Analysis
Max time kernel: 149s
Max time network: 169s
Platform: windows10-2004_x64
Resource: win10v2004-20231023-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18/11/2023, 03:28
Behavioral task behavioral1
Sample: NEAS.055abb3b4da1780e637bf46c2aff1a50.exe
Resource: win7-20231020-en

Behavioral task behavioral2
Sample: NEAS.055abb3b4da1780e637bf46c2aff1a50.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.055abb3b4da1780e637bf46c2aff1a50.exe
Size: 88KB
MD5: 055abb3b4da1780e637bf46c2aff1a50
SHA1: aea2c372b990c608de907e3fa20cd2ceca6f20de
SHA256: 96a73dff679af6c45b4e009e271a73c1a87bb20bdb858a6dd93495824b481fd8
SHA512: 418f2345480fef00c09f882766c4742ab6aaf67496d67948605cfff00a3b513869ce1d9692650d78645686b4f83174fcb9f31dfcf5d6aaebe9d21a141294f4f2
SSDEEP: 1536:HtFyndIMoigAKZ4wFL8QOVXtE1ukVd71rFZO7+90vT:HvEqieZTLi9EIIJ15ZO7Vr
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjednmla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofncde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Noijmp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfbcek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgblhmag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lihfmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nimbdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebpjjk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cameka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejklfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdjpff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkhpmigp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncjmob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdcplkoe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epgndedc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgdcom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpapiipo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klceeejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iepihf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jckeokan.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgckgcem.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohgokknb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmjqjqao.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mihbpalh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipaeedpp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iioicn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fiilmofe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qejkfp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfcqod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aldeap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfgfkd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifbbbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Napjnfik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knifging.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbjgcnll.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agcbqecp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbdbcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnelha32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkmijf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmbamdkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmefiakh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncbaabom.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehocjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmiqfoie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Effffd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfbahcfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohkkanbe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Momqblgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgbccm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfiffd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pckfdh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agiagn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cikkga32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jefbomoe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmijliej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Caojigoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apkhfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccacjgfb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Homadjin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eoneah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmpnppap.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deokhc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dijgjpip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olqqdo32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

resource | yara_rule
behavioral2/memory/4796-0-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cbf-6.dat | family_berbew
behavioral2/files/0x0008000000022cbf-7.dat | family_berbew
behavioral2/memory/372-8-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cc2-14.dat | family_berbew
behavioral2/memory/4700-16-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cc2-15.dat | family_berbew
behavioral2/files/0x0008000000022cc4-17.dat | family_berbew
behavioral2/files/0x0008000000022cc4-22.dat | family_berbew
behavioral2/files/0x0008000000022cc4-24.dat | family_berbew
behavioral2/memory/3628-23-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cc7-30.dat | family_berbew
behavioral2/files/0x0008000000022cc7-32.dat | family_berbew
behavioral2/memory/4536-31-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cc9-33.dat | family_berbew
behavioral2/files/0x0006000000022cc9-38.dat | family_berbew
behavioral2/files/0x0006000000022cc9-40.dat | family_berbew
behavioral2/memory/3992-39-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ccb-46.dat | family_berbew
behavioral2/files/0x0006000000022ccb-48.dat | family_berbew
behavioral2/memory/1532-47-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ccd-54.dat | family_berbew
behavioral2/files/0x0006000000022ccd-55.dat | family_berbew
behavioral2/memory/1344-56-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ccf-64.dat | family_berbew
behavioral2/memory/1372-63-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ccf-62.dat | family_berbew
behavioral2/files/0x0006000000022cd1-69.dat | family_berbew
behavioral2/memory/2816-71-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cd1-72.dat | family_berbew
behavioral2/files/0x0006000000022cd3-73.dat | family_berbew
behavioral2/files/0x0006000000022cd3-77.dat | family_berbew
behavioral2/files/0x0006000000022cd3-80.dat | family_berbew
behavioral2/memory/1504-79-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cd5-86.dat | family_berbew
behavioral2/memory/760-87-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cd5-88.dat | family_berbew
behavioral2/files/0x0006000000022cd7-94.dat | family_berbew
behavioral2/memory/2452-95-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cd7-96.dat | family_berbew
behavioral2/files/0x0006000000022cd9-101.dat | family_berbew
behavioral2/memory/3120-104-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cd9-103.dat | family_berbew
behavioral2/files/0x0006000000022cdb-105.dat | family_berbew
behavioral2/files/0x0006000000022cdb-110.dat | family_berbew
behavioral2/files/0x0006000000022cdb-111.dat | family_berbew
behavioral2/memory/5104-112-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cdd-118.dat | family_berbew
behavioral2/memory/2168-119-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cdd-120.dat | family_berbew
behavioral2/files/0x0006000000022cdf-126.dat | family_berbew
behavioral2/memory/1832-127-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cdf-128.dat | family_berbew
behavioral2/files/0x0006000000022ce1-129.dat | family_berbew
behavioral2/files/0x0006000000022ce1-134.dat | family_berbew
behavioral2/memory/648-135-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ce1-136.dat | family_berbew
behavioral2/files/0x0006000000022ce3-142.dat | family_berbew
behavioral2/files/0x0006000000022ce3-144.dat | family_berbew
behavioral2/memory/3760-143-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ce5-150.dat | family_berbew
behavioral2/memory/2200-152-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ce5-151.dat | family_berbew
behavioral2/files/0x0006000000022ce7-153.dat | family_berbew
Executes dropped EXE (64 IoCs)

pid | Process
372 | Hcgjhega.exe
4700 | Iepihf32.exe
3628 | Iqgjmg32.exe
4536 | Japmcfcc.exe
3992 | Knifging.exe
1532 | Kmncif32.exe
1344 | Kjdqhjpf.exe
1372 | Kfkamk32.exe
2816 | Laeoec32.exe
1504 | Laglkb32.exe
760 | Mehafq32.exe
2452 | Maoakaip.exe
3120 | Mdokmm32.exe
5104 | Namnmp32.exe
2168 | Ngnppfgb.exe
1832 | Oogdfc32.exe
648 | Pdeffgff.exe
3760 | Afkipi32.exe
2200 | Aofjoo32.exe
3416 | Aeeomegd.exe
652 | Bngfli32.exe
4316 | Dijgjpip.exe
2444 | Dhpdkm32.exe
3764 | Dfcqod32.exe
1828 | Dpkehi32.exe
1420 | Ehkcgkdj.exe
4012 | Epgdch32.exe
864 | Efampahd.exe
776 | Fbjjkble.exe
3920 | Fhnichde.exe
4516 | Gpjjpe32.exe
2380 | Hgdlcm32.exe
3556 | Iqaiga32.exe
1756 | Ijjnpg32.exe
1944 | Ifqoehhl.exe
2172 | Jckeokan.exe
4668 | Kqdodo32.exe
1652 | Kpilekqj.exe
3848 | Kjopbd32.exe
3916 | Kplijk32.exe
2192 | Liifnp32.exe
4300 | Lmiljn32.exe
2700 | Lagepl32.exe
4908 | Mhefhf32.exe
208 | Miipencp.exe
2532 | Mhjpceko.exe
4296 | Mfomda32.exe
4776 | Nipffmmg.exe
1540 | Nmnnlk32.exe
5080 | Nhfoocaa.exe
2744 | Ogpfko32.exe
3660 | Qdflaa32.exe
2236 | Aklciimh.exe
1080 | Bhennm32.exe
2316 | Bndblcdq.exe
4620 | Bqdlmo32.exe
424 | Cgaqphgl.exe
3972 | Ceeaim32.exe
4420 | Canocm32.exe
3068 | Dndlba32.exe
4032 | Djklgb32.exe
4652 | Dilmeida.exe
4860 | Dgaiffii.exe
4884 | Dnnoip32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Mdokmm32.exe | Maoakaip.exe
File opened for modification | C:\Windows\SysWOW64\Fhkcfmbp.exe | Egkgljkm.exe
File created | C:\Windows\SysWOW64\Hnmnpano.exe | Ghpehjph.exe
File created | C:\Windows\SysWOW64\Cmbobi32.dll | Ahakhg32.exe
File created | C:\Windows\SysWOW64\Mglfibmh.exe | Menimfnd.exe
File created | C:\Windows\SysWOW64\Pojkjo32.dll | Offnae32.exe
File created | C:\Windows\SysWOW64\Lkpjfi32.dll | Anmjmojl.exe
File created | C:\Windows\SysWOW64\Bjddinbn.exe | Balpph32.exe
File opened for modification | C:\Windows\SysWOW64\Jdbheajp.exe | Jjmcghjj.exe
File created | C:\Windows\SysWOW64\Necphcfk.dll | Mecjbl32.exe
File created | C:\Windows\SysWOW64\Dcmjpl32.exe | Bgdcom32.exe
File created | C:\Windows\SysWOW64\Hidkhm32.dll | Ibicgmhe.exe
File created | C:\Windows\SysWOW64\Kengqo32.exe | Kjhccf32.exe
File created | C:\Windows\SysWOW64\Pneakj32.dll | Epgndedc.exe
File created | C:\Windows\SysWOW64\Djgbgjdl.dll | Oloaamqf.exe
File created | C:\Windows\SysWOW64\Hmmffnai.exe | Hbhbie32.exe
File created | C:\Windows\SysWOW64\Bmcpfocg.dll | Qnlkllcf.exe
File opened for modification | C:\Windows\SysWOW64\Kmiqfoie.exe | Kcdmifip.exe
File created | C:\Windows\SysWOW64\Ekejap32.dll | Nlbkjf32.exe
File created | C:\Windows\SysWOW64\Gkhkdjli.exe | Glgjfb32.exe
File created | C:\Windows\SysWOW64\Lqikfi32.exe | Lgqfmcge.exe
File created | C:\Windows\SysWOW64\Hmnlgn32.dll | Obgofmjb.exe
File created | C:\Windows\SysWOW64\Maohdj32.exe | Mkepgp32.exe
File opened for modification | C:\Windows\SysWOW64\Qjjhla32.exe | Pqbdclak.exe
File opened for modification | C:\Windows\SysWOW64\Bjaqih32.exe | Bcghlnih.exe
File created | C:\Windows\SysWOW64\Ebpjjk32.exe | Dkfanqmd.exe
File opened for modification | C:\Windows\SysWOW64\Mcdlil32.exe | Mfqlph32.exe
File created | C:\Windows\SysWOW64\Bnobfn32.exe | Aphegjhc.exe
File opened for modification | C:\Windows\SysWOW64\Dhkjooqb.exe | Dmefafql.exe
File created | C:\Windows\SysWOW64\Fimgonmc.dll | Ignndo32.exe
File opened for modification | C:\Windows\SysWOW64\Ipaeedpp.exe | Iophnl32.exe
File created | C:\Windows\SysWOW64\Mlddkdne.dll | Pkkdci32.exe
File created | C:\Windows\SysWOW64\Fhbolp32.dll | Engjol32.exe
File created | C:\Windows\SysWOW64\Flkdpnjl.exe | Fealcc32.exe
File created | C:\Windows\SysWOW64\Iffadlme.dll | Hoaocf32.exe
File created | C:\Windows\SysWOW64\Pmefiakh.exe | Pgknlg32.exe
File created | C:\Windows\SysWOW64\Jhppdo32.dll | Hbkgfode.exe
File created | C:\Windows\SysWOW64\Acilkp32.exe | Afelal32.exe
File created | C:\Windows\SysWOW64\Bkmaja32.dll | Piphaf32.exe
File created | C:\Windows\SysWOW64\Ilepmjdo.exe | Hifcqo32.exe
File created | C:\Windows\SysWOW64\Kqcgjq32.dll | Ccacjgfb.exe
File opened for modification | C:\Windows\SysWOW64\Nbadmege.exe | Npbhqj32.exe
File opened for modification | C:\Windows\SysWOW64\Aofjoo32.exe | Afkipi32.exe
File opened for modification | C:\Windows\SysWOW64\Ffggdmbi.exe | Fqjolfda.exe
File created | C:\Windows\SysWOW64\Eijgnnhg.dll | Hfaaddlo.exe
File created | C:\Windows\SysWOW64\Knfkfg32.dll | Pehnaqid.exe
File created | C:\Windows\SysWOW64\Jdnnaj32.dll | Cdpjeh32.exe
File created | C:\Windows\SysWOW64\Nghhhc32.dll | Fbjjkble.exe
File created | C:\Windows\SysWOW64\Opmaaodc.exe | Ojcidelf.exe
File created | C:\Windows\SysWOW64\Kldmmp32.exe | Kfgddi32.exe
File created | C:\Windows\SysWOW64\Bjaqih32.exe | Bcghlnih.exe
File created | C:\Windows\SysWOW64\Jdodekhg.exe | Jnelha32.exe
File created | C:\Windows\SysWOW64\Ncjmob32.exe | Nmpdbh32.exe
File opened for modification | C:\Windows\SysWOW64\Agjhadmh.exe | Anadho32.exe
File created | C:\Windows\SysWOW64\Fhfepjoe.dll | Hnmnpano.exe
File created | C:\Windows\SysWOW64\Igbhpned.exe | Iafogggl.exe
File created | C:\Windows\SysWOW64\Neiiiecg.exe | Nnpalk32.exe
File created | C:\Windows\SysWOW64\Mnmhgjpl.dll | Nfpled32.exe
File created | C:\Windows\SysWOW64\Bidfhgld.dll | Dpqonl32.exe
File created | C:\Windows\SysWOW64\Oioojh32.exe | Noijmp32.exe
File created | C:\Windows\SysWOW64\Iobbbpgd.dll | Oobfhh32.exe
File opened for modification | C:\Windows\SysWOW64\Kloljf32.exe | Kokkqbog.exe
File created | C:\Windows\SysWOW64\Coigllel.exe | Bddcocff.exe
File created | C:\Windows\SysWOW64\Dgmejc32.dll | Knnhdied.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
1428 | 8784 | WerFault.exe | 1043
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Biogieke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacqnom.dll" | Jnelha32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chbcphph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbchnfei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbdfbob.dll" | Onqbjccl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfjbk32.dll" | Eejjdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbchc32.dll" | Ghpehjph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgjfqgj.dll" | Epgdch32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jjgcgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iehkpmgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Enfcjb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Maohdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emikje32.dll" | Klceeejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hggonfbm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pjnbfmom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklfbocn.dll" | Elnoifjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgefae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dkfanqmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pnnokn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaalf32.dll" | Bmngjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dgpgplej.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ohhnln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aofjoo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmbamdkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkkaeimf.dll" | Aiapjecl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibicgmhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmjqjqao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | NEAS.055abb3b4da1780e637bf46c2aff1a50.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lmiljn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baeenn32.dll" | Kkmijf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmpolhlc.dll" | Ndjldo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmnbbpe.dll" | Cocjbkna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cggpfa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Momqblgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfddoq32.dll" | Oianmm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pehnaqid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagojbeb.dll" | Jgonfcnb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hbchnfei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iefnjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kddpnpdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmfilfep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanhgdgm.dll" | Gfngke32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oeffip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihacc32.dll" | Ncbfcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minkhnmc.dll" | Fklcbocl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkkheak.dll" | Mnanpfdo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emhmkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfdho32.dll" | Cahffmel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoecana.dll" | Ohhnln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfpmgnmk.dll" | Efpofi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pcnhfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dflmep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jljiimeb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fealcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focgfi32.dll" | Gobicbgf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmbkfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hhglhi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Faemjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajbmmcii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akpojpic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmjoidf.dll" | Pcfhlh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghfnej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkhkdjli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cejjpn32.dll" | Ljmfdp32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 4796 wrote to memory of 372 | 4796 | NEAS.055abb3b4da1780e637bf46c2aff1a50.exe | 92
PID 4796 wrote to memory of 372 | 4796 | NEAS.055abb3b4da1780e637bf46c2aff1a50.exe | 92
PID 4796 wrote to memory of 372 | 4796 | NEAS.055abb3b4da1780e637bf46c2aff1a50.exe | 92
PID 372 wrote to memory of 4700 | 372 | Hcgjhega.exe | 93
PID 372 wrote to memory of 4700 | 372 | Hcgjhega.exe | 93
PID 372 wrote to memory of 4700 | 372 | Hcgjhega.exe | 93
PID 4700 wrote to memory of 3628 | 4700 | Iepihf32.exe | 94
PID 4700 wrote to memory of 3628 | 4700 | Iepihf32.exe | 94
PID 4700 wrote to memory of 3628 | 4700 | Iepihf32.exe | 94
PID 3628 wrote to memory of 4536 | 3628 | Iqgjmg32.exe | 95
PID 3628 wrote to memory of 4536 | 3628 | Iqgjmg32.exe | 95
PID 3628 wrote to memory of 4536 | 3628 | Iqgjmg32.exe | 95
PID 4536 wrote to memory of 3992 | 4536 | Japmcfcc.exe | 96
PID 4536 wrote to memory of 3992 | 4536 | Japmcfcc.exe | 96
PID 4536 wrote to memory of 3992 | 4536 | Japmcfcc.exe | 96
PID 3992 wrote to memory of 1532 | 3992 | Knifging.exe | 97
PID 3992 wrote to memory of 1532 | 3992 | Knifging.exe | 97
PID 3992 wrote to memory of 1532 | 3992 | Knifging.exe | 97
PID 1532 wrote to memory of 1344 | 1532 | Kmncif32.exe | 98
PID 1532 wrote to memory of 1344 | 1532 | Kmncif32.exe | 98
PID 1532 wrote to memory of 1344 | 1532 | Kmncif32.exe | 98
PID 1344 wrote to memory of 1372 | 1344 | Kjdqhjpf.exe | 99
PID 1344 wrote to memory of 1372 | 1344 | Kjdqhjpf.exe | 99
PID 1344 wrote to memory of 1372 | 1344 | Kjdqhjpf.exe | 99
PID 1372 wrote to memory of 2816 | 1372 | Kfkamk32.exe | 100
PID 1372 wrote to memory of 2816 | 1372 | Kfkamk32.exe | 100
PID 1372 wrote to memory of 2816 | 1372 | Kfkamk32.exe | 100
PID 2816 wrote to memory of 1504 | 2816 | Laeoec32.exe | 101
PID 2816 wrote to memory of 1504 | 2816 | Laeoec32.exe | 101
PID 2816 wrote to memory of 1504 | 2816 | Laeoec32.exe | 101
PID 1504 wrote to memory of 760 | 1504 | Laglkb32.exe | 102
PID 1504 wrote to memory of 760 | 1504 | Laglkb32.exe | 102
PID 1504 wrote to memory of 760 | 1504 | Laglkb32.exe | 102
PID 760 wrote to memory of 2452 | 760 | Mehafq32.exe | 103
PID 760 wrote to memory of 2452 | 760 | Mehafq32.exe | 103
PID 760 wrote to memory of 2452 | 760 | Mehafq32.exe | 103
PID 2452 wrote to memory of 3120 | 2452 | Maoakaip.exe | 104
PID 2452 wrote to memory of 3120 | 2452 | Maoakaip.exe | 104
PID 2452 wrote to memory of 3120 | 2452 | Maoakaip.exe | 104
PID 3120 wrote to memory of 5104 | 3120 | Mdokmm32.exe | 105
PID 3120 wrote to memory of 5104 | 3120 | Mdokmm32.exe | 105
PID 3120 wrote to memory of 5104 | 3120 | Mdokmm32.exe | 105
PID 5104 wrote to memory of 2168 | 5104 | Namnmp32.exe | 106
PID 5104 wrote to memory of 2168 | 5104 | Namnmp32.exe | 106
PID 5104 wrote to memory of 2168 | 5104 | Namnmp32.exe | 106
PID 2168 wrote to memory of 1832 | 2168 | Ngnppfgb.exe | 107
PID 2168 wrote to memory of 1832 | 2168 | Ngnppfgb.exe | 107
PID 2168 wrote to memory of 1832 | 2168 | Ngnppfgb.exe | 107
PID 1832 wrote to memory of 648 | 1832 | Oogdfc32.exe | 108
PID 1832 wrote to memory of 648 | 1832 | Oogdfc32.exe | 108
PID 1832 wrote to memory of 648 | 1832 | Oogdfc32.exe | 108
PID 648 wrote to memory of 3760 | 648 | Pdeffgff.exe | 109
PID 648 wrote to memory of 3760 | 648 | Pdeffgff.exe | 109
PID 648 wrote to memory of 3760 | 648 | Pdeffgff.exe | 109
PID 3760 wrote to memory of 2200 | 3760 | Afkipi32.exe | 110
PID 3760 wrote to memory of 2200 | 3760 | Afkipi32.exe | 110
PID 3760 wrote to memory of 2200 | 3760 | Afkipi32.exe | 110
PID 2200 wrote to memory of 3416 | 2200 | Aofjoo32.exe | 111
PID 2200 wrote to memory of 3416 | 2200 | Aofjoo32.exe | 111
PID 2200 wrote to memory of 3416 | 2200 | Aofjoo32.exe | 111
PID 3416 wrote to memory of 652 | 3416 | Aeeomegd.exe | 112
PID 3416 wrote to memory of 652 | 3416 | Aeeomegd.exe | 112
PID 3416 wrote to memory of 652 | 3416 | Aeeomegd.exe | 112
PID 652 wrote to memory of 4316 | 652 | Bngfli32.exe | 113
Processes
- 1: C:\Users\Admin\AppData\Local\Temp\NEAS.055abb3b4da1780e637bf46c2aff1a50.exe (PID 4796; command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.055abb3b4da1780e637bf46c2aff1a50.exe")
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 2: C:\Windows\SysWOW64\Hcgjhega.exe (PID 372; command line: C:\Windows\system32\Hcgjhega.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 3: C:\Windows\SysWOW64\Iepihf32.exe (PID 4700; command line: C:\Windows\system32\Iepihf32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 4: C:\Windows\SysWOW64\Iqgjmg32.exe (PID 3628; command line: C:\Windows\system32\Iqgjmg32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 5: C:\Windows\SysWOW64\Japmcfcc.exe (PID 4536; command line: C:\Windows\system32\Japmcfcc.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 6: C:\Windows\SysWOW64\Knifging.exe (PID 3992; command line: C:\Windows\system32\Knifging.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 7: C:\Windows\SysWOW64\Kmncif32.exe (PID 1532; command line: C:\Windows\system32\Kmncif32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 8: C:\Windows\SysWOW64\Kjdqhjpf.exe (PID 1344; command line: C:\Windows\system32\Kjdqhjpf.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 9: C:\Windows\SysWOW64\Kfkamk32.exe (PID 1372; command line: C:\Windows\system32\Kfkamk32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 10: C:\Windows\SysWOW64\Laeoec32.exe (PID 2816; command line: C:\Windows\system32\Laeoec32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 11: C:\Windows\SysWOW64\Laglkb32.exe (PID 1504; command line: C:\Windows\system32\Laglkb32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 12: C:\Windows\SysWOW64\Mehafq32.exe (PID 760; command line: C:\Windows\system32\Mehafq32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 13: C:\Windows\SysWOW64\Maoakaip.exe (PID 2452; command line: C:\Windows\system32\Maoakaip.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- 14: C:\Windows\SysWOW64\Mdokmm32.exe (PID 3120; command line: C:\Windows\system32\Mdokmm32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 15: C:\Windows\SysWOW64\Namnmp32.exe (PID 5104; command line: C:\Windows\system32\Namnmp32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 16: C:\Windows\SysWOW64\Ngnppfgb.exe (PID 2168; command line: C:\Windows\system32\Ngnppfgb.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 17: C:\Windows\SysWOW64\Oogdfc32.exe (PID 1832; command line: C:\Windows\system32\Oogdfc32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 18: C:\Windows\SysWOW64\Pdeffgff.exe (PID 648; command line: C:\Windows\system32\Pdeffgff.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 19: C:\Windows\SysWOW64\Afkipi32.exe (PID 3760; command line: C:\Windows\system32\Afkipi32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- 20: C:\Windows\SysWOW64\Aofjoo32.exe (PID 2200; command line: C:\Windows\system32\Aofjoo32.exe)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 21: C:\Windows\SysWOW64\Aeeomegd.exe (PID 3416; command line: C:\Windows\system32\Aeeomegd.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 22: C:\Windows\SysWOW64\Bngfli32.exe (PID 652; command line: C:\Windows\system32\Bngfli32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 23: C:\Windows\SysWOW64\Dijgjpip.exe (PID 4316; command line: C:\Windows\system32\Dijgjpip.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- 24: C:\Windows\SysWOW64\Dhpdkm32.exe (PID 2444; command line: C:\Windows\system32\Dhpdkm32.exe)
  - Executes dropped EXE
- 25: C:\Windows\SysWOW64\Dfcqod32.exe (PID 3764; command line: C:\Windows\system32\Dfcqod32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- 26: C:\Windows\SysWOW64\Dpkehi32.exe (PID 1828; command line: C:\Windows\system32\Dpkehi32.exe)
  - Executes dropped EXE
- 27: C:\Windows\SysWOW64\Ehkcgkdj.exe (PID 1420; command line: C:\Windows\system32\Ehkcgkdj.exe)
  - Executes dropped EXE
- 28: C:\Windows\SysWOW64\Epgdch32.exe (PID 4012; command line: C:\Windows\system32\Epgdch32.exe)
  - Executes dropped EXE
  - Modifies registry class
- 29: C:\Windows\SysWOW64\Efampahd.exe (PID 864; command line: C:\Windows\system32\Efampahd.exe)
  - Executes dropped EXE
- 30: C:\Windows\SysWOW64\Fbjjkble.exe (PID 776; command line: C:\Windows\system32\Fbjjkble.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- 31: C:\Windows\SysWOW64\Fhnichde.exe (PID 3920; command line: C:\Windows\system32\Fhnichde.exe)
  - Executes dropped EXE
- 32: C:\Windows\SysWOW64\Gpjjpe32.exe (PID 4516; command line: C:\Windows\system32\Gpjjpe32.exe)
  - Executes dropped EXE
- 33: C:\Windows\SysWOW64\Hgdlcm32.exe (PID 2380; command line: C:\Windows\system32\Hgdlcm32.exe)
  - Executes dropped EXE
- 34: C:\Windows\SysWOW64\Iqaiga32.exe (PID 3556; command line: C:\Windows\system32\Iqaiga32.exe)
  - Executes dropped EXE
- 35: C:\Windows\SysWOW64\Ijjnpg32.exe (PID 1756; command line: C:\Windows\system32\Ijjnpg32.exe)
  - Executes dropped EXE
- 36: C:\Windows\SysWOW64\Ifqoehhl.exe (PID 1944; command line: C:\Windows\system32\Ifqoehhl.exe)
  - Executes dropped EXE
- 37: C:\Windows\SysWOW64\Jckeokan.exe (PID 2172; command line: C:\Windows\system32\Jckeokan.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- 38: C:\Windows\SysWOW64\Kqdodo32.exe (PID 4668; command line: C:\Windows\system32\Kqdodo32.exe)
  - Executes dropped EXE
- 39: C:\Windows\SysWOW64\Kpilekqj.exe (PID 1652; command line: C:\Windows\system32\Kpilekqj.exe)
  - Executes dropped EXE
- 40: C:\Windows\SysWOW64\Kjopbd32.exe (PID 3848; command line: C:\Windows\system32\Kjopbd32.exe)
  - Executes dropped EXE
- 41: C:\Windows\SysWOW64\Kplijk32.exe (PID 3916; command line: C:\Windows\system32\Kplijk32.exe)
  - Executes dropped EXE
- 42: C:\Windows\SysWOW64\Liifnp32.exe (PID 2192; command line: C:\Windows\system32\Liifnp32.exe)
  - Executes dropped EXE
- 43: C:\Windows\SysWOW64\Lmiljn32.exe (PID 4300; command line: C:\Windows\system32\Lmiljn32.exe)
  - Executes dropped EXE
  - Modifies registry class
- 44: C:\Windows\SysWOW64\Lagepl32.exe (PID 2700; command line: C:\Windows\system32\Lagepl32.exe)
  - Executes dropped EXE
- 45: C:\Windows\SysWOW64\Mhefhf32.exe (PID 4908; command line: C:\Windows\system32\Mhefhf32.exe)
  - Executes dropped EXE
- 46: C:\Windows\SysWOW64\Miipencp.exe (PID 208; command line: C:\Windows\system32\Miipencp.exe)
  - Executes dropped EXE
- 47: C:\Windows\SysWOW64\Mhjpceko.exe (PID 2532; command line: C:\Windows\system32\Mhjpceko.exe)
  - Executes dropped EXE
- 48: C:\Windows\SysWOW64\Mfomda32.exe (PID 4296; command line: C:\Windows\system32\Mfomda32.exe)
  - Executes dropped EXE
- 49: C:\Windows\SysWOW64\Nipffmmg.exe (PID 4776; command line: C:\Windows\system32\Nipffmmg.exe)
  - Executes dropped EXE
- 50: C:\Windows\SysWOW64\Nmnnlk32.exe (PID 1540; command line: C:\Windows\system32\Nmnnlk32.exe)
  - Executes dropped EXE
- 51: C:\Windows\SysWOW64\Nhfoocaa.exe (PID 5080; command line: C:\Windows\system32\Nhfoocaa.exe)
  - Executes dropped EXE
- 52: C:\Windows\SysWOW64\Ogpfko32.exe (PID 2744; command line: C:\Windows\system32\Ogpfko32.exe)
  - Executes dropped EXE
- 53: C:\Windows\SysWOW64\Qdflaa32.exe (PID 3660; command line: C:\Windows\system32\Qdflaa32.exe)
  - Executes dropped EXE
- 54: C:\Windows\SysWOW64\Aklciimh.exe (PID 2236; command line: C:\Windows\system32\Aklciimh.exe)
  - Executes dropped EXE
- 55: C:\Windows\SysWOW64\Bhennm32.exe (PID 1080; command line: C:\Windows\system32\Bhennm32.exe)
  - Executes dropped EXE
- 56: C:\Windows\SysWOW64\Bndblcdq.exe (PID 2316; command line: C:\Windows\system32\Bndblcdq.exe)
  - Executes dropped EXE
- 57: C:\Windows\SysWOW64\Bqdlmo32.exe (PID 4620; command line: C:\Windows\system32\Bqdlmo32.exe)
  - Executes dropped EXE
- 58: C:\Windows\SysWOW64\Cgaqphgl.exe (PID 424; command line: C:\Windows\system32\Cgaqphgl.exe)
  - Executes dropped EXE
- 59: C:\Windows\SysWOW64\Ceeaim32.exe (PID 3972; command line: C:\Windows\system32\Ceeaim32.exe)
  - Executes dropped EXE
- 60: C:\Windows\SysWOW64\Canocm32.exe (PID 4420; command line: C:\Windows\system32\Canocm32.exe)
  - Executes dropped EXE
- 61: C:\Windows\SysWOW64\Dndlba32.exe (PID 3068; command line: C:\Windows\system32\Dndlba32.exe)
  - Executes dropped EXE
- 62: C:\Windows\SysWOW64\Djklgb32.exe (PID 4032; command line: C:\Windows\system32\Djklgb32.exe)
  - Executes dropped EXE
- 63: C:\Windows\SysWOW64\Dilmeida.exe (PID 4652; command line: C:\Windows\system32\Dilmeida.exe)
  - Executes dropped EXE
- 64: C:\Windows\SysWOW64\Dgaiffii.exe (PID 4860; command line: C:\Windows\system32\Dgaiffii.exe)
  - Executes dropped EXE
- 65: C:\Windows\SysWOW64\Dnnoip32.exe (PID 4884; command line: C:\Windows\system32\Dnnoip32.exe)
  - Executes dropped EXE
- 66: C:\Windows\SysWOW64\Elfhmc32.exe (PID 3360; command line: C:\Windows\system32\Elfhmc32.exe)
- 67: C:\Windows\SysWOW64\Eahjqicj.exe (PID 4816; command line: C:\Windows\system32\Eahjqicj.exe)
- 68: C:\Windows\SysWOW64\Fblpflfg.exe (PID 4988; command line: C:\Windows\system32\Fblpflfg.exe)
- 69: C:\Windows\SysWOW64\Flddoa32.exe (PID 4636; command line: C:\Windows\system32\Flddoa32.exe)
- 70: C:\Windows\SysWOW64\Gbhpajlj.exe (PID 444; command line: C:\Windows\system32\Gbhpajlj.exe)
- 71: C:\Windows\SysWOW64\Gekeie32.exe (PID 4136; command line: C:\Windows\system32\Gekeie32.exe)
- 72: C:\Windows\SysWOW64\Hikkdc32.exe (PID 4028; command line: C:\Windows\system32\Hikkdc32.exe)
- 73: C:\Windows\SysWOW64\Hohcmjic.exe (PID 1060; command line: C:\Windows\system32\Hohcmjic.exe)
- 74: C:\Windows\SysWOW64\Himgjbii.exe (PID 1440; command line: C:\Windows\system32\Himgjbii.exe)
- 75: C:\Windows\SysWOW64\Ieiajckh.exe (PID 1112; command line: C:\Windows\system32\Ieiajckh.exe)
- 76: C:\Windows\SysWOW64\Jhcmbm32.exe (PID 764; command line: C:\Windows\system32\Jhcmbm32.exe)
- 77: C:\Windows\SysWOW64\Jchaoe32.exe (PID 2800; command line: C:\Windows\system32\Jchaoe32.exe)
- 78: C:\Windows\SysWOW64\Jjefao32.exe (PID 692; command line: C:\Windows\system32\Jjefao32.exe)
- 79: C:\Windows\SysWOW64\Jjgcgo32.exe (PID 3060; command line: C:\Windows\system32\Jjgcgo32.exe)
  - Modifies registry class
- 80: C:\Windows\SysWOW64\Kkmijf32.exe (PID 900; command line: C:\Windows\system32\Kkmijf32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- 81: C:\Windows\SysWOW64\Kcfnqccd.exe (PID 1888; command line: C:\Windows\system32\Kcfnqccd.exe)
- 82: C:\Windows\SysWOW64\Kblkap32.exe (PID 456; command line: C:\Windows\system32\Kblkap32.exe)
- 83: C:\Windows\SysWOW64\Kkdoje32.exe (PID 3672; command line: C:\Windows\system32\Kkdoje32.exe)
- 84: C:\Windows\SysWOW64\Lfjchn32.exe (PID 1884; command line: C:\Windows\system32\Lfjchn32.exe)
- 85: C:\Windows\SysWOW64\Lbqdmodg.exe (PID 4160; command line: C:\Windows\system32\Lbqdmodg.exe)
- 86: C:\Windows\SysWOW64\Lfnmcnjn.exe (PID 2464; command line: C:\Windows\system32\Lfnmcnjn.exe)
- 87: C:\Windows\SysWOW64\Lkkekdhe.exe (PID 4900; command line: C:\Windows\system32\Lkkekdhe.exe)
- 88: C:\Windows\SysWOW64\Mbjgcnll.exe (PID 5156; command line: C:\Windows\system32\Mbjgcnll.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- 89: C:\Windows\SysWOW64\Mfhpilbc.exe (PID 5252; command line: C:\Windows\system32\Mfhpilbc.exe)
- 90: C:\Windows\SysWOW64\Mimbfg32.exe (PID 5292; command line: C:\Windows\system32\Mimbfg32.exe)
- 91: C:\Windows\SysWOW64\Ncbfcp32.exe (PID 5340; command line: C:\Windows\system32\Ncbfcp32.exe)
  - Modifies registry class
- 92: C:\Windows\SysWOW64\Nipokfil.exe (PID 5396; command line: C:\Windows\system32\Nipokfil.exe)
- 93: C:\Windows\SysWOW64\Nmpdgdmp.exe (PID 5436; command line: C:\Windows\system32\Nmpdgdmp.exe)
- 94: C:\Windows\SysWOW64\Ndjldo32.exe (PID 5480; command line: C:\Windows\system32\Ndjldo32.exe)
  - Modifies registry class
- 95: C:\Windows\SysWOW64\Nmbamdkm.exe (PID 5556; command line: C:\Windows\system32\Nmbamdkm.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- 96: C:\Windows\SysWOW64\Olqqdo32.exe (PID 5600; command line: C:\Windows\system32\Olqqdo32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- 97: C:\Windows\SysWOW64\Pidamcgd.exe (PID 5636; command line: C:\Windows\system32\Pidamcgd.exe)
- 98: C:\Windows\SysWOW64\Pbmffi32.exe (PID 5688; command line: C:\Windows\system32\Pbmffi32.exe)
- 99: C:\Windows\SysWOW64\Pignccea.exe (PID 5724; command line: C:\Windows\system32\Pignccea.exe)
- 100: C:\Windows\SysWOW64\Ppafpm32.exe (PID 5772; command line: C:\Windows\system32\Ppafpm32.exe)
- 101: C:\Windows\SysWOW64\Pgknlg32.exe (PID 5816; command line: C:\Windows\system32\Pgknlg32.exe)
  - Drops file in System32 directory
- 102: C:\Windows\SysWOW64\Pmefiakh.exe (PID 5868; command line: C:\Windows\system32\Pmefiakh.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- 103: C:\Windows\SysWOW64\Pllppnnm.exe (PID 5912; command line: C:\Windows\system32\Pllppnnm.exe)
- 104: C:\Windows\SysWOW64\Pcfhlh32.exe (PID 5956; command line: C:\Windows\system32\Pcfhlh32.exe)
  - Modifies registry class
- 105: C:\Windows\SysWOW64\Qipqibmf.exe (PID 5992; command line: C:\Windows\system32\Qipqibmf.exe)
- 106: C:\Windows\SysWOW64\Qdfefkll.exe (PID 6044; command line: C:\Windows\system32\Qdfefkll.exe)
- 107: C:\Windows\SysWOW64\Admkgifd.exe (PID 6088; command line: C:\Windows\system32\Admkgifd.exe)
- 108: C:\Windows\SysWOW64\Aphegjhc.exe (PID 6136; command line: C:\Windows\system32\Aphegjhc.exe)
  - Drops file in System32 directory
- 109: C:\Windows\SysWOW64\Bnobfn32.exe (PID 5196; command line: C:\Windows\system32\Bnobfn32.exe)
- 110: C:\Windows\SysWOW64\Bdhkchlg.exe (PID 5424; command line: C:\Windows\system32\Bdhkchlg.exe)
- 111: C:\Windows\SysWOW64\Cjlilndf.exe (PID 5580; command line: C:\Windows\system32\Cjlilndf.exe)
- 112: C:\Windows\SysWOW64\Cmblhh32.exe (PID 5656; command line: C:\Windows\system32\Cmblhh32.exe)
- 113: C:\Windows\SysWOW64\Cggpfa32.exe (PID 5756; command line: C:\Windows\system32\Cggpfa32.exe)
  - Modifies registry class
- 114: C:\Windows\SysWOW64\Dqgjoenq.exe (PID 5852; command line: C:\Windows\system32\Dqgjoenq.exe)
- 115: C:\Windows\SysWOW64\Eanqpdgi.exe (PID 1032; command line: C:\Windows\system32\Eanqpdgi.exe)
- 116: C:\Windows\SysWOW64\Ejfeij32.exe (PID 6004; command line: C:\Windows\system32\Ejfeij32.exe)
- 117: C:\Windows\SysWOW64\Eelifc32.exe (PID 6084; command line: C:\Windows\system32\Eelifc32.exe)
- 118: C:\Windows\SysWOW64\Emlgedge.exe (PID 6116; command line: C:\Windows\system32\Emlgedge.exe)
- 119: C:\Windows\SysWOW64\Febogbhg.exe (PID 5264; command line: C:\Windows\system32\Febogbhg.exe)
- 120: C:\Windows\SysWOW64\Fmndkd32.exe (PID 5444; command line: C:\Windows\system32\Fmndkd32.exe)
- 121: C:\Windows\SysWOW64\Flaaok32.exe (PID 5564; command line: C:\Windows\system32\Flaaok32.exe)
- 122: C:\Windows\SysWOW64\Fmejlcoj.exe (PID 5904; command line: C:\Windows\system32\Fmejlcoj.exe)