Analysis
max time kernel: 101s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2023, 08:52

Behavioral task: behavioral1
Sample: NEAS.c275fb2842770543ad99b9d120c09150.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.c275fb2842770543ad99b9d120c09150.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.c275fb2842770543ad99b9d120c09150.exe
Size: 378KB
MD5: c275fb2842770543ad99b9d120c09150
SHA1: e032c58a75ffe931ee4421f9df770c9e8bac568b
SHA256: f0af4949adab8437228a0018ea930b599b3c3df703f430a9410fe238039a3c93
SHA512: fa4c876356c5d7e48673430c61f7c019b7c2cda95289b290cec5c9478f0cb480a367dadb29cd15f9e5bc470c474bce5fbb14713a52f537a49697ba96f861a4bd
SSDEEP: 6144:XFlj2JuI1muhdnTEIeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UKL:7c6IeYr75lTefkY660fIaDZkY660f2lO
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid    pid_target  Process       procid_target
11756  11632       WerFault.exe  782
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c275fb2842770543ad99b9d120c09150.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c275fb2842770543ad99b9d120c09150.exe"; depth 1; PID 4972)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Chlflabp.exe (command line: C:\Windows\system32\Chlflabp.exe; depth 2; PID 3628)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cljobphg.exe (command line: C:\Windows\system32\Cljobphg.exe; depth 3; PID 4976)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Chqogq32.exe (command line: C:\Windows\system32\Chqogq32.exe; depth 4; PID 5104)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dfdpad32.exe (command line: C:\Windows\system32\Dfdpad32.exe; depth 5; PID 220)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dbbffdlq.exe (command line: C:\Windows\system32\Dbbffdlq.exe; depth 6; PID 3256)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Efpomccg.exe (command line: C:\Windows\system32\Efpomccg.exe; depth 7; PID 4500)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ekmhejao.exe (command line: C:\Windows\system32\Ekmhejao.exe; depth 8; PID 4784)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ennqfenp.exe (command line: C:\Windows\system32\Ennqfenp.exe; depth 9; PID 3608)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Epmmqheb.exe (command line: C:\Windows\system32\Epmmqheb.exe; depth 10; PID 4912)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hblkjo32.exe (command line: C:\Windows\system32\Hblkjo32.exe; depth 11; PID 4348)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hlepcdoa.exe (command line: C:\Windows\system32\Hlepcdoa.exe; depth 12; PID 2184)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hpchib32.exe (command line: C:\Windows\system32\Hpchib32.exe; depth 13; PID 4960)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Imgicgca.exe (command line: C:\Windows\system32\Imgicgca.exe; depth 1; PID 4356)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ipjoja32.exe (command line: C:\Windows\system32\Ipjoja32.exe; depth 2; PID 2188)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ioolkncg.exe (command line: C:\Windows\system32\Ioolkncg.exe; depth 3; PID 1644)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jghpbk32.exe (command line: C:\Windows\system32\Jghpbk32.exe; depth 4; PID 4872)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jleijb32.exe (command line: C:\Windows\system32\Jleijb32.exe; depth 5; PID 2916)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jepjhg32.exe (command line: C:\Windows\system32\Jepjhg32.exe; depth 6; PID 1400)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jebfng32.exe (command line: C:\Windows\system32\Jebfng32.exe; depth 7; PID 3540)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jjpode32.exe (command line: C:\Windows\system32\Jjpode32.exe; depth 8; PID 3992)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kcidmkpq.exe (command line: C:\Windows\system32\Kcidmkpq.exe; depth 9; PID 944)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kpmdfonj.exe (command line: C:\Windows\system32\Kpmdfonj.exe; depth 10; PID 2248)
- Executes dropped EXE
C:\Windows\SysWOW64\Kpoalo32.exe (command line: C:\Windows\system32\Kpoalo32.exe; depth 11; PID 3004)
- Executes dropped EXE
C:\Windows\SysWOW64\Kflide32.exe (command line: C:\Windows\system32\Kflide32.exe; depth 12; PID 3604)
- Executes dropped EXE
C:\Windows\SysWOW64\Kfnfjehl.exe (command line: C:\Windows\system32\Kfnfjehl.exe; depth 13; PID 1708)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Klhnfo32.exe (command line: C:\Windows\system32\Klhnfo32.exe; depth 14; PID 4236)
- Executes dropped EXE
C:\Windows\SysWOW64\Kfpcoefj.exe (command line: C:\Windows\system32\Kfpcoefj.exe; depth 15; PID 4388)
- Executes dropped EXE
C:\Windows\SysWOW64\Lnjgfb32.exe (command line: C:\Windows\system32\Lnjgfb32.exe; depth 16; PID 1560)
- Executes dropped EXE
C:\Windows\SysWOW64\Lqmmmmph.exe (command line: C:\Windows\system32\Lqmmmmph.exe; depth 17; PID 4240)
- Executes dropped EXE
C:\Windows\SysWOW64\Lfjfecno.exe (command line: C:\Windows\system32\Lfjfecno.exe; depth 18; PID 2072)
- Modifies registry class
C:\Windows\SysWOW64\Lncjlq32.exe (command line: C:\Windows\system32\Lncjlq32.exe; depth 19; PID 3652)
- Executes dropped EXE
C:\Windows\SysWOW64\Mgloefco.exe (command line: C:\Windows\system32\Mgloefco.exe; depth 20; PID 1656)
- Executes dropped EXE
C:\Windows\SysWOW64\Mqdcnl32.exe (command line: C:\Windows\system32\Mqdcnl32.exe; depth 21; PID 4900)
- Executes dropped EXE
C:\Windows\SysWOW64\Mmmqhl32.exe (command line: C:\Windows\system32\Mmmqhl32.exe; depth 22; PID 2476)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Mmpmnl32.exe (command line: C:\Windows\system32\Mmpmnl32.exe; depth 23; PID 2108)
- Executes dropped EXE
C:\Windows\SysWOW64\Mcifkf32.exe (command line: C:\Windows\system32\Mcifkf32.exe; depth 24; PID 1580)
- Executes dropped EXE
C:\Windows\SysWOW64\Nopfpgip.exe (command line: C:\Windows\system32\Nopfpgip.exe; depth 25; PID 5020)
- Executes dropped EXE
C:\Windows\SysWOW64\Njfkmphe.exe (command line: C:\Windows\system32\Njfkmphe.exe; depth 26; PID 4496)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Nflkbanj.exe (command line: C:\Windows\system32\Nflkbanj.exe; depth 27; PID 416)
- Executes dropped EXE
C:\Windows\SysWOW64\Npepkf32.exe (command line: C:\Windows\system32\Npepkf32.exe; depth 28; PID 3068)
- Executes dropped EXE
C:\Windows\SysWOW64\Njjdho32.exe (command line: C:\Windows\system32\Njjdho32.exe; depth 29; PID 4720)
- Executes dropped EXE
C:\Windows\SysWOW64\Npgmpf32.exe (command line: C:\Windows\system32\Npgmpf32.exe; depth 30; PID 3076)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Nfaemp32.exe (command line: C:\Windows\system32\Nfaemp32.exe; depth 31; PID 856)
- Executes dropped EXE
C:\Windows\SysWOW64\Npiiffqe.exe (command line: C:\Windows\system32\Npiiffqe.exe; depth 32; PID 4536)
- Executes dropped EXE
C:\Windows\SysWOW64\Omnjojpo.exe (command line: C:\Windows\system32\Omnjojpo.exe; depth 33; PID 3280)
- Executes dropped EXE
C:\Windows\SysWOW64\Oakbehfe.exe (command line: C:\Windows\system32\Oakbehfe.exe; depth 34; PID 3872)
- Executes dropped EXE
C:\Windows\SysWOW64\Ofhknodl.exe (command line: C:\Windows\system32\Ofhknodl.exe; depth 35; PID 3440)
- Executes dropped EXE
C:\Windows\SysWOW64\Opqofe32.exe (command line: C:\Windows\system32\Opqofe32.exe; depth 36; PID 4400)
- Executes dropped EXE
C:\Windows\SysWOW64\Ojfcdnjc.exe (command line: C:\Windows\system32\Ojfcdnjc.exe; depth 37; PID 212)
- Executes dropped EXE
C:\Windows\SysWOW64\Ojhpimhp.exe (command line: C:\Windows\system32\Ojhpimhp.exe; depth 38; PID 2888)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Oabhfg32.exe (command line: C:\Windows\system32\Oabhfg32.exe; depth 39; PID 1500)
- Executes dropped EXE
C:\Windows\SysWOW64\Pmiikh32.exe (command line: C:\Windows\system32\Pmiikh32.exe; depth 40; PID 3780)
- Executes dropped EXE
C:\Windows\SysWOW64\Pccahbmn.exe (command line: C:\Windows\system32\Pccahbmn.exe; depth 41; PID 2292)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Pmlfqh32.exe (command line: C:\Windows\system32\Pmlfqh32.exe; depth 42; PID 4736)
- Executes dropped EXE
C:\Windows\SysWOW64\Phajna32.exe (command line: C:\Windows\system32\Phajna32.exe; depth 43; PID 4524)
- Executes dropped EXE
C:\Windows\SysWOW64\Pmnbfhal.exe (command line: C:\Windows\system32\Pmnbfhal.exe; depth 44; PID 1068)
- Executes dropped EXE
C:\Windows\SysWOW64\Pjbcplpe.exe (command line: C:\Windows\system32\Pjbcplpe.exe; depth 45; PID 2324)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ppolhcnm.exe (command line: C:\Windows\system32\Ppolhcnm.exe; depth 46; PID 2772)
- Executes dropped EXE
C:\Windows\SysWOW64\Pnplfj32.exe (command line: C:\Windows\system32\Pnplfj32.exe; depth 47; PID 3612)
- Executes dropped EXE
C:\Windows\SysWOW64\Pdmdnadc.exe (command line: C:\Windows\system32\Pdmdnadc.exe; depth 48; PID 228)
- Executes dropped EXE
C:\Windows\SysWOW64\Qjfmkk32.exe (command line: C:\Windows\system32\Qjfmkk32.exe; depth 49; PID 4544)
- Executes dropped EXE
C:\Windows\SysWOW64\Qhjmdp32.exe (command line: C:\Windows\system32\Qhjmdp32.exe; depth 50; PID 3132)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Akkffkhk.exe (command line: C:\Windows\system32\Akkffkhk.exe; depth 51; PID 4704)
- Executes dropped EXE
C:\Windows\SysWOW64\Aagkhd32.exe (command line: C:\Windows\system32\Aagkhd32.exe; depth 52; PID 464)
- Executes dropped EXE
C:\Windows\SysWOW64\Aokkahlo.exe (command line: C:\Windows\system32\Aokkahlo.exe; depth 53; PID 4648)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Adhdjpjf.exe (command line: C:\Windows\system32\Adhdjpjf.exe; depth 54; PID 2200)
C:\Windows\SysWOW64\Adkqoohc.exe (command line: C:\Windows\system32\Adkqoohc.exe; depth 55; PID 1704)
C:\Windows\SysWOW64\Aopemh32.exe (command line: C:\Windows\system32\Aopemh32.exe; depth 56; PID 2436)
- Drops file in System32 directory
C:\Windows\SysWOW64\Bgkiaj32.exe (command line: C:\Windows\system32\Bgkiaj32.exe; depth 57; PID 1952)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Bmeandma.exe (command line: C:\Windows\system32\Bmeandma.exe; depth 58; PID 1096)
C:\Windows\SysWOW64\Bgnffj32.exe (command line: C:\Windows\system32\Bgnffj32.exe; depth 59; PID 3704)
C:\Windows\SysWOW64\Bpfkpp32.exe (command line: C:\Windows\system32\Bpfkpp32.exe; depth 60; PID 4656)
C:\Windows\SysWOW64\Bogkmgba.exe (command line: C:\Windows\system32\Bogkmgba.exe; depth 61; PID 1736)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Bphgeo32.exe (command line: C:\Windows\system32\Bphgeo32.exe; depth 62; PID 1764)
C:\Windows\SysWOW64\Bahdob32.exe (command line: C:\Windows\system32\Bahdob32.exe; depth 63; PID 1184)
C:\Windows\SysWOW64\Bhblllfo.exe (command line: C:\Windows\system32\Bhblllfo.exe; depth 64; PID 1240)
C:\Windows\SysWOW64\Boldhf32.exe (command line: C:\Windows\system32\Boldhf32.exe; depth 65; PID 752)
C:\Windows\SysWOW64\Bajqda32.exe (command line: C:\Windows\system32\Bajqda32.exe; depth 66; PID 532)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Conanfli.exe (command line: C:\Windows\system32\Conanfli.exe; depth 67; PID 5136)
C:\Windows\SysWOW64\Cponen32.exe (command line: C:\Windows\system32\Cponen32.exe; depth 68; PID 5172)
C:\Windows\SysWOW64\Cgifbhid.exe (command line: C:\Windows\system32\Cgifbhid.exe; depth 69; PID 5216)
C:\Windows\SysWOW64\Cpbjkn32.exe (command line: C:\Windows\system32\Cpbjkn32.exe; depth 70; PID 5260)
- Modifies registry class
C:\Windows\SysWOW64\Cglbhhga.exe (command line: C:\Windows\system32\Cglbhhga.exe; depth 71; PID 5308)
C:\Windows\SysWOW64\Cpdgqmnb.exe (command line: C:\Windows\system32\Cpdgqmnb.exe; depth 72; PID 5356)
C:\Windows\SysWOW64\Cgnomg32.exe (command line: C:\Windows\system32\Cgnomg32.exe; depth 73; PID 5400)
C:\Windows\SysWOW64\Cpfcfmlp.exe (command line: C:\Windows\system32\Cpfcfmlp.exe; depth 74; PID 5452)
C:\Windows\SysWOW64\Cogddd32.exe (command line: C:\Windows\system32\Cogddd32.exe; depth 75; PID 5504)
C:\Windows\SysWOW64\Dpiplm32.exe (command line: C:\Windows\system32\Dpiplm32.exe; depth 76; PID 5556)
C:\Windows\SysWOW64\Dkndie32.exe (command line: C:\Windows\system32\Dkndie32.exe; depth 77; PID 5604)
C:\Windows\SysWOW64\Dhbebj32.exe (command line: C:\Windows\system32\Dhbebj32.exe; depth 78; PID 5652)
C:\Windows\SysWOW64\Ddifgk32.exe (command line: C:\Windows\system32\Ddifgk32.exe; depth 79; PID 5696)
C:\Windows\SysWOW64\Dkekjdck.exe (command line: C:\Windows\system32\Dkekjdck.exe; depth 80; PID 5740)
C:\Windows\SysWOW64\Dhikci32.exe (command line: C:\Windows\system32\Dhikci32.exe; depth 81; PID 5772)
C:\Windows\SysWOW64\Doccpcja.exe (command line: C:\Windows\system32\Doccpcja.exe; depth 82; PID 5816)
C:\Windows\SysWOW64\Ehlhih32.exe (command line: C:\Windows\system32\Ehlhih32.exe; depth 83; PID 5868)
- Modifies registry class
C:\Windows\SysWOW64\Enhpao32.exe (command line: C:\Windows\system32\Enhpao32.exe; depth 84; PID 5912)
C:\Windows\SysWOW64\Ehndnh32.exe (command line: C:\Windows\system32\Ehndnh32.exe; depth 85; PID 5956)
C:\Windows\SysWOW64\Eohmkb32.exe (command line: C:\Windows\system32\Eohmkb32.exe; depth 86; PID 5996)
C:\Windows\SysWOW64\Eqiibjlj.exe (command line: C:\Windows\system32\Eqiibjlj.exe; depth 87; PID 6044)
- Drops file in System32 directory
C:\Windows\SysWOW64\Eojiqb32.exe (command line: C:\Windows\system32\Eojiqb32.exe; depth 88; PID 6088)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Edgbii32.exe (command line: C:\Windows\system32\Edgbii32.exe; depth 89; PID 6128)
C:\Windows\SysWOW64\Ekajec32.exe (command line: C:\Windows\system32\Ekajec32.exe; depth 90; PID 5160)
- Drops file in System32 directory
C:\Windows\SysWOW64\Ebkbbmqj.exe (command line: C:\Windows\system32\Ebkbbmqj.exe; depth 91; PID 5248)
- Modifies registry class
C:\Windows\SysWOW64\Ekcgkb32.exe (command line: C:\Windows\system32\Ekcgkb32.exe; depth 92; PID 5292)
C:\Windows\SysWOW64\Figgdg32.exe (command line: C:\Windows\system32\Figgdg32.exe; depth 93; PID 5388)
C:\Windows\SysWOW64\Fqbliicp.exe (command line: C:\Windows\system32\Fqbliicp.exe; depth 94; PID 5424)
C:\Windows\SysWOW64\Foclgq32.exe (command line: C:\Windows\system32\Foclgq32.exe; depth 95; PID 5540)
C:\Windows\SysWOW64\Feqeog32.exe (command line: C:\Windows\system32\Feqeog32.exe; depth 96; PID 5596)
C:\Windows\SysWOW64\Fgoakc32.exe (command line: C:\Windows\system32\Fgoakc32.exe; depth 97; PID 5664)
C:\Windows\SysWOW64\Fbdehlip.exe (command line: C:\Windows\system32\Fbdehlip.exe; depth 98; PID 5732)
C:\Windows\SysWOW64\Finnef32.exe (command line: C:\Windows\system32\Finnef32.exe; depth 99; PID 5812)
C:\Windows\SysWOW64\Fbgbnkfm.exe (command line: C:\Windows\system32\Fbgbnkfm.exe; depth 100; PID 5880)
C:\Windows\SysWOW64\Fkofga32.exe (command line: C:\Windows\system32\Fkofga32.exe; depth 101; PID 5944)
- Modifies registry class
C:\Windows\SysWOW64\Gegkpf32.exe (command line: C:\Windows\system32\Gegkpf32.exe; depth 102; PID 6012)
C:\Windows\SysWOW64\Gnpphljo.exe (command line: C:\Windows\system32\Gnpphljo.exe; depth 103; PID 6080)
C:\Windows\SysWOW64\Gkdpbpih.exe (command line: C:\Windows\system32\Gkdpbpih.exe; depth 104; PID 5124)
C:\Windows\SysWOW64\Gbnhoj32.exe (command line: C:\Windows\system32\Gbnhoj32.exe; depth 105; PID 5204)
C:\Windows\SysWOW64\Gihpkd32.exe (command line: C:\Windows\system32\Gihpkd32.exe; depth 106; PID 5332)
- Modifies registry class
C:\Windows\SysWOW64\Gpaihooo.exe (command line: C:\Windows\system32\Gpaihooo.exe; depth 107; PID 3260)
C:\Windows\SysWOW64\Gacepg32.exe (command line: C:\Windows\system32\Gacepg32.exe; depth 108; PID 5588)
C:\Windows\SysWOW64\Gpdennml.exe (command line: C:\Windows\system32\Gpdennml.exe; depth 109; PID 5728)
- Drops file in System32 directory
C:\Windows\SysWOW64\Geanfelc.exe (command line: C:\Windows\system32\Geanfelc.exe; depth 110; PID 5804)
C:\Windows\SysWOW64\Hpfbcn32.exe (command line: C:\Windows\system32\Hpfbcn32.exe; depth 111; PID 5904)
C:\Windows\SysWOW64\Hecjke32.exe (command line: C:\Windows\system32\Hecjke32.exe; depth 112; PID 5984)
C:\Windows\SysWOW64\Hpioin32.exe (command line: C:\Windows\system32\Hpioin32.exe; depth 113; PID 6116)
C:\Windows\SysWOW64\Hlppno32.exe (command line: C:\Windows\system32\Hlppno32.exe; depth 114; PID 5268)
C:\Windows\SysWOW64\Halhfe32.exe (command line: C:\Windows\system32\Halhfe32.exe; depth 115; PID 5420)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Hhfpbpdo.exe (command line: C:\Windows\system32\Hhfpbpdo.exe; depth 116; PID 5612)
C:\Windows\SysWOW64\Hbldphde.exe (command line: C:\Windows\system32\Hbldphde.exe; depth 117; PID 5796)
C:\Windows\SysWOW64\Hhimhobl.exe (command line: C:\Windows\system32\Hhimhobl.exe; depth 118; PID 5992)
C:\Windows\SysWOW64\Haaaaeim.exe (command line: C:\Windows\system32\Haaaaeim.exe; depth 119; PID 5208)
C:\Windows\SysWOW64\Ilfennic.exe (command line: C:\Windows\system32\Ilfennic.exe; depth 120; PID 5528)
C:\Windows\SysWOW64\Ibqnkh32.exe (command line: C:\Windows\system32\Ibqnkh32.exe; depth 121; PID 5860)
C:\Windows\SysWOW64\Iijfhbhl.exe (command line: C:\Windows\system32\Iijfhbhl.exe; depth 122; PID 5252)