Analysis
-
max time kernel
140s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 03:14
Behavioral task
behavioral1
Sample
589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe
-
Size
1024KB
-
MD5
589a2b3ae92eb9e43a27f420868bdb30
-
SHA1
641ec8c1530aed0e7ba0d575b545d3f04b162e78
-
SHA256
0ceefda3615308a8a12488b097a8eb7b6446f8ef30f94a7287ab4960c0c0ef35
-
SHA512
ac0b62eade08125ecf5d5e0bf5c384002461926759b2492726e196c4198deb185d5bfb9e898890fba76ac4fbb32c807ffa1ec6156d7de804e96774b5ae29c22b
-
SSDEEP
24576:HtaSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snARe:NaSHFaZRBEYyqmS2DiHPKQgmN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdncmghi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olckbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jafdcbge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngmgne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilidbbgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Menjdbgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olijhmgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maohkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekpmbddq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkalplel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iojbpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohmkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnjen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnlgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkjgegae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkdbacp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpfqcln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqpjidj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepmlimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhafeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldanqkki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpdaepai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emphocjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpfan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafdkmap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnffj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfbploob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pggbkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aminee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjcfabm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkgkapm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgflcifg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfaigm32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000023305-7.dat family_berbew behavioral2/files/0x000700000002346b-33.dat family_berbew behavioral2/files/0x000700000002346d-40.dat family_berbew behavioral2/files/0x0007000000023469-24.dat family_berbew behavioral2/files/0x0007000000023467-16.dat family_berbew behavioral2/files/0x0007000000023473-65.dat family_berbew behavioral2/files/0x0007000000023479-89.dat family_berbew behavioral2/files/0x0008000000023463-103.dat family_berbew behavioral2/files/0x0007000000023480-120.dat family_berbew behavioral2/files/0x0007000000023482-127.dat family_berbew behavioral2/files/0x0007000000023484-136.dat family_berbew behavioral2/files/0x0007000000023486-144.dat family_berbew behavioral2/files/0x000700000002348a-159.dat family_berbew behavioral2/files/0x0007000000023488-152.dat family_berbew behavioral2/files/0x000700000002348c-167.dat family_berbew behavioral2/files/0x000700000002349b-223.dat family_berbew behavioral2/files/0x00070000000234a1-249.dat family_berbew behavioral2/files/0x00070000000234a3-256.dat family_berbew behavioral2/files/0x00070000000234a9-270.dat family_berbew behavioral2/files/0x00070000000234af-288.dat family_berbew behavioral2/files/0x00070000000234b3-299.dat family_berbew behavioral2/files/0x00070000000234b5-307.dat family_berbew behavioral2/files/0x00070000000234c3-349.dat family_berbew behavioral2/files/0x00070000000234c9-366.dat family_berbew behavioral2/files/0x00070000000234d3-396.dat family_berbew behavioral2/files/0x00070000000234e1-438.dat family_berbew behavioral2/files/0x00070000000234f1-486.dat family_berbew behavioral2/files/0x000700000002351a-617.dat family_berbew behavioral2/files/0x0007000000023520-637.dat family_berbew behavioral2/files/0x0007000000023522-645.dat family_berbew behavioral2/files/0x000700000002352a-673.dat family_berbew behavioral2/files/0x0007000000023526-658.dat family_berbew behavioral2/files/0x0007000000023560-858.dat family_berbew behavioral2/files/0x000700000002359c-1062.dat family_berbew behavioral2/files/0x000700000002359e-1071.dat family_berbew behavioral2/files/0x00070000000235b7-1150.dat family_berbew behavioral2/files/0x00070000000235bb-1163.dat family_berbew behavioral2/files/0x00070000000235cf-1233.dat family_berbew behavioral2/files/0x00070000000235d5-1252.dat family_berbew behavioral2/files/0x00070000000235db-1272.dat family_berbew behavioral2/files/0x00070000000235eb-1326.dat family_berbew behavioral2/files/0x00070000000235e5-1307.dat family_berbew behavioral2/files/0x0007000000023629-1550.dat family_berbew behavioral2/files/0x0007000000023625-1538.dat family_berbew behavioral2/files/0x0007000000023635-1594.dat family_berbew behavioral2/files/0x000700000002363f-1629.dat family_berbew behavioral2/files/0x0007000000023658-1713.dat family_berbew behavioral2/files/0x0007000000023664-1755.dat family_berbew behavioral2/files/0x0007000000023672-1805.dat family_berbew behavioral2/files/0x0007000000023674-1815.dat family_berbew behavioral2/files/0x00070000000236a2-1974.dat family_berbew behavioral2/files/0x00070000000236a0-1966.dat family_berbew behavioral2/files/0x00070000000236aa-1999.dat family_berbew behavioral2/files/0x00070000000236c2-2081.dat family_berbew behavioral2/files/0x00070000000236da-2161.dat family_berbew behavioral2/files/0x00070000000236e2-2188.dat family_berbew behavioral2/files/0x00070000000236d4-2141.dat family_berbew behavioral2/files/0x000700000002372b-2410.dat family_berbew behavioral2/files/0x000700000002372f-2424.dat family_berbew behavioral2/files/0x0007000000023727-2396.dat family_berbew behavioral2/files/0x0007000000023753-2544.dat family_berbew behavioral2/files/0x0007000000023763-2598.dat family_berbew behavioral2/files/0x000700000002376d-2632.dat family_berbew behavioral2/files/0x0007000000023773-2651.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3248 Lkdggmlj.exe 3452 Laopdgcg.exe 4588 Lpappc32.exe 5044 Lcpllo32.exe 3668 Lkgdml32.exe 4688 Lcgblncm.exe 4068 Mjqjih32.exe 1148 Mahbje32.exe 4216 Mkpgck32.exe 2016 Mnapdf32.exe 4692 Mkepnjng.exe 1012 Maohkd32.exe 644 Mglack32.exe 180 Mjjmog32.exe 5096 Mdpalp32.exe 1188 Nnhfee32.exe 2592 Ngpjnkpf.exe 1500 Njogjfoj.exe 3080 Nqiogp32.exe 2184 Nkqpjidj.exe 2864 Ojmcld32.exe 5072 Onklabip.exe 5004 Ojalgcnd.exe 1488 Obidhaog.exe 548 Pcjapi32.exe 1872 Pjdilcla.exe 960 Pqnaim32.exe 3504 Pclneicb.exe 4964 Pjffbc32.exe 4368 Peljol32.exe 3736 Pkfblfab.exe 4704 Pbpjhp32.exe 4080 Pengdk32.exe 2032 Pkhoae32.exe 1480 Qgallfcq.exe 376 Qeemej32.exe 4720 Qgciaf32.exe 2880 Qnnanphk.exe 4740 Ajdbcano.exe 3384 Aanjpk32.exe 3220 Abngjnmo.exe 1744 Acocaf32.exe 828 Andgoobc.exe 2436 Adapgfqj.exe 1928 Ahoimd32.exe 628 Ajneip32.exe 4464 Abemjmgg.exe 4876 Bdfibe32.exe 1228 Beeflhdh.exe 1592 Bdhfhe32.exe 2712 Bnnjen32.exe 4100 Bdkcmdhp.exe 3564 Blbknaib.exe 4952 Bjdkjo32.exe 2200 Baocghgi.exe 4940 Bhikcb32.exe 3236 Baaplhef.exe 1508 Bkidenlg.exe 2220 Cacmah32.exe 4512 Cliaoq32.exe 1796 Cafigg32.exe 4016 Chpada32.exe 1328 Conclk32.exe 3676 Camphf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ifjodl32.exe Ibnccmbo.exe File created C:\Windows\SysWOW64\Dfdjmlhn.dll Ognpebpj.exe File created C:\Windows\SysWOW64\Ppdbgncl.exe Process not Found File created C:\Windows\SysWOW64\Phbhcmjl.exe Pahpfc32.exe File created C:\Windows\SysWOW64\Kaadlo32.dll Process not Found File created C:\Windows\SysWOW64\Kmmfbg32.dll Ldoaklml.exe File opened for modification C:\Windows\SysWOW64\Jenmcggo.exe Jekqmhia.exe File created C:\Windows\SysWOW64\Aeodmbol.dll Process not Found File created C:\Windows\SysWOW64\Oeheqm32.exe Omqmop32.exe File created C:\Windows\SysWOW64\Bgehcmmm.exe Beglgani.exe File created C:\Windows\SysWOW64\Lmdemd32.exe Ldipha32.exe File created C:\Windows\SysWOW64\Fklenm32.dll Phdnngdn.exe File created C:\Windows\SysWOW64\Bdkcmdhp.exe Bnnjen32.exe File opened for modification C:\Windows\SysWOW64\Liimncmf.exe Lpqiemge.exe File created C:\Windows\SysWOW64\Ikbnacmd.exe Iehfdi32.exe File opened for modification C:\Windows\SysWOW64\Knkekn32.exe Kkmioc32.exe File created C:\Windows\SysWOW64\Lefioe32.dll Qikgco32.exe File created C:\Windows\SysWOW64\Ogajpp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bgehcmmm.exe Beglgani.exe File created C:\Windows\SysWOW64\Hcjccj32.dll Dfiafg32.exe File created C:\Windows\SysWOW64\Hhnbpb32.exe Hbdjchgn.exe File created C:\Windows\SysWOW64\Plbmokop.exe Peieba32.exe File opened for modification C:\Windows\SysWOW64\Cjjlkk32.exe Codhnb32.exe File created C:\Windows\SysWOW64\Iocmhlca.dll Process not Found File created C:\Windows\SysWOW64\Ogjembbd.dll Lqkqhm32.exe File created C:\Windows\SysWOW64\Ndhkdnkh.dll Bclhhnca.exe File opened for modification C:\Windows\SysWOW64\Hoadkn32.exe Hgjljpkm.exe File created C:\Windows\SysWOW64\Cocjiehd.exe Coqncejg.exe File created C:\Windows\SysWOW64\Nhmkghpm.dll Pkhoae32.exe File created C:\Windows\SysWOW64\Gbbkaako.exe Gcojed32.exe File opened for modification C:\Windows\SysWOW64\Ifgbnlmj.exe Icifbang.exe File created C:\Windows\SysWOW64\Nqcejcha.exe Process not Found File created C:\Windows\SysWOW64\Allebf32.dll Lekehdgp.exe File opened for modification C:\Windows\SysWOW64\Hglipp32.exe Hfklhhcl.exe File created C:\Windows\SysWOW64\Pmlfqh32.exe Pccahbmn.exe File created C:\Windows\SysWOW64\Kpjcpkfo.dll Nkqpjidj.exe File created C:\Windows\SysWOW64\Laahglpp.dll Ghkeio32.exe File created C:\Windows\SysWOW64\Jjgkan32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gipdap32.exe Gdcliikj.exe File created C:\Windows\SysWOW64\Clncadfb.dll Ofcmfodb.exe File created C:\Windows\SysWOW64\Kmfiloih.dll Aminee32.exe File opened for modification C:\Windows\SysWOW64\Efccmidp.exe Elnoopdj.exe File opened for modification C:\Windows\SysWOW64\Haaaaeim.exe Hifmmb32.exe File created C:\Windows\SysWOW64\Nkqpjidj.exe Nqiogp32.exe File created C:\Windows\SysWOW64\Qghlmgij.dll Ghaliknf.exe File opened for modification C:\Windows\SysWOW64\Mnebeogl.exe Menjdbgj.exe File opened for modification C:\Windows\SysWOW64\Nckndeni.exe Ndhmhh32.exe File opened for modification C:\Windows\SysWOW64\Pgefeajb.exe Pdfjifjo.exe File created C:\Windows\SysWOW64\Jgkhgb32.dll Pofjpl32.exe File created C:\Windows\SysWOW64\Cnffoibg.dll Onapdl32.exe File opened for modification C:\Windows\SysWOW64\Egohdegl.exe Enfckp32.exe File created C:\Windows\SysWOW64\Cmbgdl32.exe Process not Found File created C:\Windows\SysWOW64\Chmhoe32.dll Oneklm32.exe File opened for modification C:\Windows\SysWOW64\Plcdiabk.exe Pjehmfch.exe File opened for modification C:\Windows\SysWOW64\Lfjfecno.exe Lcimdh32.exe File created C:\Windows\SysWOW64\Cjnffjkl.exe Ckmehb32.exe File opened for modification C:\Windows\SysWOW64\Onhhamgg.exe Ojllan32.exe File created C:\Windows\SysWOW64\Obncjbkf.dll Ggpbjkpl.exe File created C:\Windows\SysWOW64\Hqomopfd.dll Nojjcj32.exe File created C:\Windows\SysWOW64\Dmlijb32.dll Pemomqcn.exe File created C:\Windows\SysWOW64\Pakdbp32.exe Process not Found File created C:\Windows\SysWOW64\Jcjpfk32.dll Lepncd32.exe File created C:\Windows\SysWOW64\Ngmgne32.exe Ncbknfed.exe File created C:\Windows\SysWOW64\Okahepfa.dll Lfjjga32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13656 14092 Process not Found 1208 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Conclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll" Aminee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Docmgjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll" Mgfqmfde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfendmoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpoihnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibjjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll" Lbmhlihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnkfijp.dll" Gepmlimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekfmb32.dll" Heocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbaipkbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npcoakfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkaqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkabjbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgibng32.dll" Lhmmjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmlfqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfjcgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inpccihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfgdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbndfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffchaq32.dll" Alpbecod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkfhc32.dll" Joffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhlpqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll" Lekehdgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjhlml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkelgcfo.dll" Goljqnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmahidnb.dll" Fkcboack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oogpjbbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlncan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkddkljd.dll" Mjellmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofhmj32.dll" Ejflhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lepncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlaie32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqcfnjk.dll" Fcfhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbpne32.dll" Majjng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckilmcgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidafj32.dll" Emhldnkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfihkqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll" Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomnmjjb.dll" Boeebnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qeemej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpf32.dll" Jibmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaiilmd.dll" Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljkifn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinbbnpa.dll" Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clgbmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbmpm32.dll" Ednaqo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3112 wrote to memory of 3248 3112 589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe 83 PID 3112 wrote to memory of 3248 3112 589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe 83 PID 3112 wrote to memory of 3248 3112 589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe 83 PID 3248 wrote to memory of 3452 3248 Lkdggmlj.exe 84 PID 3248 wrote to memory of 3452 3248 Lkdggmlj.exe 84 PID 3248 wrote to memory of 3452 3248 Lkdggmlj.exe 84 PID 3452 wrote to memory of 4588 3452 Laopdgcg.exe 85 PID 3452 wrote to memory of 4588 3452 Laopdgcg.exe 85 PID 3452 wrote to memory of 4588 3452 Laopdgcg.exe 85 PID 4588 wrote to memory of 5044 4588 Lpappc32.exe 86 PID 4588 wrote to memory of 5044 4588 Lpappc32.exe 86 PID 4588 wrote to memory of 5044 4588 Lpappc32.exe 86 PID 5044 wrote to memory of 3668 5044 Lcpllo32.exe 87 PID 5044 wrote to memory of 3668 5044 Lcpllo32.exe 87 PID 5044 wrote to memory of 3668 5044 Lcpllo32.exe 87 PID 3668 wrote to memory of 4688 3668 Lkgdml32.exe 88 PID 3668 wrote to memory of 4688 3668 Lkgdml32.exe 88 PID 3668 wrote to memory of 4688 3668 Lkgdml32.exe 88 PID 4688 wrote to memory of 4068 4688 Lcgblncm.exe 90 PID 4688 wrote to memory of 4068 4688 Lcgblncm.exe 90 PID 4688 wrote to memory of 4068 4688 Lcgblncm.exe 90 PID 4068 wrote to memory of 1148 4068 Mjqjih32.exe 91 PID 4068 wrote to memory of 1148 4068 Mjqjih32.exe 91 PID 4068 wrote to memory of 1148 4068 Mjqjih32.exe 91 PID 1148 wrote to memory of 4216 1148 Mahbje32.exe 93 PID 1148 wrote to memory of 4216 1148 Mahbje32.exe 93 PID 1148 wrote to memory of 4216 1148 Mahbje32.exe 93 PID 4216 wrote to memory of 2016 4216 Mkpgck32.exe 95 PID 4216 wrote to memory of 2016 4216 Mkpgck32.exe 95 PID 4216 wrote to memory of 2016 4216 Mkpgck32.exe 95 PID 2016 wrote to memory of 4692 2016 Mnapdf32.exe 96 PID 2016 wrote to memory of 4692 2016 Mnapdf32.exe 96 PID 2016 wrote to memory of 4692 2016 Mnapdf32.exe 96 PID 4692 wrote to memory of 1012 4692 Mkepnjng.exe 97 PID 4692 wrote to memory of 1012 4692 Mkepnjng.exe 97 PID 4692 wrote to memory of 1012 4692 Mkepnjng.exe 97 PID 1012 wrote to memory of 644 1012 Maohkd32.exe 98 PID 1012 wrote to memory of 644 1012 Maohkd32.exe 98 PID 1012 wrote to memory of 644 1012 Maohkd32.exe 98 PID 644 wrote to memory of 180 644 Mglack32.exe 99 PID 644 wrote to memory of 180 644 Mglack32.exe 99 PID 644 wrote to memory of 180 644 Mglack32.exe 99 PID 180 wrote to memory of 5096 180 Mjjmog32.exe 100 PID 180 wrote to memory of 5096 180 Mjjmog32.exe 100 PID 180 wrote to memory of 5096 180 Mjjmog32.exe 100 PID 5096 wrote to memory of 1188 5096 Mdpalp32.exe 101 PID 5096 wrote to memory of 1188 5096 Mdpalp32.exe 101 PID 5096 wrote to memory of 1188 5096 Mdpalp32.exe 101 PID 1188 wrote to memory of 2592 1188 Nnhfee32.exe 102 PID 1188 wrote to memory of 2592 1188 Nnhfee32.exe 102 PID 1188 wrote to memory of 2592 1188 Nnhfee32.exe 102 PID 2592 wrote to memory of 1500 2592 Ngpjnkpf.exe 103 PID 2592 wrote to memory of 1500 2592 Ngpjnkpf.exe 103 PID 2592 wrote to memory of 1500 2592 Ngpjnkpf.exe 103 PID 1500 wrote to memory of 3080 1500 Njogjfoj.exe 104 PID 1500 wrote to memory of 3080 1500 Njogjfoj.exe 104 PID 1500 wrote to memory of 3080 1500 Njogjfoj.exe 104 PID 3080 wrote to memory of 2184 3080 Nqiogp32.exe 105 PID 3080 wrote to memory of 2184 3080 Nqiogp32.exe 105 PID 3080 wrote to memory of 2184 3080 Nqiogp32.exe 105 PID 2184 wrote to memory of 2864 2184 Nkqpjidj.exe 106 PID 2184 wrote to memory of 2864 2184 Nkqpjidj.exe 106 PID 2184 wrote to memory of 2864 2184 Nkqpjidj.exe 106 PID 2864 wrote to memory of 5072 2864 Ojmcld32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe23⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe24⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe25⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe26⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe27⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe28⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe29⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe30⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe31⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe32⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe33⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe34⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe36⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe38⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe39⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe40⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe41⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe42⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe43⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe44⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe45⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe46⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe48⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe49⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe50⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe51⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe53⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe54⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe55⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe56⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe57⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe58⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe59⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe60⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe61⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe62⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe63⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe65⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe66⤵PID:4388
-
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe67⤵PID:2076
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe68⤵PID:2036
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe69⤵PID:2764
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe70⤵
- Modifies registry class
PID:4496 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe71⤵PID:3892
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe72⤵PID:5016
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe73⤵PID:4716
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe74⤵PID:1656
-
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe75⤵PID:4956
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe76⤵PID:4376
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe77⤵PID:4824
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe78⤵PID:5108
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe79⤵PID:3436
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe80⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe81⤵PID:2572
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe82⤵PID:1568
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe83⤵PID:4264
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe84⤵
- Modifies registry class
PID:4416 -
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe85⤵PID:4484
-
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe86⤵PID:4592
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe87⤵PID:5140
-
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe88⤵PID:5220
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe89⤵PID:5260
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe90⤵PID:5300
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe91⤵PID:5352
-
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe92⤵PID:5404
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe93⤵PID:5452
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe94⤵PID:5508
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe95⤵
- Modifies registry class
PID:5552 -
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe96⤵PID:5604
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe97⤵PID:5648
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe98⤵PID:5692
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe99⤵PID:5736
-
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe100⤵PID:5780
-
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe101⤵PID:5824
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe102⤵PID:5868
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe103⤵PID:5912
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe104⤵PID:5952
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe105⤵PID:6004
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe106⤵
- Drops file in System32 directory
PID:6048 -
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe107⤵PID:6084
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe108⤵PID:6136
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe109⤵PID:1848
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe110⤵PID:5284
-
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe111⤵PID:5360
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe112⤵PID:5428
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe113⤵PID:4340
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe114⤵PID:5544
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe115⤵PID:5624
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5688 -
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe117⤵
- Drops file in System32 directory
PID:5764 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe118⤵PID:5832
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe119⤵PID:5896
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe120⤵PID:5960
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe121⤵PID:6036
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-