exe 112 PID 1452 wrote to memory of 3528 1452 Eaegqc32.exe 112 PID 3528 wrote to memory of 4732 3528 Gdheol32.exe 113 PID 3528 wrote to memory of 4732 3528 Gdheol32.exe 113 PID 3528 wrote to memory of 4732 3528 Gdheol32.exe 113 PID 4732 wrote to memory of 3896 4732 Hhkgpjqn.exe 114 PID 4732 wrote to memory of 3896 4732 Hhkgpjqn.exe 114 PID 4732 wrote to memory of 3896 4732 Hhkgpjqn.exe 114 PID 3896 wrote to memory of 4900 3896 Inhion32.exe 116 PID 3896 wrote to memory of 4900 3896 Inhion32.exe 116 PID 3896 wrote to memory of 4900 3896 Inhion32.exe 116 PID 4900 wrote to memory of 4944 4900 Kohnpoib.exe 117
Processes (note: PIDs are reused within the run — e.g. 3244, 1300, 4756, 1712, 2052, 1676, 3708, 1604 and 1972 each appear twice — so correlate by image path and parent chain, not by PID; every dropped stage is written under C:\Windows\SysWOW64\ although the command line references C:\Windows\system32\)
-
C:\Users\Admin\AppData\Local\Temp\NEAS.1b47fde9da62a070ee7f0deca1317310.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.1b47fde9da62a070ee7f0deca1317310.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Ghmbib32.exeC:\Windows\system32\Ghmbib32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Hikkdc32.exeC:\Windows\system32\Hikkdc32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Hcflch32.exeC:\Windows\system32\Hcflch32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Ijdnka32.exeC:\Windows\system32\Ijdnka32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Jbkbkbfo.exeC:\Windows\system32\Jbkbkbfo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Jfikaqme.exeC:\Windows\system32\Jfikaqme.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Kcdakd32.exeC:\Windows\system32\Kcdakd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Lflpmn32.exeC:\Windows\system32\Lflpmn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Nbhcdl32.exeC:\Windows\system32\Nbhcdl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Omnqhbap.exeC:\Windows\system32\Omnqhbap.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Akgcdc32.exeC:\Windows\system32\Akgcdc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Bpkbmi32.exeC:\Windows\system32\Bpkbmi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Cmmbmiag.exeC:\Windows\system32\Cmmbmiag.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Dqbadf32.exeC:\Windows\system32\Dqbadf32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Eegpkcbd.exeC:\Windows\system32\Eegpkcbd.exe17⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Eelifc32.exeC:\Windows\system32\Eelifc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Eaegqc32.exeC:\Windows\system32\Eaegqc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Gdheol32.exeC:\Windows\system32\Gdheol32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Hhkgpjqn.exeC:\Windows\system32\Hhkgpjqn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Inhion32.exeC:\Windows\system32\Inhion32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Kohnpoib.exeC:\Windows\system32\Kohnpoib.exe23⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Nlmdml32.exeC:\Windows\system32\Nlmdml32.exe24⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Pbjbfclk.exeC:\Windows\system32\Pbjbfclk.exe25⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Dqomdppm.exeC:\Windows\system32\Dqomdppm.exe26⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Eggbbhkj.exeC:\Windows\system32\Eggbbhkj.exe27⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Eobffk32.exeC:\Windows\system32\Eobffk32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Emhdeoel.exeC:\Windows\system32\Emhdeoel.exe29⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Ffjkdc32.exeC:\Windows\system32\Ffjkdc32.exe30⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Gagebknp.exeC:\Windows\system32\Gagebknp.exe31⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Hanlcjgh.exeC:\Windows\system32\Hanlcjgh.exe32⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Ihcclb32.exeC:\Windows\system32\Ihcclb32.exe33⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Jkplilgk.exeC:\Windows\system32\Jkplilgk.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3708 -
C:\Windows\SysWOW64\Kklkej32.exeC:\Windows\system32\Kklkej32.exe35⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Lamjbc32.exeC:\Windows\system32\Lamjbc32.exe36⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Lhgbomfo.exeC:\Windows\system32\Lhgbomfo.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3356 -
C:\Windows\SysWOW64\Lqfpoope.exeC:\Windows\system32\Lqfpoope.exe38⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Mkangg32.exeC:\Windows\system32\Mkangg32.exe39⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Ngaabfio.exeC:\Windows\system32\Ngaabfio.exe40⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Nqifkl32.exeC:\Windows\system32\Nqifkl32.exe41⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Onifpodl.exeC:\Windows\system32\Onifpodl.exe42⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Ppphkq32.exeC:\Windows\system32\Ppphkq32.exe43⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Plfipakk.exeC:\Windows\system32\Plfipakk.exe44⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Qimfoe32.exeC:\Windows\system32\Qimfoe32.exe45⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Aiapjecl.exeC:\Windows\system32\Aiapjecl.exe46⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Abnnnjfh.exeC:\Windows\system32\Abnnnjfh.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Cbofdg32.exeC:\Windows\system32\Cbofdg32.exe48⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Cpbgnlfo.exeC:\Windows\system32\Cpbgnlfo.exe49⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Caimachg.exeC:\Windows\system32\Caimachg.exe50⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Dfbebpdq.exeC:\Windows\system32\Dfbebpdq.exe51⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Efikco32.exeC:\Windows\system32\Efikco32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Eoapldei.exeC:\Windows\system32\Eoapldei.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4408 -
C:\Windows\SysWOW64\Ebbinp32.exeC:\Windows\system32\Ebbinp32.exe54⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Foplnb32.exeC:\Windows\system32\Foplnb32.exe55⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Hbldkllm.exeC:\Windows\system32\Hbldkllm.exe56⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Ijfbhflj.exeC:\Windows\system32\Ijfbhflj.exe57⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Jpjqaldi.exeC:\Windows\system32\Jpjqaldi.exe58⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Jidbpa32.exeC:\Windows\system32\Jidbpa32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Lanpml32.exeC:\Windows\system32\Lanpml32.exe60⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Mjqjbn32.exeC:\Windows\system32\Mjqjbn32.exe61⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Nneiikqe.exeC:\Windows\system32\Nneiikqe.exe62⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Nnolojhk.exeC:\Windows\system32\Nnolojhk.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3416 -
C:\Windows\SysWOW64\Oqbagd32.exeC:\Windows\system32\Oqbagd32.exe64⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Ahmlaj32.exeC:\Windows\system32\Ahmlaj32.exe65⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Dccbln32.exeC:\Windows\system32\Dccbln32.exe66⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Fkcibnmd.exeC:\Windows\system32\Fkcibnmd.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4864 -
C:\Windows\SysWOW64\Ifcimb32.exeC:\Windows\system32\Ifcimb32.exe68⤵PID:4424
-
C:\Windows\SysWOW64\Ilpaei32.exeC:\Windows\system32\Ilpaei32.exe69⤵PID:1924
-
C:\Windows\SysWOW64\Ibijbc32.exeC:\Windows\system32\Ibijbc32.exe70⤵PID:1304
-
C:\Windows\SysWOW64\Ifgbhbbh.exeC:\Windows\system32\Ifgbhbbh.exe71⤵PID:3700
-
C:\Windows\SysWOW64\Jfllca32.exeC:\Windows\system32\Jfllca32.exe72⤵
- Modifies registry class
PID:3244 -
C:\Windows\SysWOW64\Jfoihalp.exeC:\Windows\system32\Jfoihalp.exe73⤵PID:1300
-
C:\Windows\SysWOW64\Kmijliej.exeC:\Windows\system32\Kmijliej.exe74⤵PID:4620
-
C:\Windows\SysWOW64\Lepnli32.exeC:\Windows\system32\Lepnli32.exe75⤵
- Drops file in System32 directory
PID:4756 -
C:\Windows\SysWOW64\Meknhh32.exeC:\Windows\system32\Meknhh32.exe76⤵PID:4684
-
C:\Windows\SysWOW64\Ngpcmj32.exeC:\Windows\system32\Ngpcmj32.exe77⤵
- Modifies registry class
PID:4320 -
C:\Windows\SysWOW64\Nphhfp32.exeC:\Windows\system32\Nphhfp32.exe78⤵
- Modifies registry class
PID:3972 -
C:\Windows\SysWOW64\Ofncde32.exeC:\Windows\system32\Ofncde32.exe79⤵PID:3536
-
C:\Windows\SysWOW64\Qmkanmel.exeC:\Windows\system32\Qmkanmel.exe80⤵PID:1952
-
C:\Windows\SysWOW64\Aqkgikip.exeC:\Windows\system32\Aqkgikip.exe81⤵PID:4792
-
C:\Windows\SysWOW64\Ajckbp32.exeC:\Windows\system32\Ajckbp32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Aclpkffa.exeC:\Windows\system32\Aclpkffa.exe83⤵PID:2052
-
C:\Windows\SysWOW64\Ajfhhp32.exeC:\Windows\system32\Ajfhhp32.exe84⤵PID:2456
-
C:\Windows\SysWOW64\Bccfleqi.exeC:\Windows\system32\Bccfleqi.exe85⤵PID:5080
-
C:\Windows\SysWOW64\Dmnpah32.exeC:\Windows\system32\Dmnpah32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Dodbkiho.exeC:\Windows\system32\Dodbkiho.exe87⤵
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Edknjonl.exeC:\Windows\system32\Edknjonl.exe88⤵PID:3788
-
C:\Windows\SysWOW64\Egijfjmp.exeC:\Windows\system32\Egijfjmp.exe89⤵PID:684
-
C:\Windows\SysWOW64\Emcbcd32.exeC:\Windows\system32\Emcbcd32.exe90⤵
- Drops file in System32 directory
PID:4632 -
C:\Windows\SysWOW64\Egkgljkm.exeC:\Windows\system32\Egkgljkm.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Fkllghoq.exeC:\Windows\system32\Fkllghoq.exe92⤵PID:3832
-
C:\Windows\SysWOW64\Gaogja32.exeC:\Windows\system32\Gaogja32.exe93⤵PID:3088
-
C:\Windows\SysWOW64\Ghiogkfp.exeC:\Windows\system32\Ghiogkfp.exe94⤵
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\Hnmnpano.exeC:\Windows\system32\Hnmnpano.exe95⤵PID:5048
-
C:\Windows\SysWOW64\Hbmclobc.exeC:\Windows\system32\Hbmclobc.exe96⤵
- Drops file in System32 directory
PID:4608 -
C:\Windows\SysWOW64\Hhglhi32.exeC:\Windows\system32\Hhglhi32.exe97⤵PID:3668
-
C:\Windows\SysWOW64\Hoadecal.exeC:\Windows\system32\Hoadecal.exe98⤵PID:1676
-
C:\Windows\SysWOW64\Iickdgpb.exeC:\Windows\system32\Iickdgpb.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Kicdke32.exeC:\Windows\system32\Kicdke32.exe100⤵PID:5068
-
C:\Windows\SysWOW64\Keonke32.exeC:\Windows\system32\Keonke32.exe101⤵
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Kbbodj32.exeC:\Windows\system32\Kbbodj32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4988 -
C:\Windows\SysWOW64\Lfcdph32.exeC:\Windows\system32\Lfcdph32.exe103⤵
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Llpmhodc.exeC:\Windows\system32\Llpmhodc.exe104⤵PID:3772
-
C:\Windows\SysWOW64\Midfiq32.exeC:\Windows\system32\Midfiq32.exe105⤵PID:2476
-
C:\Windows\SysWOW64\Ngaihcli.exeC:\Windows\system32\Ngaihcli.exe106⤵PID:3708
-
C:\Windows\SysWOW64\Pllnbh32.exeC:\Windows\system32\Pllnbh32.exe107⤵PID:2832
-
C:\Windows\SysWOW64\Pgaboa32.exeC:\Windows\system32\Pgaboa32.exe108⤵
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\Aoifoa32.exeC:\Windows\system32\Aoifoa32.exe109⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Bqfokblg.exeC:\Windows\system32\Bqfokblg.exe110⤵PID:3236
-
C:\Windows\SysWOW64\Bgpggm32.exeC:\Windows\system32\Bgpggm32.exe111⤵PID:4296
-
C:\Windows\SysWOW64\Biadoeib.exeC:\Windows\system32\Biadoeib.exe112⤵PID:1604
-
C:\Windows\SysWOW64\Bpkllo32.exeC:\Windows\system32\Bpkllo32.exe113⤵PID:4776
-
C:\Windows\SysWOW64\Bfedhihl.exeC:\Windows\system32\Bfedhihl.exe114⤵
- Modifies registry class
PID:4892 -
C:\Windows\SysWOW64\Bgeabloo.exeC:\Windows\system32\Bgeabloo.exe115⤵PID:60
-
C:\Windows\SysWOW64\Cifmjd32.exeC:\Windows\system32\Cifmjd32.exe116⤵PID:408
-
C:\Windows\SysWOW64\Cclagm32.exeC:\Windows\system32\Cclagm32.exe117⤵PID:1652
-
C:\Windows\SysWOW64\Cjejdglp.exeC:\Windows\system32\Cjejdglp.exe118⤵
- Drops file in System32 directory
PID:4128 -
C:\Windows\SysWOW64\Dhgfoioi.exeC:\Windows\system32\Dhgfoioi.exe119⤵
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Eibfmp32.exeC:\Windows\system32\Eibfmp32.exe120⤵PID:1972
-
C:\Windows\SysWOW64\Ehcfkhel.exeC:\Windows\system32\Ehcfkhel.exe121⤵PID:3144
-
C:\Windows\SysWOW64\Fapdomgg.exeC:\Windows\system32\Fapdomgg.exe122⤵PID:3908