Analysis
max time kernel: 157s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 16:55
Behavioral task behavioral1
Sample: NEAS.e915f6678b1006ce996e69cf041ff9d3_JC.exe
Resource: win7-20231020-en
Behavioral task behavioral2
Sample: NEAS.e915f6678b1006ce996e69cf041ff9d3_JC.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.e915f6678b1006ce996e69cf041ff9d3_JC.exe
Size: 256KB
MD5: e915f6678b1006ce996e69cf041ff9d3
SHA1: 9e58c865049c643039ce501532bc0456205124fb
SHA256: c3159200e217c2a79ed9c0777ad6a5490fe56e2f475f78f5b61ae42e14fbf898
SHA512: eb57274d56e3db42306084dfaa824ce0ad6ed849d8d824095e9359d08cd9c22c9cf5958fb0b276ccf50f6297009a63eb7d7a08c7876285336928189823730ffe
SSDEEP: 6144:Uc2FUqTrWCjlpmmxieQbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRU:qFUuSMlpJxifbWGRdA6sQhPbWGRdA6s5
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware family classified as a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Suspicious use of WriteProcessMemory (64 rows). Every link in the chain is rendered three times in the report, once per WriteProcessMemory event the parent made into its freshly created child; the rows are collapsed below with an event count, and the final link (2324 -> 1756) is the only one recorded once (21 x 3 + 1 = 64).

description                          pid    Process                                        procid_target   events
PID 4024 wrote to memory of 3884     4024   NEAS.e915f6678b1006ce996e69cf041ff9d3_JC.exe   93              3
PID 3884 wrote to memory of 5104     3884   Glinjqhb.exe                                   94              3
PID 5104 wrote to memory of 2928     5104   Jjnqap32.exe                                   95              3
PID 2928 wrote to memory of 3760     2928   Joaojf32.exe                                   96              3
PID 3760 wrote to memory of 392      3760   Kkabefqp.exe                                   97              3
PID 392 wrote to memory of 3008      392    Lkflpe32.exe                                   98              3
PID 3008 wrote to memory of 1528     3008   Mjaodkmo.exe                                   99              3
PID 1528 wrote to memory of 5044     1528   Mcnmhpoj.exe                                   100             3
PID 5044 wrote to memory of 3584     5044   Nmmgae32.exe                                   101             3
PID 3584 wrote to memory of 1324     3584   Nfjeej32.exe                                   102             3
PID 1324 wrote to memory of 1840     1324   Obccpj32.exe                                   103             3
PID 1840 wrote to memory of 3284     1840   Olqqdo32.exe                                   104             3
PID 3284 wrote to memory of 4340     3284   Pdchakoo.exe                                   105             3
PID 4340 wrote to memory of 4848     4340   Akbjidbf.exe                                   106             3
PID 4848 wrote to memory of 3952     4848   Bdhkchlg.exe                                   107             3
PID 3952 wrote to memory of 4708     3952   Ccgjjc32.exe                                   108             3
PID 4708 wrote to memory of 3168     4708   Debfpd32.exe                                   109             3
PID 3168 wrote to memory of 456      3168   Emdaee32.exe                                   110             3
PID 456 wrote to memory of 3644      456    Eglbhnkp.exe                                   111             3
PID 3644 wrote to memory of 676      3644   Fagcfc32.exe                                   112             3
PID 676 wrote to memory of 2324      676    Fjbddh32.exe                                   113             3
PID 2324 wrote to memory of 1756     2324   Gaglma32.exe                                   114             1
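The rows above describe one linear hand-off: each dropped executable writes into exactly one child, and that child becomes the next writer. The following Python is an added example, not part of the tria.ge report, that parses rows in the report's text form, collapses the repeated events per link, and verifies the linear-chain property (one root, one child per writer). The embedded sample is the first four links copied from this report's table; the function and variable names are the example's own.

```python
import re

# Row shape as tria.ge renders the "Suspicious use of WriteProcessMemory"
# signature: "PID <src> wrote to memory of <dst> <src> <process> <procid_target>".
# The back-reference (?P=src) enforces that the pid column repeats the writer.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)$"
)

# Sample input: the first four links of this report's table, each rendered
# three times exactly as the report shows them (constructed for the example).
SAMPLE = """\
PID 4024 wrote to memory of 3884 4024 NEAS.e915f6678b1006ce996e69cf041ff9d3_JC.exe 93
PID 4024 wrote to memory of 3884 4024 NEAS.e915f6678b1006ce996e69cf041ff9d3_JC.exe 93
PID 4024 wrote to memory of 3884 4024 NEAS.e915f6678b1006ce996e69cf041ff9d3_JC.exe 93
PID 3884 wrote to memory of 5104 3884 Glinjqhb.exe 94
PID 3884 wrote to memory of 5104 3884 Glinjqhb.exe 94
PID 3884 wrote to memory of 5104 3884 Glinjqhb.exe 94
PID 5104 wrote to memory of 2928 5104 Jjnqap32.exe 95
PID 5104 wrote to memory of 2928 5104 Jjnqap32.exe 95
PID 5104 wrote to memory of 2928 5104 Jjnqap32.exe 95
PID 2928 wrote to memory of 3760 2928 Joaojf32.exe 96
PID 2928 wrote to memory of 3760 2928 Joaojf32.exe 96
PID 2928 wrote to memory of 3760 2928 Joaojf32.exe 96
"""


def parse_rows(text):
    """Map (src_pid, dst_pid, process) -> number of WriteProcessMemory events.

    Lines that do not match the row shape are skipped, so a whole signature
    block (headers included) can be pasted in unchanged.
    """
    counts = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]), m["proc"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_chain(counts):
    """Follow writer -> target edges from the single root.

    Returns [(pid, process_name), ...] in execution order; the last element is
    the final injected child, which never writes anywhere in the input, so its
    name is None. Raises ValueError if the rows are not one linear chain
    (a writer with two children, or zero / several roots).
    """
    edges, targets = {}, set()
    for (src, dst, proc) in counts:
        if src in edges:
            raise ValueError(f"PID {src} writes to more than one child")
        edges[src] = (dst, proc)
        targets.add(dst)
    roots = [s for s in edges if s not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {roots}")
    chain, pid = [], roots[0]
    while pid in edges:
        dst, proc = edges[pid]
        chain.append((pid, proc))
        pid = dst
    chain.append((pid, None))
    return chain


def chain_depth(counts):
    """Number of processes in the hand-off chain (writers plus the last child)."""
    return len(build_chain(counts))


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    for (src, dst, proc), n in rows.items():
        print(f"{src:>5} ({proc}) -> {dst:>5}   events={n}")
    print("chain:", " -> ".join(str(p) for p, _ in build_chain(rows)))
```

Feed it the full 64-row block from the report and the chain comes out as 4024 -> 3884 -> ... -> 2324 -> 1756, the same order as the process tree below; a writer with two targets or a second root would be the first sign that the sample is doing something other than the one-child-at-a-time relay seen here.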
Processes

Each entry below is the child of the entry above it; the leading number is the nesting level from the tria.ge process tree. The first path is the image path as resolved on disk, the second is the command line the parent passed. The dropped executables are launched with a C:\Windows\system32\ command line but run from C:\Windows\SysWOW64\: the sample is 32-bit, so WOW64 file-system redirection maps its System32 writes and launches to SysWOW64. PIDs 392, 2928 and 1840 each occur twice at different levels; the earlier holder had already terminated by the time the PID was reused.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.e915f6678b1006ce996e69cf041ff9d3_JC.exe (PID 4024)
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e915f6678b1006ce996e69cf041ff9d3_JC.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Glinjqhb.exe (PID 3884)
   command line: C:\Windows\system32\Glinjqhb.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Jjnqap32.exe (PID 5104)
   command line: C:\Windows\system32\Jjnqap32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Joaojf32.exe (PID 2928)
   command line: C:\Windows\system32\Joaojf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kkabefqp.exe (PID 3760)
   command line: C:\Windows\system32\Kkabefqp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lkflpe32.exe (PID 392)
   command line: C:\Windows\system32\Lkflpe32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mjaodkmo.exe (PID 3008)
   command line: C:\Windows\system32\Mjaodkmo.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mcnmhpoj.exe (PID 1528)
   command line: C:\Windows\system32\Mcnmhpoj.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Nmmgae32.exe (PID 5044)
   command line: C:\Windows\system32\Nmmgae32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Nfjeej32.exe (PID 3584)
   command line: C:\Windows\system32\Nfjeej32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Obccpj32.exe (PID 1324)
   command line: C:\Windows\system32\Obccpj32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Olqqdo32.exe (PID 1840)
   command line: C:\Windows\system32\Olqqdo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pdchakoo.exe (PID 3284)
   command line: C:\Windows\system32\Pdchakoo.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Akbjidbf.exe (PID 4340)
   command line: C:\Windows\system32\Akbjidbf.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Bdhkchlg.exe (PID 4848)
   command line: C:\Windows\system32\Bdhkchlg.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ccgjjc32.exe (PID 3952)
   command line: C:\Windows\system32\Ccgjjc32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Debfpd32.exe (PID 4708)
   command line: C:\Windows\system32\Debfpd32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Emdaee32.exe (PID 3168)
   command line: C:\Windows\system32\Emdaee32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Eglbhnkp.exe (PID 456)
   command line: C:\Windows\system32\Eglbhnkp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Fagcfc32.exe (PID 3644)
   command line: C:\Windows\system32\Fagcfc32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Fjbddh32.exe (PID 676)
   command line: C:\Windows\system32\Fjbddh32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Gaglma32.exe (PID 2324)
   command line: C:\Windows\system32\Gaglma32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Hdmojkjg.exe (PID 1756)
   command line: C:\Windows\system32\Hdmojkjg.exe
   - Executes dropped EXE
   - Modifies registry class
24. C:\Windows\SysWOW64\Heohinog.exe (PID 2464)
   command line: C:\Windows\system32\Heohinog.exe
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Hecadm32.exe (PID 3524)
   command line: C:\Windows\system32\Hecadm32.exe
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Ioclnblj.exe (PID 4012)
   command line: C:\Windows\system32\Ioclnblj.exe
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Jndhkmfe.exe (PID 3872)
   command line: C:\Windows\system32\Jndhkmfe.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Lbdgmh32.exe (PID 816)
   command line: C:\Windows\system32\Lbdgmh32.exe
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Onlipd32.exe (PID 1548)
   command line: C:\Windows\system32\Onlipd32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
30. C:\Windows\SysWOW64\Pikqcl32.exe (PID 1056)
   command line: C:\Windows\system32\Pikqcl32.exe
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Qefkcl32.exe (PID 3208)
   command line: C:\Windows\system32\Qefkcl32.exe
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Aochga32.exe (PID 1388)
   command line: C:\Windows\system32\Aochga32.exe
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Cpcnhbjj.exe (PID 2220)
   command line: C:\Windows\system32\Cpcnhbjj.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Dcpffk32.exe (PID 3960)
   command line: C:\Windows\system32\Dcpffk32.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Dgnolj32.exe (PID 4640)
   command line: C:\Windows\system32\Dgnolj32.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Dfclmfhl.exe (PID 1836)
   command line: C:\Windows\system32\Dfclmfhl.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Efjbne32.exe (PID 2428)
   command line: C:\Windows\system32\Efjbne32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Fjcjpb32.exe (PID 4980)
   command line: C:\Windows\system32\Fjcjpb32.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Hcjkje32.exe (PID 4444)
   command line: C:\Windows\system32\Hcjkje32.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Hfajlp32.exe (PID 2568)
   command line: C:\Windows\system32\Hfajlp32.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Ihagfb32.exe (PID 2052)
   command line: C:\Windows\system32\Ihagfb32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
42. C:\Windows\SysWOW64\Impldi32.exe (PID 2956)
   command line: C:\Windows\system32\Impldi32.exe
   - Executes dropped EXE
   - Modifies registry class
43. C:\Windows\SysWOW64\Ikdlmmbh.exe (PID 972)
   command line: C:\Windows\system32\Ikdlmmbh.exe
   - Executes dropped EXE
   - Modifies registry class
44. C:\Windows\SysWOW64\Iobecl32.exe (PID 3812)
   command line: C:\Windows\system32\Iobecl32.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Jdajabdc.exe (PID 3276)
   command line: C:\Windows\system32\Jdajabdc.exe
   - Executes dropped EXE
   - Drops file in System32 directory
46. C:\Windows\SysWOW64\Jmnheggo.exe (PID 996)
   command line: C:\Windows\system32\Jmnheggo.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Jondojna.exe (PID 4064)
   command line: C:\Windows\system32\Jondojna.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Jncapf32.exe (PID 4700)
   command line: C:\Windows\system32\Jncapf32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
49. C:\Windows\SysWOW64\Kobnji32.exe (PID 3432)
   command line: C:\Windows\system32\Kobnji32.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Kgnbol32.exe (PID 4432)
   command line: C:\Windows\system32\Kgnbol32.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Kdbchp32.exe (PID 4456)
   command line: C:\Windows\system32\Kdbchp32.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Mnmmmbll.exe (PID 408)
   command line: C:\Windows\system32\Mnmmmbll.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Nofmndkd.exe (PID 2096)
   command line: C:\Windows\system32\Nofmndkd.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Onifpodl.exe (PID 4908)
   command line: C:\Windows\system32\Onifpodl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Onkbenbi.exe (PID 4484)
   command line: C:\Windows\system32\Onkbenbi.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Picchg32.exe (PID 764)
   command line: C:\Windows\system32\Picchg32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Pblhalfm.exe (PID 4836)
   command line: C:\Windows\system32\Pblhalfm.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Pihmcflg.exe (PID 2864)
   command line: C:\Windows\system32\Pihmcflg.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Pijiif32.exe (PID 3816)
   command line: C:\Windows\system32\Pijiif32.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Qniogl32.exe (PID 1192)
   command line: C:\Windows\system32\Qniogl32.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Qhbcpb32.exe (PID 4864)
   command line: C:\Windows\system32\Qhbcpb32.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Ahdpea32.exe (PID 4236)
   command line: C:\Windows\system32\Ahdpea32.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Aehpof32.exe (PID 4424)
   command line: C:\Windows\system32\Aehpof32.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Ablahjhj.exe (PID 3160)
   command line: C:\Windows\system32\Ablahjhj.exe
   - Executes dropped EXE
   - Drops file in System32 directory
65. C:\Windows\SysWOW64\Appaangd.exe (PID 1792)
   command line: C:\Windows\system32\Appaangd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Aemjjeek.exe (PID 1072)
   command line: C:\Windows\system32\Aemjjeek.exe
   - Modifies registry class
67. C:\Windows\SysWOW64\Abqjci32.exe (PID 4540)
   command line: C:\Windows\system32\Abqjci32.exe
68. C:\Windows\SysWOW64\Coegih32.exe (PID 1956)
   command line: C:\Windows\system32\Coegih32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Clihcm32.exe (PID 1580)
   command line: C:\Windows\system32\Clihcm32.exe
70. C:\Windows\SysWOW64\Cibagpgg.exe (PID 4284)
   command line: C:\Windows\system32\Cibagpgg.exe
71. C:\Windows\SysWOW64\Dcjfpfnh.exe (PID 3856)
   command line: C:\Windows\system32\Dcjfpfnh.exe
   - Drops file in System32 directory
72. C:\Windows\SysWOW64\Denlgq32.exe (PID 3560)
   command line: C:\Windows\system32\Denlgq32.exe
73. C:\Windows\SysWOW64\Dofpqfof.exe (PID 448)
   command line: C:\Windows\system32\Dofpqfof.exe
   - Modifies registry class
74. C:\Windows\SysWOW64\Dohmff32.exe (PID 4696)
   command line: C:\Windows\system32\Dohmff32.exe
75. C:\Windows\SysWOW64\Iidiidgj.exe (PID 3564)
   command line: C:\Windows\system32\Iidiidgj.exe
76. C:\Windows\SysWOW64\Ldjodh32.exe (PID 4564)
   command line: C:\Windows\system32\Ldjodh32.exe
77. C:\Windows\SysWOW64\Mkkmaalo.exe (PID 400)
   command line: C:\Windows\system32\Mkkmaalo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
78. C:\Windows\SysWOW64\Nkqpcnig.exe (PID 3224)
   command line: C:\Windows\system32\Nkqpcnig.exe
79. C:\Windows\SysWOW64\Ogljcokf.exe (PID 1428)
   command line: C:\Windows\system32\Ogljcokf.exe
   - Modifies registry class
80. C:\Windows\SysWOW64\Ojmcej32.exe (PID 2020)
   command line: C:\Windows\system32\Ojmcej32.exe
   - Modifies registry class
81. C:\Windows\SysWOW64\Ojopki32.exe (PID 3688)
   command line: C:\Windows\system32\Ojopki32.exe
82. C:\Windows\SysWOW64\Pkoldl32.exe (PID 2480)
   command line: C:\Windows\system32\Pkoldl32.exe
83. C:\Windows\SysWOW64\Pegqmbch.exe (PID 3828)
   command line: C:\Windows\system32\Pegqmbch.exe
84. C:\Windows\SysWOW64\Pbkagfba.exe (PID 4536)
   command line: C:\Windows\system32\Pbkagfba.exe
85. C:\Windows\SysWOW64\Pkcepl32.exe (PID 3056)
   command line: C:\Windows\system32\Pkcepl32.exe
86. C:\Windows\SysWOW64\Peljha32.exe (PID 392)
   command line: C:\Windows\system32\Peljha32.exe
87. C:\Windows\SysWOW64\Pndoagfc.exe (PID 820)
   command line: C:\Windows\system32\Pndoagfc.exe
   - Drops file in System32 directory
   - Modifies registry class
88. C:\Windows\SysWOW64\Pcagjndj.exe (PID 872)
   command line: C:\Windows\system32\Pcagjndj.exe
89. C:\Windows\SysWOW64\Qbbggeli.exe (PID 2928)
   command line: C:\Windows\system32\Qbbggeli.exe
90. C:\Windows\SysWOW64\Qbddmejf.exe (PID 2076)
   command line: C:\Windows\system32\Qbddmejf.exe
91. C:\Windows\SysWOW64\Ajphagha.exe (PID 1204)
   command line: C:\Windows\system32\Ajphagha.exe
92. C:\Windows\SysWOW64\Achmjmnb.exe (PID 768)
   command line: C:\Windows\system32\Achmjmnb.exe
93. C:\Windows\SysWOW64\Aalndaml.exe (PID 4360)
   command line: C:\Windows\system32\Aalndaml.exe
   - Modifies registry class
94. C:\Windows\SysWOW64\Ajdbmf32.exe (PID 4300)
   command line: C:\Windows\system32\Ajdbmf32.exe
95. C:\Windows\SysWOW64\Aaqgop32.exe (PID 1840)
   command line: C:\Windows\system32\Aaqgop32.exe
96. C:\Windows\SysWOW64\Ajikhfpg.exe (PID 5164)
   command line: C:\Windows\system32\Ajikhfpg.exe
97. C:\Windows\SysWOW64\Ahmlaj32.exe (PID 5204)
   command line: C:\Windows\system32\Ahmlaj32.exe
98. C:\Windows\SysWOW64\Beqljn32.exe (PID 5252)
   command line: C:\Windows\system32\Beqljn32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Bbemdb32.exe (PID 5300)
   command line: C:\Windows\system32\Bbemdb32.exe
100. C:\Windows\SysWOW64\Boknic32.exe (PID 5344)
   command line: C:\Windows\system32\Boknic32.exe
101. C:\Windows\SysWOW64\Bdhfaj32.exe (PID 5392)
   command line: C:\Windows\system32\Bdhfaj32.exe
   - Drops file in System32 directory
102. C:\Windows\SysWOW64\Bdkbgj32.exe (PID 5432)
   command line: C:\Windows\system32\Bdkbgj32.exe
103. C:\Windows\SysWOW64\Baocpnmf.exe (PID 5476)
   command line: C:\Windows\system32\Baocpnmf.exe
104. C:\Windows\SysWOW64\Cobciblp.exe (PID 5516)
   command line: C:\Windows\system32\Cobciblp.exe
105. C:\Windows\SysWOW64\Chkhbh32.exe (PID 5560)
   command line: C:\Windows\system32\Chkhbh32.exe
   - Drops file in System32 directory
106. C:\Windows\SysWOW64\Cbqlpabf.exe (PID 5604)
   command line: C:\Windows\system32\Cbqlpabf.exe
107. C:\Windows\SysWOW64\Daolgl32.exe (PID 5648)
   command line: C:\Windows\system32\Daolgl32.exe
108. C:\Windows\SysWOW64\Ednajepe.exe (PID 5692)
   command line: C:\Windows\system32\Ednajepe.exe
109. C:\Windows\SysWOW64\Flgfqb32.exe (PID 5736)
   command line: C:\Windows\system32\Flgfqb32.exe
   - Drops file in System32 directory
110. C:\Windows\SysWOW64\Fdegkdim.exe (PID 5780)
   command line: C:\Windows\system32\Fdegkdim.exe
   - Drops file in System32 directory
111. C:\Windows\SysWOW64\Ghjfaa32.exe (PID 5824)
   command line: C:\Windows\system32\Ghjfaa32.exe
112. C:\Windows\SysWOW64\Hdgmga32.exe (PID 5856)
   command line: C:\Windows\system32\Hdgmga32.exe
113. C:\Windows\SysWOW64\Hcimei32.exe (PID 5900)
   command line: C:\Windows\system32\Hcimei32.exe
114. C:\Windows\SysWOW64\Hiefmp32.exe (PID 5948)
   command line: C:\Windows\system32\Hiefmp32.exe
   - Modifies registry class
115. C:\Windows\SysWOW64\Helfbqeb.exe (PID 5996)
   command line: C:\Windows\system32\Helfbqeb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Immaimnj.exe (PID 6040)
   command line: C:\Windows\system32\Immaimnj.exe
   - Drops file in System32 directory
117. C:\Windows\SysWOW64\Ifgbhbbh.exe (PID 6084)
   command line: C:\Windows\system32\Ifgbhbbh.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Ilfhfh32.exe (PID 6132)
   command line: C:\Windows\system32\Ilfhfh32.exe
119. C:\Windows\SysWOW64\Jeaidn32.exe (PID 5160)
   command line: C:\Windows\system32\Jeaidn32.exe
120. C:\Windows\SysWOW64\Jcbibeki.exe (PID 1632)
   command line: C:\Windows\system32\Jcbibeki.exe
121. C:\Windows\SysWOW64\Kdiobd32.exe (PID 5332)
   command line: C:\Windows\system32\Kdiobd32.exe
   - Modifies registry class
122. C:\Windows\SysWOW64\Lpjcnd32.exe (PID 5400)
   command line: C:\Windows\system32\Lpjcnd32.exe