Analysis
-
max time kernel
141s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 18:44
Behavioral task
behavioral1
Sample
02030d14465485d4d6de2f522dba8470_NEAS.exe
Resource
win7-20240215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
02030d14465485d4d6de2f522dba8470_NEAS.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
02030d14465485d4d6de2f522dba8470_NEAS.exe
-
Size
367KB
-
MD5
02030d14465485d4d6de2f522dba8470
-
SHA1
3b5a27c6a7e188444dcfbd5ca72bce8a0ec3a9d1
-
SHA256
debe5cacd924cd844ca1165aac2f0b858df5c1a2ac62f81159560413f80313c4
-
SHA512
3eb3dd904dd7ba9feffbd77894079e9daeb163ac670395fc32d2fff0a8b38b51908b04d7943527a9da1c99a1628d4ac6b51b7e4e4416e61951c3cbcd85884ad5
-
SSDEEP
6144:WeOKXLEGOs7ttnJfKXqPTX7D7FM6234lKm3mo8Yvi4KsLTFM6234lKm3cM9:We/LJNZtJCXqP77D7FB24lwR45FB24lX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnnhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdkoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plpjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocddono.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hienlpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahfmgoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfckahdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdoihpbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifgbnlmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neoieenp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geohklaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cliaoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlednamo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnlmhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfkfohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdlpneli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Loglacfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfnphn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilidbbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdqfll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oldjcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgghhlhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egdqae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbbdjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgljmcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflibgil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmaffnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Behbag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aamknj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokehc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkokcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Beeflhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Heocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkmgblok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qoifflkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdkidohn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmolepp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fojlngce.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000d000000023b2d-6.dat family_berbew behavioral2/files/0x000a000000023b97-15.dat family_berbew behavioral2/files/0x000a000000023b9a-24.dat family_berbew behavioral2/files/0x000a000000023b9c-31.dat family_berbew behavioral2/files/0x000a000000023b9e-38.dat family_berbew behavioral2/files/0x000a000000023ba0-46.dat family_berbew behavioral2/files/0x000a000000023ba2-54.dat family_berbew behavioral2/files/0x000a000000023ba4-62.dat family_berbew behavioral2/files/0x000a000000023ba6-71.dat family_berbew behavioral2/files/0x000a000000023ba8-79.dat family_berbew behavioral2/files/0x000a000000023baa-87.dat family_berbew behavioral2/files/0x000a000000023bac-94.dat family_berbew behavioral2/files/0x000a000000023bad-102.dat family_berbew behavioral2/files/0x000a000000023baf-111.dat family_berbew behavioral2/files/0x000a000000023bb1-119.dat family_berbew behavioral2/files/0x000a000000023bb3-126.dat family_berbew behavioral2/files/0x000a000000023bb6-134.dat family_berbew behavioral2/files/0x000a000000023bb8-143.dat family_berbew behavioral2/files/0x000a000000023bba-151.dat family_berbew behavioral2/files/0x000a000000023bbc-158.dat family_berbew behavioral2/files/0x0031000000023bbe-165.dat family_berbew behavioral2/files/0x000a000000023bc0-173.dat family_berbew behavioral2/files/0x000a000000023bc2-183.dat family_berbew behavioral2/files/0x000a000000023bc8-205.dat family_berbew behavioral2/files/0x000a000000023bce-226.dat family_berbew behavioral2/files/0x000a000000023bd0-233.dat family_berbew behavioral2/files/0x000a000000023bd4-247.dat family_berbew behavioral2/files/0x000a000000023bd2-240.dat family_berbew behavioral2/files/0x000a000000023bcc-219.dat family_berbew behavioral2/files/0x000a000000023bca-212.dat family_berbew behavioral2/files/0x000a000000023bc6-198.dat family_berbew behavioral2/files/0x000a000000023bc4-191.dat family_berbew behavioral2/files/0x0007000000023cb6-478.dat family_berbew behavioral2/files/0x0007000000023cd2-569.dat family_berbew behavioral2/files/0x0007000000023cd4-576.dat family_berbew behavioral2/files/0x0007000000023ce0-611.dat family_berbew behavioral2/files/0x0007000000023ce3-623.dat family_berbew behavioral2/files/0x0007000000023d0e-756.dat family_berbew behavioral2/files/0x0007000000023d30-873.dat family_berbew behavioral2/files/0x0007000000023d34-886.dat family_berbew behavioral2/files/0x0007000000023d3e-917.dat family_berbew behavioral2/files/0x0007000000023d42-930.dat family_berbew behavioral2/files/0x0007000000023d50-975.dat family_berbew behavioral2/files/0x0007000000023d5c-1016.dat family_berbew behavioral2/files/0x0007000000023d8d-1185.dat family_berbew behavioral2/files/0x0007000000023d93-1206.dat family_berbew behavioral2/files/0x0007000000023db6-1318.dat family_berbew behavioral2/files/0x0007000000023dbc-1338.dat family_berbew behavioral2/files/0x0007000000023dc0-1351.dat family_berbew behavioral2/files/0x0007000000023dcb-1382.dat family_berbew behavioral2/files/0x0007000000023df4-1575.dat family_berbew behavioral2/files/0x0007000000023e0c-1655.dat family_berbew behavioral2/files/0x0007000000023e14-1680.dat family_berbew behavioral2/files/0x0007000000023e1b-1701.dat family_berbew behavioral2/files/0x0007000000023e21-1722.dat family_berbew behavioral2/files/0x0007000000023e2f-1767.dat family_berbew behavioral2/files/0x0007000000023e40-1819.dat family_berbew behavioral2/files/0x0007000000023ea7-2160.dat family_berbew behavioral2/files/0x0007000000023ee7-2375.dat family_berbew behavioral2/files/0x0007000000023eeb-2389.dat family_berbew behavioral2/files/0x0007000000023ef1-2407.dat family_berbew behavioral2/files/0x0007000000023efd-2447.dat family_berbew behavioral2/files/0x0007000000023f14-2487.dat family_berbew behavioral2/files/0x0007000000023f1c-2515.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3852 Jpjqhgol.exe 4596 Jfdida32.exe 5076 Jmpngk32.exe 1360 Jigollag.exe 4880 Jkfkfohj.exe 984 Kdopod32.exe 1984 Kkihknfg.exe 5056 Kkkdan32.exe 1632 Kphmie32.exe 3496 Kgbefoji.exe 4660 Kcifkp32.exe 4628 Kajfig32.exe 4864 Kgfoan32.exe 3960 Liggbi32.exe 2708 Laopdgcg.exe 3492 Lpcmec32.exe 2336 Lgneampk.exe 3120 Lpfijcfl.exe 464 Lgpagm32.exe 2248 Laefdf32.exe 4984 Lknjmkdo.exe 3888 Mjqjih32.exe 4636 Mpkbebbf.exe 3844 Mjcgohig.exe 960 Mpmokb32.exe 2564 Mdiklqhm.exe 2944 Mgghhlhq.exe 3644 Mkbchk32.exe 884 Mnapdf32.exe 3476 Mamleegg.exe 1220 Mdkhapfj.exe 4280 Mcnhmm32.exe 1364 Mgidml32.exe 3748 Mjhqjg32.exe 1568 Mncmjfmk.exe 700 Mpaifalo.exe 4192 Mdmegp32.exe 3028 Mcpebmkb.exe 1944 Mjjmog32.exe 4788 Mnfipekh.exe 3532 Maaepd32.exe 828 Mdpalp32.exe 3340 Mcbahlip.exe 748 Mgnnhk32.exe 4620 Njljefql.exe 2504 Nnhfee32.exe 4952 Nqfbaq32.exe 4848 Ndbnboqb.exe 3944 Ngpjnkpf.exe 4972 Nklfoi32.exe 3188 Njogjfoj.exe 1684 Nafokcol.exe 3520 Nqiogp32.exe 4492 Ncgkcl32.exe 4676 Ngcgcjnc.exe 4260 Ndkahnhh.exe 3660 Ogjmdigk.exe 1752 Oqbamo32.exe 4360 Ogljjiei.exe 3892 Ojjffddl.exe 3300 Occkojkm.exe 1320 Okjbpglo.exe 5024 Obdkma32.exe 1680 Odbgim32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kenggi32.exe Kndojobi.exe File created C:\Windows\SysWOW64\Jklbcn32.dll Knflpoqf.exe File created C:\Windows\SysWOW64\Dodjjimm.exe Dmennnni.exe File opened for modification C:\Windows\SysWOW64\Cogddd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Addaif32.exe Aafemk32.exe File created C:\Windows\SysWOW64\Bgfeip32.dll Cohkokgj.exe File created C:\Windows\SysWOW64\Gpkonb32.dll Ggcfja32.exe File opened for modification C:\Windows\SysWOW64\Ohjlgefb.exe Ohgoaehe.exe File created C:\Windows\SysWOW64\Gmdcfidg.exe Gihgfk32.exe File created C:\Windows\SysWOW64\Cogmkl32.exe Cliaoq32.exe File created C:\Windows\SysWOW64\Nnambi32.dll Dccbbhld.exe File created C:\Windows\SysWOW64\Chncif32.dll Ehljfnpn.exe File created C:\Windows\SysWOW64\Ochpdn32.dll Pjjhbl32.exe File created C:\Windows\SysWOW64\Pclneicb.exe Pbkamqmd.exe File created C:\Windows\SysWOW64\Dhkjej32.exe Dobfld32.exe File created C:\Windows\SysWOW64\Fckajehi.exe Flqimk32.exe File created C:\Windows\SysWOW64\Oijgnaaa.dll Ffimfqgm.exe File opened for modification C:\Windows\SysWOW64\Kfckahdj.exe Kbhoqj32.exe File opened for modification C:\Windows\SysWOW64\Ocohmc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fijkdmhn.exe Fflohaij.exe File opened for modification C:\Windows\SysWOW64\Eekaebcm.exe Ekemhj32.exe File created C:\Windows\SysWOW64\Ocaikjof.dll Hgelek32.exe File opened for modification C:\Windows\SysWOW64\Ahcajk32.exe Aeddnp32.exe File created C:\Windows\SysWOW64\Bndfbikc.dll Blielbfi.exe File created C:\Windows\SysWOW64\Benlnbhb.dll Lbmhlihl.exe File opened for modification C:\Windows\SysWOW64\Cjecpkcg.exe Bbnkonbd.exe File created C:\Windows\SysWOW64\Njogjfoj.exe Nklfoi32.exe File opened for modification C:\Windows\SysWOW64\Hbeqmoji.exe Hkkhqd32.exe File created C:\Windows\SysWOW64\Bbekbm32.dll Liqihglg.exe File created C:\Windows\SysWOW64\Mbenmk32.exe Mlkepaam.exe File created C:\Windows\SysWOW64\Kgldjcmk.dll Qmkadgpo.exe File opened for modification C:\Windows\SysWOW64\Coknoaic.exe Ciafbg32.exe File opened for modification C:\Windows\SysWOW64\Aamknj32.exe Ahdged32.exe File created C:\Windows\SysWOW64\Lmdnbn32.exe Process not Found File created C:\Windows\SysWOW64\Gijlad32.dll Mibpda32.exe File created C:\Windows\SysWOW64\Kkcfid32.exe Kiejmi32.exe File opened for modification C:\Windows\SysWOW64\Ahqddk32.exe Qebhhp32.exe File created C:\Windows\SysWOW64\Mamjbp32.dll Nlfnaicd.exe File created C:\Windows\SysWOW64\Ggmookkn.dll Noehba32.exe File opened for modification C:\Windows\SysWOW64\Kcifkp32.exe Kgbefoji.exe File created C:\Windows\SysWOW64\Dhidjpqc.exe Dekhneap.exe File opened for modification C:\Windows\SysWOW64\Gdqgmmjb.exe Gbbkaako.exe File created C:\Windows\SysWOW64\Cghane32.dll Chiigadc.exe File created C:\Windows\SysWOW64\Ockkandf.dll Qemhbj32.exe File created C:\Windows\SysWOW64\Gpgind32.exe Geaepk32.exe File opened for modification C:\Windows\SysWOW64\Lgdidgjg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mdpalp32.exe Maaepd32.exe File opened for modification C:\Windows\SysWOW64\Hfnphn32.exe Hbbdholl.exe File opened for modification C:\Windows\SysWOW64\Ghbbcd32.exe Ggcfja32.exe File opened for modification C:\Windows\SysWOW64\Jeekkafl.exe Jkmgblok.exe File created C:\Windows\SysWOW64\Kmijbcpl.exe Kebbafoj.exe File created C:\Windows\SysWOW64\Cdhhdlid.exe Cajlhqjp.exe File opened for modification C:\Windows\SysWOW64\Jifhaenk.exe Jblpek32.exe File created C:\Windows\SysWOW64\Npgmpf32.exe Process not Found File created C:\Windows\SysWOW64\Kqnbkl32.exe Jkaicd32.exe File opened for modification C:\Windows\SysWOW64\Fikbocki.exe Fcniglmb.exe File created C:\Windows\SysWOW64\Effkpc32.dll Coadnlnb.exe File opened for modification C:\Windows\SysWOW64\Chdialdl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pgmcqggf.exe Pbpjhp32.exe File created C:\Windows\SysWOW64\Jhnhbn32.dll Ebejfk32.exe File created C:\Windows\SysWOW64\Kpnihq32.dll Abngjnmo.exe File created C:\Windows\SysWOW64\Flcmfp32.dll Malgcg32.exe File opened for modification C:\Windows\SysWOW64\Ilqoobdd.exe Process not Found File created C:\Windows\SysWOW64\Mioaanec.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 15320 15236 Process not Found 1297 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll" Jigollag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Poliea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplcdidf.dll" Eefhjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afjlnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikokan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cclnpmna.dll" Kgmcce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpeei32.dll" Dmalne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddmgi32.dll" Hmlpaoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paegjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceelqcdb.dll" Kenggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll" Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll" Ocnjidkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjjpnlbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kdbjhbbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pclneicb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Becbkfdh.dll" Cbgbgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fohoigfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hjjnae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpengmlg.dll" Qcbfakec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll" Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikamapb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilkojc32.dll" Pclneicb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hajpbckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfamlc32.dll" Jnhidk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghbjikdh.dll" Oaqbkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebjcajjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnfnlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hiefcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkellk32.dll" Aleckinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpmokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fgeihcme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eehicoel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgmgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cocacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lenamdem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ggcfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Melmcj32.dll" Objpoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pchlpfjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djjebh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efmmmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bcfahbpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" Fflohaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkkhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhmqp32.dll" Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilpobpd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echmafdm.dll" Occkojkm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1988 wrote to memory of 3852 1988 02030d14465485d4d6de2f522dba8470_NEAS.exe 84 PID 1988 wrote to memory of 3852 1988 02030d14465485d4d6de2f522dba8470_NEAS.exe 84 PID 1988 wrote to memory of 3852 1988 02030d14465485d4d6de2f522dba8470_NEAS.exe 84 PID 3852 wrote to memory of 4596 3852 Jpjqhgol.exe 85 PID 3852 wrote to memory of 4596 3852 Jpjqhgol.exe 85 PID 3852 wrote to memory of 4596 3852 Jpjqhgol.exe 85 PID 4596 wrote to memory of 5076 4596 Jfdida32.exe 86 PID 4596 wrote to memory of 5076 4596 Jfdida32.exe 86 PID 4596 wrote to memory of 5076 4596 Jfdida32.exe 86 PID 5076 wrote to memory of 1360 5076 Jmpngk32.exe 87 PID 5076 wrote to memory of 1360 5076 Jmpngk32.exe 87 PID 5076 wrote to memory of 1360 5076 Jmpngk32.exe 87 PID 1360 wrote to memory of 4880 1360 Jigollag.exe 88 PID 1360 wrote to memory of 4880 1360 Jigollag.exe 88 PID 1360 wrote to memory of 4880 1360 Jigollag.exe 88 PID 4880 wrote to memory of 984 4880 Jkfkfohj.exe 89 PID 4880 wrote to memory of 984 4880 Jkfkfohj.exe 89 PID 4880 wrote to memory of 984 4880 Jkfkfohj.exe 89 PID 984 wrote to memory of 1984 984 Kdopod32.exe 90 PID 984 wrote to memory of 1984 984 Kdopod32.exe 90 PID 984 wrote to memory of 1984 984 Kdopod32.exe 90 PID 1984 wrote to memory of 5056 1984 Kkihknfg.exe 91 PID 1984 wrote to memory of 5056 1984 Kkihknfg.exe 91 PID 1984 wrote to memory of 5056 1984 Kkihknfg.exe 91 PID 5056 wrote to memory of 1632 5056 Kkkdan32.exe 92 PID 5056 wrote to memory of 1632 5056 Kkkdan32.exe 92 PID 5056 wrote to memory of 1632 5056 Kkkdan32.exe 92 PID 1632 wrote to memory of 3496 1632 Kphmie32.exe 94 PID 1632 wrote to memory of 3496 1632 Kphmie32.exe 94 PID 1632 wrote to memory of 3496 1632 Kphmie32.exe 94 PID 3496 wrote to memory of 4660 3496 Kgbefoji.exe 95 PID 3496 wrote to memory of 4660 3496 Kgbefoji.exe 95 PID 3496 wrote to memory of 4660 3496 Kgbefoji.exe 95 PID 4660 wrote to memory of 4628 4660 Kcifkp32.exe 96 PID 4660 wrote to memory of 4628 4660 Kcifkp32.exe 96 PID 4660 wrote to memory of 4628 4660 Kcifkp32.exe 96 PID 4628 wrote to memory of 4864 4628 Kajfig32.exe 97 PID 4628 wrote to memory of 4864 4628 Kajfig32.exe 97 PID 4628 wrote to memory of 4864 4628 Kajfig32.exe 97 PID 4864 wrote to memory of 3960 4864 Kgfoan32.exe 99 PID 4864 wrote to memory of 3960 4864 Kgfoan32.exe 99 PID 4864 wrote to memory of 3960 4864 Kgfoan32.exe 99 PID 3960 wrote to memory of 2708 3960 Liggbi32.exe 100 PID 3960 wrote to memory of 2708 3960 Liggbi32.exe 100 PID 3960 wrote to memory of 2708 3960 Liggbi32.exe 100 PID 2708 wrote to memory of 3492 2708 Laopdgcg.exe 101 PID 2708 wrote to memory of 3492 2708 Laopdgcg.exe 101 PID 2708 wrote to memory of 3492 2708 Laopdgcg.exe 101 PID 3492 wrote to memory of 2336 3492 Lpcmec32.exe 102 PID 3492 wrote to memory of 2336 3492 Lpcmec32.exe 102 PID 3492 wrote to memory of 2336 3492 Lpcmec32.exe 102 PID 2336 wrote to memory of 3120 2336 Lgneampk.exe 103 PID 2336 wrote to memory of 3120 2336 Lgneampk.exe 103 PID 2336 wrote to memory of 3120 2336 Lgneampk.exe 103 PID 3120 wrote to memory of 464 3120 Lpfijcfl.exe 105 PID 3120 wrote to memory of 464 3120 Lpfijcfl.exe 105 PID 3120 wrote to memory of 464 3120 Lpfijcfl.exe 105 PID 464 wrote to memory of 2248 464 Lgpagm32.exe 106 PID 464 wrote to memory of 2248 464 Lgpagm32.exe 106 PID 464 wrote to memory of 2248 464 Lgpagm32.exe 106 PID 2248 wrote to memory of 4984 2248 Laefdf32.exe 107 PID 2248 wrote to memory of 4984 2248 Laefdf32.exe 107 PID 2248 wrote to memory of 4984 2248 Laefdf32.exe 107 PID 4984 wrote to memory of 3888 4984 Lknjmkdo.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\02030d14465485d4d6de2f522dba8470_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\02030d14465485d4d6de2f522dba8470_NEAS.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe23⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe24⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe25⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe27⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe29⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe30⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe31⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe32⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe33⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe34⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe35⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe36⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe37⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe38⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe39⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe40⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe41⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3532 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe43⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe44⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe46⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe47⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe48⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe49⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe50⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4972 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe52⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe53⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe54⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe55⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe56⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe57⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe58⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe59⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe60⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe61⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3300 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe63⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe64⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe65⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe66⤵PID:548
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe67⤵PID:2024
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe68⤵PID:3516
-
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe69⤵PID:2032
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe70⤵PID:5072
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe71⤵PID:5060
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe72⤵PID:2732
-
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe73⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe74⤵
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe75⤵PID:224
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe76⤵PID:1428
-
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe77⤵PID:4416
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe78⤵PID:4860
-
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe79⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe80⤵PID:3408
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe81⤵PID:2444
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe82⤵
- Modifies registry class
PID:4948 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe83⤵PID:1400
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe84⤵PID:1876
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe85⤵PID:1472
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe86⤵PID:2976
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe87⤵PID:4648
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe88⤵PID:3396
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe89⤵PID:4440
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe90⤵PID:2904
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe91⤵PID:4632
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe92⤵PID:5084
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe93⤵PID:4940
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe94⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe95⤵PID:5176
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe96⤵PID:5216
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe97⤵PID:5256
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe98⤵PID:5296
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe99⤵PID:5332
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe100⤵PID:5376
-
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe101⤵PID:5416
-
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe102⤵PID:5456
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe103⤵PID:5496
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe104⤵PID:5536
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5576 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe106⤵PID:5616
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe107⤵PID:5656
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe108⤵PID:5708
-
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5752 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe110⤵PID:5792
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe111⤵PID:5832
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe112⤵PID:5904
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe113⤵PID:5944
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe114⤵PID:5980
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe115⤵PID:6048
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe116⤵PID:6096
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe117⤵PID:4744
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe118⤵PID:5204
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe119⤵PID:5288
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe120⤵PID:5364
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5464
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-