Analysis
max time kernel: 156s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2023, 02:49

Behavioral task: behavioral1
Sample: NEAS.23f261a9de3d34a035d5786c63a511a0.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: NEAS.23f261a9de3d34a035d5786c63a511a0.exe
Resource: win10v2004-20231023-en

General
Target: NEAS.23f261a9de3d34a035d5786c63a511a0.exe
Size: 125KB
MD5: 23f261a9de3d34a035d5786c63a511a0
SHA1: c66717cad317bdcf991b1a04a079a347d3c30da8
SHA256: ea53c53680df7d38224517f0b50208525d4c7e88bd58769ff5e30dd7be20f40d
SHA512: 1496789361c2569a840acb124d9f9c701a5673eb251104988caba104346654b764c9c8d16ab008e2bfb9ade79badf3333031cfa43daf532e607f84ace087a6a7
SSDEEP: 3072:uUtatPFpKUcQcq1WdTCn93OGey/ZhJakrPF:u88P3Ksc5TCndOGeKTaG
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.23f261a9de3d34a035d5786c63a511a0.exe (level 1, PID 1924), command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.23f261a9de3d34a035d5786c63a511a0.exe"
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Geanfelc.exe (level 2, PID 2188), command line: C:\Windows\system32\Geanfelc.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Hnphoj32.exe (level 3, PID 3444), command line: C:\Windows\system32\Hnphoj32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Hppeim32.exe (level 4, PID 544), command line: C:\Windows\system32\Hppeim32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ieojgc32.exe (level 5, PID 4164), command line: C:\Windows\system32\Ieojgc32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ieccbbkn.exe (level 6, PID 2008), command line: C:\Windows\system32\Ieccbbkn.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ihdldn32.exe (level 7, PID 4404), command line: C:\Windows\system32\Ihdldn32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Iehmmb32.exe (level 8, PID 3024), command line: C:\Windows\system32\Iehmmb32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Jemfhacc.exe (level 9, PID 2072), command line: C:\Windows\system32\Jemfhacc.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Jlikkkhn.exe (level 10, PID 1928), command line: C:\Windows\system32\Jlikkkhn.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Kakmna32.exe (level 11, PID 516), command line: C:\Windows\system32\Kakmna32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Kidben32.exe (level 12, PID 5040), command line: C:\Windows\system32\Kidben32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Kiikpnmj.exe (level 13, PID 4700), command line: C:\Windows\system32\Kiikpnmj.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Lplfcf32.exe (level 14, PID 1548), command line: C:\Windows\system32\Lplfcf32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mledmg32.exe (level 15, PID 3996), command line: C:\Windows\system32\Mledmg32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mpeiie32.exe (level 16, PID 3184), command line: C:\Windows\system32\Mpeiie32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Njgqhicg.exe (level 17, PID 4436), command line: C:\Windows\system32\Njgqhicg.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Obgohklm.exe (level 18, PID 820), command line: C:\Windows\system32\Obgohklm.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Objkmkjj.exe (level 19, PID 676), command line: C:\Windows\system32\Objkmkjj.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Obnehj32.exe (level 20, PID 4024), command line: C:\Windows\system32\Obnehj32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pimfpc32.exe (level 21, PID 3816), command line: C:\Windows\system32\Pimfpc32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qmdblp32.exe (level 22, PID 372), command line: C:\Windows\system32\Qmdblp32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Qfmfefni.exe (level 23, PID 4684), command line: C:\Windows\system32\Qfmfefni.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Acccdj32.exe (level 24, PID 2892), command line: C:\Windows\system32\Acccdj32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Apnndj32.exe (level 25, PID 4160), command line: C:\Windows\system32\Apnndj32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Biiobo32.exe (level 26, PID 1196), command line: C:\Windows\system32\Biiobo32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Bfolacnc.exe (level 27, PID 4092), command line: C:\Windows\system32\Bfolacnc.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Bphqji32.exe (level 28, PID 4984), command line: C:\Windows\system32\Bphqji32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Bkmeha32.exe (level 29, PID 1816), command line: C:\Windows\system32\Bkmeha32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Cgfbbb32.exe (level 30, PID 2876), command line: C:\Windows\system32\Cgfbbb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Ccblbb32.exe (level 31, PID 3376), command line: C:\Windows\system32\Ccblbb32.exe
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Dmjmekgn.exe (level 32, PID 3108), command line: C:\Windows\system32\Dmjmekgn.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Dpmcmf32.exe (level 33, PID 2180), command line: C:\Windows\system32\Dpmcmf32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Ekljpm32.exe (level 34, PID 4712), command line: C:\Windows\system32\Ekljpm32.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Ecgodpgb.exe (level 35, PID 1616), command line: C:\Windows\system32\Ecgodpgb.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Ecikjoep.exe (level 36, PID 3868), command line: C:\Windows\system32\Ecikjoep.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Fncibg32.exe (level 37, PID 3948), command line: C:\Windows\system32\Fncibg32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Gjhfif32.exe (level 38, PID 4132), command line: C:\Windows\system32\Gjhfif32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Hqghqpnl.exe (level 39, PID 4280), command line: C:\Windows\system32\Hqghqpnl.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Hnkhjdle.exe (level 40, PID 2020), command line: C:\Windows\system32\Hnkhjdle.exe
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Hnmeodjc.exe (level 41, PID 3232), command line: C:\Windows\system32\Hnmeodjc.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Hegmlnbp.exe (level 42, PID 2400), command line: C:\Windows\system32\Hegmlnbp.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Hjfbjdnd.exe (level 43, PID 1892), command line: C:\Windows\system32\Hjfbjdnd.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Ielfgmnj.exe (level 44, PID 2608), command line: C:\Windows\system32\Ielfgmnj.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Ijkled32.exe (level 45, PID 3972), command line: C:\Windows\system32\Ijkled32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Ijmhkchl.exe (level 46, PID 940), command line: C:\Windows\system32\Ijmhkchl.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Ihceigec.exe (level 47, PID 3048), command line: C:\Windows\system32\Ihceigec.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Jjdokb32.exe (level 48, PID 3104), command line: C:\Windows\system32\Jjdokb32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Jhhodg32.exe (level 49, PID 2712), command line: C:\Windows\system32\Jhhodg32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Jelonkph.exe (level 50, PID 2412), command line: C:\Windows\system32\Jelonkph.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Jdalog32.exe (level 51, PID 3532), command line: C:\Windows\system32\Jdalog32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Jaemilci.exe (level 52, PID 3960), command line: C:\Windows\system32\Jaemilci.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Keceoj32.exe (level 53, PID 1504), command line: C:\Windows\system32\Keceoj32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Kkpnga32.exe (level 54, PID 4896), command line: C:\Windows\system32\Kkpnga32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Kopcbo32.exe (level 55, PID 2204), command line: C:\Windows\system32\Kopcbo32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Llimgb32.exe (level 56, PID 4500), command line: C:\Windows\system32\Llimgb32.exe
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Leabphmp.exe (level 57, PID 2624), command line: C:\Windows\system32\Leabphmp.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Lhbkac32.exe (level 58, PID 4116), command line: C:\Windows\system32\Lhbkac32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Lhdggb32.exe (level 59, PID 2824), command line: C:\Windows\system32\Lhdggb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Ldkhlcnb.exe (level 60, PID 4616), command line: C:\Windows\system32\Ldkhlcnb.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mclhjkfa.exe (level 61, PID 2064), command line: C:\Windows\system32\Mclhjkfa.exe
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Mcoepkdo.exe (level 62, PID 5032), command line: C:\Windows\system32\Mcoepkdo.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Mccokj32.exe (level 63, PID 2164), command line: C:\Windows\system32\Mccokj32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Nooikj32.exe (level 64, PID 3780), command line: C:\Windows\system32\Nooikj32.exe
- Executes dropped EXE

C:\Windows\SysWOW64\Nkeipk32.exe (level 65, PID 2864), command line: C:\Windows\system32\Nkeipk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Nbbnbemf.exe (level 66, PID 3492), command line: C:\Windows\system32\Nbbnbemf.exe
- Modifies registry class

C:\Windows\SysWOW64\Oohkai32.exe (level 67, PID 4200), command line: C:\Windows\system32\Oohkai32.exe

C:\Windows\SysWOW64\Ohhfknjf.exe (level 68, PID 4208), command line: C:\Windows\system32\Ohhfknjf.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Ocmjhfjl.exe (level 69, PID 4980), command line: C:\Windows\system32\Ocmjhfjl.exe

C:\Windows\SysWOW64\Pfncia32.exe (level 70, PID 464), command line: C:\Windows\system32\Pfncia32.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Pofhbgmn.exe (level 71, PID 2424), command line: C:\Windows\system32\Pofhbgmn.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Pcdqhecd.exe (level 72, PID 2596), command line: C:\Windows\system32\Pcdqhecd.exe

C:\Windows\SysWOW64\Peempn32.exe (level 73, PID 4664), command line: C:\Windows\system32\Peempn32.exe

C:\Windows\SysWOW64\Pfeijqqe.exe (level 74, PID 1836), command line: C:\Windows\system32\Pfeijqqe.exe

C:\Windows\SysWOW64\Pkabbgol.exe (level 75, PID 4196), command line: C:\Windows\system32\Pkabbgol.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Qifbll32.exe (level 76, PID 3924), command line: C:\Windows\system32\Qifbll32.exe

C:\Windows\SysWOW64\Qmckbjdl.exe (level 77, PID 2908), command line: C:\Windows\system32\Qmckbjdl.exe

C:\Windows\SysWOW64\Afnlpohj.exe (level 78, PID 4156), command line: C:\Windows\system32\Afnlpohj.exe

C:\Windows\SysWOW64\Alkeifga.exe (level 79, PID 3404), command line: C:\Windows\system32\Alkeifga.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Almanf32.exe (level 80, PID 656), command line: C:\Windows\system32\Almanf32.exe

C:\Windows\SysWOW64\Afceko32.exe (level 81, PID 840), command line: C:\Windows\system32\Afceko32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Afeban32.exe (level 82, PID 3424), command line: C:\Windows\system32\Afeban32.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Albkieqj.exe (level 83, PID 5160), command line: C:\Windows\system32\Albkieqj.exe

C:\Windows\SysWOW64\Bblcfo32.exe (level 84, PID 5208), command line: C:\Windows\system32\Bblcfo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Bmagch32.exe (level 85, PID 5252), command line: C:\Windows\system32\Bmagch32.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Bemlhj32.exe (level 86, PID 5300), command line: C:\Windows\system32\Bemlhj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Bcnleb32.exe (level 87, PID 5344), command line: C:\Windows\system32\Bcnleb32.exe

C:\Windows\SysWOW64\Bbcignbo.exe (level 88, PID 5392), command line: C:\Windows\system32\Bbcignbo.exe

C:\Windows\SysWOW64\Cpnpqakp.exe (level 89, PID 5432), command line: C:\Windows\system32\Cpnpqakp.exe

C:\Windows\SysWOW64\Cifdjg32.exe (level 90, PID 5476), command line: C:\Windows\system32\Cifdjg32.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Cbaehl32.exe (level 91, PID 5524), command line: C:\Windows\system32\Cbaehl32.exe

C:\Windows\SysWOW64\Cmgjee32.exe (level 92, PID 5572), command line: C:\Windows\system32\Cmgjee32.exe

C:\Windows\SysWOW64\Dinjjf32.exe (level 93, PID 5616), command line: C:\Windows\system32\Dinjjf32.exe

C:\Windows\SysWOW64\Dmkcpdao.exe (level 94, PID 5712), command line: C:\Windows\system32\Dmkcpdao.exe

C:\Windows\SysWOW64\Didqkeeq.exe (level 95, PID 5756), command line: C:\Windows\system32\Didqkeeq.exe
- Modifies registry class

C:\Windows\SysWOW64\Eleimp32.exe (level 96, PID 5800), command line: C:\Windows\system32\Eleimp32.exe

C:\Windows\SysWOW64\Eiijfd32.exe (level 97, PID 5844), command line: C:\Windows\system32\Eiijfd32.exe

C:\Windows\SysWOW64\Epcbbohh.exe (level 98, PID 5888), command line: C:\Windows\system32\Epcbbohh.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Eilfldoi.exe (level 99, PID 5932), command line: C:\Windows\system32\Eilfldoi.exe

C:\Windows\SysWOW64\Ecdkdj32.exe (level 100, PID 5976), command line: C:\Windows\system32\Ecdkdj32.exe

C:\Windows\SysWOW64\Eincadmf.exe (level 101, PID 6020), command line: C:\Windows\system32\Eincadmf.exe

C:\Windows\SysWOW64\Egbdjhlp.exe (level 102, PID 6064), command line: C:\Windows\system32\Egbdjhlp.exe
- Drops file in System32 directory

C:\Windows\SysWOW64\Egdqph32.exe (level 103, PID 6108), command line: C:\Windows\system32\Egdqph32.exe

C:\Windows\SysWOW64\Fdhail32.exe (level 104, PID 5128), command line: C:\Windows\system32\Fdhail32.exe

C:\Windows\SysWOW64\Fgkfqgce.exe (level 105, PID 5196), command line: C:\Windows\system32\Fgkfqgce.exe

C:\Windows\SysWOW64\Fdogjk32.exe (level 106, PID 5284), command line: C:\Windows\system32\Fdogjk32.exe

C:\Windows\SysWOW64\Gnlenp32.exe (level 107, PID 5376), command line: C:\Windows\system32\Gnlenp32.exe

C:\Windows\SysWOW64\Hfnpca32.exe (level 108, PID 5456), command line: C:\Windows\system32\Hfnpca32.exe

C:\Windows\SysWOW64\Hqddqj32.exe (level 109, PID 5532), command line: C:\Windows\system32\Hqddqj32.exe

C:\Windows\SysWOW64\Hjlhipbc.exe (level 110, PID 5612), command line: C:\Windows\system32\Hjlhipbc.exe

C:\Windows\SysWOW64\Hmkeekag.exe (level 111, PID 5636), command line: C:\Windows\system32\Hmkeekag.exe
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Hgebnc32.exe (level 112, PID 5796), command line: C:\Windows\system32\Hgebnc32.exe

C:\Windows\SysWOW64\Ifjoop32.exe (level 113, PID 6008), command line: C:\Windows\system32\Ifjoop32.exe

C:\Windows\SysWOW64\Icgbob32.exe (level 114, PID 6076), command line: C:\Windows\system32\Icgbob32.exe

C:\Windows\SysWOW64\Jegohe32.exe (level 115, PID 6132), command line: C:\Windows\system32\Jegohe32.exe

C:\Windows\SysWOW64\Jmbdmg32.exe (level 116, PID 5268), command line: C:\Windows\system32\Jmbdmg32.exe

C:\Windows\SysWOW64\Jeilne32.exe (level 117, PID 4412), command line: C:\Windows\system32\Jeilne32.exe

C:\Windows\SysWOW64\Jelhcd32.exe (level 118, PID 5568), command line: C:\Windows\system32\Jelhcd32.exe

C:\Windows\SysWOW64\Jjknakhq.exe (level 119, PID 5680), command line: C:\Windows\system32\Jjknakhq.exe

C:\Windows\SysWOW64\Khonkogj.exe (level 120, PID 5784), command line: C:\Windows\system32\Khonkogj.exe

C:\Windows\SysWOW64\Kmlgcf32.exe (level 121, PID 6052), command line: C:\Windows\system32\Kmlgcf32.exe

C:\Windows\SysWOW64\Khakqo32.exe (level 122, PID 5220), command line: C:\Windows\system32\Khakqo32.exe
- Drops file in System32 directory