Analysis
max time kernel: 71s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2023, 05:49
Behavioral task behavioral1
Sample: NEAS.086894871b61c20da05e64f0e8264300.exe
Resource: win7-20231020-en
Behavioral task behavioral2
Sample: NEAS.086894871b61c20da05e64f0e8264300.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.086894871b61c20da05e64f0e8264300.exe
Size: 1.4MB
MD5: 086894871b61c20da05e64f0e8264300
SHA1: 9807a2360868764b8cf3cd7067e239eddcaa440a
SHA256: 518b570a5aa2183fbc7a9938a0527a63495a05a2d017bd4f993ef06f097e9984
SHA512: e557fa3622f9ce7cc9a7e12c6fca0d0d713322cc176f78d90ba743b38d8ccd6731585d74b2bfcfb3d587d0c1b110d3446fa5804c0842a01174b2b674a56df562
SSDEEP: 24576:vf0Ph2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oWx4C2rCLoTXosUX:vubazR0vKLXZ8C2rCLo7onBZe2Iehrtr
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ieknpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apndloif.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqbbno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Giddddad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcnlng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hglaookl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpfggang.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdhjpjjd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bndjfjhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfjnhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iiigqdfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeodapcl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anmfkane.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkjhif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppgeff32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qkhjim32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbiklmhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Biigildg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhiaepfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnbjpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhihkjfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbeobhlp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imcqacfq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eaegqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gijmlh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iqgjmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lflpmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmclgghc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkjhfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohnljine.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnmbjnlm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Galonj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgnmpbec.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbeobhlp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdmikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akgjnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Begcjjql.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mggolhaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpnfjjla.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmliem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qfjcep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npadcfnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfpqap32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Poeahaib.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfngcdhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkgbjkac.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eobffk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Capkim32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfabok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cddjofbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpaacblm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmdlhk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpbbak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oiqomj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nehekq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qnniopcm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eofgioah.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eckfaj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efhlan32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpegfm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mopeofjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eieplhlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdfnmhnj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcggga32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x0007000000022ccf-7.dat | family_berbew
behavioral2/files/0x0007000000022ccf-9.dat | family_berbew
behavioral2/files/0x0008000000022ce1-15.dat | family_berbew
behavioral2/files/0x0008000000022ce1-16.dat | family_berbew
behavioral2/files/0x0008000000022ce3-23.dat | family_berbew
behavioral2/files/0x0008000000022ce3-24.dat | family_berbew
behavioral2/files/0x0009000000022ce6-31.dat | family_berbew
behavioral2/files/0x0009000000022ce6-33.dat | family_berbew
behavioral2/files/0x0006000000022ce8-39.dat | family_berbew
behavioral2/files/0x0006000000022ce8-40.dat | family_berbew
behavioral2/files/0x0006000000022ceb-47.dat | family_berbew
behavioral2/files/0x0006000000022ceb-49.dat | family_berbew
behavioral2/files/0x0006000000022ced-55.dat | family_berbew
behavioral2/files/0x0006000000022ced-56.dat | family_berbew
behavioral2/files/0x0006000000022cef-63.dat | family_berbew
behavioral2/files/0x0006000000022cef-65.dat | family_berbew
behavioral2/files/0x0006000000022cf1-71.dat | family_berbew
behavioral2/files/0x0006000000022cf1-73.dat | family_berbew
behavioral2/files/0x0006000000022cf3-79.dat | family_berbew
behavioral2/files/0x0006000000022cf3-80.dat | family_berbew
behavioral2/files/0x000b000000022bed-88.dat | family_berbew
behavioral2/files/0x000b000000022bed-90.dat | family_berbew
behavioral2/files/0x0003000000022308-96.dat | family_berbew
behavioral2/files/0x0003000000022308-97.dat | family_berbew
behavioral2/files/0x000a000000022bec-104.dat | family_berbew
behavioral2/files/0x000a000000022bec-105.dat | family_berbew
behavioral2/files/0x0006000000022cfc-112.dat | family_berbew
behavioral2/files/0x0006000000022cfc-114.dat | family_berbew
behavioral2/files/0x0007000000022cfa-120.dat | family_berbew
behavioral2/files/0x0007000000022cfa-122.dat | family_berbew
behavioral2/files/0x0006000000022cff-128.dat | family_berbew
behavioral2/files/0x0006000000022cff-130.dat | family_berbew
behavioral2/files/0x0002000000022307-136.dat | family_berbew
behavioral2/files/0x0002000000022307-138.dat | family_berbew
behavioral2/files/0x0008000000022beb-144.dat | family_berbew
behavioral2/files/0x0008000000022beb-146.dat | family_berbew
behavioral2/files/0x0006000000022d02-152.dat | family_berbew
behavioral2/files/0x0006000000022d02-153.dat | family_berbew
behavioral2/files/0x0006000000022d04-161.dat | family_berbew
behavioral2/files/0x0006000000022d04-163.dat | family_berbew
behavioral2/files/0x0006000000022d06-169.dat | family_berbew
behavioral2/files/0x0006000000022d06-170.dat | family_berbew
behavioral2/files/0x0006000000022d08-177.dat | family_berbew
behavioral2/files/0x0006000000022d08-179.dat | family_berbew
behavioral2/files/0x0006000000022d0a-185.dat | family_berbew
behavioral2/files/0x0006000000022d0a-186.dat | family_berbew
behavioral2/files/0x0006000000022d0d-193.dat | family_berbew
behavioral2/files/0x0006000000022d0d-194.dat | family_berbew
behavioral2/files/0x0007000000022d0c-201.dat | family_berbew
behavioral2/files/0x0007000000022d0c-203.dat | family_berbew
behavioral2/files/0x0006000000022d11-209.dat | family_berbew
behavioral2/files/0x0006000000022d11-210.dat | family_berbew
behavioral2/files/0x0006000000022d13-217.dat | family_berbew
behavioral2/files/0x0006000000022d13-218.dat | family_berbew
behavioral2/files/0x0006000000022d15-225.dat | family_berbew
behavioral2/files/0x0006000000022d15-227.dat | family_berbew
behavioral2/files/0x0006000000022d17-233.dat | family_berbew
behavioral2/files/0x0006000000022d17-234.dat | family_berbew
behavioral2/files/0x0006000000022d19-241.dat | family_berbew
behavioral2/files/0x0006000000022d19-242.dat | family_berbew
behavioral2/files/0x0006000000022d1b-249.dat | family_berbew
behavioral2/files/0x0006000000022d1b-251.dat | family_berbew
behavioral2/files/0x0006000000022d1d-257.dat | family_berbew
behavioral2/files/0x0006000000022d1d-258.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
4640 | Ijbbfc32.exe
1564 | Jdmcdhhe.exe
2164 | Jeolckne.exe
3000 | Klpjad32.exe
4648 | Kdmlkfjb.exe
1464 | Lkiamp32.exe
5008 | Lbebilli.exe
1488 | Lcjldk32.exe
4704 | Mdpagc32.exe
1640 | Mccokj32.exe
4984 | Nfiagd32.exe
5040 | Ocknbglo.exe
876 | Pdngpo32.exe
400 | Peempn32.exe
4220 | Qfjcep32.exe
4572 | Acbmjcgd.exe
848 | Bmfqngcg.exe
928 | Cpifeb32.exe
1704 | Cboibm32.exe
2008 | Cmgjee32.exe
1720 | Dbhlikpf.exe
4668 | Dghadidj.exe
4708 | Epcbbohh.exe
1568 | Ecdkdj32.exe
2596 | Fdjnolfd.exe
3672 | Flhoinbl.exe
4356 | Gphddlfp.exe
1448 | Gdhjpjjd.exe
4160 | Hgpibdam.exe
4380 | Hmpnqj32.exe
2360 | Hdicggla.exe
1796 | Iqgjmg32.exe
3172 | Jgcooaah.exe
4312 | Jgjeppkp.exe
4716 | Jcaeea32.exe
5092 | Kjmjgk32.exe
3284 | Khakqo32.exe
4540 | Keekjc32.exe
4860 | Knmpbi32.exe
4936 | Knpmhh32.exe
4800 | Khhaanop.exe
892 | Lelajb32.exe
908 | Ljncnhhk.exe
4240 | Lokldg32.exe
2192 | Lkbmih32.exe
784 | Mopeofjl.exe
2644 | Mmebpbod.exe
1560 | Moeoje32.exe
4320 | Moglpedd.exe
180 | Mknlef32.exe
3080 | Nolekd32.exe
5116 | Nncoaq32.exe
3932 | Nockkcjg.exe
4476 | Nhkpdi32.exe
976 | Ohnljine.exe
4408 | Ogcike32.exe
1200 | Ohbfeh32.exe
3800 | Oeffnl32.exe
1084 | Oamgcm32.exe
1268 | Pkhhbbck.exe
2976 | Poeahaib.exe
1780 | Pohnnqgo.exe
1456 | Pkonbamc.exe
1652 | Phbolflm.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Feiglp32.dll | Folkjnbc.exe
File opened for modification | C:\Windows\SysWOW64\Nehekq32.exe | Npkmcj32.exe
File created | C:\Windows\SysWOW64\Olejbnna.dll | Fhonpi32.exe
File created | C:\Windows\SysWOW64\Jpfnqc32.exe | Ikifhm32.exe
File created | C:\Windows\SysWOW64\Fkpgjq32.dll | Hcommoin.exe
File created | C:\Windows\SysWOW64\Imcqacfq.exe | Icklhnop.exe
File opened for modification | C:\Windows\SysWOW64\Oinbgk32.exe | Odaiodbp.exe
File created | C:\Windows\SysWOW64\Cgpcklpd.exe | Ccajdmin.exe
File created | C:\Windows\SysWOW64\Lonnfg32.exe | Ldiiio32.exe
File created | C:\Windows\SysWOW64\Foakpc32.exe | Fidbgm32.exe
File created | C:\Windows\SysWOW64\Ljoboloa.exe | Lmheph32.exe
File opened for modification | C:\Windows\SysWOW64\Goipae32.exe | Mcmall32.exe
File opened for modification | C:\Windows\SysWOW64\Opgloh32.exe | Ofnhfbjl.exe
File created | C:\Windows\SysWOW64\Pfgaelbi.dll | Oekpdoll.exe
File created | C:\Windows\SysWOW64\Capkim32.exe | Ckcbaf32.exe
File opened for modification | C:\Windows\SysWOW64\Mcggga32.exe | Ljoboloa.exe
File opened for modification | C:\Windows\SysWOW64\Bcngddao.exe | Bnaolm32.exe
File opened for modification | C:\Windows\SysWOW64\Ioeicajh.exe | Idgocigi.exe
File opened for modification | C:\Windows\SysWOW64\Pneelmjo.exe | Cooolhin.exe
File created | C:\Windows\SysWOW64\Jbkdoilo.dll | Boanniao.exe
File created | C:\Windows\SysWOW64\Mnfooh32.dll | Lkiamp32.exe
File opened for modification | C:\Windows\SysWOW64\Mknlef32.exe | Moglpedd.exe
File created | C:\Windows\SysWOW64\Fodbhbhk.dll | Hklglk32.exe
File created | C:\Windows\SysWOW64\Aohbbqme.exe | Efccfojn.exe
File created | C:\Windows\SysWOW64\Hcommoin.exe | Ghjhofjg.exe
File opened for modification | C:\Windows\SysWOW64\Eenflbll.exe | Cameka32.exe
File opened for modification | C:\Windows\SysWOW64\Gablgk32.exe | Fcnlng32.exe
File created | C:\Windows\SysWOW64\Cohdoh32.exe | Ceppfbef.exe
File created | C:\Windows\SysWOW64\Ebpqjmpd.exe | Ehklmd32.exe
File created | C:\Windows\SysWOW64\Lmheph32.exe | Lpdefc32.exe
File opened for modification | C:\Windows\SysWOW64\Idhgkcln.exe | Ihagfb32.exe
File created | C:\Windows\SysWOW64\Aaldngqg.exe | Aefcif32.exe
File created | C:\Windows\SysWOW64\Ldhopqko.dll | Acbmjcgd.exe
File opened for modification | C:\Windows\SysWOW64\Jcaeea32.exe | Jgjeppkp.exe
File created | C:\Windows\SysWOW64\Pnoand32.dll | Ofjokc32.exe
File created | C:\Windows\SysWOW64\Fdjnolfd.exe | Ecdkdj32.exe
File opened for modification | C:\Windows\SysWOW64\Ghjhofjg.exe | Gcmpgpkp.exe
File opened for modification | C:\Windows\SysWOW64\Mnndhi32.exe | Miqlpbap.exe
File created | C:\Windows\SysWOW64\Ejbgidpn.dll | Nnimia32.exe
File opened for modification | C:\Windows\SysWOW64\Cboibm32.exe | Cpifeb32.exe
File opened for modification | C:\Windows\SysWOW64\Mfhgcbfo.exe | Mjafoapj.exe
File created | C:\Windows\SysWOW64\Mcggga32.exe | Ljoboloa.exe
File created | C:\Windows\SysWOW64\Qlomemlj.exe | Pgbdmfnc.exe
File opened for modification | C:\Windows\SysWOW64\Dfqdid32.exe | Dlkplk32.exe
File opened for modification | C:\Windows\SysWOW64\Oickbjmb.exe | Oiqomj32.exe
File created | C:\Windows\SysWOW64\Hnlgemnf.dll | Cqpdof32.exe
File created | C:\Windows\SysWOW64\Fkojdk32.dll | Gechnpid.exe
File created | C:\Windows\SysWOW64\Mfkcec32.dll | Ifmcmg32.exe
File created | C:\Windows\SysWOW64\Dfngcdhi.exe | Deokja32.exe
File created | C:\Windows\SysWOW64\Hdokok32.exe | Hhhkjj32.exe
File created | C:\Windows\SysWOW64\Bjgple32.dll | Eigohp32.exe
File created | C:\Windows\SysWOW64\Lkiamp32.exe | Kdmlkfjb.exe
File opened for modification | C:\Windows\SysWOW64\Djgkbp32.exe | Dpnfjjla.exe
File created | C:\Windows\SysWOW64\Phkioc32.dll | Okkidceh.exe
File opened for modification | C:\Windows\SysWOW64\Moglpedd.exe | Moeoje32.exe
File opened for modification | C:\Windows\SysWOW64\Elnehifk.exe | Eojeodga.exe
File created | C:\Windows\SysWOW64\Jnmbjnlm.exe | Jddnah32.exe
File created | C:\Windows\SysWOW64\Begcjjql.exe | Bpjkbcbe.exe
File created | C:\Windows\SysWOW64\Cpbgnlfo.exe | Gjohnkdd.exe
File created | C:\Windows\SysWOW64\Hghhgh32.dll | Cfjnhe32.exe
File opened for modification | C:\Windows\SysWOW64\Hfeoijbi.exe | Hllkqdli.exe
File created | C:\Windows\SysWOW64\Modkhnci.dll | Mjfoja32.exe
File opened for modification | C:\Windows\SysWOW64\Fongpm32.exe | Fiaogfai.exe
File created | C:\Windows\SysWOW64\Bckecf32.dll | Npkmcj32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
7296 | 9384 | Process not Found | 1137
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdkmelh.dll" | Plejoode.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfjhp32.dll" | Cknbkpif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnbnchlb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Affgno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgjef32.dll" | Galonj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glqkefff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbhcdl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Apndloif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ffekom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efgehe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hanlcjgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eaegqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eoilfidj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fajcmcok.dll" | Miqlpbap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjle32.dll" | Ipcakd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cediab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klpjad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cicjokll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjdecfcc.dll" | Gablgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcboln32.dll" | Nkghqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkimb32.dll" | Fnbjpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qlggcp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbfmha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppbjhj32.dll" | Dghadidj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gjpaffhl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Giddddad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oijgmokc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Elagjihh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gknkkmmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Enoddi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bdfnmhnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfmmajed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bckecf32.dll" | Npkmcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afcafo32.dll" | Fofigd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbebilli.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lokldg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nehekq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgjeohk.dll" | Qekbaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbjcd32.dll" | Bnehgmob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddndonph.dll" | Icdhdfcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eobffk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocknbglo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogcike32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdddjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfoohmp.dll" | Lnfgmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfndbnlp.dll" | Kidmcqeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ijbbfc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kjlcmdbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giagjn32.dll" | Hahedoci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgamdnme.dll" | Jdiglgbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmginjki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfdefo32.dll" | Ikjcmi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Opgciodi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | NEAS.086894871b61c20da05e64f0e8264300.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bdgehobe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fcjimnjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnmmmbll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlcnoajl.dll" | Ejhkdc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmginjki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Deokja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Odaiodbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hcommoin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dncehk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hncmfj32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 656 wrote to memory of 4640 | 656 | NEAS.086894871b61c20da05e64f0e8264300.exe | 90
PID 656 wrote to memory of 4640 | 656 | NEAS.086894871b61c20da05e64f0e8264300.exe | 90
PID 656 wrote to memory of 4640 | 656 | NEAS.086894871b61c20da05e64f0e8264300.exe | 90
PID 4640 wrote to memory of 1564 | 4640 | Ijbbfc32.exe | 92
PID 4640 wrote to memory of 1564 | 4640 | Ijbbfc32.exe | 92
PID 4640 wrote to memory of 1564 | 4640 | Ijbbfc32.exe | 92
PID 1564 wrote to memory of 2164 | 1564 | Jdmcdhhe.exe | 93
PID 1564 wrote to memory of 2164 | 1564 | Jdmcdhhe.exe | 93
PID 1564 wrote to memory of 2164 | 1564 | Jdmcdhhe.exe | 93
PID 2164 wrote to memory of 3000 | 2164 | Jeolckne.exe | 94
PID 2164 wrote to memory of 3000 | 2164 | Jeolckne.exe | 94
PID 2164 wrote to memory of 3000 | 2164 | Jeolckne.exe | 94
PID 3000 wrote to memory of 4648 | 3000 | Klpjad32.exe | 95
PID 3000 wrote to memory of 4648 | 3000 | Klpjad32.exe | 95
PID 3000 wrote to memory of 4648 | 3000 | Klpjad32.exe | 95
PID 4648 wrote to memory of 1464 | 4648 | Kdmlkfjb.exe | 96
PID 4648 wrote to memory of 1464 | 4648 | Kdmlkfjb.exe | 96
PID 4648 wrote to memory of 1464 | 4648 | Kdmlkfjb.exe | 96
PID 1464 wrote to memory of 5008 | 1464 | Lkiamp32.exe | 97
PID 1464 wrote to memory of 5008 | 1464 | Lkiamp32.exe | 97
PID 1464 wrote to memory of 5008 | 1464 | Lkiamp32.exe | 97
PID 5008 wrote to memory of 1488 | 5008 | Lbebilli.exe | 98
PID 5008 wrote to memory of 1488 | 5008 | Lbebilli.exe | 98
PID 5008 wrote to memory of 1488 | 5008 | Lbebilli.exe | 98
PID 1488 wrote to memory of 4704 | 1488 | Lcjldk32.exe | 99
PID 1488 wrote to memory of 4704 | 1488 | Lcjldk32.exe | 99
PID 1488 wrote to memory of 4704 | 1488 | Lcjldk32.exe | 99
PID 4704 wrote to memory of 1640 | 4704 | Mdpagc32.exe | 100
PID 4704 wrote to memory of 1640 | 4704 | Mdpagc32.exe | 100
PID 4704 wrote to memory of 1640 | 4704 | Mdpagc32.exe | 100
PID 1640 wrote to memory of 4984 | 1640 | Mccokj32.exe | 101
PID 1640 wrote to memory of 4984 | 1640 | Mccokj32.exe | 101
PID 1640 wrote to memory of 4984 | 1640 | Mccokj32.exe | 101
PID 4984 wrote to memory of 5040 | 4984 | Nfiagd32.exe | 102
PID 4984 wrote to memory of 5040 | 4984 | Nfiagd32.exe | 102
PID 4984 wrote to memory of 5040 | 4984 | Nfiagd32.exe | 102
PID 5040 wrote to memory of 876 | 5040 | Ocknbglo.exe | 103
PID 5040 wrote to memory of 876 | 5040 | Ocknbglo.exe | 103
PID 5040 wrote to memory of 876 | 5040 | Ocknbglo.exe | 103
PID 876 wrote to memory of 400 | 876 | Pdngpo32.exe | 104
PID 876 wrote to memory of 400 | 876 | Pdngpo32.exe | 104
PID 876 wrote to memory of 400 | 876 | Pdngpo32.exe | 104
PID 400 wrote to memory of 4220 | 400 | Peempn32.exe | 105
PID 400 wrote to memory of 4220 | 400 | Peempn32.exe | 105
PID 400 wrote to memory of 4220 | 400 | Peempn32.exe | 105
PID 4220 wrote to memory of 4572 | 4220 | Qfjcep32.exe | 106
PID 4220 wrote to memory of 4572 | 4220 | Qfjcep32.exe | 106
PID 4220 wrote to memory of 4572 | 4220 | Qfjcep32.exe | 106
PID 4572 wrote to memory of 848 | 4572 | Acbmjcgd.exe | 107
PID 4572 wrote to memory of 848 | 4572 | Acbmjcgd.exe | 107
PID 4572 wrote to memory of 848 | 4572 | Acbmjcgd.exe | 107
PID 848 wrote to memory of 928 | 848 | Bmfqngcg.exe | 108
PID 848 wrote to memory of 928 | 848 | Bmfqngcg.exe | 108
PID 848 wrote to memory of 928 | 848 | Bmfqngcg.exe | 108
PID 928 wrote to memory of 1704 | 928 | Cpifeb32.exe | 109
PID 928 wrote to memory of 1704 | 928 | Cpifeb32.exe | 109
PID 928 wrote to memory of 1704 | 928 | Cpifeb32.exe | 109
PID 1704 wrote to memory of 2008 | 1704 | Cboibm32.exe | 110
PID 1704 wrote to memory of 2008 | 1704 | Cboibm32.exe | 110
PID 1704 wrote to memory of 2008 | 1704 | Cboibm32.exe | 110
PID 2008 wrote to memory of 1720 | 2008 | Cmgjee32.exe | 111
PID 2008 wrote to memory of 1720 | 2008 | Cmgjee32.exe | 111
PID 2008 wrote to memory of 1720 | 2008 | Cmgjee32.exe | 111
PID 1720 wrote to memory of 4668 | 1720 | Dbhlikpf.exe | 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.086894871b61c20da05e64f0e8264300.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.086894871b61c20da05e64f0e8264300.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Ijbbfc32.exeC:\Windows\system32\Ijbbfc32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Lkiamp32.exeC:\Windows\system32\Lkiamp32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Lbebilli.exeC:\Windows\system32\Lbebilli.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Lcjldk32.exeC:\Windows\system32\Lcjldk32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Mccokj32.exeC:\Windows\system32\Mccokj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Ocknbglo.exeC:\Windows\system32\Ocknbglo.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Acbmjcgd.exeC:\Windows\system32\Acbmjcgd.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Bmfqngcg.exeC:\Windows\system32\Bmfqngcg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Cmgjee32.exeC:\Windows\system32\Cmgjee32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4668 -
C:\Windows\SysWOW64\Epcbbohh.exeC:\Windows\system32\Epcbbohh.exe24⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Fdjnolfd.exeC:\Windows\system32\Fdjnolfd.exe26⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Flhoinbl.exeC:\Windows\system32\Flhoinbl.exe27⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe28⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Hgpibdam.exeC:\Windows\system32\Hgpibdam.exe30⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe31⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe32⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Jgcooaah.exeC:\Windows\system32\Jgcooaah.exe34⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4312 -
C:\Windows\SysWOW64\Jcaeea32.exeC:\Windows\system32\Jcaeea32.exe36⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe37⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Khakqo32.exeC:\Windows\system32\Khakqo32.exe38⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Keekjc32.exeC:\Windows\system32\Keekjc32.exe39⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Knmpbi32.exeC:\Windows\system32\Knmpbi32.exe40⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Knpmhh32.exeC:\Windows\system32\Knpmhh32.exe41⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe42⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Lelajb32.exeC:\Windows\system32\Lelajb32.exe43⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Ljncnhhk.exeC:\Windows\system32\Ljncnhhk.exe44⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4240 -
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe46⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe48⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4320 -
C:\Windows\SysWOW64\Mknlef32.exeC:\Windows\system32\Mknlef32.exe51⤵
- Executes dropped EXE
PID:180 -
C:\Windows\SysWOW64\Nolekd32.exeC:\Windows\system32\Nolekd32.exe52⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Nncoaq32.exeC:\Windows\system32\Nncoaq32.exe53⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe54⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe55⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Ohnljine.exeC:\Windows\system32\Ohnljine.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Ogcike32.exeC:\Windows\system32\Ogcike32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:4408 -
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe58⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Oeffnl32.exeC:\Windows\system32\Oeffnl32.exe59⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Oamgcm32.exeC:\Windows\system32\Oamgcm32.exe60⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Pkhhbbck.exeC:\Windows\system32\Pkhhbbck.exe61⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Pohnnqgo.exeC:\Windows\system32\Pohnnqgo.exe63⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Pkonbamc.exeC:\Windows\system32\Pkonbamc.exe64⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Phbolflm.exeC:\Windows\system32\Phbolflm.exe65⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe66⤵PID:5128
-
C:\Windows\SysWOW64\Akjnnpcf.exeC:\Windows\system32\Akjnnpcf.exe67⤵PID:5168
-
C:\Windows\SysWOW64\Aecbge32.exeC:\Windows\system32\Aecbge32.exe68⤵PID:5212
-
C:\Windows\SysWOW64\Abgcqjhp.exeC:\Windows\system32\Abgcqjhp.exe69⤵PID:5252
-
C:\Windows\SysWOW64\Aokcjngj.exeC:\Windows\system32\Aokcjngj.exe70⤵PID:5292
-
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe71⤵PID:5332
-
C:\Windows\SysWOW64\Bfieagka.exeC:\Windows\system32\Bfieagka.exe72⤵PID:5368
-
C:\Windows\SysWOW64\Bndjfjhl.exeC:\Windows\system32\Bndjfjhl.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5416 -
C:\Windows\SysWOW64\Bgmnooom.exeC:\Windows\system32\Bgmnooom.exe74⤵PID:5456
-
C:\Windows\SysWOW64\Bfnnmg32.exeC:\Windows\system32\Bfnnmg32.exe75⤵PID:5496
-
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5540 -
C:\Windows\SysWOW64\Cfbhhfbg.exeC:\Windows\system32\Cfbhhfbg.exe77⤵PID:5584
-
C:\Windows\SysWOW64\Clpppmqn.exeC:\Windows\system32\Clpppmqn.exe78⤵PID:5636
-
C:\Windows\SysWOW64\Cfedmfqd.exeC:\Windows\system32\Cfedmfqd.exe79⤵PID:5688
-
C:\Windows\SysWOW64\Cnpibh32.exeC:\Windows\system32\Cnpibh32.exe80⤵PID:5748
-
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe81⤵PID:5796
-
C:\Windows\SysWOW64\Cfjnhe32.exeC:\Windows\system32\Cfjnhe32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5844 -
C:\Windows\SysWOW64\Cpbbak32.exeC:\Windows\system32\Cpbbak32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5888 -
C:\Windows\SysWOW64\Deokja32.exeC:\Windows\system32\Deokja32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:5968 -
C:\Windows\SysWOW64\Dfngcdhi.exeC:\Windows\system32\Dfngcdhi.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6008 -
C:\Windows\SysWOW64\Dlkplk32.exeC:\Windows\system32\Dlkplk32.exe86⤵
- Drops file in System32 directory
PID:6060 -
C:\Windows\SysWOW64\Dfqdid32.exeC:\Windows\system32\Dfqdid32.exe87⤵PID:6104
-
C:\Windows\SysWOW64\Dlnlak32.exeC:\Windows\system32\Dlnlak32.exe88⤵PID:3664
-
C:\Windows\SysWOW64\Defajqko.exeC:\Windows\system32\Defajqko.exe89⤵PID:5176
-
C:\Windows\SysWOW64\Dpkehi32.exeC:\Windows\system32\Dpkehi32.exe90⤵PID:5236
-
C:\Windows\SysWOW64\Eifffoob.exeC:\Windows\system32\Eifffoob.exe91⤵PID:5340
-
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe92⤵PID:5396
-
C:\Windows\SysWOW64\Eihcln32.exeC:\Windows\system32\Eihcln32.exe93⤵PID:5448
-
C:\Windows\SysWOW64\Ebagdddp.exeC:\Windows\system32\Ebagdddp.exe94⤵PID:5536
-
C:\Windows\SysWOW64\Eojeodga.exeC:\Windows\system32\Eojeodga.exe95⤵
- Drops file in System32 directory
PID:5612 -
C:\Windows\SysWOW64\Elnehifk.exeC:\Windows\system32\Elnehifk.exe96⤵PID:5680
-
C:\Windows\SysWOW64\Fhefmjlp.exeC:\Windows\system32\Fhefmjlp.exe97⤵PID:5832
-
C:\Windows\SysWOW64\Fidbgm32.exeC:\Windows\system32\Fidbgm32.exe98⤵
- Drops file in System32 directory
PID:5860 -
C:\Windows\SysWOW64\Foakpc32.exeC:\Windows\system32\Foakpc32.exe99⤵PID:5964
-
C:\Windows\SysWOW64\Fhiphi32.exeC:\Windows\system32\Fhiphi32.exe100⤵PID:6040
-
C:\Windows\SysWOW64\Fiilblom.exeC:\Windows\system32\Fiilblom.exe101⤵PID:6112
-
C:\Windows\SysWOW64\Fofdkcmd.exeC:\Windows\system32\Fofdkcmd.exe102⤵PID:5180
-
C:\Windows\SysWOW64\Gccmaack.exeC:\Windows\system32\Gccmaack.exe103⤵PID:5324
-
C:\Windows\SysWOW64\Ghqeihbb.exeC:\Windows\system32\Ghqeihbb.exe104⤵PID:5344
-
C:\Windows\SysWOW64\Gojnfb32.exeC:\Windows\system32\Gojnfb32.exe105⤵PID:5488
-
C:\Windows\SysWOW64\Ghcbohpp.exeC:\Windows\system32\Ghcbohpp.exe106⤵PID:5620
-
C:\Windows\SysWOW64\Gchflq32.exeC:\Windows\system32\Gchflq32.exe107⤵PID:5760
-
C:\Windows\SysWOW64\Glqkefff.exeC:\Windows\system32\Glqkefff.exe108⤵
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Ggfobofl.exeC:\Windows\system32\Ggfobofl.exe109⤵PID:6004
-
C:\Windows\SysWOW64\Ghgljg32.exeC:\Windows\system32\Ghgljg32.exe110⤵PID:5152
-
C:\Windows\SysWOW64\Gcmpgpkp.exeC:\Windows\system32\Gcmpgpkp.exe111⤵
- Drops file in System32 directory
PID:5364 -
C:\Windows\SysWOW64\Ghjhofjg.exeC:\Windows\system32\Ghjhofjg.exe112⤵
- Drops file in System32 directory
PID:5516 -
C:\Windows\SysWOW64\Hcommoin.exeC:\Windows\system32\Hcommoin.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Hpcmfchg.exeC:\Windows\system32\Hpcmfchg.exe114⤵PID:5980
-
C:\Windows\SysWOW64\Hhobjf32.exeC:\Windows\system32\Hhobjf32.exe115⤵PID:6136
-
C:\Windows\SysWOW64\Hcdfho32.exeC:\Windows\system32\Hcdfho32.exe116⤵PID:5472
-
C:\Windows\SysWOW64\Hllkqdli.exeC:\Windows\system32\Hllkqdli.exe117⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Hfeoijbi.exeC:\Windows\system32\Hfeoijbi.exe118⤵PID:5148
-
C:\Windows\SysWOW64\Hcipcnac.exeC:\Windows\system32\Hcipcnac.exe119⤵PID:5776
-
C:\Windows\SysWOW64\Icklhnop.exeC:\Windows\system32\Icklhnop.exe120⤵
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Imcqacfq.exeC:\Windows\system32\Imcqacfq.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6084 -
C:\Windows\SysWOW64\Ioicnn32.exeC:\Windows\system32\Ioicnn32.exe122⤵PID:5244