Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
06/11/2023, 19:47
Behavioral task
behavioral1
Sample
NEAS.07b281de7f0088f2d04e523043aaebe0.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.07b281de7f0088f2d04e523043aaebe0.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
NEAS.07b281de7f0088f2d04e523043aaebe0.exe
-
Size
109KB
-
MD5
07b281de7f0088f2d04e523043aaebe0
-
SHA1
d23d3c04dad84fda8e366bd522c77cf77ed365f0
-
SHA256
e4efdb10953f697e76e224a0bdaa14fb662312c25fe31b8a4604dd7a06dae480
-
SHA512
34458cd4f3530637748b8dbf7e519ec799b08b15732d188e0f2ef3b4a8a2926f9d9021546b04eb0de934530906f055d65e39d074051cc40bf643212a3c5df26a
-
SSDEEP
3072:pN5gxZMaOWIe7wIu9uspYD8VJ9PLCqwzBu1DjHLMVDqqkSpR:pNUZJpwHQD8VJ9jwtu1DjrFqhz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodfajaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmpfbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnblnlhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnlodjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nggnadib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibmlmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmglcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljobphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmannhhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhdgpii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejflhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnicfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hginecde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illfdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joahqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pofjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caojpaij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlmchoan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koodbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnibokbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lomqcjie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcgiefen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boeebnhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclikl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppcmeem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iolhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbngllob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbiniff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbpajgmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foapaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnphoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbocfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmjcieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pchlpfjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnifigpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdfnolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaiimadl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paiogf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnjdpaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lckboblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfedm32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4356-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e07-6.dat family_berbew behavioral2/files/0x0006000000022e07-7.dat family_berbew behavioral2/memory/4796-8-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e09-15.dat family_berbew behavioral2/files/0x0006000000022e0b-22.dat family_berbew behavioral2/memory/3048-16-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/884-24-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0b-23.dat family_berbew behavioral2/files/0x0006000000022e09-14.dat family_berbew behavioral2/files/0x0006000000022e0d-30.dat family_berbew behavioral2/files/0x0006000000022e0d-32.dat family_berbew behavioral2/memory/4544-31-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/4624-40-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0f-39.dat family_berbew behavioral2/files/0x0006000000022e0f-38.dat family_berbew behavioral2/files/0x0006000000022e12-46.dat family_berbew behavioral2/memory/4636-48-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e12-47.dat family_berbew behavioral2/memory/3216-55-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e14-54.dat family_berbew behavioral2/files/0x0006000000022e14-56.dat family_berbew behavioral2/files/0x0006000000022e16-62.dat family_berbew behavioral2/memory/464-63-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e16-64.dat family_berbew behavioral2/files/0x0006000000022e18-65.dat family_berbew behavioral2/files/0x0006000000022e18-70.dat family_berbew behavioral2/files/0x0006000000022e18-71.dat family_berbew behavioral2/memory/3284-72-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/2376-80-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1a-78.dat family_berbew behavioral2/files/0x0006000000022e1a-79.dat family_berbew behavioral2/files/0x0006000000022e1c-86.dat family_berbew behavioral2/memory/4540-87-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1c-88.dat family_berbew behavioral2/memory/2304-96-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1f-95.dat family_berbew behavioral2/files/0x0006000000022e1f-94.dat family_berbew behavioral2/files/0x0006000000022e21-102.dat family_berbew behavioral2/files/0x0006000000022e21-104.dat family_berbew behavioral2/memory/1368-103-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000022df8-111.dat family_berbew behavioral2/files/0x0008000000022df8-112.dat family_berbew behavioral2/files/0x0006000000022e25-119.dat family_berbew behavioral2/memory/4412-117-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/636-121-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e25-120.dat family_berbew behavioral2/files/0x0006000000022e27-128.dat family_berbew behavioral2/memory/3524-129-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e27-127.dat family_berbew behavioral2/files/0x0006000000022e29-135.dat family_berbew behavioral2/memory/1920-137-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e29-136.dat family_berbew behavioral2/files/0x0006000000022e2b-143.dat family_berbew behavioral2/memory/4220-145-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2d-151.dat family_berbew behavioral2/files/0x0006000000022e2d-152.dat family_berbew behavioral2/files/0x0006000000022e2f-159.dat family_berbew behavioral2/memory/3004-161-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2f-160.dat family_berbew behavioral2/memory/3236-157-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2b-144.dat family_berbew behavioral2/files/0x0006000000022e31-167.dat family_berbew behavioral2/memory/2632-168-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4796 Ocdqjceo.exe 3048 Olmeci32.exe 884 Ogbipa32.exe 4544 Pnlaml32.exe 4624 Pfhfan32.exe 4636 Pmannhhj.exe 3216 Pclgkb32.exe 464 Pmdkch32.exe 3284 Pgioqq32.exe 2376 Pncgmkmj.exe 4540 Pcppfaka.exe 2304 Pqdqof32.exe 1368 Pgnilpah.exe 4412 Qqfmde32.exe 636 Qfcfml32.exe 3524 Qddfkd32.exe 1920 Anmjcieo.exe 4220 Aqkgpedc.exe 3236 Afhohlbj.exe 3004 Aqncedbp.exe 2632 Aclpap32.exe 3540 Acqimo32.exe 4368 Aadifclh.exe 4024 Bfabnjjp.exe 4868 Bganhm32.exe 1640 Bjokdipf.exe 4252 Bffkij32.exe 2708 Bcjlcn32.exe 3140 Beihma32.exe 4192 Bmemac32.exe 484 Cmgjgcgo.exe 4196 Caebma32.exe 4104 Cfbkeh32.exe 2336 Cnicfe32.exe 2348 Ceckcp32.exe 1152 Cjpckf32.exe 3280 Cffdpghg.exe 2684 Cmqmma32.exe 1068 Dhfajjoj.exe 3264 Ddmaok32.exe 3484 Dfknkg32.exe 1608 Daqbip32.exe 656 Dfnjafap.exe 4256 Deokon32.exe 1280 Dhmgki32.exe 4236 Deagdn32.exe 1988 Dgbdlf32.exe 1912 Eefaomcg.exe 4560 Fkeodaai.exe 1296 Gaogak32.exe 2232 Ghipne32.exe 2704 Gochjpho.exe 4016 Gempgj32.exe 4660 Ggnlobej.exe 536 Gepmlimi.exe 4172 Ghniielm.exe 4912 Gohaeo32.exe 4408 Gfbibikg.exe 3872 Gkobjpin.exe 924 Gnmnfkia.exe 4428 Gdgfce32.exe 632 Gkaopp32.exe 2236 Hakgmjoh.exe 4188 Hheoid32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ceckcp32.exe Cnicfe32.exe File opened for modification C:\Windows\SysWOW64\Gohaeo32.exe Ghniielm.exe File opened for modification C:\Windows\SysWOW64\Nhdlao32.exe Nlnkmnah.exe File created C:\Windows\SysWOW64\Jmbhoeid.exe Jekqmhia.exe File created C:\Windows\SysWOW64\Lmdnbn32.exe Ljeafb32.exe File created C:\Windows\SysWOW64\Mehjol32.exe Moobbb32.exe File created C:\Windows\SysWOW64\Cgdgna32.dll Iojbpo32.exe File opened for modification C:\Windows\SysWOW64\Kpiqfima.exe Khbiello.exe File created C:\Windows\SysWOW64\Fggdpnkf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hdilnojp.exe Hajpbckl.exe File opened for modification C:\Windows\SysWOW64\Cofnik32.exe Ckjbhmad.exe File created C:\Windows\SysWOW64\Caojpaij.exe Cgifbhid.exe File created C:\Windows\SysWOW64\Okjpkd32.dll Fganqbgg.exe File created C:\Windows\SysWOW64\Lcjkqlam.dll Oihagaji.exe File created C:\Windows\SysWOW64\Gbnoiqdq.exe Gppcmeem.exe File created C:\Windows\SysWOW64\Hehkajig.exe Hbjoeojc.exe File created C:\Windows\SysWOW64\Qckcba32.dll Process not Found File created C:\Windows\SysWOW64\Igfclkdj.exe Ioolkncg.exe File created C:\Windows\SysWOW64\Ekimjn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Igjngh32.exe Idkbkl32.exe File opened for modification C:\Windows\SysWOW64\Bfolacnc.exe Process not Found File created C:\Windows\SysWOW64\Dpinoh32.dll Ppjgoaoj.exe File created C:\Windows\SysWOW64\Edqnimdf.dll Kjgeedch.exe File created C:\Windows\SysWOW64\Ljeafb32.exe Lggejg32.exe File opened for modification C:\Windows\SysWOW64\Fganqbgg.exe Finnef32.exe File opened for modification C:\Windows\SysWOW64\Gnblnlhl.exe Gkdpbpih.exe File created C:\Windows\SysWOW64\Cnnjancb.dll Gpdennml.exe File opened for modification C:\Windows\SysWOW64\Mnlnbl32.exe Mhafeb32.exe File opened for modification C:\Windows\SysWOW64\Oimkbaed.exe Oafcqcea.exe File created C:\Windows\SysWOW64\Cfigpm32.exe Bckkca32.exe File created C:\Windows\SysWOW64\Fmpbqoqg.dll Ciafbg32.exe File created C:\Windows\SysWOW64\Jlikkkhn.exe Jikoopij.exe File created C:\Windows\SysWOW64\Meickkqm.dll Ijadbdoj.exe File created C:\Windows\SysWOW64\Oihagaji.exe Oaajed32.exe File opened for modification C:\Windows\SysWOW64\Plpjoe32.exe Pefabkej.exe File created C:\Windows\SysWOW64\Amcmpodi.exe Ajeadd32.exe File created C:\Windows\SysWOW64\Gefchq32.dll Hplicjok.exe File opened for modification C:\Windows\SysWOW64\Mgeakekd.exe Monjjgkb.exe File opened for modification C:\Windows\SysWOW64\Fdkdibjp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aqkpeopg.exe Ahchda32.exe File created C:\Windows\SysWOW64\Ljgpkonp.exe Lieccf32.exe File created C:\Windows\SysWOW64\Obnbpa32.dll Mkhapk32.exe File created C:\Windows\SysWOW64\Nhokljge.exe Ncabfkqo.exe File opened for modification C:\Windows\SysWOW64\Eahobg32.exe Process not Found File created C:\Windows\SysWOW64\Ehaaclak.dll Pmdkch32.exe File created C:\Windows\SysWOW64\Bcdkfq32.dll Edopabqn.exe File created C:\Windows\SysWOW64\Dgcihgaj.exe Dhphmj32.exe File opened for modification C:\Windows\SysWOW64\Dhbebj32.exe Dpkmal32.exe File created C:\Windows\SysWOW64\Cgpfqchb.dll Jbagbebm.exe File created C:\Windows\SysWOW64\Llgdkbfj.dll Process not Found File created C:\Windows\SysWOW64\Gpaqbbld.exe Gaopfe32.exe File opened for modification C:\Windows\SysWOW64\Hiipmhmk.exe Hbohpn32.exe File opened for modification C:\Windows\SysWOW64\Pclgkb32.exe Pmannhhj.exe File opened for modification C:\Windows\SysWOW64\Llmhaold.exe Ljnlecmp.exe File created C:\Windows\SysWOW64\Bmjkic32.exe Bklomh32.exe File created C:\Windows\SysWOW64\Fbgbnkfm.exe Fohfbpgi.exe File opened for modification C:\Windows\SysWOW64\Agdhbi32.exe Aqkpeopg.exe File opened for modification C:\Windows\SysWOW64\Dpbdopck.exe Dihlbf32.exe File created C:\Windows\SysWOW64\Dnbbhnma.dll Jdmgfedl.exe File created C:\Windows\SysWOW64\Mkiongah.dll Fqeioiam.exe File opened for modification C:\Windows\SysWOW64\Ajpqnneo.exe Aaiimadl.exe File created C:\Windows\SysWOW64\Ackekpfe.dll Ahgcjddh.exe File created C:\Windows\SysWOW64\Nondlbmd.dll Blhpqhlh.exe File created C:\Windows\SysWOW64\Epffbd32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 12192 11460 Process not Found 1247 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdbkbbn.dll" Koaagkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankcfdg.dll" Gdobnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjdipap.dll" Lgdidgjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idebdcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojmqe32.dll" Cdbfab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpjjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbplbf32.dll" Mehjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbgmepl.dll" Bifmqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoaojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aokcklid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mieced32.dll" Mjbogmdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenghpla.dll" Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbaokim.dll" Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll" Jifecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khgbqkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefplh32.dll" Lfhnaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Megljppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqindg32.dll" Bheplb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkokcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfpbmfdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Leenhhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkaopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhqihllh.dll" Jbgoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nognnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkogiikb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhepbll.dll" Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhgcipb.dll" Pejkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onocomdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaompd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll" Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaajhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgonlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpgodhkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mefmimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipejo32.dll" Cpeohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odnknc32.dll" Cpleig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgfkbgm.dll" Ohnohn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peaggfjj.dll" Modgdicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iicfkknk.dll" Pcmlfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpplna32.dll" Cmdfgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbgihaji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhjmdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinlh32.dll" Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhnikc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amcpgoem.dll" Lplfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khokadah.dll" Process not Found -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 10344 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4356 wrote to memory of 4796 4356 NEAS.07b281de7f0088f2d04e523043aaebe0.exe 86 PID 4356 wrote to memory of 4796 4356 NEAS.07b281de7f0088f2d04e523043aaebe0.exe 86 PID 4356 wrote to memory of 4796 4356 NEAS.07b281de7f0088f2d04e523043aaebe0.exe 86 PID 4796 wrote to memory of 3048 4796 Ocdqjceo.exe 87 PID 4796 wrote to memory of 3048 4796 Ocdqjceo.exe 87 PID 4796 wrote to memory of 3048 4796 Ocdqjceo.exe 87 PID 3048 wrote to memory of 884 3048 Olmeci32.exe 89 PID 3048 wrote to memory of 884 3048 Olmeci32.exe 89 PID 3048 wrote to memory of 884 3048 Olmeci32.exe 89 PID 884 wrote to memory of 4544 884 Ogbipa32.exe 88 PID 884 wrote to memory of 4544 884 Ogbipa32.exe 88 PID 884 wrote to memory of 4544 884 Ogbipa32.exe 88 PID 4544 wrote to memory of 4624 4544 Pnlaml32.exe 90 PID 4544 wrote to memory of 4624 4544 Pnlaml32.exe 90 PID 4544 wrote to memory of 4624 4544 Pnlaml32.exe 90 PID 4624 wrote to memory of 4636 4624 Pfhfan32.exe 91 PID 4624 wrote to memory of 4636 4624 Pfhfan32.exe 91 PID 4624 wrote to memory of 4636 4624 Pfhfan32.exe 91 PID 4636 wrote to memory of 3216 4636 Pmannhhj.exe 92 PID 4636 wrote to memory of 3216 4636 Pmannhhj.exe 92 PID 4636 wrote to memory of 3216 4636 Pmannhhj.exe 92 PID 3216 wrote to memory of 464 3216 Pclgkb32.exe 93 PID 3216 wrote to memory of 464 3216 Pclgkb32.exe 93 PID 3216 wrote to memory of 464 3216 Pclgkb32.exe 93 PID 464 wrote to memory of 3284 464 Pmdkch32.exe 94 PID 464 wrote to memory of 3284 464 Pmdkch32.exe 94 PID 464 wrote to memory of 3284 464 Pmdkch32.exe 94 PID 3284 wrote to memory of 2376 3284 Pgioqq32.exe 95 PID 3284 wrote to memory of 2376 3284 Pgioqq32.exe 95 PID 3284 wrote to memory of 2376 3284 Pgioqq32.exe 95 PID 2376 wrote to memory of 4540 2376 Pncgmkmj.exe 96 PID 2376 wrote to memory of 4540 2376 Pncgmkmj.exe 96 PID 2376 wrote to memory of 4540 2376 Pncgmkmj.exe 96 PID 4540 wrote to memory of 2304 4540 Pcppfaka.exe 97 PID 4540 wrote to memory of 2304 4540 Pcppfaka.exe 97 PID 4540 wrote to memory of 2304 4540 Pcppfaka.exe 97 PID 2304 wrote to memory of 1368 2304 Pqdqof32.exe 98 PID 2304 wrote to memory of 1368 2304 Pqdqof32.exe 98 PID 2304 wrote to memory of 1368 2304 Pqdqof32.exe 98 PID 1368 wrote to memory of 4412 1368 Pgnilpah.exe 99 PID 1368 wrote to memory of 4412 1368 Pgnilpah.exe 99 PID 1368 wrote to memory of 4412 1368 Pgnilpah.exe 99 PID 4412 wrote to memory of 636 4412 Qqfmde32.exe 100 PID 4412 wrote to memory of 636 4412 Qqfmde32.exe 100 PID 4412 wrote to memory of 636 4412 Qqfmde32.exe 100 PID 636 wrote to memory of 3524 636 Qfcfml32.exe 101 PID 636 wrote to memory of 3524 636 Qfcfml32.exe 101 PID 636 wrote to memory of 3524 636 Qfcfml32.exe 101 PID 3524 wrote to memory of 1920 3524 Qddfkd32.exe 103 PID 3524 wrote to memory of 1920 3524 Qddfkd32.exe 103 PID 3524 wrote to memory of 1920 3524 Qddfkd32.exe 103 PID 1920 wrote to memory of 4220 1920 Anmjcieo.exe 104 PID 1920 wrote to memory of 4220 1920 Anmjcieo.exe 104 PID 1920 wrote to memory of 4220 1920 Anmjcieo.exe 104 PID 4220 wrote to memory of 3236 4220 Aqkgpedc.exe 105 PID 4220 wrote to memory of 3236 4220 Aqkgpedc.exe 105 PID 4220 wrote to memory of 3236 4220 Aqkgpedc.exe 105 PID 3236 wrote to memory of 3004 3236 Afhohlbj.exe 106 PID 3236 wrote to memory of 3004 3236 Afhohlbj.exe 106 PID 3236 wrote to memory of 3004 3236 Afhohlbj.exe 106 PID 3004 wrote to memory of 2632 3004 Aqncedbp.exe 107 PID 3004 wrote to memory of 2632 3004 Aqncedbp.exe 107 PID 3004 wrote to memory of 2632 3004 Aqncedbp.exe 107 PID 2632 wrote to memory of 3540 2632 Aclpap32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.07b281de7f0088f2d04e523043aaebe0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.07b281de7f0088f2d04e523043aaebe0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884
-
-
-
-
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe19⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe20⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe21⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe22⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe23⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe24⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe25⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe26⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe27⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe28⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe29⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe30⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe32⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe33⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe34⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe35⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe36⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe40⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe41⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe42⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe43⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe44⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe45⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe46⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe47⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe48⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe49⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe50⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe51⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe52⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4172 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe54⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe55⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe56⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe57⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe58⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe60⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe61⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe62⤵PID:2888
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe63⤵PID:3900
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe64⤵PID:5148
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe65⤵PID:5200
-
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe66⤵PID:5240
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe67⤵PID:5280
-
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe68⤵PID:5320
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe69⤵PID:5360
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe70⤵PID:5400
-
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe71⤵PID:5440
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe72⤵PID:5480
-
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe73⤵
- Modifies registry class
PID:5524 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe74⤵PID:5580
-
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe75⤵PID:5620
-
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe76⤵PID:5660
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe77⤵PID:5708
-
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe78⤵PID:5756
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe79⤵PID:5796
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe80⤵PID:5836
-
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe81⤵PID:5880
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe82⤵PID:5928
-
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe83⤵PID:5976
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe84⤵PID:6020
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe85⤵PID:6064
-
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe86⤵PID:6100
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe87⤵
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5208 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe89⤵PID:5268
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe90⤵PID:5352
-
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe91⤵PID:5412
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe92⤵PID:5488
-
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe93⤵
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe94⤵PID:5644
-
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe95⤵PID:5720
-
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe96⤵PID:5784
-
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe97⤵
- Modifies registry class
PID:5860 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe98⤵PID:5908
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe99⤵PID:6004
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe100⤵PID:6048
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe101⤵PID:6140
-
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe102⤵PID:5232
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe103⤵PID:5332
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe104⤵PID:5460
-
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe105⤵PID:5568
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe106⤵PID:5552
-
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe107⤵PID:1284
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe108⤵
- Modifies registry class
PID:5808 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe109⤵PID:5888
-
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe110⤵PID:6072
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe111⤵PID:6136
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe112⤵PID:5316
-
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe113⤵PID:5532
-
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe114⤵PID:60
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe115⤵PID:5924
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe116⤵
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe117⤵PID:5396
-
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe118⤵PID:5688
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe119⤵PID:6016
-
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe120⤵PID:5224
-
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe121⤵PID:5740
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-