Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
28-10-2023 20:16
Behavioral task
behavioral1
Sample
NEAS.e2b0311932916b2b2a7bdd726ffef610.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e2b0311932916b2b2a7bdd726ffef610.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.e2b0311932916b2b2a7bdd726ffef610.exe
-
Size
169KB
-
MD5
e2b0311932916b2b2a7bdd726ffef610
-
SHA1
0f2bd26467ec1ac718a14ff33ef44dc4df760143
-
SHA256
45ade39d1d06fa805db44786e5df17c9b2ae73bd447675146d3deeea1195c4e5
-
SHA512
03da79b93570212ae1e01d36eee1e619175b07030ea4638956ec135ac7a7f0d839addc2903ba2b558d32d390b4ed9600010673030814d54e4ebc83371d36bba7
-
SSDEEP
3072:cxrBl8JIKhuBjjs2KfuLIC7PxMeEvPOdgujv6NLPfFFrKP92f65Ha:8lxxcfuLB7JML3OdgawrFZKPf9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhcbodf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afpbkicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cflkpblf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadlbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimhmkgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpmbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmibn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccahbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjdfgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidgdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qffoejkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeaiij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ienlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bflagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhnichde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbaclegm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jclljaei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oogdfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjjahe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbiamhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjbdbjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lopmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adbkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjmpfdhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Incdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oggbfdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjdokb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefbdjgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcncodki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehafq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eangjkkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglgjeci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhgbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogcgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflceb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfgloiqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajodef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cghgpgqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehdib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eflceb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfcdnjc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janghmia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbifol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poaqemao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eemgkpef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckcap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aioebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfemdcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moiheebb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abpmpkoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igieoleg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inmgmijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njmejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnamofdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmiikh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhoeef32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2116-0-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-6.dat family_berbew behavioral2/memory/4832-8-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/memory/4728-16-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0007000000022de9-15.dat family_berbew behavioral2/files/0x0007000000022de9-14.dat family_berbew behavioral2/files/0x00090000000222f4-7.dat family_berbew behavioral2/files/0x0006000000022ded-22.dat family_berbew behavioral2/files/0x0006000000022ded-23.dat family_berbew behavioral2/memory/3756-24-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022df0-30.dat family_berbew behavioral2/memory/3500-32-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022df2-38.dat family_berbew behavioral2/memory/412-39-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022df2-40.dat family_berbew behavioral2/files/0x0006000000022df0-31.dat family_berbew behavioral2/files/0x0006000000022df4-46.dat family_berbew behavioral2/files/0x0006000000022df4-48.dat family_berbew behavioral2/memory/3032-47-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022df5-54.dat family_berbew behavioral2/memory/2812-55-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022df5-56.dat family_berbew behavioral2/files/0x0006000000022df7-57.dat family_berbew behavioral2/files/0x0006000000022df7-62.dat family_berbew behavioral2/files/0x0006000000022df7-64.dat family_berbew behavioral2/memory/3368-63-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022dfc-70.dat family_berbew behavioral2/memory/3876-71-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022dfc-72.dat family_berbew behavioral2/memory/2116-77-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/memory/4832-78-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e02-80.dat family_berbew behavioral2/memory/3968-81-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e02-82.dat family_berbew behavioral2/files/0x0006000000022e05-88.dat family_berbew behavioral2/memory/4728-89-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e05-90.dat family_berbew behavioral2/memory/2764-91-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e07-97.dat family_berbew behavioral2/memory/3756-98-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e07-99.dat family_berbew behavioral2/memory/3500-100-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e09-106.dat family_berbew behavioral2/files/0x0006000000022e09-107.dat family_berbew behavioral2/memory/2576-109-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/memory/2452-108-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0b-115.dat family_berbew behavioral2/memory/412-116-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0b-117.dat family_berbew behavioral2/memory/3104-118-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/memory/3032-125-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/memory/2564-130-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0d-126.dat family_berbew behavioral2/files/0x0006000000022e0d-124.dat family_berbew behavioral2/files/0x0006000000022e0f-133.dat family_berbew behavioral2/files/0x0006000000022e11-142.dat family_berbew behavioral2/files/0x0006000000022e11-144.dat family_berbew behavioral2/memory/3368-143-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/memory/4056-140-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/memory/3876-145-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/memory/2812-135-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e13-152.dat family_berbew behavioral2/memory/4204-154-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral2/files/0x0006000000022e13-153.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4832 Gfbibikg.exe 4728 Gnmnfkia.exe 3756 Ghbbcd32.exe 3500 Hffcmh32.exe 412 Hfipbh32.exe 3032 Hnddgjbj.exe 2812 Hocqam32.exe 3368 Hbdjchgn.exe 3876 Hkmnln32.exe 3968 Inmgmijo.exe 2764 Lnqeqd32.exe 2452 Lhijijbg.exe 2576 Lhkgoiqe.exe 3104 Lflgmqhd.exe 2564 Leadnm32.exe 4056 Mpghkf32.exe 5108 Mhbmphjm.exe 4204 Mfcmmp32.exe 4180 Mplafeil.exe 4700 Midfokpm.exe 1352 Mekgdl32.exe 3504 Mfjcnold.exe 5112 Nhlpfgbb.exe 1572 Neppokal.exe 5104 Nbcqiope.exe 4476 Ncfmno32.exe 1528 Nhbfff32.exe 2772 Nheble32.exe 2680 Oeicejia.exe 4112 Oghppm32.exe 1480 Olehhc32.exe 4592 Oiihahme.exe 2692 Ogmijllo.exe 3260 Opemca32.exe 2840 Ojnblg32.exe 244 Pgbbek32.exe 680 Phcomcng.exe 3240 Pgdokkfg.exe 3140 Pckppl32.exe 3580 Phhhhc32.exe 4792 Poaqemao.exe 4852 Ppamophb.exe 3816 Pjjahe32.exe 4224 Pofjpl32.exe 2484 Qhonib32.exe 1732 Qoifflkg.exe 4292 Qqhcpo32.exe 3352 Afelhf32.exe 4944 Aqkpeopg.exe 2240 Ajcdnd32.exe 3268 Aopmfk32.exe 4980 Afjeceml.exe 3524 Amcmpodi.exe 708 Agiamhdo.exe 4288 Aijnep32.exe 4684 Aodfajaj.exe 380 Aglnbhal.exe 1760 Aimkjp32.exe 4364 Bogcgj32.exe 2336 Bfqkddfd.exe 4624 Biogppeg.exe 3380 Bcelmhen.exe 4756 Bjodjb32.exe 2720 Bcghch32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hhljen32.dll Khhaanop.exe File created C:\Windows\SysWOW64\Nncoaq32.exe Nkebee32.exe File created C:\Windows\SysWOW64\Apqddgbj.dll Nncoaq32.exe File opened for modification C:\Windows\SysWOW64\Nagngjmj.exe Njmejp32.exe File created C:\Windows\SysWOW64\Mgkjch32.exe Mejnlpai.exe File created C:\Windows\SysWOW64\Mnpkiqbe.dll Jjdokb32.exe File opened for modification C:\Windows\SysWOW64\Jbncbpqd.exe Jjgkab32.exe File opened for modification C:\Windows\SysWOW64\Aeopfl32.exe Aflpkpjm.exe File created C:\Windows\SysWOW64\Hodqlq32.exe Gjghdj32.exe File opened for modification C:\Windows\SysWOW64\Olehhc32.exe Oghppm32.exe File opened for modification C:\Windows\SysWOW64\Jdopjh32.exe Jbncbpqd.exe File created C:\Windows\SysWOW64\Bnppkj32.exe Bichcc32.exe File created C:\Windows\SysWOW64\Pdjgha32.exe Pmpolgoi.exe File created C:\Windows\SysWOW64\Donklfgn.dll Ajodef32.exe File created C:\Windows\SysWOW64\Miaajlho.dll Bjaqpbkh.exe File created C:\Windows\SysWOW64\Ljnakk32.dll Koimbpbc.exe File created C:\Windows\SysWOW64\Pkjdhm32.dll Afqifo32.exe File opened for modification C:\Windows\SysWOW64\Meadlo32.exe Mmjlkb32.exe File opened for modification C:\Windows\SysWOW64\Ehkcgkdj.exe Eemgkpef.exe File created C:\Windows\SysWOW64\Jcihjl32.exe Jqklnp32.exe File created C:\Windows\SysWOW64\Ginlmijp.dll Lflgmqhd.exe File created C:\Windows\SysWOW64\Aahgec32.dll Beoimjce.exe File opened for modification C:\Windows\SysWOW64\Cbjogmlf.exe Clpgkcdj.exe File created C:\Windows\SysWOW64\Mklpof32.exe Mdagbl32.exe File opened for modification C:\Windows\SysWOW64\Pfpidk32.exe Pnfdnnbo.exe File created C:\Windows\SysWOW64\Fbhnec32.exe Efampahd.exe File created C:\Windows\SysWOW64\Aqpika32.exe Qnamofdf.exe File opened for modification C:\Windows\SysWOW64\Iglhob32.exe Ienlbf32.exe File created C:\Windows\SysWOW64\Nemchn32.exe Nockkcjg.exe File created C:\Windows\SysWOW64\Qhghge32.exe Qnbdjl32.exe File created C:\Windows\SysWOW64\Ndhqmknd.dll Chkjpm32.exe File created C:\Windows\SysWOW64\Oefaplcm.dll Fochecog.exe File opened for modification C:\Windows\SysWOW64\Ldanloba.exe Ljijci32.exe File opened for modification C:\Windows\SysWOW64\Ohbfeh32.exe Oediim32.exe File opened for modification C:\Windows\SysWOW64\Gchflq32.exe Glnnofhi.exe File opened for modification C:\Windows\SysWOW64\Npiiffqe.exe Nnhmnn32.exe File created C:\Windows\SysWOW64\Qaqegecm.exe Qobhkjdi.exe File opened for modification C:\Windows\SysWOW64\Jqhphq32.exe Ijngkf32.exe File created C:\Windows\SysWOW64\Nocckb32.dll Efhcbodf.exe File opened for modification C:\Windows\SysWOW64\Kfnfjehl.exe Kcpjnjii.exe File created C:\Windows\SysWOW64\Eelche32.dll Kcpjnjii.exe File created C:\Windows\SysWOW64\Ilcdofmo.dll Hkmnln32.exe File opened for modification C:\Windows\SysWOW64\Pmpolgoi.exe Pjbcplpe.exe File created C:\Windows\SysWOW64\Egilaj32.dll Qmgelf32.exe File created C:\Windows\SysWOW64\Jhmhpfmi.exe Jnedgq32.exe File created C:\Windows\SysWOW64\Pfkpiled.exe Poagma32.exe File created C:\Windows\SysWOW64\Minipm32.exe Mdaqhf32.exe File opened for modification C:\Windows\SysWOW64\Nmbjcljl.exe Mjcngpjh.exe File created C:\Windows\SysWOW64\Ehofco32.dll Mgbpdgap.exe File created C:\Windows\SysWOW64\Ealijm32.dll Oafacn32.exe File opened for modification C:\Windows\SysWOW64\Ngklppei.exe Ndmpddfe.exe File created C:\Windows\SysWOW64\Bogcgj32.exe Aimkjp32.exe File created C:\Windows\SysWOW64\Jaljbmkd.exe Iloajfml.exe File opened for modification C:\Windows\SysWOW64\Necqbo32.exe Moiheebb.exe File created C:\Windows\SysWOW64\Eaoimpil.dll Cjdfgc32.exe File created C:\Windows\SysWOW64\Ojnblg32.exe Opemca32.exe File created C:\Windows\SysWOW64\Abdoqd32.exe Agnkck32.exe File created C:\Windows\SysWOW64\Lhgkmjog.dll Adbkmo32.exe File created C:\Windows\SysWOW64\Aopmfk32.exe Ajcdnd32.exe File created C:\Windows\SysWOW64\Djbehfpe.dll Cdjlap32.exe File opened for modification C:\Windows\SysWOW64\Ajjjjghg.exe Adnbapjp.exe File created C:\Windows\SysWOW64\Impjjbmh.dll Aimkjp32.exe File created C:\Windows\SysWOW64\Ejdonq32.exe Dehgejep.exe File opened for modification C:\Windows\SysWOW64\Ljqhkckn.exe Lgbloglj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9484 9424 WerFault.exe 630 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pckppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgjaf32.dll" Aiqkmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmpolgoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlkafdco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpdbjleo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Likcdpop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipegn32.dll" Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpglmjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aooold32.dll" Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfgahikm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfqgkgc.dll" Hjlaoioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gekmam32.dll" Ddcqedkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpmifkgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqhphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbaqaamj.dll" Mdokmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nockkcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clpgkcdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phhhhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biogppeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omgmeigd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioejo32.dll" Lfddci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemqkk32.dll" Agobna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idhiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfgefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabbod32.dll" Ehhpla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biedhclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Likcdpop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abipfifn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjnndime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll" Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll" Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnoch32.dll" Cpifeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Malnklgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceeaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll" Jhhodg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qckfid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjghdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfgji32.dll" Lmnlpcel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelche32.dll" Kcpjnjii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jaljbmkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pofjpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acbmjcgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akdbqm32.dll" Hocqam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll" Qkdohg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldhdlnli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqpika32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mekgdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmgmhgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnailf32.dll" Omlkmign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogdofo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnlpgibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miagbi32.dll" Canocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogcike32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agobna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpifeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjbdbjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll" Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iloajfml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnfpc32.dll" Kbgfhnhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaqejcep.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2116 wrote to memory of 4832 2116 NEAS.e2b0311932916b2b2a7bdd726ffef610.exe 85 PID 2116 wrote to memory of 4832 2116 NEAS.e2b0311932916b2b2a7bdd726ffef610.exe 85 PID 2116 wrote to memory of 4832 2116 NEAS.e2b0311932916b2b2a7bdd726ffef610.exe 85 PID 4832 wrote to memory of 4728 4832 Gfbibikg.exe 86 PID 4832 wrote to memory of 4728 4832 Gfbibikg.exe 86 PID 4832 wrote to memory of 4728 4832 Gfbibikg.exe 86 PID 4728 wrote to memory of 3756 4728 Gnmnfkia.exe 87 PID 4728 wrote to memory of 3756 4728 Gnmnfkia.exe 87 PID 4728 wrote to memory of 3756 4728 Gnmnfkia.exe 87 PID 3756 wrote to memory of 3500 3756 Ghbbcd32.exe 88 PID 3756 wrote to memory of 3500 3756 Ghbbcd32.exe 88 PID 3756 wrote to memory of 3500 3756 Ghbbcd32.exe 88 PID 3500 wrote to memory of 412 3500 Hffcmh32.exe 89 PID 3500 wrote to memory of 412 3500 Hffcmh32.exe 89 PID 3500 wrote to memory of 412 3500 Hffcmh32.exe 89 PID 412 wrote to memory of 3032 412 Hfipbh32.exe 90 PID 412 wrote to memory of 3032 412 Hfipbh32.exe 90 PID 412 wrote to memory of 3032 412 Hfipbh32.exe 90 PID 3032 wrote to memory of 2812 3032 Hnddgjbj.exe 92 PID 3032 wrote to memory of 2812 3032 Hnddgjbj.exe 92 PID 3032 wrote to memory of 2812 3032 Hnddgjbj.exe 92 PID 2812 wrote to memory of 3368 2812 Hocqam32.exe 93 PID 2812 wrote to memory of 3368 2812 Hocqam32.exe 93 PID 2812 wrote to memory of 3368 2812 Hocqam32.exe 93 PID 3368 wrote to memory of 3876 3368 Hbdjchgn.exe 94 PID 3368 wrote to memory of 3876 3368 Hbdjchgn.exe 94 PID 3368 wrote to memory of 3876 3368 Hbdjchgn.exe 94 PID 3876 wrote to memory of 3968 3876 Hkmnln32.exe 95 PID 3876 wrote to memory of 3968 3876 Hkmnln32.exe 95 PID 3876 wrote to memory of 3968 3876 Hkmnln32.exe 95 PID 3968 wrote to memory of 2764 3968 Inmgmijo.exe 96 PID 3968 wrote to memory of 2764 3968 Inmgmijo.exe 96 PID 3968 wrote to memory of 2764 3968 Inmgmijo.exe 96 PID 2764 wrote to memory of 2452 2764 Lnqeqd32.exe 97 PID 2764 wrote to memory of 2452 2764 Lnqeqd32.exe 97 PID 2764 wrote to memory of 2452 2764 Lnqeqd32.exe 97 PID 2452 wrote to memory of 2576 2452 Lhijijbg.exe 98 PID 2452 wrote to memory of 2576 2452 Lhijijbg.exe 98 PID 2452 wrote to memory of 2576 2452 Lhijijbg.exe 98 PID 2576 wrote to memory of 3104 2576 Lhkgoiqe.exe 100 PID 2576 wrote to memory of 3104 2576 Lhkgoiqe.exe 100 PID 2576 wrote to memory of 3104 2576 Lhkgoiqe.exe 100 PID 3104 wrote to memory of 2564 3104 Lflgmqhd.exe 101 PID 3104 wrote to memory of 2564 3104 Lflgmqhd.exe 101 PID 3104 wrote to memory of 2564 3104 Lflgmqhd.exe 101 PID 2564 wrote to memory of 4056 2564 Leadnm32.exe 102 PID 2564 wrote to memory of 4056 2564 Leadnm32.exe 102 PID 2564 wrote to memory of 4056 2564 Leadnm32.exe 102 PID 4056 wrote to memory of 5108 4056 Mpghkf32.exe 103 PID 4056 wrote to memory of 5108 4056 Mpghkf32.exe 103 PID 4056 wrote to memory of 5108 4056 Mpghkf32.exe 103 PID 5108 wrote to memory of 4204 5108 Mhbmphjm.exe 104 PID 5108 wrote to memory of 4204 5108 Mhbmphjm.exe 104 PID 5108 wrote to memory of 4204 5108 Mhbmphjm.exe 104 PID 4204 wrote to memory of 4180 4204 Mfcmmp32.exe 105 PID 4204 wrote to memory of 4180 4204 Mfcmmp32.exe 105 PID 4204 wrote to memory of 4180 4204 Mfcmmp32.exe 105 PID 4180 wrote to memory of 4700 4180 Mplafeil.exe 106 PID 4180 wrote to memory of 4700 4180 Mplafeil.exe 106 PID 4180 wrote to memory of 4700 4180 Mplafeil.exe 106 PID 4700 wrote to memory of 1352 4700 Midfokpm.exe 107 PID 4700 wrote to memory of 1352 4700 Midfokpm.exe 107 PID 4700 wrote to memory of 1352 4700 Midfokpm.exe 107 PID 1352 wrote to memory of 3504 1352 Mekgdl32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e2b0311932916b2b2a7bdd726ffef610.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e2b0311932916b2b2a7bdd726ffef610.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe23⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe24⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe25⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe26⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe27⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe28⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe29⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe30⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4112 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe32⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe33⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe34⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3260 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe36⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe37⤵
- Executes dropped EXE
PID:244 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe38⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe39⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3580 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe43⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe46⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe47⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe48⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe49⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe50⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe52⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe53⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe54⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe55⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe56⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe57⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe58⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe61⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4624 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe63⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe64⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe65⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe66⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe67⤵PID:4588
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe69⤵PID:932
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe70⤵PID:4940
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4716 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe72⤵PID:3280
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4780 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe74⤵PID:3320
-
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3384 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe76⤵PID:2588
-
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe77⤵PID:4744
-
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe78⤵PID:4220
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe79⤵PID:4160
-
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe80⤵PID:1532
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe81⤵PID:1592
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe82⤵PID:1028
-
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe83⤵PID:3744
-
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe85⤵PID:3972
-
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe86⤵PID:4240
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe87⤵
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe88⤵PID:1628
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe89⤵PID:3188
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe90⤵PID:2496
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4948 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe92⤵PID:5140
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe93⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe95⤵PID:5268
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe96⤵PID:5308
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe97⤵PID:5348
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe98⤵PID:5392
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe100⤵PID:5480
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe101⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe102⤵PID:5624
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe103⤵PID:5684
-
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe104⤵PID:5748
-
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5812 -
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe106⤵PID:5856
-
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5900 -
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe108⤵PID:5948
-
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe109⤵PID:5984
-
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Kfnfjehl.exeC:\Windows\system32\Kfnfjehl.exe111⤵PID:6084
-
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe112⤵
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Kofkbk32.exeC:\Windows\system32\Kofkbk32.exe113⤵PID:5212
-
C:\Windows\SysWOW64\Kfpcoefj.exeC:\Windows\system32\Kfpcoefj.exe114⤵PID:5332
-
C:\Windows\SysWOW64\Lljklo32.exeC:\Windows\system32\Lljklo32.exe115⤵PID:5400
-
C:\Windows\SysWOW64\Lcdciiec.exeC:\Windows\system32\Lcdciiec.exe116⤵PID:5464
-
C:\Windows\SysWOW64\Ljnlecmp.exeC:\Windows\system32\Ljnlecmp.exe117⤵PID:5524
-
C:\Windows\SysWOW64\Lqhdbm32.exeC:\Windows\system32\Lqhdbm32.exe118⤵PID:5576
-
C:\Windows\SysWOW64\Lgbloglj.exeC:\Windows\system32\Lgbloglj.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Ljqhkckn.exeC:\Windows\system32\Ljqhkckn.exe120⤵PID:2128
-
C:\Windows\SysWOW64\Llodgnja.exeC:\Windows\system32\Llodgnja.exe121⤵PID:4676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-