Analysis
-
max time kernel
59s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2023 00:13
Behavioral task
behavioral1
Sample
NEAS.0ab231c668824513e97113bae8345450.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.0ab231c668824513e97113bae8345450.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.0ab231c668824513e97113bae8345450.exe
-
Size
336KB
-
MD5
0ab231c668824513e97113bae8345450
-
SHA1
ccf25a7fb281f732b4d331bd528d1be6ab3cab6c
-
SHA256
c4516ac22a99aeb0793b4c2e6c59d0f4fdee5044df605ec9cb748020da988285
-
SHA512
4b797eabfed5997b89cbba0870731f844098a2a043cf3d57e59a32d95b247ef808ca9f410d37b54262a393f3c815aedb3e5bc376f12d5fb399bd1e298602baa2
-
SSDEEP
6144:zmVaooFBsRyH7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOE:zmVa157aOlxzr3cOK3Taj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgmdec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ienlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjbdbjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnjqhcno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojomcopk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpfjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edplhjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjdfgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfgnka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaqejcep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcapicdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhpaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gplbcgbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmhglopl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kifcnjpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afbgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpfcfmlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilkoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjoeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nipffmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbnhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdkghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ollgiplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onjebpml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bndjfjhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhegig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfmolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ononmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aofjoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqpika32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkobkod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhhodg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egpgehnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioafchai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piolkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dofpqfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nahdapae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhppap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edionhpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajjokd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchqbkkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fejlbgek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcofbifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nncccnol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnhoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjokd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edgbii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgocgjgk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhpaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhbmnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppobi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hldiinke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilibdmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnhkdd32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0006000000022cef-7.dat family_berbew behavioral2/files/0x0006000000022cef-6.dat family_berbew behavioral2/files/0x0006000000022cf1-15.dat family_berbew behavioral2/files/0x0006000000022cf1-14.dat family_berbew behavioral2/files/0x0006000000022cf5-22.dat family_berbew behavioral2/files/0x0006000000022cf5-24.dat family_berbew behavioral2/files/0x0006000000022cf8-30.dat family_berbew behavioral2/files/0x0006000000022cf8-31.dat family_berbew behavioral2/files/0x0006000000022cfa-38.dat family_berbew behavioral2/files/0x0006000000022cfa-40.dat family_berbew behavioral2/files/0x0006000000022cfc-46.dat family_berbew behavioral2/files/0x0006000000022cfc-47.dat family_berbew behavioral2/files/0x0006000000022cfe-54.dat family_berbew behavioral2/files/0x0006000000022cfe-55.dat family_berbew behavioral2/files/0x0006000000022d02-62.dat family_berbew behavioral2/files/0x0006000000022d02-64.dat family_berbew behavioral2/files/0x0006000000022d04-70.dat family_berbew behavioral2/files/0x0006000000022d07-78.dat family_berbew behavioral2/files/0x0006000000022d04-71.dat family_berbew behavioral2/files/0x0006000000022d07-79.dat family_berbew behavioral2/files/0x0006000000022d09-86.dat family_berbew behavioral2/files/0x0006000000022d09-87.dat family_berbew behavioral2/files/0x0006000000022d0b-95.dat family_berbew behavioral2/files/0x0006000000022d0b-94.dat family_berbew behavioral2/files/0x0006000000022d0e-103.dat family_berbew behavioral2/files/0x0006000000022d0e-102.dat family_berbew behavioral2/files/0x0006000000022d14-110.dat family_berbew behavioral2/files/0x0006000000022d14-112.dat family_berbew behavioral2/files/0x0006000000022d17-118.dat family_berbew behavioral2/files/0x0006000000022d17-119.dat family_berbew behavioral2/files/0x0006000000022d1b-126.dat family_berbew behavioral2/files/0x0006000000022d1b-128.dat family_berbew behavioral2/files/0x0007000000022d0f-136.dat family_berbew behavioral2/files/0x0007000000022d0f-134.dat family_berbew behavioral2/files/0x0007000000022d11-142.dat family_berbew behavioral2/files/0x0007000000022d11-143.dat family_berbew behavioral2/files/0x0008000000022d15-150.dat family_berbew behavioral2/files/0x0008000000022d15-152.dat family_berbew behavioral2/files/0x0008000000022d1d-153.dat family_berbew behavioral2/files/0x0008000000022d1d-158.dat family_berbew behavioral2/files/0x0008000000022d1d-159.dat family_berbew behavioral2/files/0x0006000000022d20-167.dat family_berbew behavioral2/files/0x0006000000022d20-166.dat family_berbew behavioral2/files/0x0006000000022d22-174.dat family_berbew behavioral2/files/0x0006000000022d22-175.dat family_berbew behavioral2/files/0x0006000000022d24-183.dat family_berbew behavioral2/files/0x0006000000022d24-182.dat family_berbew behavioral2/files/0x0006000000022d26-190.dat family_berbew behavioral2/files/0x0006000000022d26-191.dat family_berbew behavioral2/files/0x0006000000022d28-198.dat family_berbew behavioral2/files/0x0006000000022d28-200.dat family_berbew behavioral2/files/0x0006000000022d2a-207.dat family_berbew behavioral2/files/0x0006000000022d2a-206.dat family_berbew behavioral2/files/0x0006000000022d2e-222.dat family_berbew behavioral2/files/0x0006000000022d2e-223.dat family_berbew behavioral2/files/0x0006000000022d30-230.dat family_berbew behavioral2/files/0x0006000000022d2c-215.dat family_berbew behavioral2/files/0x0006000000022d2c-214.dat family_berbew behavioral2/files/0x0006000000022d30-232.dat family_berbew behavioral2/files/0x0006000000022d32-233.dat family_berbew behavioral2/files/0x0006000000022d32-238.dat family_berbew behavioral2/files/0x0006000000022d34-246.dat family_berbew behavioral2/files/0x0006000000022d34-248.dat family_berbew behavioral2/files/0x0006000000022d36-254.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4496 Bllbaa32.exe 2940 Coohhlpe.exe 4388 Clchbqoo.exe 2032 Cleegp32.exe 3484 Chlflabp.exe 2768 Cfbcke32.exe 4724 Dfdpad32.exe 2684 Gpbpbecj.exe 2596 Hfcnpn32.exe 2056 Hbjoeojc.exe 2820 Hpnoncim.exe 3256 Hmbphg32.exe 4572 Iikmbh32.exe 1144 Igajal32.exe 2452 Ickglm32.exe 3772 Impliekg.exe 4788 Jpaekqhh.exe 1632 Jmeede32.exe 4688 Jpenfp32.exe 1508 Jllokajf.exe 4892 Kegpifod.exe 3444 Kckqbj32.exe 540 Kpoalo32.exe 4860 Kodnmkap.exe 3860 Knenkbio.exe 3696 Lpfgmnfp.exe 3024 Lfeljd32.exe 4148 Lcimdh32.exe 4484 Ljeafb32.exe 972 Lflbkcll.exe 4340 Mcpcdg32.exe 3288 Mfqlfb32.exe 4628 Moipoh32.exe 4508 Njfkmphe.exe 3888 Nncccnol.exe 4404 Nmipdk32.exe 3008 Ojomcopk.exe 4620 Oakbehfe.exe 1488 Ojdgnn32.exe 3980 Opqofe32.exe 3276 Oaplqh32.exe 316 Ondljl32.exe 3812 Ohlqcagj.exe 2844 Pmiikh32.exe 3908 Pagbaglh.exe 3500 Pjpfjl32.exe 3716 Phcgcqab.exe 4896 Ppolhcnm.exe 4728 Panhbfep.exe 3228 Qpeahb32.exe 1988 Afbgkl32.exe 3984 Ahaceo32.exe 2240 Adhdjpjf.exe 4384 Amqhbe32.exe 1356 Akdilipp.exe 1792 Bhhiemoj.exe 5028 Bhmbqm32.exe 3564 Bgbpaipl.exe 3748 Bdfpkm32.exe 4528 Cpmapodj.exe 5116 Ckbemgcp.exe 3496 Cgifbhid.exe 2688 Cdmfllhn.exe 4100 Chkobkod.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ijfkpnji.exe Nbepdfnc.exe File created C:\Windows\SysWOW64\Jkkdccim.dll Nahdapae.exe File created C:\Windows\SysWOW64\Elngne32.dll Nnoefagj.exe File opened for modification C:\Windows\SysWOW64\Gedfblql.exe Gpgnjebd.exe File opened for modification C:\Windows\SysWOW64\Kmobii32.exe Kokbpe32.exe File created C:\Windows\SysWOW64\Cgogbi32.dll Ljbnfleo.exe File opened for modification C:\Windows\SysWOW64\Nhhdnf32.exe Nckkfp32.exe File created C:\Windows\SysWOW64\Ifkqol32.dll Jeaiij32.exe File created C:\Windows\SysWOW64\Pmhegoin.dll Nhbciqln.exe File created C:\Windows\SysWOW64\Hhnkppbf.exe Process not Found File created C:\Windows\SysWOW64\Bgbpaipl.exe Bhmbqm32.exe File opened for modification C:\Windows\SysWOW64\Philfgdh.exe Paocim32.exe File created C:\Windows\SysWOW64\Bpncbp32.dll Lpjelibg.exe File created C:\Windows\SysWOW64\Fejlbgek.exe Fkehdnee.exe File opened for modification C:\Windows\SysWOW64\Hfcnpn32.exe Gpbpbecj.exe File opened for modification C:\Windows\SysWOW64\Lfmghdpl.exe Lapopm32.exe File opened for modification C:\Windows\SysWOW64\Infqklol.exe Ienlbf32.exe File opened for modification C:\Windows\SysWOW64\Bglgdi32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pmbegqjk.exe Pfhmjf32.exe File opened for modification C:\Windows\SysWOW64\Ibdplaho.exe Ibbcfa32.exe File created C:\Windows\SysWOW64\Oljoen32.exe Nbdkhe32.exe File created C:\Windows\SysWOW64\Fpqifh32.dll Ollljmhg.exe File created C:\Windows\SysWOW64\Jpehef32.dll Geanfelc.exe File opened for modification C:\Windows\SysWOW64\Koimbpbc.exe Jeaiij32.exe File opened for modification C:\Windows\SysWOW64\Pklkbl32.exe Pdbbfadn.exe File created C:\Windows\SysWOW64\Cegnol32.exe Cnmebblf.exe File created C:\Windows\SysWOW64\Hhhdjbno.dll NEAS.0ab231c668824513e97113bae8345450.exe File created C:\Windows\SysWOW64\Phcgcqab.exe Pjpfjl32.exe File created C:\Windows\SysWOW64\Hnhkdd32.exe Hgocgjgk.exe File opened for modification C:\Windows\SysWOW64\Apddce32.exe Gaglma32.exe File opened for modification C:\Windows\SysWOW64\Ilkoim32.exe Ilibdmgp.exe File created C:\Windows\SysWOW64\Kmfpdfnd.dll Fndpmndl.exe File created C:\Windows\SysWOW64\Mofmobmo.exe Mhldbh32.exe File opened for modification C:\Windows\SysWOW64\Mjlalkmd.exe Mofmobmo.exe File created C:\Windows\SysWOW64\Bgjjoi32.exe Bnaffdfc.exe File opened for modification C:\Windows\SysWOW64\Pnmjomlg.exe Pgcbbc32.exe File opened for modification C:\Windows\SysWOW64\Cbglgg32.exe Beaohcmf.exe File opened for modification C:\Windows\SysWOW64\Bbpolb32.exe Bgjjoi32.exe File created C:\Windows\SysWOW64\Effjdd32.dll Hedhoc32.exe File created C:\Windows\SysWOW64\Nnoefagj.exe Nhbmnj32.exe File created C:\Windows\SysWOW64\Ipqigjkp.dll Dfemdcba.exe File opened for modification C:\Windows\SysWOW64\Lihpdj32.exe Lckglc32.exe File created C:\Windows\SysWOW64\Aagdnn32.exe Ajmladbl.exe File created C:\Windows\SysWOW64\Dlnlak32.exe Decdeama.exe File created C:\Windows\SysWOW64\Kenognbk.dll Decdeama.exe File created C:\Windows\SysWOW64\Jfgnka32.exe Process not Found File created C:\Windows\SysWOW64\Bifkcioc.exe Bcicjbal.exe File opened for modification C:\Windows\SysWOW64\Fkgejncb.exe Fejlbgek.exe File created C:\Windows\SysWOW64\Dkndie32.exe Dddllkbf.exe File created C:\Windows\SysWOW64\Kabcopmg.exe Kpqggh32.exe File created C:\Windows\SysWOW64\Hghfnioq.exe Hjdedepg.exe File opened for modification C:\Windows\SysWOW64\Inkaqb32.exe Kiomnk32.exe File created C:\Windows\SysWOW64\Eacaej32.exe Process not Found File created C:\Windows\SysWOW64\Nphnbpql.dll Kpqggh32.exe File created C:\Windows\SysWOW64\Knifging.exe Khonkogj.exe File created C:\Windows\SysWOW64\Cefked32.dll Pgeogb32.exe File created C:\Windows\SysWOW64\Nieoal32.exe Aoqegk32.exe File created C:\Windows\SysWOW64\Hldiinke.exe Hnphoj32.exe File opened for modification C:\Windows\SysWOW64\Jmffnq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eacaej32.exe Process not Found File created C:\Windows\SysWOW64\Elekoe32.dll Bjfogbjb.exe File created C:\Windows\SysWOW64\Dmjmekgn.exe Cacmpj32.exe File created C:\Windows\SysWOW64\Dagajlal.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ljglnmdi.exe Lihpdj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7472 8220 Process not Found 1238 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojomcopk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpdfpmoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfgefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlfniafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehhom32.dll" Nipffmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfpdfnd.dll" Fndpmndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgokhco.dll" Onjebpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpigao32.dll" Hmkeekag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mknlef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjghdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakofc32.dll" Pklkbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heffebak.dll" Ilnlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihdldn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpochfji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kabcopmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifiamoa.dll" Cmmbmiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhekaejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjcmpdk.dll" Bpomem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Feifgnki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmghklif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iqombb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpogkhnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnoacp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cameci32.dll" Bbklli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijfkpnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkgepcpk.dll" Kcikfcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miikdm32.dll" Lckglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdbbfadn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciqmjkno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpfgmnfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egknji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fncbha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlipbfgc.dll" Dbckcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edplhjhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mapppn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngifef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhqefjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhego32.dll" Nbbeml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opcjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll" Ojhiogdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbhpajlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effjdd32.dll" Hedhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjaleemj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfmghdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhhcne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cebdcmhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idqogkic.dll" Ciqmjkno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlmegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll" Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fchlhnlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnaef32.dll" Mphamg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkobdqqa.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laiimcij.dll" Lpochfji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll" Dgdncplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlbphhk.dll" Mclhjkfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll" Akipic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgonpaol.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2388 wrote to memory of 4496 2388 NEAS.0ab231c668824513e97113bae8345450.exe 89 PID 2388 wrote to memory of 4496 2388 NEAS.0ab231c668824513e97113bae8345450.exe 89 PID 2388 wrote to memory of 4496 2388 NEAS.0ab231c668824513e97113bae8345450.exe 89 PID 4496 wrote to memory of 2940 4496 Bllbaa32.exe 90 PID 4496 wrote to memory of 2940 4496 Bllbaa32.exe 90 PID 4496 wrote to memory of 2940 4496 Bllbaa32.exe 90 PID 2940 wrote to memory of 4388 2940 Coohhlpe.exe 91 PID 2940 wrote to memory of 4388 2940 Coohhlpe.exe 91 PID 2940 wrote to memory of 4388 2940 Coohhlpe.exe 91 PID 4388 wrote to memory of 2032 4388 Clchbqoo.exe 93 PID 4388 wrote to memory of 2032 4388 Clchbqoo.exe 93 PID 4388 wrote to memory of 2032 4388 Clchbqoo.exe 93 PID 2032 wrote to memory of 3484 2032 Cleegp32.exe 94 PID 2032 wrote to memory of 3484 2032 Cleegp32.exe 94 PID 2032 wrote to memory of 3484 2032 Cleegp32.exe 94 PID 3484 wrote to memory of 2768 3484 Chlflabp.exe 96 PID 3484 wrote to memory of 2768 3484 Chlflabp.exe 96 PID 3484 wrote to memory of 2768 3484 Chlflabp.exe 96 PID 2768 wrote to memory of 4724 2768 Cfbcke32.exe 97 PID 2768 wrote to memory of 4724 2768 Cfbcke32.exe 97 PID 2768 wrote to memory of 4724 2768 Cfbcke32.exe 97 PID 4724 wrote to memory of 2684 4724 Dfdpad32.exe 98 PID 4724 wrote to memory of 2684 4724 Dfdpad32.exe 98 PID 4724 wrote to memory of 2684 4724 Dfdpad32.exe 98 PID 2684 wrote to memory of 2596 2684 Gpbpbecj.exe 99 PID 2684 wrote to memory of 2596 2684 Gpbpbecj.exe 99 PID 2684 wrote to memory of 2596 2684 Gpbpbecj.exe 99 PID 2596 wrote to memory of 2056 2596 Hfcnpn32.exe 100 PID 2596 wrote to memory of 2056 2596 Hfcnpn32.exe 100 PID 2596 wrote to memory of 2056 2596 Hfcnpn32.exe 100 PID 2056 wrote to memory of 2820 2056 Hbjoeojc.exe 101 PID 2056 wrote to memory of 2820 2056 Hbjoeojc.exe 101 PID 2056 wrote to memory of 2820 2056 Hbjoeojc.exe 101 PID 2820 wrote to memory of 3256 2820 Hpnoncim.exe 102 PID 2820 wrote to memory of 3256 2820 Hpnoncim.exe 102 PID 2820 wrote to memory of 3256 2820 Hpnoncim.exe 102 PID 3256 wrote to memory of 4572 3256 Hmbphg32.exe 103 PID 3256 wrote to memory of 4572 3256 Hmbphg32.exe 103 PID 3256 wrote to memory of 4572 3256 Hmbphg32.exe 103 PID 4572 wrote to memory of 1144 4572 Iikmbh32.exe 105 PID 4572 wrote to memory of 1144 4572 Iikmbh32.exe 105 PID 4572 wrote to memory of 1144 4572 Iikmbh32.exe 105 PID 1144 wrote to memory of 2452 1144 Igajal32.exe 107 PID 1144 wrote to memory of 2452 1144 Igajal32.exe 107 PID 1144 wrote to memory of 2452 1144 Igajal32.exe 107 PID 2452 wrote to memory of 3772 2452 Ickglm32.exe 108 PID 2452 wrote to memory of 3772 2452 Ickglm32.exe 108 PID 2452 wrote to memory of 3772 2452 Ickglm32.exe 108 PID 3772 wrote to memory of 4788 3772 Impliekg.exe 109 PID 3772 wrote to memory of 4788 3772 Impliekg.exe 109 PID 3772 wrote to memory of 4788 3772 Impliekg.exe 109 PID 4788 wrote to memory of 1632 4788 Jpaekqhh.exe 110 PID 4788 wrote to memory of 1632 4788 Jpaekqhh.exe 110 PID 4788 wrote to memory of 1632 4788 Jpaekqhh.exe 110 PID 1632 wrote to memory of 4688 1632 Jmeede32.exe 111 PID 1632 wrote to memory of 4688 1632 Jmeede32.exe 111 PID 1632 wrote to memory of 4688 1632 Jmeede32.exe 111 PID 4688 wrote to memory of 1508 4688 Jpenfp32.exe 112 PID 4688 wrote to memory of 1508 4688 Jpenfp32.exe 112 PID 4688 wrote to memory of 1508 4688 Jpenfp32.exe 112 PID 1508 wrote to memory of 4892 1508 Jllokajf.exe 113 PID 1508 wrote to memory of 4892 1508 Jllokajf.exe 113 PID 1508 wrote to memory of 4892 1508 Jllokajf.exe 113 PID 4892 wrote to memory of 3444 4892 Kegpifod.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.0ab231c668824513e97113bae8345450.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.0ab231c668824513e97113bae8345450.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Bllbaa32.exeC:\Windows\system32\Bllbaa32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Clchbqoo.exeC:\Windows\system32\Clchbqoo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Cleegp32.exeC:\Windows\system32\Cleegp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Chlflabp.exeC:\Windows\system32\Chlflabp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Cfbcke32.exeC:\Windows\system32\Cfbcke32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Hbjoeojc.exeC:\Windows\system32\Hbjoeojc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Iikmbh32.exeC:\Windows\system32\Iikmbh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Jpaekqhh.exeC:\Windows\system32\Jpaekqhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Jmeede32.exeC:\Windows\system32\Jmeede32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Jllokajf.exeC:\Windows\system32\Jllokajf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Kegpifod.exeC:\Windows\system32\Kegpifod.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe23⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Kpoalo32.exeC:\Windows\system32\Kpoalo32.exe24⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Kodnmkap.exeC:\Windows\system32\Kodnmkap.exe25⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:3860 -
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3696 -
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe28⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe29⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe30⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe31⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Mcpcdg32.exeC:\Windows\system32\Mcpcdg32.exe32⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe33⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe34⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe35⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Nncccnol.exeC:\Windows\system32\Nncccnol.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe37⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Oakbehfe.exeC:\Windows\system32\Oakbehfe.exe39⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Ojdgnn32.exeC:\Windows\system32\Ojdgnn32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Opqofe32.exeC:\Windows\system32\Opqofe32.exe41⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe42⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Ondljl32.exeC:\Windows\system32\Ondljl32.exe43⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Ohlqcagj.exeC:\Windows\system32\Ohlqcagj.exe44⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Pmiikh32.exeC:\Windows\system32\Pmiikh32.exe45⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Pagbaglh.exeC:\Windows\system32\Pagbaglh.exe46⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Phcgcqab.exeC:\Windows\system32\Phcgcqab.exe48⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Ppolhcnm.exeC:\Windows\system32\Ppolhcnm.exe49⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Panhbfep.exeC:\Windows\system32\Panhbfep.exe50⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3228 -
C:\Windows\SysWOW64\Afbgkl32.exeC:\Windows\system32\Afbgkl32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe53⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe54⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Amqhbe32.exeC:\Windows\system32\Amqhbe32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe57⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Bhmbqm32.exeC:\Windows\system32\Bhmbqm32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5028 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe59⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe60⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Cpmapodj.exeC:\Windows\system32\Cpmapodj.exe61⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Ckbemgcp.exeC:\Windows\system32\Ckbemgcp.exe62⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Cgifbhid.exeC:\Windows\system32\Cgifbhid.exe63⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe64⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Chkobkod.exeC:\Windows\system32\Chkobkod.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Cpfcfmlp.exeC:\Windows\system32\Cpfcfmlp.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:936 -
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe67⤵PID:4596
-
C:\Windows\SysWOW64\Dddllkbf.exeC:\Windows\system32\Dddllkbf.exe68⤵
- Drops file in System32 directory
PID:5104 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe69⤵PID:4176
-
C:\Windows\SysWOW64\Dhbebj32.exeC:\Windows\system32\Dhbebj32.exe70⤵PID:920
-
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe71⤵PID:4796
-
C:\Windows\SysWOW64\Dqpfmlce.exeC:\Windows\system32\Dqpfmlce.exe72⤵PID:5124
-
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe73⤵PID:5188
-
C:\Windows\SysWOW64\Dkhgod32.exeC:\Windows\system32\Dkhgod32.exe74⤵PID:5232
-
C:\Windows\SysWOW64\Edplhjhi.exeC:\Windows\system32\Edplhjhi.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe76⤵PID:5316
-
C:\Windows\SysWOW64\Enkmfolf.exeC:\Windows\system32\Enkmfolf.exe77⤵PID:5388
-
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5456 -
C:\Windows\SysWOW64\Edionhpn.exeC:\Windows\system32\Edionhpn.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5512 -
C:\Windows\SysWOW64\Fqppci32.exeC:\Windows\system32\Fqppci32.exe80⤵PID:5560
-
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:5600 -
C:\Windows\SysWOW64\Fgmdec32.exeC:\Windows\system32\Fgmdec32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5636 -
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe83⤵PID:5684
-
C:\Windows\SysWOW64\Fgoakc32.exeC:\Windows\system32\Fgoakc32.exe84⤵PID:5732
-
C:\Windows\SysWOW64\Fbdehlip.exeC:\Windows\system32\Fbdehlip.exe85⤵PID:5772
-
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe86⤵PID:5820
-
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe87⤵PID:5868
-
C:\Windows\SysWOW64\Fgcjfbed.exeC:\Windows\system32\Fgcjfbed.exe88⤵PID:5916
-
C:\Windows\SysWOW64\Gnpphljo.exeC:\Windows\system32\Gnpphljo.exe89⤵PID:5972
-
C:\Windows\SysWOW64\Gghdaa32.exeC:\Windows\system32\Gghdaa32.exe90⤵PID:6016
-
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6052 -
C:\Windows\SysWOW64\Ggkqgaol.exeC:\Windows\system32\Ggkqgaol.exe92⤵PID:6104
-
C:\Windows\SysWOW64\Gbpedjnb.exeC:\Windows\system32\Gbpedjnb.exe93⤵PID:1900
-
C:\Windows\SysWOW64\Gpdennml.exeC:\Windows\system32\Gpdennml.exe94⤵PID:5216
-
C:\Windows\SysWOW64\Geanfelc.exeC:\Windows\system32\Geanfelc.exe95⤵
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Hnibokbd.exeC:\Windows\system32\Hnibokbd.exe96⤵PID:5400
-
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe97⤵PID:5528
-
C:\Windows\SysWOW64\Hnnljj32.exeC:\Windows\system32\Hnnljj32.exe98⤵PID:5632
-
C:\Windows\SysWOW64\Hnphoj32.exeC:\Windows\system32\Hnphoj32.exe99⤵
- Drops file in System32 directory
PID:5692 -
C:\Windows\SysWOW64\Hldiinke.exeC:\Windows\system32\Hldiinke.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5756 -
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe101⤵PID:5804
-
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe102⤵PID:5892
-
C:\Windows\SysWOW64\Ipbaol32.exeC:\Windows\system32\Ipbaol32.exe103⤵PID:5980
-
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6044 -
C:\Windows\SysWOW64\Ilkoim32.exeC:\Windows\system32\Ilkoim32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4924 -
C:\Windows\SysWOW64\Iahgad32.exeC:\Windows\system32\Iahgad32.exe106⤵PID:5220
-
C:\Windows\SysWOW64\Ilnlom32.exeC:\Windows\system32\Ilnlom32.exe107⤵
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Iajdgcab.exeC:\Windows\system32\Iajdgcab.exe108⤵PID:5596
-
C:\Windows\SysWOW64\Ihdldn32.exeC:\Windows\system32\Ihdldn32.exe109⤵
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe110⤵PID:5896
-
C:\Windows\SysWOW64\Jpbjfjci.exeC:\Windows\system32\Jpbjfjci.exe111⤵PID:6048
-
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe112⤵PID:6136
-
C:\Windows\SysWOW64\Jhplpl32.exeC:\Windows\system32\Jhplpl32.exe113⤵PID:5304
-
C:\Windows\SysWOW64\Jahqiaeb.exeC:\Windows\system32\Jahqiaeb.exe114⤵PID:5672
-
C:\Windows\SysWOW64\Klndfj32.exeC:\Windows\system32\Klndfj32.exe115⤵PID:5876
-
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe116⤵PID:6112
-
C:\Windows\SysWOW64\Klpakj32.exeC:\Windows\system32\Klpakj32.exe117⤵PID:5280
-
C:\Windows\SysWOW64\Kcjjhdjb.exeC:\Windows\system32\Kcjjhdjb.exe118⤵PID:5676
-
C:\Windows\SysWOW64\Kekbjo32.exeC:\Windows\system32\Kekbjo32.exe119⤵PID:6128
-
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe120⤵
- Drops file in System32 directory
PID:5628 -
C:\Windows\SysWOW64\Kabcopmg.exeC:\Windows\system32\Kabcopmg.exe121⤵
- Modifies registry class
PID:6012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-