Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 112s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
- submitted: 03/11/2023, 10:08
Behavioral task behavioral1
- Sample: NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe
- Resource: win7-20231023-en
Behavioral task behavioral2
- Sample: NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe
- Size: 161KB
- MD5: 006e06d4cf163ed88285cd11f54c1ee0
- SHA1: 605b1a007a759fb925b25085e8b1c7c6722633f4
- SHA256: 5b3c5f42b2ed4715328ceeac690fd352873fde16dc6bf32910afad9fbcbeb2fa
- SHA512: 4729393a547c487e067deaddcac31af2dbfea98828de9842b64986beb4850548427dbac990964aa86a9c238d620be2c40b6bce5fe6e6104a6c55425344b21f82
- SSDEEP: 3072:pPaVOIrXCVGXRZsYSlRh0VWkhtIymk/VwtCJXeex7rrIRZK8K8/kv:pisrGXRKYSlRh0V9tIBk/VwtmeetrIyR
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pairing below is logged three times in the report (the last one, 236 -> 2684, once); every distinct row is listed once here. The procid_target column is Triage's own process index, not a Windows PID.

description                              pid   Process                                      procid_target
PID 1188 wrote to memory of 3484         1188  NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe   91
PID 3484 wrote to memory of 3312         3484  Emeffcid.exe                                 92
PID 3312 wrote to memory of 3952         3312  Edakimoo.exe                                 93
PID 3952 wrote to memory of 400          3952  Fgfmeg32.exe                                 94
PID 400 wrote to memory of 3572          400   Fpoaom32.exe                                 95
PID 3572 wrote to memory of 2268         3572  Gnjhhpgl.exe                                 96
PID 2268 wrote to memory of 3772         2268  Gjcfcakn.exe                                 97
PID 3772 wrote to memory of 4028         3772  Hgpibdam.exe                                 99
PID 4028 wrote to memory of 3284         4028  Iqpclh32.exe                                 101
PID 3284 wrote to memory of 2796         3284  Jjfdfl32.exe                                 102
PID 2796 wrote to memory of 2196         2796  Kmppneal.exe                                 103
PID 2196 wrote to memory of 3612         2196  Kanidd32.exe                                 104
PID 3612 wrote to memory of 4676         3612  Mmebpbod.exe                                 105
PID 4676 wrote to memory of 5044         4676  Mhppik32.exe                                 106
PID 5044 wrote to memory of 2464         5044  Nncoaq32.exe                                 107
PID 2464 wrote to memory of 2524         2464  Oacdmo32.exe                                 108
PID 2524 wrote to memory of 4748         2524  Ohbfeh32.exe                                 109
PID 4748 wrote to memory of 3748         4748  Ofhcdlgg.exe                                 110
PID 3748 wrote to memory of 4784         3748  Poeahaib.exe                                 111
PID 4784 wrote to memory of 4504         4784  Qkchna32.exe                                 112
PID 4504 wrote to memory of 236          4504  Qhghge32.exe                                 113
PID 236 wrote to memory of 2684          236   Ainnhdbp.exe                                 114
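As an added worked example (not part of the Triage report, and not the sample's or Triage's own code), the Python below parses WriteProcessMemory events in the one-line form the report prints them, collapses the triple logging, rebuilds the parent-to-child spawn chain and flags image names that fit the eight-character naming of the dropped binaries. The embedded sample lines are the report's first six parent/child pairs; the name pattern is a heuristic fitted to the names in this report only and is not a general detection.

```python
import re
from collections import defaultdict

# Added example, not part of the Triage report. Sample events copied from the
# WriteProcessMemory signature of this report, in the one-line format Triage
# prints: "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>".
# Triage logs every pairing three times, which parse_events() collapses.
EVENTS = """\
PID 1188 wrote to memory of 3484 1188 NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe 91
PID 1188 wrote to memory of 3484 1188 NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe 91
PID 1188 wrote to memory of 3484 1188 NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe 91
PID 3484 wrote to memory of 3312 3484 Emeffcid.exe 92
PID 3484 wrote to memory of 3312 3484 Emeffcid.exe 92
PID 3484 wrote to memory of 3312 3484 Emeffcid.exe 92
PID 3312 wrote to memory of 3952 3312 Edakimoo.exe 93
PID 3312 wrote to memory of 3952 3312 Edakimoo.exe 93
PID 3312 wrote to memory of 3952 3312 Edakimoo.exe 93
PID 3952 wrote to memory of 400 3952 Fgfmeg32.exe 94
PID 3952 wrote to memory of 400 3952 Fgfmeg32.exe 94
PID 3952 wrote to memory of 400 3952 Fgfmeg32.exe 94
PID 400 wrote to memory of 3572 400 Fpoaom32.exe 95
PID 400 wrote to memory of 3572 400 Fpoaom32.exe 95
PID 400 wrote to memory of 3572 400 Fpoaom32.exe 95
PID 3572 wrote to memory of 2268 3572 Gnjhhpgl.exe 96
PID 3572 wrote to memory of 2268 3572 Gnjhhpgl.exe 96
PID 3572 wrote to memory of 2268 3572 Gnjhhpgl.exe 96
"""

EVENT_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)$"
)

# Naming pattern of every dropped binary in this report: eight characters,
# either an initial capital plus seven lowercase letters, or an initial capital,
# five lowercase letters and "32". Heuristic fitted to this sample only.
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{7}\.exe$|^[A-Z][a-z]{5}32\.exe$")


def parse_events(text):
    """Return the distinct (parent, child, image, target) tuples in log order."""
    seen = set()
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory event line
        rec = (int(m["parent"]), int(m["child"]), m["image"], int(m["target"]))
        if rec not in seen:  # collapse the repeated logging of one pairing
            seen.add(rec)
            events.append(rec)
    return events


def spawn_edges(events):
    """Map each writing PID to the set of PIDs it wrote into."""
    edges = defaultdict(set)
    for parent, child, _, _ in events:
        edges[parent].add(child)
    return edges


def linear_chain(edges, root):
    """Follow the chain from root while each process has exactly one child.
    A process with zero or several children ends the chain, as does a cycle."""
    chain = [root]
    visited = {root}
    while len(edges.get(chain[-1], ())) == 1:
        (nxt,) = edges[chain[-1]]
        if nxt in visited:
            break  # defensive: a PID reused in a cycle must not loop forever
        visited.add(nxt)
        chain.append(nxt)
    return chain


def flagged_images(events):
    """Image names that match the dropped-binary naming pattern."""
    return [img for _, _, img, _ in events if DROPPED_NAME_RE.match(img)]


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    print("distinct pairings:", len(ev))
    print("spawn chain:", " -> ".join(map(str, linear_chain(spawn_edges(ev), 1188))))
    print("dropped-name images:", flagged_images(ev))
```

Run against the full event list from the report, linear_chain() returns the 23 PIDs of the tagged chain, and every image except the submitted sample matches the naming heuristic; the parent check in the regex (the PID appears twice per line) rejects lines from other signatures that happen to contain "wrote to memory".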
Processes
The report shows a single chain of 122 processes: each process at level n is the child of the process at level n-1, matching the WriteProcessMemory pairs above. From level 2 on, every process is a freshly dropped executable. Its image path is C:\Windows\SysWOW64\<name>.exe while its command line reads C:\Windows\system32\<name>.exe; the sample is 32-bit, so WOW64 file system redirection maps the system32 path it asks for onto SysWOW64. Signature tags are shown only for a limited number of matches per signature (Suspicious use of WriteProcessMemory through level 22, Executes dropped EXE through level 65), so a later entry without a tag is not evidence that the behaviour stopped.

level  PID   image path                                     signatures
  1    1188  C:\Users\Admin\AppData\Local\Temp\NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe (command line "C:\Users\Admin\AppData\Local\Temp\NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe")  Suspicious use of WriteProcessMemory
  2    3484  C:\Windows\SysWOW64\Emeffcid.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  3    3312  C:\Windows\SysWOW64\Edakimoo.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  4    3952  C:\Windows\SysWOW64\Fgfmeg32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
  5    400   C:\Windows\SysWOW64\Fpoaom32.exe  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
  6    3572  C:\Windows\SysWOW64\Gnjhhpgl.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  7    2268  C:\Windows\SysWOW64\Gjcfcakn.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  8    3772  C:\Windows\SysWOW64\Hgpibdam.exe  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
  9    4028  C:\Windows\SysWOW64\Iqpclh32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
 10    3284  C:\Windows\SysWOW64\Jjfdfl32.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 11    2796  C:\Windows\SysWOW64\Kmppneal.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 12    2196  C:\Windows\SysWOW64\Kanidd32.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 13    3612  C:\Windows\SysWOW64\Mmebpbod.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 14    4676  C:\Windows\SysWOW64\Mhppik32.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 15    5044  C:\Windows\SysWOW64\Nncoaq32.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 16    2464  C:\Windows\SysWOW64\Oacdmo32.exe  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
 17    2524  C:\Windows\SysWOW64\Ohbfeh32.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 18    4748  C:\Windows\SysWOW64\Ofhcdlgg.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 19    3748  C:\Windows\SysWOW64\Poeahaib.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 20    4784  C:\Windows\SysWOW64\Qkchna32.exe  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
 21    4504  C:\Windows\SysWOW64\Qhghge32.exe  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
 22    236   C:\Windows\SysWOW64\Ainnhdbp.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
 23    2684  C:\Windows\SysWOW64\Bomppneg.exe  Executes dropped EXE; Modifies registry class
 24    1560  C:\Windows\SysWOW64\Blkgen32.exe  Executes dropped EXE; Drops file in System32 directory
 25    2024  C:\Windows\SysWOW64\Cifmoa32.exe  Executes dropped EXE
 26    1832  C:\Windows\SysWOW64\Cnebmgjj.exe  Executes dropped EXE
 27    4828  C:\Windows\SysWOW64\Dbehienn.exe  Executes dropped EXE
 28    4596  C:\Windows\SysWOW64\Dblnid32.exe  Executes dropped EXE
 29    500   C:\Windows\SysWOW64\Eoconenj.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 30    3896  C:\Windows\SysWOW64\Ebcdjc32.exe  Executes dropped EXE
 31    2728  C:\Windows\SysWOW64\Eedmlo32.exe  Executes dropped EXE
 32    4188  C:\Windows\SysWOW64\Gccmaack.exe  Executes dropped EXE
 33    4656  C:\Windows\SysWOW64\Gcfjfqah.exe  Executes dropped EXE
 34    1280  C:\Windows\SysWOW64\Glnnofhi.exe  Executes dropped EXE
 35    1788  C:\Windows\SysWOW64\Ggdbmoho.exe  Executes dropped EXE
 36    1476  C:\Windows\SysWOW64\Hpaqqdjj.exe  Executes dropped EXE
 37    2840  C:\Windows\SysWOW64\Hlhaee32.exe  Executes dropped EXE
 38    4548  C:\Windows\SysWOW64\Hjlaoioh.exe  Executes dropped EXE
 39    1108  C:\Windows\SysWOW64\Hgpbhmna.exe  Executes dropped EXE
 40    1316  C:\Windows\SysWOW64\Hfgloiqf.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 41    1416  C:\Windows\SysWOW64\Icpecm32.exe  Executes dropped EXE
 42    3840  C:\Windows\SysWOW64\Jfehpg32.exe  Executes dropped EXE
 43    3956  C:\Windows\SysWOW64\Jonlimkg.exe  Executes dropped EXE
 44    4492  C:\Windows\SysWOW64\Jjemle32.exe  Executes dropped EXE
 45    4148  C:\Windows\SysWOW64\Jobfdl32.exe  Executes dropped EXE
 46    1696  C:\Windows\SysWOW64\Jflnafno.exe  Executes dropped EXE
 47    2676  C:\Windows\SysWOW64\Jjjggede.exe  Executes dropped EXE
 48    2176  C:\Windows\SysWOW64\Kcbkpj32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 49    4904  C:\Windows\SysWOW64\Kifjip32.exe  Executes dropped EXE
 50    3028  C:\Windows\SysWOW64\Lapopm32.exe  Executes dropped EXE
 51    4360  C:\Windows\SysWOW64\Libido32.exe  Executes dropped EXE
 52    424   C:\Windows\SysWOW64\Mmpbkm32.exe  Executes dropped EXE; Modifies registry class
 53    1612  C:\Windows\SysWOW64\Mpqklh32.exe  Executes dropped EXE
 54    4876  C:\Windows\SysWOW64\Nagngjmj.exe  Executes dropped EXE
 55    4984  C:\Windows\SysWOW64\Nibbklke.exe  Executes dropped EXE; Modifies registry class
 56    3740  C:\Windows\SysWOW64\Nieoal32.exe  Executes dropped EXE
 57    1784  C:\Windows\SysWOW64\Niglfl32.exe  Executes dropped EXE
 58    580   C:\Windows\SysWOW64\Naqqmieo.exe  Executes dropped EXE
 59    4404  C:\Windows\SysWOW64\Ogmiepcf.exe  Executes dropped EXE
 60    4624  C:\Windows\SysWOW64\Odaiodbp.exe  Executes dropped EXE; Drops file in System32 directory
 61    4608  C:\Windows\SysWOW64\Omjnhiiq.exe  Executes dropped EXE
 62    1828  C:\Windows\SysWOW64\Ohobebig.exe  Executes dropped EXE
 63    4268  C:\Windows\SysWOW64\Okbhlm32.exe  Executes dropped EXE
 64    2276  C:\Windows\SysWOW64\Oalpigkb.exe  Executes dropped EXE
 65    4228  C:\Windows\SysWOW64\Pgkegn32.exe  Executes dropped EXE
 66    3500  C:\Windows\SysWOW64\Pjoknhbe.exe
 67    3036  C:\Windows\SysWOW64\Pjahchpb.exe
 68    1668  C:\Windows\SysWOW64\Qnopjfgi.exe
 69    4580  C:\Windows\SysWOW64\Qjeaog32.exe
 70    4604  C:\Windows\SysWOW64\Akenij32.exe
 71    1516  C:\Windows\SysWOW64\Aqfolqna.exe
 72    2568  C:\Windows\SysWOW64\Bdiamnpc.exe  Adds autorun key to be loaded by Explorer.exe on startup
 73    4944  C:\Windows\SysWOW64\Bkcjjhgp.exe
 74    2328  C:\Windows\SysWOW64\Bgjjoi32.exe
 75    3244  C:\Windows\SysWOW64\Bdnkhn32.exe
 76    1920  C:\Windows\SysWOW64\Bkhceh32.exe
 77    4396  C:\Windows\SysWOW64\Bbbkbbkg.exe  Drops file in System32 directory
 78    4856  C:\Windows\SysWOW64\Bkjpkg32.exe
 79    2744  C:\Windows\SysWOW64\Ckmmpg32.exe
 80    4860  C:\Windows\SysWOW64\Cqiehnml.exe
 81    64    C:\Windows\SysWOW64\Canocm32.exe
 82    1724  C:\Windows\SysWOW64\Ckcbaf32.exe  Drops file in System32 directory
 83    4044  C:\Windows\SysWOW64\Capkim32.exe
 84    5048  C:\Windows\SysWOW64\Ckfofe32.exe
 85    1468  C:\Windows\SysWOW64\Dndlba32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
 86    1200  C:\Windows\SysWOW64\Djklgb32.exe
 87    3248  C:\Windows\SysWOW64\Dilmeida.exe
 88    1756  C:\Windows\SysWOW64\Dbdano32.exe
 89    2644  C:\Windows\SysWOW64\Dioiki32.exe
 90    5132  C:\Windows\SysWOW64\Djpfbahm.exe
 91    5176  C:\Windows\SysWOW64\Djbbhafj.exe  Drops file in System32 directory
 92    5220  C:\Windows\SysWOW64\Eblgon32.exe  Drops file in System32 directory; Modifies registry class
 93    5264  C:\Windows\SysWOW64\Eaqdpjia.exe
 94    5308  C:\Windows\SysWOW64\Ejiiippb.exe
 95    5352  C:\Windows\SysWOW64\Engaon32.exe
 96    5388  C:\Windows\SysWOW64\Eimelg32.exe
 97    5440  C:\Windows\SysWOW64\Eiobbgcl.exe
 98    5484  C:\Windows\SysWOW64\Folkjnbc.exe
 99    5520  C:\Windows\SysWOW64\Faopah32.exe
100    5572  C:\Windows\SysWOW64\Fkgejncb.exe
101    5616  C:\Windows\SysWOW64\Faamghko.exe
102    5664  C:\Windows\SysWOW64\Gikbneio.exe
103    5708  C:\Windows\SysWOW64\Gaffbg32.exe  Drops file in System32 directory
104    5752  C:\Windows\SysWOW64\Gojgkl32.exe
105    5796  C:\Windows\SysWOW64\Ghbkdald.exe
106    5836  C:\Windows\SysWOW64\Gbhpajlj.exe
107    5900  C:\Windows\SysWOW64\Gehice32.exe
108    5956  C:\Windows\SysWOW64\Glbapoqh.exe
109    6008  C:\Windows\SysWOW64\Hifaic32.exe
110    6052  C:\Windows\SysWOW64\Hikkdc32.exe
111    6096  C:\Windows\SysWOW64\Hebkid32.exe
112    6140  C:\Windows\SysWOW64\Hcflch32.exe
113    5160  C:\Windows\SysWOW64\Hkaqgjme.exe  Modifies registry class
114    5248  C:\Windows\SysWOW64\Iefedcmk.exe
115    5320  C:\Windows\SysWOW64\Ijdnka32.exe
116    5384  C:\Windows\SysWOW64\Ikejbjip.exe  Drops file in System32 directory; Modifies registry class
117    5476  C:\Windows\SysWOW64\Ijgjpaao.exe
118    5540  C:\Windows\SysWOW64\Ikhghi32.exe
119    5600  C:\Windows\SysWOW64\Icooig32.exe
120    5692  C:\Windows\SysWOW64\Ihlgan32.exe
121    5744  C:\Windows\SysWOW64\Iadljc32.exe  Adds autorun key to be loaded by Explorer.exe on startup
122    5804  C:\Windows\SysWOW64\Ihndgmdd.exe  Adds autorun key to be loaded by Explorer.exe on startup