Analysis
- max time kernel: 115s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2023, 20:44
Behavioral tasks
- behavioral1: sample NEAS.0e157da268aff6160ba929f319b51bd0.exe, resource win7-20231023-en
- behavioral2: sample NEAS.0e157da268aff6160ba929f319b51bd0.exe, resource win10v2004-20231023-en (the task this page reports; every YARA match below is prefixed behavioral2/)
General
- Target: NEAS.0e157da268aff6160ba929f319b51bd0.exe
- Size: 125KB
- MD5: 0e157da268aff6160ba929f319b51bd0
- SHA1: d775aa4610a101b812cf5a936294d39b50e3b7c7
- SHA256: 4677db8a7a289f5ecb48a742324db9fd98a123f758f7a8621693759009de27ab
- SHA512: d9eb92822f4f88298285dd57e9826c2768c367ef1211825b33b7ca419d81c6d172f374cde64bf1104cba4ed8178becd2abbe06281dcde8c91f2f9e311b5c5efb
- SSDEEP: 3072:z075HdhmfUarcF61WdTCn93OGey/ZhJakrPF:z0VHdhmNrc7TCndOGeKTaG
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every IoC in this signature touches one key, ShellServiceObjectDelayLoad (SSODL). Each value under that key holds a CLSID, and Explorer.exe instantiates every listed CLSID at logon, so whatever the CLSID's InProcServer32 points at (see "Modifies registry class" below) is loaded into Explorer without any Run key or service. The sample is 32-bit, so on this x64 image its writes were redirected to the WOW6432Node view of the key.

Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (27 IoCs), by process:
Legjgn32.exe, Process not Found, Bnfoac32.exe, Dmnkdfce.exe, Pjnipc32.exe, Pghaghfn.exe, Npmjij32.exe, Jlikkkhn.exe, Dplebmbl.exe, Apfhajjf.exe, Dhlhcl32.exe, Process not Found, Gijedm32.exe, Mkegbfgp.exe, Hihibbjo.exe, Jkeloa32.exe, Mbibfm32.exe, Ceehcc32.exe, Ghmbhd32.exe, Komoed32.exe, Cjdfgc32.exe, Jbhmnhcm.exe, Mciokcgg.exe, Linmlm32.exe, Npldnp32.exe, Fbihdhhf.exe, Process not Found

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (37 IoCs), by process:
Balfko32.exe, Qibmoa32.exe, Mokdllim.exe, Gmjlmo32.exe, Bfieagka.exe, Knhbflbp.exe, Ncenga32.exe, Bgpggm32.exe, Keinepch.exe, Jkqccbkf.exe, Ajqgbjoh.exe, Cpbgnlfo.exe, Mmiealgc.exe, Moljgeco.exe, Lcbikd32.exe, Pjpokm32.exe, Jbobnf32.exe, Fkbkoo32.exe, Opjponbf.exe, Fffqjfom.exe, Cfmacoep.exe, Biadoeib.exe, Jbmehf32.exe, Bkdqdokk.exe, Almifk32.exe, Pdfjcl32.exe, Fcbehbim.exe, Jgdphm32.exe, Eqalfgll.exe, Pgiojf32.exe, Kjqfmn32.exe, Ecnbgian.exe, Ibjqlj32.exe, Mbjgcnll.exe, Lgfojd32.exe, Bbiamd32.exe, Kbceoped.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

All 64 matches are for the YARA rule family_berbew. Every memory match covers the same image range, 0x0000000000400000-0x0000000000447000; the full resource name is behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000447000-memory.dmp and only <pid>-<n> is listed here.
- memory (21): 1656-0, 348-7, 3148-15, 5068-23, 4660-31, 2840-39, 2736-47, 3244-55, 2600-63, 5116-71, 3976-79, 432-87, 2876-95, 4552-103, 3388-111, 2856-119, 2176-127, 3760-135, 4532-144, 1840-151, 4864-159
- files (43), all under behavioral2/files/: 0x0007000000022cc5-6.dat, 0x0007000000022cc5-8.dat, 0x0008000000022cd9-14.dat, 0x0008000000022cd9-16.dat, 0x0007000000022cc9-22.dat, 0x0007000000022cc9-24.dat, 0x0008000000022cdc-32.dat, 0x0008000000022cdc-30.dat, 0x0008000000022cdf-38.dat, 0x0008000000022cdf-40.dat, 0x0006000000022ce1-46.dat, 0x0006000000022ce1-48.dat, 0x0006000000022ce3-54.dat, 0x0006000000022ce3-56.dat, 0x0006000000022ce5-62.dat, 0x0006000000022ce5-64.dat, 0x0006000000022ce7-70.dat, 0x0006000000022ce7-72.dat, 0x0006000000022ce9-78.dat, 0x0006000000022ce9-80.dat, 0x0006000000022ceb-86.dat, 0x0006000000022ceb-88.dat, 0x0006000000022ced-94.dat, 0x0006000000022ced-96.dat, 0x0006000000022cf3-97.dat, 0x0006000000022cf3-102.dat, 0x0006000000022cf3-104.dat, 0x0006000000022cf5-109.dat, 0x0006000000022cf5-112.dat, 0x0006000000022cf7-118.dat, 0x0006000000022cf7-120.dat, 0x0006000000022cf9-126.dat, 0x0006000000022cf9-128.dat, 0x0006000000022cfb-134.dat, 0x0006000000022cfb-136.dat, 0x0006000000022cfd-137.dat, 0x0006000000022cfd-142.dat, 0x0006000000022cfd-143.dat, 0x0006000000022cff-150.dat, 0x0006000000022cff-152.dat, 0x0006000000022d01-158.dat, 0x0006000000022d01-160.dat, 0x0006000000022d03-166.dat
Executes dropped EXE (64 IoCs)
pid  Process
348  Gpdennml.exe
3148  Hpkknmgd.exe
5068  Hihibbjo.exe
4660  Iogopi32.exe
2840  Ipihpkkd.exe
2736  Jblmgf32.exe
3244  Jocnlg32.exe
2600  Jlikkkhn.exe
5116  Jbepme32.exe
3976  Kefiopki.exe
432  Kamjda32.exe
2876  Khiofk32.exe
4552  Mapppn32.exe
3388  Mofmobmo.exe
2856  Mbibfm32.exe
2176  Nimmifgo.exe
3760  Niojoeel.exe
4532  Ookoaokf.exe
1840  Ojemig32.exe
4864  Omfekbdh.exe
4004  Aiplmq32.exe
532  Bpcgpihi.exe
2392  Bbdpad32.exe
5012  Cbkfbcpb.exe
3484  Cgiohbfi.exe
3128  Dmjmekgn.exe
3808  Ddfbgelh.exe
5040  Daollh32.exe
4020  Ecbeip32.exe
5064  Ekljpm32.exe
3952  Ekqckmfb.exe
2884  Fdkdibjp.exe
368  Fkgillpj.exe
1260  Fqikob32.exe
2316  Gggmgk32.exe
412  Gndbie32.exe
4772  Hqdkkp32.exe
2284  Haidfpki.exe
4356  Hjfbjdnd.exe
3608  Ielfgmnj.exe
3940  Ibpgqa32.exe
4392  Inkaqb32.exe
2704  Klpjad32.exe
2320  Kejloi32.exe
3600  Kocphojh.exe
772  Kdpiqehp.exe
3912  Lolcnman.exe
4360  Lkcccn32.exe
2272  Mhnjna32.exe
3480  Mllccpfj.exe
4996  Nconfh32.exe
3008  Oohkai32.exe
3236  Obpkcc32.exe
3232  Pbgqdb32.exe
2708  Amkabind.exe
2536  Bihhhi32.exe
1352  Bliajd32.exe
1848  Beaecjab.exe
3736  Cpifeb32.exe
640  Clpgkcdj.exe
1136  Cidgdg32.exe
4752  Ciiaogon.exe
880  Cbaehl32.exe
1212  Dmbiackg.exe
Drops file in System32 directory (64 IoCs)

Every file lands in C:\Windows\SysWOW64 (the 32-bit system directory, which is what "System32" resolves to for this 32-bit process). Each stage writes the next stage as a new, differently named EXE, or a helper DLL, and the name it writes is the name that appears next in the process chain: Hihibbjo.exe opens Iogopi32.exe for modification here, and in "Suspicious use of WriteProcessMemory" PID 5068 Hihibbjo.exe starts PID 4660 Iogopi32.exe.

- File created: C:\Windows\SysWOW64\Fhmeii32.dll (by Nconfh32.exe)
- File created: C:\Windows\SysWOW64\Jhackbjl.dll (by Gkcdfl32.exe)
- File opened for modification: C:\Windows\SysWOW64\Pkigbfja.exe (by Ppccemjk.exe)
- File opened for modification: C:\Windows\SysWOW64\Fjcjpb32.exe (by Fjoadbbc.exe)
- File opened for modification: C:\Windows\SysWOW64\Gceaofmc.exe (by Gmkibl32.exe)
- File opened for modification: C:\Windows\SysWOW64\Nkagndmc.exe (by Negoaj32.exe)
- File created: C:\Windows\SysWOW64\Jagqfp32.exe (by Jfalhgni.exe)
- File opened for modification: C:\Windows\SysWOW64\Meljappg.exe (by Mdkabmjf.exe)
- File created: C:\Windows\SysWOW64\Ceehcc32.exe (by Cpipkl32.exe)
- File created: C:\Windows\SysWOW64\Cnndbecl.exe (by Cgdlfk32.exe)
- File created: C:\Windows\SysWOW64\Copekbjm.dll (by Ifcpgiji.exe)
- File created: C:\Windows\SysWOW64\Eedkniob.exe (by Eojcao32.exe)
- File opened for modification: C:\Windows\SysWOW64\Odkjgm32.exe (by Process not Found)
- File created: C:\Windows\SysWOW64\Pjpboibb.dll (by Hajpli32.exe)
- File created: C:\Windows\SysWOW64\Kkhpmigp.exe (by Kengqo32.exe)
- File created: C:\Windows\SysWOW64\Modkhnci.dll (by Mhhcne32.exe)
- File opened for modification: C:\Windows\SysWOW64\Kcfiof32.exe (by Kaemgn32.exe)
- File created: C:\Windows\SysWOW64\Nbhkjicf.exe (by Nkncno32.exe)
- File created: C:\Windows\SysWOW64\Dcfchp32.dll (by Gmjlmo32.exe)
- File opened for modification: C:\Windows\SysWOW64\Pjpokm32.exe (by Pgaboa32.exe)
- File created: C:\Windows\SysWOW64\Njdibmjj.dll (by Kjlcmdbb.exe)
- File opened for modification: C:\Windows\SysWOW64\Kfeagefd.exe (by Kmmmnp32.exe)
- File created: C:\Windows\SysWOW64\Mlolhd32.dll (by Kdeghfhj.exe)
- File opened for modification: C:\Windows\SysWOW64\Fgqehgco.exe (by Ecblbi32.exe)
- File opened for modification: C:\Windows\SysWOW64\Cpljdjnd.exe (by Cibagpgg.exe)
- File created: C:\Windows\SysWOW64\Hggonfbm.exe (by Hffbfn32.exe)
- File opened for modification: C:\Windows\SysWOW64\Pdmikb32.exe (by Pncanhaf.exe)
- File created: C:\Windows\SysWOW64\Bngcmp32.dll (by Mbpfig32.exe)
- File created: C:\Windows\SysWOW64\Obgeqcnn.exe (by Olnmdi32.exe)
- File created: C:\Windows\SysWOW64\Ogoncd32.exe (by Oaeegjeb.exe)
- File created: C:\Windows\SysWOW64\Bfkecd32.dll (by Ppjghgdg.exe)
- File opened for modification: C:\Windows\SysWOW64\Iogopi32.exe (by Hihibbjo.exe)
- File created: C:\Windows\SysWOW64\Gjnaef32.dll (by Mmiealgc.exe)
- File created: C:\Windows\SysWOW64\Jhjcbljf.exe (by Jbkbkbfo.exe)
- File created: C:\Windows\SysWOW64\Fjikeg32.exe (by Fdobhm32.exe)
- File created: C:\Windows\SysWOW64\Cofndo32.exe (by Bjielh32.exe)
- File opened for modification: C:\Windows\SysWOW64\Cfiiggpg.exe (by Cnndbecl.exe)
- File created: C:\Windows\SysWOW64\Nimmifgo.exe (by Mbibfm32.exe)
- File opened for modification: C:\Windows\SysWOW64\Apfhajjf.exe (by Agndidce.exe)
- File opened for modification: C:\Windows\SysWOW64\Pohilc32.exe (by Obgeqcnn.exe)
- File created: C:\Windows\SysWOW64\Icmbcg32.exe (by Ihgnfnjl.exe)
- File opened for modification: C:\Windows\SysWOW64\Eakdje32.exe (by Dgcoaock.exe)
- File created: C:\Windows\SysWOW64\Mokdllim.exe (by Lbgcch32.exe)
- File created: C:\Windows\SysWOW64\Dcglfjgf.exe (by Dnjdncio.exe)
- File created: C:\Windows\SysWOW64\Amjpfc32.dll (by Fhkcfmbp.exe)
- File created: C:\Windows\SysWOW64\Hdlphjaf.exe (by Hnagkp32.exe)
- File created: C:\Windows\SysWOW64\Dmjmekgn.exe (by Cgiohbfi.exe)
- File created: C:\Windows\SysWOW64\Ghmbib32.exe (by Facjlhil.exe)
- File created: C:\Windows\SysWOW64\Effjdd32.dll (by Hkaqgjme.exe)
- File opened for modification: C:\Windows\SysWOW64\Bpodmb32.exe (by Bgfpdmho.exe)
- File created: C:\Windows\SysWOW64\Hhdfej32.dll (by Ajlngk32.exe)
- File opened for modification: C:\Windows\SysWOW64\Ggilbb32.exe (by Gpodfh32.exe)
- File created: C:\Windows\SysWOW64\Ppagmd32.dll (by Lnbkeclf.exe)
- File created: C:\Windows\SysWOW64\Gokmfe32.exe (by Ghadjkhh.exe)
- File opened for modification: C:\Windows\SysWOW64\Mnggnh32.exe (by Mmfjfp32.exe)
- File created: C:\Windows\SysWOW64\Becipn32.exe (by Bjnece32.exe)
- File opened for modification: C:\Windows\SysWOW64\Pgdodq32.exe (by Ppjghgdg.exe)
- File created: C:\Windows\SysWOW64\Hjfbjdnd.exe (by Haidfpki.exe)
- File created: C:\Windows\SysWOW64\Kmpaoopf.dll (by Ielfgmnj.exe)
- File created: C:\Windows\SysWOW64\Qmkanmel.exe (by Qgnief32.exe)
- File created: C:\Windows\SysWOW64\Abcaho32.dll (by Kmlgcf32.exe)
- File created: C:\Windows\SysWOW64\Odhhbgqb.dll (by Jbmfig32.exe)
- File created: C:\Windows\SysWOW64\Olgbff32.dll (by Eedkniob.exe)
- File opened for modification: C:\Windows\SysWOW64\Ojemig32.exe (by Ookoaokf.exe)
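The drop list above is the kind of thing a responder wants to turn into a host check: which EXE/DLL files in SysWOW64 appeared recently and are not validly signed. The following PowerShell is an example added by the editor; it is not part of the sandbox report and not the sample's code. The naming pattern it scores (eight letters, capitalised, ending "32" or two more letters, e.g. Gpdennml.exe, Fhmeii32.dll) is what this report's drop list shows; the 7-day window and the idea of using the pattern as a score are the editor's heuristics, not facts from the report.

```powershell
# Editor's added example; not part of the sandbox report and not the sample's code.
# Lists EXE/DLL files in C:\Windows\SysWOW64 created recently that lack a valid
# Authenticode signature, scores the Berbew-style name pattern seen in the report,
# and hashes each hit so it can be pivoted on. Run on the suspect host.

function Get-SuspectSysWow64Binary {
    param([int]$Days = 7)                                  # heuristic window (editor's assumption)
    $cutoff = (Get-Date).AddDays(-$Days)
    $dir    = Join-Path $env:WINDIR 'SysWOW64'

    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' -and $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name        = $_.Name
                Size        = $_.Length
                Created     = $_.CreationTime
                Signature   = $sig.Status.ToString()       # Valid / NotSigned / HashMismatch / ...
                # Name shape observed in this report (Gpdennml, Iogopi32, Fhmeii32): heuristic only
                BerbewStyle = [bool]($_.BaseName -cmatch '^[A-Z][a-z]{5}(32|[a-z]{2})$')
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.Signature -ne 'Valid' } |
        Sort-Object -Property BerbewStyle, Created -Descending
}

Get-SuspectSysWow64Binary | Format-Table -AutoSize
```

A SHA256 that equals the report's value (4677db8a...de27ab) identifies an unmodified copy of the sample; a different hash does not clear a file, since each dropped stage is a separately written binary. Microsoft's own catalog-signed system files report Valid on a current Windows 10, so on a clean host this returns little or nothing; compare against a known-good machine of the same build before acting on a single hit.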
Program crash (1 IoC)
pid 10424, pid_target 10328, Process: Process not Found, procid_target 1364
Modifies registry class (64 IoCs)

All 64 IoCs are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, the COM server registration for the same CLSID that the "Web Event Logger" SSODL value above points at. This is the second half of the persistence: SSODL tells Explorer which CLSID to create, and InProcServer32 tells COM which DLL implements it. Each stage re-points it at a freshly dropped DLL in C:\Windows\SysWow64 with ThreadingModel = "Apartment"; the DLLs are the same style of similarly named files that the chain drops into SysWOW64 (both lists are capped at 64 entries, so the same stage rarely appears in both). The report shows the paths with doubled backslashes; they are written plain here.

Key created: ...\InProcServer32 (21 IoCs), by process:
Gkeakl32.exe, Ibkpmm32.exe, Process not Found, Fjbddh32.exe, Ibagmiie.exe, Pgfljqia.exe, Pimkkfka.exe, Lhammfci.exe, Njploeoi.exe, Hlgjko32.exe, Bjnece32.exe, Cipppc32.exe, Epokojbg.exe, Fibocnnj.exe, Clldhljp.exe, Ckpjob32.exe, Ekqcfpmj.exe, Dogfkpih.exe, Jomeoggk.exe, Hcjkje32.exe, Ihbdja32.exe

Set value (str): ...\InProcServer32\ThreadingModel = "Apartment" (23 IoCs), by process:
Cnndbecl.exe, Ndejcemn.exe, Dgcoaock.exe, Jbmfig32.exe, Mbibfm32.exe, Pqmjhm32.exe, Jmdqbg32.exe, Fgcjea32.exe, Qckbggad.exe, Dgplai32.exe, Jaddpppa.exe, Hpchdf32.exe, Fomhnmgp.exe, Nkieab32.exe, Ecnbgian.exe, Hihibbjo.exe, Omnqhbap.exe, Cofndo32.exe, Hbpgle32.exe, Ceehcc32.exe, Fjikeg32.exe, Gjohnkdd.exe, Gmjlmo32.exe

Set value (str): ...\InProcServer32\(default) = DLL path (20 IoCs), by process:
- C:\Windows\SysWow64\Qhdpkoii.dll (Ghmbib32.exe)
- C:\Windows\SysWow64\Chnnfa32.dll (Aemqdk32.exe)
- C:\Windows\SysWow64\Nilndhie.dll (Dkbgeb32.exe)
- C:\Windows\SysWow64\Oakaofpm.dll (Anncek32.exe)
- C:\Windows\SysWow64\Hbemgh32.dll (Bcngddao.exe)
- C:\Windows\SysWow64\Hahnld32.dll (Cnebmgjj.exe)
- C:\Windows\SysWow64\Gcbnjh32.dll (Ljmmcbdp.exe)
- C:\Windows\SysWow64\Aidjgo32.dll (Najjmjkg.exe)
- C:\Windows\SysWow64\Oikaeb32.dll (Kfmejopp.exe)
- C:\Windows\SysWow64\Gciagdlp.dll (Alaaajmb.exe)
- C:\Windows\SysWow64\Eeokad32.dll (Ekahhn32.exe)
- C:\Windows\SysWow64\Adjjgp32.dll (Lbgcch32.exe)
- C:\Windows\SysWow64\Jkfncejn.dll (Ppmleagi.exe)
- C:\Windows\SysWow64\Bhfnch32.dll (Mcdepd32.exe)
- C:\Windows\SysWow64\Lcjagh32.dll (Cfiiggpg.exe)
- C:\Windows\SysWow64\Abcgql32.dll (Lfcdph32.exe)
- C:\Windows\SysWow64\Ekiofe32.dll (Gahcgg32.exe)
- C:\Windows\SysWow64\Pmhaae32.dll (Giddddad.exe)
- C:\Windows\SysWow64\Npjjnkkh.dll (Inmplh32.exe)
- C:\Windows\SysWow64\Namjlqjg.dll (Lkbmih32.exe)
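The two registry signatures, "Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class", together describe one persistence mechanism: an SSODL value whose data is a CLSID, and an InProcServer32 registration that maps that CLSID to a dropped DLL. The PowerShell below is an example added by the editor for hunting that mechanism on a live host; it is not part of the sandbox report and not the sample's code. Facts taken from the report are the value name "Web Event Logger" and the CLSID {79FAA099-1BAE-816E-D711-115290CEE717}; the flags for an unsigned, missing or out-of-place DLL are the editor's heuristics. It checks both registry views because the report shows a 32-bit sample being redirected to WOW6432Node, while 64-bit Explorer reads the native SSODL key; a hunt that looks at only one view misses the other.

```powershell
# Editor's added example; not part of the sandbox report and not the sample's code.
# Enumerates ShellServiceObjectDelayLoad (SSODL) in both registry views, resolves each
# CLSID's InProcServer32 server DLL, checks its signature, and flags what stands out.
# Facts from the report: the value name and CLSID below. "heuristic" marks the editor's
# assumptions.

$ReportClsid = '{79FAA099-1BAE-816E-D711-115290CEE717}'
$ReportValue = 'Web Event Logger'

# 64-bit Explorer reads the native key; a 32-bit writer (this sample is x86) is
# redirected to WOW6432Node, which is what the report shows, and 32-bit COM hosts
# resolve CLSIDs from the WOW6432Node Classes tree.
$Views = @(
    @{ Name  = 'native'
       Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Name  = 'WOW6432Node'
       Ssodl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)
# Get-ItemProperty adds these provider note properties; they are not registry values.
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SsodlEntry {
    foreach ($v in $Views) {
        if (-not (Test-Path -LiteralPath $v.Ssodl)) { continue }
        $props = Get-ItemProperty -LiteralPath $v.Ssodl
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $PsMeta) { continue }
            $clsid  = [string]$p.Value                   # SSODL data is the CLSID Explorer will create
            $inproc = Join-Path $v.Clsid "$clsid\InProcServer32"
            $dll = $null; $model = $null; $status = 'NoInProcServer32'
            if (Test-Path -LiteralPath $inproc) {
                $ip    = Get-ItemProperty -LiteralPath $inproc
                $dll   = [Environment]::ExpandEnvironmentVariables([string]$ip.'(default)')
                $model = $ip.ThreadingModel
                if ([string]::IsNullOrEmpty($dll)) { $status = 'EmptyServerPath' }
                elseif (-not (Test-Path -LiteralPath $dll)) { $status = 'DllMissing' }
                else { $status = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() }
            }
            $flags = @()
            if ($clsid -ieq $ReportClsid)  { $flags += 'ReportCLSID' }
            if ($p.Name -ieq $ReportValue) { $flags += 'ReportValueName' }
            if ($status -ne 'Valid')       { $flags += "Signature:$status" }            # heuristic
            if ($dll -and $dll -notmatch '^[A-Za-z]:\\Windows\\') { $flags += 'OutsideWindowsDir' }  # heuristic
            [pscustomobject]@{
                View      = $v.Name
                ValueName = $p.Name
                CLSID     = $clsid
                Server    = $dll
                Threading = $model
                Status    = $status
                Flags     = ($flags -join ',')
            }
        }
    }
}

Get-SsodlEntry | Format-Table -AutoSize
```

Any row with a non-empty Flags column deserves a look, but a validly signed server under C:\Windows with no flags is not proof of health either: a legitimate SSODL entry can exist on a given build, so compare the output against a clean host of the same build. A ReportCLSID or ReportValueName hit is a direct match on this sample's indicators; a Signature flag on a similarly named DLL in SysWOW64 matches its pattern without the exact identifiers.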
Suspicious use of WriteProcessMemory (64 IoCs)

In the entries listed, the stages form a single linear chain: each process starts one child and the report records three WriteProcessMemory entries for that child, so every hop appears three times (21 hops x 3 = 63 entries; the 64-entry cap leaves only one entry for the 22nd hop). The pids match the "Executes dropped EXE" list above, so the target of the last listed hop, PID 532, is Bpcgpihi.exe. One line per hop:

pid  Process  ->  target pid  (procid_target)
1656  NEAS.0e157da268aff6160ba929f319b51bd0.exe  ->  348  (93)
348  Gpdennml.exe  ->  3148  (94)
3148  Hpkknmgd.exe  ->  5068  (95)
5068  Hihibbjo.exe  ->  4660  (96)
4660  Iogopi32.exe  ->  2840  (97)
2840  Ipihpkkd.exe  ->  2736  (98)
2736  Jblmgf32.exe  ->  3244  (99)
3244  Jocnlg32.exe  ->  2600  (100)
2600  Jlikkkhn.exe  ->  5116  (101)
5116  Jbepme32.exe  ->  3976  (102)
3976  Kefiopki.exe  ->  432  (103)
432  Kamjda32.exe  ->  2876  (104)
2876  Khiofk32.exe  ->  4552  (105)
4552  Mapppn32.exe  ->  3388  (106)
3388  Mofmobmo.exe  ->  2856  (107)
2856  Mbibfm32.exe  ->  2176  (108)
2176  Nimmifgo.exe  ->  3760  (109)
3760  Niojoeel.exe  ->  4532  (110)
4532  Ookoaokf.exe  ->  1840  (111)
1840  Ojemig32.exe  ->  4864  (112)
4864  Omfekbdh.exe  ->  4004  (113)
4004  Aiplmq32.exe  ->  532  (114)  (single entry; list capped at 64)
Processes
-
Each process below is the child of the one listed before it; the list number is its nesting depth in the process tree. For every process the image path, the command line, the PID and the signatures it triggered are given.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.0e157da268aff6160ba929f319b51bd0.exe (command line "C:\Users\Admin\AppData\Local\Temp\NEAS.0e157da268aff6160ba929f319b51bd0.exe", PID 1656)
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Gpdennml.exe (command line C:\Windows\system32\Gpdennml.exe, PID 348)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Hpkknmgd.exe (command line C:\Windows\system32\Hpkknmgd.exe, PID 3148)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Hihibbjo.exe (command line C:\Windows\system32\Hihibbjo.exe, PID 5068)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Iogopi32.exe (command line C:\Windows\system32\Iogopi32.exe, PID 4660)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ipihpkkd.exe (command line C:\Windows\system32\Ipihpkkd.exe, PID 2840)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Jblmgf32.exe (command line C:\Windows\system32\Jblmgf32.exe, PID 2736)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Jocnlg32.exe (command line C:\Windows\system32\Jocnlg32.exe, PID 3244)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Jlikkkhn.exe (command line C:\Windows\system32\Jlikkkhn.exe, PID 2600)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Jbepme32.exe (command line C:\Windows\system32\Jbepme32.exe, PID 5116)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Kefiopki.exe (command line C:\Windows\system32\Kefiopki.exe, PID 3976)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Kamjda32.exe (command line C:\Windows\system32\Kamjda32.exe, PID 432)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Khiofk32.exe (command line C:\Windows\system32\Khiofk32.exe, PID 2876)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mapppn32.exe (command line C:\Windows\system32\Mapppn32.exe, PID 4552)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mofmobmo.exe (command line C:\Windows\system32\Mofmobmo.exe, PID 3388)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mbibfm32.exe (command line C:\Windows\system32\Mbibfm32.exe, PID 2856)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Nimmifgo.exe (command line C:\Windows\system32\Nimmifgo.exe, PID 2176)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Niojoeel.exe (command line C:\Windows\system32\Niojoeel.exe, PID 3760)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ookoaokf.exe (command line C:\Windows\system32\Ookoaokf.exe, PID 4532)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Ojemig32.exe (command line C:\Windows\system32\Ojemig32.exe, PID 1840)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Omfekbdh.exe (command line C:\Windows\system32\Omfekbdh.exe, PID 4864)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Aiplmq32.exe (command line C:\Windows\system32\Aiplmq32.exe, PID 4004)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Bpcgpihi.exe (command line C:\Windows\system32\Bpcgpihi.exe, PID 532)
- Executes dropped EXE
24. C:\Windows\SysWOW64\Bbdpad32.exe (command line C:\Windows\system32\Bbdpad32.exe, PID 2392)
- Executes dropped EXE
25. C:\Windows\SysWOW64\Cbkfbcpb.exe (command line C:\Windows\system32\Cbkfbcpb.exe, PID 5012)
- Executes dropped EXE
26. C:\Windows\SysWOW64\Cgiohbfi.exe (command line C:\Windows\system32\Cgiohbfi.exe, PID 3484)
- Executes dropped EXE
- Drops file in System32 directory
27. C:\Windows\SysWOW64\Dmjmekgn.exe (command line C:\Windows\system32\Dmjmekgn.exe, PID 3128)
- Executes dropped EXE
28. C:\Windows\SysWOW64\Ddfbgelh.exe (command line C:\Windows\system32\Ddfbgelh.exe, PID 3808)
- Executes dropped EXE
29. C:\Windows\SysWOW64\Daollh32.exe (command line C:\Windows\system32\Daollh32.exe, PID 5040)
- Executes dropped EXE
30. C:\Windows\SysWOW64\Ecbeip32.exe (command line C:\Windows\system32\Ecbeip32.exe, PID 4020)
- Executes dropped EXE
31. C:\Windows\SysWOW64\Ekljpm32.exe (command line C:\Windows\system32\Ekljpm32.exe, PID 5064)
- Executes dropped EXE
32. C:\Windows\SysWOW64\Ekqckmfb.exe (command line C:\Windows\system32\Ekqckmfb.exe, PID 3952)
- Executes dropped EXE
33. C:\Windows\SysWOW64\Fdkdibjp.exe (command line C:\Windows\system32\Fdkdibjp.exe, PID 2884)
- Executes dropped EXE
34. C:\Windows\SysWOW64\Fkgillpj.exe (command line C:\Windows\system32\Fkgillpj.exe, PID 368)
- Executes dropped EXE
35. C:\Windows\SysWOW64\Fqikob32.exe (command line C:\Windows\system32\Fqikob32.exe, PID 1260)
- Executes dropped EXE
36. C:\Windows\SysWOW64\Gggmgk32.exe (command line C:\Windows\system32\Gggmgk32.exe, PID 2316)
- Executes dropped EXE
37. C:\Windows\SysWOW64\Gndbie32.exe (command line C:\Windows\system32\Gndbie32.exe, PID 412)
- Executes dropped EXE
38. C:\Windows\SysWOW64\Hqdkkp32.exe (command line C:\Windows\system32\Hqdkkp32.exe, PID 4772)
- Executes dropped EXE
39. C:\Windows\SysWOW64\Haidfpki.exe (command line C:\Windows\system32\Haidfpki.exe, PID 2284)
- Executes dropped EXE
- Drops file in System32 directory
40. C:\Windows\SysWOW64\Hjfbjdnd.exe (command line C:\Windows\system32\Hjfbjdnd.exe, PID 4356)
- Executes dropped EXE
41. C:\Windows\SysWOW64\Ielfgmnj.exe (command line C:\Windows\system32\Ielfgmnj.exe, PID 3608)
- Executes dropped EXE
- Drops file in System32 directory
42. C:\Windows\SysWOW64\Ibpgqa32.exe (command line C:\Windows\system32\Ibpgqa32.exe, PID 3940)
- Executes dropped EXE
43. C:\Windows\SysWOW64\Inkaqb32.exe (command line C:\Windows\system32\Inkaqb32.exe, PID 4392)
- Executes dropped EXE
44. C:\Windows\SysWOW64\Klpjad32.exe (command line C:\Windows\system32\Klpjad32.exe, PID 2704)
- Executes dropped EXE
45. C:\Windows\SysWOW64\Kejloi32.exe (command line C:\Windows\system32\Kejloi32.exe, PID 2320)
- Executes dropped EXE
46. C:\Windows\SysWOW64\Kocphojh.exe (command line C:\Windows\system32\Kocphojh.exe, PID 3600)
- Executes dropped EXE
47. C:\Windows\SysWOW64\Kdpiqehp.exe (command line C:\Windows\system32\Kdpiqehp.exe, PID 772)
- Executes dropped EXE
48. C:\Windows\SysWOW64\Lolcnman.exe (command line C:\Windows\system32\Lolcnman.exe, PID 3912)
- Executes dropped EXE
49. C:\Windows\SysWOW64\Lkcccn32.exe (command line C:\Windows\system32\Lkcccn32.exe, PID 4360)
- Executes dropped EXE
50. C:\Windows\SysWOW64\Mhnjna32.exe (command line C:\Windows\system32\Mhnjna32.exe, PID 2272)
- Executes dropped EXE
51. C:\Windows\SysWOW64\Mllccpfj.exe (command line C:\Windows\system32\Mllccpfj.exe, PID 3480)
- Executes dropped EXE
52. C:\Windows\SysWOW64\Nconfh32.exe (command line C:\Windows\system32\Nconfh32.exe, PID 4996)
- Executes dropped EXE
- Drops file in System32 directory
53. C:\Windows\SysWOW64\Oohkai32.exe (command line C:\Windows\system32\Oohkai32.exe, PID 3008)
- Executes dropped EXE
54. C:\Windows\SysWOW64\Obpkcc32.exe (command line C:\Windows\system32\Obpkcc32.exe, PID 3236)
- Executes dropped EXE
55. C:\Windows\SysWOW64\Pbgqdb32.exe (command line C:\Windows\system32\Pbgqdb32.exe, PID 3232)
- Executes dropped EXE
56. C:\Windows\SysWOW64\Amkabind.exe (command line C:\Windows\system32\Amkabind.exe, PID 2708)
- Executes dropped EXE
57. C:\Windows\SysWOW64\Bihhhi32.exe (command line C:\Windows\system32\Bihhhi32.exe, PID 2536)
- Executes dropped EXE
58. C:\Windows\SysWOW64\Bliajd32.exe (command line C:\Windows\system32\Bliajd32.exe, PID 1352)
- Executes dropped EXE
59. C:\Windows\SysWOW64\Beaecjab.exe (command line C:\Windows\system32\Beaecjab.exe, PID 1848)
- Executes dropped EXE
60. C:\Windows\SysWOW64\Cpifeb32.exe (command line C:\Windows\system32\Cpifeb32.exe, PID 3736)
- Executes dropped EXE
61. C:\Windows\SysWOW64\Clpgkcdj.exe (command line C:\Windows\system32\Clpgkcdj.exe, PID 640)
- Executes dropped EXE
62. C:\Windows\SysWOW64\Cidgdg32.exe (command line C:\Windows\system32\Cidgdg32.exe, PID 1136)
- Executes dropped EXE
63. C:\Windows\SysWOW64\Ciiaogon.exe (command line C:\Windows\system32\Ciiaogon.exe, PID 4752)
- Executes dropped EXE
64. C:\Windows\SysWOW64\Cbaehl32.exe (command line C:\Windows\system32\Cbaehl32.exe, PID 880)
- Executes dropped EXE
65. C:\Windows\SysWOW64\Dmbiackg.exe (command line C:\Windows\system32\Dmbiackg.exe, PID 1212)
- Executes dropped EXE
66. C:\Windows\SysWOW64\Gqkajk32.exe (command line C:\Windows\system32\Gqkajk32.exe, PID 4824)
67. C:\Windows\SysWOW64\Hnehdo32.exe (command line C:\Windows\system32\Hnehdo32.exe, PID 812)
68. C:\Windows\SysWOW64\Hdppaidl.exe (command line C:\Windows\system32\Hdppaidl.exe, PID 3456)
69. C:\Windows\SysWOW64\Hfcinq32.exe (command line C:\Windows\system32\Hfcinq32.exe, PID 2216)
70. C:\Windows\SysWOW64\Hqimlihn.exe (command line C:\Windows\system32\Hqimlihn.exe, PID 984)
71. C:\Windows\SysWOW64\Hgbfhc32.exe (command line C:\Windows\system32\Hgbfhc32.exe, PID 4364)
72. C:\Windows\SysWOW64\Hmpnqj32.exe (command line C:\Windows\system32\Hmpnqj32.exe, PID 2172)
73. C:\Windows\SysWOW64\Hgebnc32.exe (command line C:\Windows\system32\Hgebnc32.exe, PID 3420)
74. C:\Windows\SysWOW64\Hmbkfjko.exe (command line C:\Windows\system32\Hmbkfjko.exe, PID 4784)
75. C:\Windows\SysWOW64\Ifjoop32.exe (command line C:\Windows\system32\Ifjoop32.exe, PID 4284)
76. C:\Windows\SysWOW64\Imdgljil.exe (command line C:\Windows\system32\Imdgljil.exe, PID 3088)
77. C:\Windows\SysWOW64\Ifmldo32.exe (command line C:\Windows\system32\Ifmldo32.exe, PID 4228)
78. C:\Windows\SysWOW64\Iqbpahpc.exe (command line C:\Windows\system32\Iqbpahpc.exe, PID 5056)
79. C:\Windows\SysWOW64\Iglhob32.exe (command line C:\Windows\system32\Iglhob32.exe, PID 2348)
80. C:\Windows\SysWOW64\Iqdmghnp.exe (command line C:\Windows\system32\Iqdmghnp.exe, PID 4936)
81. C:\Windows\SysWOW64\Ifaepolg.exe (command line C:\Windows\system32\Ifaepolg.exe, PID 4064)
82. C:\Windows\SysWOW64\Iebfmfdg.exe (command line C:\Windows\system32\Iebfmfdg.exe, PID 1096)
83. C:\Windows\SysWOW64\Jmdqbg32.exe (command line C:\Windows\system32\Jmdqbg32.exe, PID 2748)
- Modifies registry class
84. C:\Windows\SysWOW64\Jfmekm32.exe (command line C:\Windows\system32\Jfmekm32.exe, PID 4204)
85. C:\Windows\SysWOW64\Kmlgcf32.exe (command line C:\Windows\system32\Kmlgcf32.exe, PID 5140)
- Drops file in System32 directory
86. C:\Windows\SysWOW64\Kceoppmo.exe (command line C:\Windows\system32\Kceoppmo.exe, PID 5176)
87. C:\Windows\SysWOW64\Knkcmild.exe (command line C:\Windows\system32\Knkcmild.exe, PID 5228)
88. C:\Windows\SysWOW64\Kmppneal.exe (command line C:\Windows\system32\Kmppneal.exe, PID 5276)
89. C:\Windows\SysWOW64\Laeoec32.exe (command line C:\Windows\system32\Laeoec32.exe, PID 5320)
90. C:\Windows\SysWOW64\Lfbgmj32.exe (command line C:\Windows\system32\Lfbgmj32.exe, PID 5356)
91. C:\Windows\SysWOW64\Lechkaga.exe (command line C:\Windows\system32\Lechkaga.exe, PID 5396)
92. C:\Windows\SysWOW64\Lokldg32.exe (command line C:\Windows\system32\Lokldg32.exe, PID 5436)
93. C:\Windows\SysWOW64\Ldhdlnli.exe (command line C:\Windows\system32\Ldhdlnli.exe, PID 5476)
94. C:\Windows\SysWOW64\Lkbmih32.exe (command line C:\Windows\system32\Lkbmih32.exe, PID 5516)
- Modifies registry class
95. C:\Windows\SysWOW64\Mdkabmjf.exe (command line C:\Windows\system32\Mdkabmjf.exe, PID 5576)
- Drops file in System32 directory
96. C:\Windows\SysWOW64\Meljappg.exe (command line C:\Windows\system32\Meljappg.exe, PID 5612)
97. C:\Windows\SysWOW64\Mkicjgnn.exe (command line C:\Windows\system32\Mkicjgnn.exe, PID 5660)
98. C:\Windows\SysWOW64\Mackfa32.exe (command line C:\Windows\system32\Mackfa32.exe, PID 5708)
99. C:\Windows\SysWOW64\Nonbqd32.exe (command line C:\Windows\system32\Nonbqd32.exe, PID 5756)
100. C:\Windows\SysWOW64\Ndpcdjho.exe (command line C:\Windows\system32\Ndpcdjho.exe, PID 5796)
101. C:\Windows\SysWOW64\Oogdfc32.exe (command line C:\Windows\system32\Oogdfc32.exe, PID 5836)
102. C:\Windows\SysWOW64\Ohpiphlb.exe (command line C:\Windows\system32\Ohpiphlb.exe, PID 5884)
103. C:\Windows\SysWOW64\Onmahojj.exe (command line C:\Windows\system32\Onmahojj.exe, PID 5920)
104. C:\Windows\SysWOW64\Ohbfeh32.exe (command line C:\Windows\system32\Ohbfeh32.exe, PID 5968)
105. C:\Windows\SysWOW64\Pnhacn32.exe (command line C:\Windows\system32\Pnhacn32.exe, PID 6004)
106. C:\Windows\SysWOW64\Pdbiphhi.exe (command line C:\Windows\system32\Pdbiphhi.exe, PID 6048)
107. C:\Windows\SysWOW64\Pnknim32.exe (command line C:\Windows\system32\Pnknim32.exe, PID 6100)
108. C:\Windows\SysWOW64\Pfdbpjmi.exe (command line C:\Windows\system32\Pfdbpjmi.exe, PID 6140)
109. C:\Windows\SysWOW64\Pgeogb32.exe (command line C:\Windows\system32\Pgeogb32.exe, PID 5184)
110. C:\Windows\SysWOW64\Qbkcek32.exe (command line C:\Windows\system32\Qbkcek32.exe, PID 3516)
111. C:\Windows\SysWOW64\Aocmio32.exe (command line C:\Windows\system32\Aocmio32.exe, PID 5292)
112. C:\Windows\SysWOW64\Aofjoo32.exe (command line C:\Windows\system32\Aofjoo32.exe, PID 5384)
113. C:\Windows\SysWOW64\Anncek32.exe (command line C:\Windows\system32\Anncek32.exe, PID 5448)
- Modifies registry class
114. C:\Windows\SysWOW64\Bichcc32.exe (command line C:\Windows\system32\Bichcc32.exe, PID 5512)
115. C:\Windows\SysWOW64\Bomppneg.exe (command line C:\Windows\system32\Bomppneg.exe, PID 5584)
116. C:\Windows\SysWOW64\Bfghlhmd.exe (command line C:\Windows\system32\Bfghlhmd.exe, PID 5648)
117. C:\Windows\SysWOW64\Bkdqdokk.exe (command line C:\Windows\system32\Bkdqdokk.exe, PID 4248)
- Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Bfieagka.exe (command line C:\Windows\system32\Bfieagka.exe, PID 5716)
- Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Bkfmjnii.exe (command line C:\Windows\system32\Bkfmjnii.exe, PID 5788)
120. C:\Windows\SysWOW64\Ciogobcm.exe (command line C:\Windows\system32\Ciogobcm.exe, PID 5848)
121. C:\Windows\SysWOW64\Cpipkl32.exe (command line C:\Windows\system32\Cpipkl32.exe, PID 5900)
- Drops file in System32 directory
122. C:\Windows\SysWOW64\Ceehcc32.exe (command line C:\Windows\system32\Ceehcc32.exe, PID 5988)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class