Analysis
-
max time kernel
54s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 17:53
Behavioral task
behavioral1
Sample
NEAS.b8a1f87ffba6cbbcf685e45726efc7b1.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b8a1f87ffba6cbbcf685e45726efc7b1.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.b8a1f87ffba6cbbcf685e45726efc7b1.exe
-
Size
196KB
-
MD5
b8a1f87ffba6cbbcf685e45726efc7b1
-
SHA1
d9f1fef1b415f4e1fdca8778caa06a3469fc4c48
-
SHA256
5b1656faee4f07163b1d899a963a9570e5326211c431ed1080ddde14dc1c2fe9
-
SHA512
afaca0fc96340f8894c0495dbe747006f72d5f7212b9bcf2c7d56c8f4c79eb51337254cc8b3c21568e224aab19bb0b4975fd6a0ef373c6c5a4849ec5249d6659
-
SSDEEP
3072:8Sw5jgUm6GFohePKigyYq4YJH681+jq2832dp5Xp+7+10K0k7SS6S+psBB6sI69F:6ti1KBTsa81+jq4peBK02SjSM0zI6rH
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdecgbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmhdmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bijncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggdbmoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdehlip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjknakhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aklciimh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfheof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpaeehj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgqopeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfdojfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnlgjlb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimelg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmblagmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jclljaei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbqonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgmpkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommceclc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdbgncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgfbbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfaqcclf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cihjeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laeoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omgmeigd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqdfmajd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmglk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkcmild.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmlhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidnkkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahfkimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcfjfqah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Impliekg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppffec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bndjfjhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqpamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaplqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piapkbeg.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000022d50-7.dat family_berbew behavioral2/files/0x0007000000022d50-9.dat family_berbew behavioral2/files/0x0007000000022d5e-15.dat family_berbew behavioral2/files/0x0007000000022d5e-16.dat family_berbew behavioral2/files/0x0007000000022d62-23.dat family_berbew behavioral2/files/0x0007000000022d62-25.dat family_berbew behavioral2/files/0x0006000000022d71-31.dat family_berbew behavioral2/files/0x0006000000022d71-32.dat family_berbew behavioral2/files/0x0006000000022d73-39.dat family_berbew behavioral2/files/0x0006000000022d73-41.dat family_berbew behavioral2/files/0x0006000000022d75-47.dat family_berbew behavioral2/files/0x0006000000022d75-48.dat family_berbew behavioral2/files/0x0006000000022d77-55.dat family_berbew behavioral2/files/0x0008000000022d4b-63.dat family_berbew behavioral2/files/0x0006000000022d77-56.dat family_berbew behavioral2/files/0x0008000000022d4b-65.dat family_berbew behavioral2/files/0x0006000000022d7c-80.dat family_berbew behavioral2/files/0x0006000000022d7c-79.dat family_berbew behavioral2/files/0x0006000000022d7e-88.dat family_berbew behavioral2/files/0x0006000000022d7e-87.dat family_berbew behavioral2/files/0x0006000000022d7a-72.dat family_berbew behavioral2/files/0x0006000000022d7a-71.dat family_berbew behavioral2/files/0x0006000000022d80-96.dat family_berbew behavioral2/files/0x0006000000022d80-95.dat family_berbew behavioral2/files/0x0006000000022d82-103.dat family_berbew behavioral2/files/0x0006000000022d82-105.dat family_berbew behavioral2/files/0x0006000000022d84-112.dat family_berbew behavioral2/files/0x0006000000022d84-114.dat family_berbew behavioral2/files/0x0006000000022d86-120.dat family_berbew behavioral2/files/0x0006000000022d86-121.dat family_berbew behavioral2/files/0x0006000000022d88-128.dat family_berbew behavioral2/files/0x0006000000022d88-130.dat family_berbew behavioral2/files/0x0006000000022d8a-136.dat family_berbew behavioral2/files/0x0006000000022d8a-138.dat family_berbew behavioral2/files/0x0006000000022d8c-139.dat family_berbew behavioral2/files/0x0006000000022d8c-144.dat family_berbew behavioral2/files/0x0006000000022d8c-146.dat family_berbew behavioral2/files/0x0006000000022d8e-152.dat family_berbew behavioral2/files/0x0006000000022d90-160.dat family_berbew behavioral2/files/0x0006000000022d90-161.dat family_berbew behavioral2/files/0x0006000000022d8e-153.dat family_berbew behavioral2/files/0x0006000000022d92-168.dat family_berbew behavioral2/files/0x0006000000022d92-169.dat family_berbew behavioral2/files/0x0006000000022d94-176.dat family_berbew behavioral2/files/0x0006000000022d94-178.dat family_berbew behavioral2/files/0x0006000000022d96-184.dat family_berbew behavioral2/files/0x0006000000022d96-186.dat family_berbew behavioral2/files/0x0006000000022d98-192.dat family_berbew behavioral2/files/0x0006000000022d98-193.dat family_berbew behavioral2/files/0x0006000000022d9a-200.dat family_berbew behavioral2/files/0x0006000000022d9a-202.dat family_berbew behavioral2/files/0x0006000000022d9c-208.dat family_berbew behavioral2/files/0x0006000000022d9c-209.dat family_berbew behavioral2/files/0x0006000000022d9e-216.dat family_berbew behavioral2/files/0x0006000000022d9e-217.dat family_berbew behavioral2/files/0x0006000000022da0-219.dat family_berbew behavioral2/files/0x0006000000022da0-224.dat family_berbew behavioral2/files/0x0006000000022da0-226.dat family_berbew behavioral2/files/0x0006000000022da2-232.dat family_berbew behavioral2/files/0x0006000000022da2-234.dat family_berbew behavioral2/files/0x0006000000022da4-240.dat family_berbew behavioral2/files/0x0006000000022da4-242.dat family_berbew behavioral2/files/0x0006000000022da6-248.dat family_berbew behavioral2/files/0x0006000000022da6-250.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2008 Ccdnjp32.exe 4292 Cmmbbejp.exe 3820 Dbjkkl32.exe 2644 Dkdliame.exe 1584 Dmdhcddh.exe 3564 Djhimica.exe 2916 Dfoiaj32.exe 4956 Dpgnjo32.exe 2084 Elnoopdj.exe 1480 Emmkiclm.exe 4428 Efepbi32.exe 1980 Elbhjp32.exe 4556 Ejchhgid.exe 1684 Efjimhnh.exe 4856 Ffmfchle.exe 2104 Fbcfhibj.exe 4968 Fdccbl32.exe 4420 Fjohde32.exe 1200 Fmpqfq32.exe 1880 Gfheof32.exe 3848 Gpqjglii.exe 960 Giinpa32.exe 912 Gmggfp32.exe 400 Glldgljg.exe 4596 Kcbnnpka.exe 4460 Lgqfdnah.exe 3024 Lmmolepp.exe 224 Lgepom32.exe 5116 Lclpdncg.exe 1916 Lqpamb32.exe 5044 Lqbncb32.exe 412 Madjhb32.exe 2076 Mmkkmc32.exe 3264 Mgaokl32.exe 4180 Mnkggfkb.exe 4344 Mjahlgpf.exe 3840 Mjdebfnd.exe 1756 Manmoq32.exe 3104 Njfagf32.exe 2148 Ncofplba.exe 3620 Nndjndbh.exe 3556 Nlhkgi32.exe 3328 Naecop32.exe 1524 Njmhhefi.exe 1568 Nhahaiec.exe 2932 Najmjokc.exe 2788 Oloahhki.exe 3140 Oalipoiq.exe 4576 Ojdnid32.exe 2728 Ohhnbhok.exe 4868 Omegjomb.exe 5072 Ojigdcll.exe 944 Okkdic32.exe 3572 Paelfmaf.exe 3268 Plkpcfal.exe 2696 Pecellgl.exe 4200 Plmmif32.exe 860 Pefabkej.exe 3128 Pmaffnce.exe 4012 Plbfdekd.exe 4204 Pejkmk32.exe 1576 Pldcjeia.exe 3748 Qmepam32.exe 4796 Qlgpod32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pjcikejg.exe Process not Found File created C:\Windows\SysWOW64\Aijdpd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bomkcm32.exe Bdgged32.exe File created C:\Windows\SysWOW64\Bfolacnc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nfpghccm.exe Nkjckkcg.exe File opened for modification C:\Windows\SysWOW64\Pbljoafi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Becknc32.exe Bnicai32.exe File opened for modification C:\Windows\SysWOW64\Iqmplbpl.exe Hhehkepj.exe File created C:\Windows\SysWOW64\Ipdndloi.exe Ieojgc32.exe File opened for modification C:\Windows\SysWOW64\Ilkoim32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jmgmhgig.exe Jgjeppkp.exe File created C:\Windows\SysWOW64\Jedoeg32.dll Pocdba32.exe File created C:\Windows\SysWOW64\Ojajin32.exe Ocgbld32.exe File created C:\Windows\SysWOW64\Mcbpjg32.exe Dngobghg.exe File created C:\Windows\SysWOW64\Ilgonc32.dll Pmlfqh32.exe File opened for modification C:\Windows\SysWOW64\Joqafgni.exe Nhcbidcd.exe File created C:\Windows\SysWOW64\Ogajpp32.dll Cgfbbb32.exe File opened for modification C:\Windows\SysWOW64\Dpmcmf32.exe Dickplko.exe File created C:\Windows\SysWOW64\Mejnlpai.exe Process not Found File created C:\Windows\SysWOW64\Addaif32.exe Amjillkj.exe File created C:\Windows\SysWOW64\Fkaokcqj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Piapkbeg.exe Pbhgoh32.exe File created C:\Windows\SysWOW64\Biklho32.exe Process not Found File created C:\Windows\SysWOW64\Foolmeif.dll Ddfbgelh.exe File created C:\Windows\SysWOW64\Bjiqiemm.dll Knkcmild.exe File created C:\Windows\SysWOW64\Qhhpop32.exe Pmblagmf.exe File created C:\Windows\SysWOW64\Nkjckkcg.exe Nfnjbdep.exe File created C:\Windows\SysWOW64\Kdogqi32.dll Aidomjaf.exe File opened for modification C:\Windows\SysWOW64\Adkqoohc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iebngial.exe Ipeeobbe.exe File created C:\Windows\SysWOW64\Fboqkn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pnkbkk32.exe Pmlfqh32.exe File created C:\Windows\SysWOW64\Npakijcp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Njjmni32.exe Process not Found File created C:\Windows\SysWOW64\Kfanflne.exe Jepbodhg.exe File created C:\Windows\SysWOW64\Lajhpbme.exe Lokldg32.exe File created C:\Windows\SysWOW64\Nmnpml32.dll Emmkiclm.exe File created C:\Windows\SysWOW64\Keebjojo.dll Ehkcgkdj.exe File opened for modification C:\Windows\SysWOW64\Bphgeo32.exe Bogkmgba.exe File opened for modification C:\Windows\SysWOW64\Iahgad32.exe Ilkoim32.exe File opened for modification C:\Windows\SysWOW64\Kcoccc32.exe Khiofk32.exe File created C:\Windows\SysWOW64\Mhppik32.exe Mmjlkb32.exe File opened for modification C:\Windows\SysWOW64\Afpbkicl.exe Akjnnpcf.exe File opened for modification C:\Windows\SysWOW64\Loighj32.exe Lljklo32.exe File created C:\Windows\SysWOW64\Oenqhaga.dll Dpgnjo32.exe File opened for modification C:\Windows\SysWOW64\Bejobk32.exe Process not Found File created C:\Windows\SysWOW64\Icgbob32.exe Process not Found File created C:\Windows\SysWOW64\Becknc32.exe Bnicai32.exe File created C:\Windows\SysWOW64\Djhimica.exe Dmdhcddh.exe File opened for modification C:\Windows\SysWOW64\Hfhgkmpj.exe Process not Found File created C:\Windows\SysWOW64\Pnkbkk32.exe Pmlfqh32.exe File created C:\Windows\SysWOW64\Mablfnne.exe Mpapnfhg.exe File created C:\Windows\SysWOW64\Fhjaco32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Foonjd32.exe Fhefmjlp.exe File created C:\Windows\SysWOW64\Dbjkkl32.exe Cmmbbejp.exe File created C:\Windows\SysWOW64\Chfhllkp.dll Process not Found File created C:\Windows\SysWOW64\Gefklj32.dll Process not Found File created C:\Windows\SysWOW64\Amhmnagf.dll Jlikkkhn.exe File created C:\Windows\SysWOW64\Ppbjhj32.dll Eennefib.exe File created C:\Windows\SysWOW64\Gkcjcf32.dll Jgjeppkp.exe File created C:\Windows\SysWOW64\Njfagf32.exe Manmoq32.exe File opened for modification C:\Windows\SysWOW64\Coegoe32.exe Cdpcal32.exe File created C:\Windows\SysWOW64\Iamamcop.exe Ghbkdald.exe File created C:\Windows\SysWOW64\Pqolaipg.dll Ooibkpmi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5664 6816 Process not Found 1901 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmebednk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlipbfgc.dll" Dngobghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpank32.dll" Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijjekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgflobdk.dll" Dfcqod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpmhdmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dickplko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcplke32.dll" Knmpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpiplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdpaeehj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkjmlaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oennph32.dll" Qdllffpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkhbi32.dll" Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll" Ilkoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnaecedp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll" Lhnhajba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qamago32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pndhhnda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdllffpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcpka32.dll" Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cndeii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhnhajba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipckmjqi.dll" Dkdliame.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll" Pgbkgmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkmlmnl.dll" Imfdaigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfppoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cidgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcihc32.dll" Gjhonp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdeqk32.dll" Iqgjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onempd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmggcl32.dll" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppdbgncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhehh32.dll" Acqgojmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobgiafa.dll" Diopep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppffec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgfdojfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfojdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpiaimfg.dll" Inebjihf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbknhqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnlenp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqmkfni.dll" Khhaanop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geijac32.dll" Cpmifkgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahcld32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll" Iahgad32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1920 wrote to memory of 2008 1920 NEAS.b8a1f87ffba6cbbcf685e45726efc7b1.exe 83 PID 1920 wrote to memory of 2008 1920 NEAS.b8a1f87ffba6cbbcf685e45726efc7b1.exe 83 PID 1920 wrote to memory of 2008 1920 NEAS.b8a1f87ffba6cbbcf685e45726efc7b1.exe 83 PID 2008 wrote to memory of 4292 2008 Ccdnjp32.exe 84 PID 2008 wrote to memory of 4292 2008 Ccdnjp32.exe 84 PID 2008 wrote to memory of 4292 2008 Ccdnjp32.exe 84 PID 4292 wrote to memory of 3820 4292 Cmmbbejp.exe 85 PID 4292 wrote to memory of 3820 4292 Cmmbbejp.exe 85 PID 4292 wrote to memory of 3820 4292 Cmmbbejp.exe 85 PID 3820 wrote to memory of 2644 3820 Dbjkkl32.exe 86 PID 3820 wrote to memory of 2644 3820 Dbjkkl32.exe 86 PID 3820 wrote to memory of 2644 3820 Dbjkkl32.exe 86 PID 2644 wrote to memory of 1584 2644 Dkdliame.exe 87 PID 2644 wrote to memory of 1584 2644 Dkdliame.exe 87 PID 2644 wrote to memory of 1584 2644 Dkdliame.exe 87 PID 1584 wrote to memory of 3564 1584 Dmdhcddh.exe 88 PID 1584 wrote to memory of 3564 1584 Dmdhcddh.exe 88 PID 1584 wrote to memory of 3564 1584 Dmdhcddh.exe 88 PID 3564 wrote to memory of 2916 3564 Djhimica.exe 89 PID 3564 wrote to memory of 2916 3564 Djhimica.exe 89 PID 3564 wrote to memory of 2916 3564 Djhimica.exe 89 PID 2916 wrote to memory of 4956 2916 Dfoiaj32.exe 90 PID 2916 wrote to memory of 4956 2916 Dfoiaj32.exe 90 PID 2916 wrote to memory of 4956 2916 Dfoiaj32.exe 90 PID 4956 wrote to memory of 2084 4956 Dpgnjo32.exe 91 PID 4956 wrote to memory of 2084 4956 Dpgnjo32.exe 91 PID 4956 wrote to memory of 2084 4956 Dpgnjo32.exe 91 PID 2084 wrote to memory of 1480 2084 Elnoopdj.exe 93 PID 2084 wrote to memory of 1480 2084 Elnoopdj.exe 93 PID 2084 wrote to memory of 1480 2084 Elnoopdj.exe 93 PID 1480 wrote to memory of 4428 1480 Emmkiclm.exe 94 PID 1480 wrote to memory of 4428 1480 Emmkiclm.exe 94 PID 1480 wrote to memory of 4428 1480 Emmkiclm.exe 94 PID 4428 wrote to memory of 1980 4428 Efepbi32.exe 95 PID 4428 wrote to memory of 1980 4428 Efepbi32.exe 95 PID 4428 wrote to memory of 1980 4428 Efepbi32.exe 95 PID 1980 wrote to memory of 4556 1980 Elbhjp32.exe 96 PID 1980 wrote to memory of 4556 1980 Elbhjp32.exe 96 PID 1980 wrote to memory of 4556 1980 Elbhjp32.exe 96 PID 4556 wrote to memory of 1684 4556 Ejchhgid.exe 97 PID 4556 wrote to memory of 1684 4556 Ejchhgid.exe 97 PID 4556 wrote to memory of 1684 4556 Ejchhgid.exe 97 PID 1684 wrote to memory of 4856 1684 Efjimhnh.exe 98 PID 1684 wrote to memory of 4856 1684 Efjimhnh.exe 98 PID 1684 wrote to memory of 4856 1684 Efjimhnh.exe 98 PID 4856 wrote to memory of 2104 4856 Ffmfchle.exe 99 PID 4856 wrote to memory of 2104 4856 Ffmfchle.exe 99 PID 4856 wrote to memory of 2104 4856 Ffmfchle.exe 99 PID 2104 wrote to memory of 4968 2104 Fbcfhibj.exe 100 PID 2104 wrote to memory of 4968 2104 Fbcfhibj.exe 100 PID 2104 wrote to memory of 4968 2104 Fbcfhibj.exe 100 PID 4968 wrote to memory of 4420 4968 Fdccbl32.exe 101 PID 4968 wrote to memory of 4420 4968 Fdccbl32.exe 101 PID 4968 wrote to memory of 4420 4968 Fdccbl32.exe 101 PID 4420 wrote to memory of 1200 4420 Fjohde32.exe 102 PID 4420 wrote to memory of 1200 4420 Fjohde32.exe 102 PID 4420 wrote to memory of 1200 4420 Fjohde32.exe 102 PID 1200 wrote to memory of 1880 1200 Fmpqfq32.exe 104 PID 1200 wrote to memory of 1880 1200 Fmpqfq32.exe 104 PID 1200 wrote to memory of 1880 1200 Fmpqfq32.exe 104 PID 1880 wrote to memory of 3848 1880 Gfheof32.exe 105 PID 1880 wrote to memory of 3848 1880 Gfheof32.exe 105 PID 1880 wrote to memory of 3848 1880 Gfheof32.exe 105 PID 3848 wrote to memory of 960 3848 Gpqjglii.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.b8a1f87ffba6cbbcf685e45726efc7b1.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b8a1f87ffba6cbbcf685e45726efc7b1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe23⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe24⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe25⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe26⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe28⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Lgepom32.exeC:\Windows\system32\Lgepom32.exe29⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Lclpdncg.exeC:\Windows\system32\Lclpdncg.exe30⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Lqbncb32.exeC:\Windows\system32\Lqbncb32.exe32⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe33⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe34⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe35⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Mnkggfkb.exeC:\Windows\system32\Mnkggfkb.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4180 -
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe37⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe38⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe40⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe41⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe42⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe43⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe44⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe45⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Nhahaiec.exeC:\Windows\system32\Nhahaiec.exe46⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe47⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe48⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Oalipoiq.exeC:\Windows\system32\Oalipoiq.exe49⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe50⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe51⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe52⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe53⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe54⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe55⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe56⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe57⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe58⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe59⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe60⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe61⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe62⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe63⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Qmepam32.exeC:\Windows\system32\Qmepam32.exe64⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4796 -
C:\Windows\SysWOW64\Qoelkp32.exeC:\Windows\system32\Qoelkp32.exe66⤵PID:876
-
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe67⤵PID:1596
-
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe68⤵PID:2188
-
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe69⤵
- Drops file in System32 directory
PID:4248 -
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe70⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe71⤵PID:1384
-
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe72⤵PID:4116
-
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe73⤵PID:4660
-
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe74⤵PID:740
-
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe75⤵PID:2052
-
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe76⤵PID:3172
-
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe77⤵PID:2928
-
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe78⤵PID:4392
-
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe79⤵PID:2388
-
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4980 -
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe81⤵PID:2220
-
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe82⤵PID:1784
-
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe83⤵PID:4608
-
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe84⤵PID:4052
-
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe85⤵PID:4584
-
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe86⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe87⤵PID:4496
-
C:\Windows\SysWOW64\Bdickcpo.exeC:\Windows\system32\Bdickcpo.exe88⤵PID:4400
-
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe89⤵PID:800
-
C:\Windows\SysWOW64\Cfipef32.exeC:\Windows\system32\Cfipef32.exe90⤵PID:4896
-
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe91⤵PID:1116
-
C:\Windows\SysWOW64\Cndeii32.exeC:\Windows\system32\Cndeii32.exe92⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe93⤵PID:2948
-
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe94⤵PID:3540
-
C:\Windows\SysWOW64\Chlflabp.exeC:\Windows\system32\Chlflabp.exe95⤵PID:2792
-
C:\Windows\SysWOW64\Cofnik32.exeC:\Windows\system32\Cofnik32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe97⤵PID:992
-
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe98⤵PID:4488
-
C:\Windows\SysWOW64\Cdecgbfa.exeC:\Windows\system32\Cdecgbfa.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4908 -
C:\Windows\SysWOW64\Dokgdkeh.exeC:\Windows\system32\Dokgdkeh.exe100⤵PID:2772
-
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe101⤵PID:856
-
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe102⤵PID:4568
-
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe103⤵PID:5124
-
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe104⤵PID:5164
-
C:\Windows\SysWOW64\Dmadco32.exeC:\Windows\system32\Dmadco32.exe105⤵PID:5212
-
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe106⤵PID:5248
-
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe107⤵PID:5292
-
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe108⤵PID:5332
-
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe109⤵PID:5380
-
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe110⤵PID:5424
-
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe111⤵PID:5464
-
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe112⤵PID:5512
-
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe113⤵PID:5556
-
C:\Windows\SysWOW64\Eicedn32.exeC:\Windows\system32\Eicedn32.exe114⤵PID:5596
-
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe115⤵PID:5644
-
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe116⤵PID:5688
-
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe117⤵PID:5728
-
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe118⤵PID:5772
-
C:\Windows\SysWOW64\Efjbcakl.exeC:\Windows\system32\Efjbcakl.exe119⤵PID:5816
-
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe120⤵PID:5868
-
C:\Windows\SysWOW64\Fflohaij.exeC:\Windows\system32\Fflohaij.exe121⤵PID:5908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-