Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
22/10/2023, 17:28
Behavioral task
behavioral1
Sample
NEAS.ce20937294cc8a8b748d6a8fca63e540.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.ce20937294cc8a8b748d6a8fca63e540.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.ce20937294cc8a8b748d6a8fca63e540.exe
-
Size
366KB
-
MD5
ce20937294cc8a8b748d6a8fca63e540
-
SHA1
138b4bf4071e5a49a544f48111e7fba6f8cbf36d
-
SHA256
92f440a98803d46f8dd26cb8a0db58b91d4f3d8454c5b67ce4eb2eac5853a523
-
SHA512
729313e1176496ceb9d418764c34b857ef28c2e45045202d914219561d3dea941efe3686ceef3328ccc24f2805e1c08c320696909345694eec7bf00509229522
-
SSDEEP
6144:g8i6++52tyzaVFqHTCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWD2/:xiWaVwHxFHRFbe7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnjecfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmodffo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcimdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfolacnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bihhhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qacameaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebdcld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbpaipl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Affikdfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnmeodjc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aopemh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondljl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbjddh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgibkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijdjfdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqhfoebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cplckbmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciiaogon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Addaif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfjeckpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qamago32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijpepcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonlfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqmhqapg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kejloi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ochamg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehlcikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moipoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clijablo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peahgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbpmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqafhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqdpgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnphoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qikbaaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdpad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblimcdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkepineo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qclmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peahgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmhaold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcikejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkdcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcgcqab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odljjo32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/844-0-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/memory/844-1-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x000300000001e83e-7.dat family_berbew behavioral2/files/0x000300000001e83e-8.dat family_berbew behavioral2/memory/4768-13-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022d97-15.dat family_berbew behavioral2/memory/4968-21-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022d9d-23.dat family_berbew behavioral2/memory/3116-25-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022d9d-24.dat family_berbew behavioral2/files/0x0007000000022da3-32.dat family_berbew behavioral2/files/0x0007000000022da3-31.dat family_berbew behavioral2/memory/4856-37-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0007000000022d97-16.dat family_berbew behavioral2/files/0x0009000000022dbc-39.dat family_berbew behavioral2/memory/1328-41-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0009000000022dbc-40.dat family_berbew behavioral2/files/0x0008000000022e69-47.dat family_berbew behavioral2/memory/1160-48-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0008000000022e69-49.dat family_berbew behavioral2/files/0x0007000000022e7d-55.dat family_berbew behavioral2/files/0x0007000000022e7d-57.dat family_berbew behavioral2/memory/1612-56-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e8f-63.dat family_berbew behavioral2/files/0x0006000000022e8f-65.dat family_berbew behavioral2/memory/844-64-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/memory/5096-71-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e91-73.dat family_berbew behavioral2/memory/3724-74-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e93-81.dat family_berbew behavioral2/memory/3228-82-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e95-89.dat family_berbew behavioral2/files/0x0006000000022e97-97.dat family_berbew behavioral2/memory/900-98-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e99-104.dat family_berbew behavioral2/memory/1804-106-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e99-105.dat family_berbew behavioral2/files/0x0006000000022e97-96.dat family_berbew behavioral2/memory/4840-94-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e95-88.dat family_berbew behavioral2/files/0x0006000000022e93-80.dat family_berbew behavioral2/files/0x0006000000022e91-72.dat family_berbew behavioral2/memory/1284-113-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e9b-114.dat family_berbew behavioral2/files/0x0006000000022e9b-112.dat family_berbew behavioral2/files/0x0006000000022e9d-121.dat family_berbew behavioral2/files/0x0006000000022e9d-120.dat family_berbew behavioral2/memory/4752-122-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e9f-128.dat family_berbew behavioral2/memory/2820-129-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022e9f-130.dat family_berbew behavioral2/files/0x0006000000022ea1-136.dat family_berbew behavioral2/memory/2232-138-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022ea1-137.dat family_berbew behavioral2/files/0x0006000000022ea3-145.dat family_berbew behavioral2/memory/3452-146-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022ea3-144.dat family_berbew behavioral2/files/0x0006000000022ea5-152.dat family_berbew behavioral2/files/0x0006000000022ea5-154.dat family_berbew behavioral2/memory/3920-153-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022ea7-160.dat family_berbew behavioral2/memory/1044-161-0x0000000000400000-0x0000000000442000-memory.dmp family_berbew behavioral2/files/0x0006000000022ea7-162.dat family_berbew behavioral2/files/0x0006000000022ea9-168.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4768 Gpcfmkff.exe 4968 Gmggfp32.exe 3116 Gfokoelp.exe 4856 Gbfldf32.exe 1328 Hpjmnjqn.exe 1160 Hgfapd32.exe 1612 Lnadagbm.exe 5096 Ljhefhha.exe 3724 Mkhapk32.exe 3228 Mepfiq32.exe 4840 Mjmoag32.exe 900 Mkmkkjko.exe 1804 Mchppmij.exe 1284 Malpia32.exe 4752 Nmenca32.exe 2820 Njinmf32.exe 2232 Nmigoagp.exe 3452 Nmlddqem.exe 3920 Nhahaiec.exe 1044 Oloahhki.exe 3628 Ohhnbhok.exe 4180 Ohkkhhmh.exe 2388 Oacoqnci.exe 3328 Olicnfco.exe 1892 Peahgl32.exe 4220 Phaahggp.exe 3324 Pefabkej.exe 2164 Pejkmk32.exe 2816 Pldcjeia.exe 408 Qhkdof32.exe 4776 Addaif32.exe 4952 Adfnofpd.exe 2764 Ahdged32.exe 2448 Aamknj32.exe 3076 Akepfpcl.exe 2172 Adndoe32.exe 3236 Bemqih32.exe 2188 Bnhenj32.exe 3752 Bhnikc32.exe 2688 Bebjdgmj.exe 2588 Bkobmnka.exe 2888 Bhbcfbjk.exe 4736 Bnoknihb.exe 3608 Bheplb32.exe 676 Camddhoi.exe 2496 Ckeimm32.exe 3984 Cdnmfclj.exe 3812 Cbbnpg32.exe 1240 Cnindhpg.exe 1112 Cohkokgj.exe 1280 Cfbcke32.exe 5020 Dokgdkeh.exe 4208 Dfdpad32.exe 4164 Dkahilkl.exe 744 Dheibpje.exe 456 Dbnmke32.exe 3444 Dkfadkgf.exe 1152 Dflfac32.exe 644 Dodjjimm.exe 4412 Emhkdmlg.exe 2280 Ebdcld32.exe 4620 Eecphp32.exe 2468 Efblbbqd.exe 4940 Emmdom32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Blnjecfl.exe Bedbhi32.exe File created C:\Windows\SysWOW64\Mfgdjh32.dll Nhahaiec.exe File created C:\Windows\SysWOW64\Ohhnbhok.exe Oloahhki.exe File opened for modification C:\Windows\SysWOW64\Pldcjeia.exe Pejkmk32.exe File created C:\Windows\SysWOW64\Opjghl32.dll Akblfj32.exe File created C:\Windows\SysWOW64\Goniok32.dll Iefphb32.exe File opened for modification C:\Windows\SysWOW64\Johggfha.exe Jhnojl32.exe File created C:\Windows\SysWOW64\Edommp32.dll Efblbbqd.exe File created C:\Windows\SysWOW64\Hkhcdb32.dll Hajkqfoe.exe File created C:\Windows\SysWOW64\Elkodmbe.dll Dgdncplk.exe File opened for modification C:\Windows\SysWOW64\Dpjompqc.exe Dedkogqm.exe File created C:\Windows\SysWOW64\Hkpnbd32.dll Addaif32.exe File opened for modification C:\Windows\SysWOW64\Bnoknihb.exe Bhbcfbjk.exe File opened for modification C:\Windows\SysWOW64\Iolhkh32.exe Ihbponja.exe File opened for modification C:\Windows\SysWOW64\Jifecp32.exe Jblmgf32.exe File created C:\Windows\SysWOW64\Damlpgkc.dll Nfgklkoc.exe File created C:\Windows\SysWOW64\Obqanjdb.exe Omdieb32.exe File opened for modification C:\Windows\SysWOW64\Dgdncplk.exe Dahfkimd.exe File opened for modification C:\Windows\SysWOW64\Gjkbnfha.exe Gcqjal32.exe File opened for modification C:\Windows\SysWOW64\Dlqpaafg.exe Dgdgijhp.exe File opened for modification C:\Windows\SysWOW64\Hebcao32.exe Hjmodffo.exe File created C:\Windows\SysWOW64\Abjfqpji.exe Pofhbgmn.exe File created C:\Windows\SysWOW64\Fechok32.dll Oacoqnci.exe File created C:\Windows\SysWOW64\Oclknk32.dll Fefedmil.exe File created C:\Windows\SysWOW64\Lfeljd32.exe Lokdnjkg.exe File created C:\Windows\SysWOW64\Bogkmgba.exe Bhmbqm32.exe File created C:\Windows\SysWOW64\Anhaoj32.dll Fbplml32.exe File opened for modification C:\Windows\SysWOW64\Inebjihf.exe Hnbeeiji.exe File created C:\Windows\SysWOW64\Qhfaig32.dll Beoimjce.exe File created C:\Windows\SysWOW64\Ochamg32.exe Ohcmpn32.exe File opened for modification C:\Windows\SysWOW64\Lfeljd32.exe Lokdnjkg.exe File created C:\Windows\SysWOW64\Hnekbm32.dll Llnnmhfe.exe File created C:\Windows\SysWOW64\Mdcajc32.dll Mqhfoebo.exe File created C:\Windows\SysWOW64\Apeknk32.exe Qikbaaml.exe File created C:\Windows\SysWOW64\Egnajocq.exe Epdime32.exe File created C:\Windows\SysWOW64\Hnmeodjc.exe Hgcmbj32.exe File opened for modification C:\Windows\SysWOW64\Jllhpkfk.exe Jeapcq32.exe File opened for modification C:\Windows\SysWOW64\Bpcgpihi.exe Biiobo32.exe File created C:\Windows\SysWOW64\Ijmhkchl.exe Hegmlnbp.exe File created C:\Windows\SysWOW64\Nmpgal32.dll Hpjmnjqn.exe File created C:\Windows\SysWOW64\Gcgplk32.dll Amlogfel.exe File opened for modification C:\Windows\SysWOW64\Hpioin32.exe Hahokfag.exe File opened for modification C:\Windows\SysWOW64\Adfnofpd.exe Addaif32.exe File created C:\Windows\SysWOW64\Kcpjnjii.exe Klfaapbl.exe File created C:\Windows\SysWOW64\Bfnikd32.dll Lokdnjkg.exe File opened for modification C:\Windows\SysWOW64\Ihbponja.exe Iojkeh32.exe File created C:\Windows\SysWOW64\Iponmakp.dll Bfaigclq.exe File created C:\Windows\SysWOW64\Pigbqakg.dll Eblimcdf.exe File created C:\Windows\SysWOW64\Edqnimdf.dll Jnlkedai.exe File created C:\Windows\SysWOW64\Hegmlnbp.exe Hnmeodjc.exe File created C:\Windows\SysWOW64\Oenlmopg.dll Odljjo32.exe File created C:\Windows\SysWOW64\Bihhhi32.exe Bboplo32.exe File created C:\Windows\SysWOW64\Bedbhi32.exe Bpgjpb32.exe File opened for modification C:\Windows\SysWOW64\Bhbcfbjk.exe Bkobmnka.exe File created C:\Windows\SysWOW64\Bcjfln32.dll Mfqlfb32.exe File created C:\Windows\SysWOW64\Kpibgp32.dll Ofhknodl.exe File created C:\Windows\SysWOW64\Dqbcbkab.exe Dhgonidg.exe File created C:\Windows\SysWOW64\Iefphb32.exe Iolhkh32.exe File created C:\Windows\SysWOW64\Hagapc32.dll Gcqjal32.exe File created C:\Windows\SysWOW64\Badjai32.dll Eqdpgk32.exe File created C:\Windows\SysWOW64\Mfenglqf.exe Mqhfoebo.exe File opened for modification C:\Windows\SysWOW64\Mjmoag32.exe Mepfiq32.exe File created C:\Windows\SysWOW64\Ihbjebjh.dll Pejkmk32.exe File created C:\Windows\SysWOW64\Mbbiec32.dll Ahdged32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9792 980 WerFault.exe 500 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdlfjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekmfnbj.dll" Bpcgpihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncjdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onapdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkgeainn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlifnphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnadagbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfjfecno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgdgijhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll" Oghghb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkeajoj.dll" Mqimikfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjdpelnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geanfelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll" Jadgnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdnelpod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpimlfke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hejqldci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll" Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qikbaaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdpagc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncmaai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpemkcck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqafhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clijablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgihop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgbpaipl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lancko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlcidopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bboplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcqjal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dakikoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjonchmn.dll" Nlqloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeoha32.dll" Bfoegm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flpmagqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefmmcgh.dll" Ocgkan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbnlim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkepineo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqimikfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debcil32.dll" Nmaciefp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmphaaln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caqpkjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddklbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpnbd32.dll" Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iolhkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgnffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lancko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gndbie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll" Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll" Akpoaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpioin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Podkmgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohofdmkm.dll" Eppjfgcp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 844 wrote to memory of 4768 844 NEAS.ce20937294cc8a8b748d6a8fca63e540.exe 86 PID 844 wrote to memory of 4768 844 NEAS.ce20937294cc8a8b748d6a8fca63e540.exe 86 PID 844 wrote to memory of 4768 844 NEAS.ce20937294cc8a8b748d6a8fca63e540.exe 86 PID 4768 wrote to memory of 4968 4768 Gpcfmkff.exe 88 PID 4768 wrote to memory of 4968 4768 Gpcfmkff.exe 88 PID 4768 wrote to memory of 4968 4768 Gpcfmkff.exe 88 PID 4968 wrote to memory of 3116 4968 Gmggfp32.exe 87 PID 4968 wrote to memory of 3116 4968 Gmggfp32.exe 87 PID 4968 wrote to memory of 3116 4968 Gmggfp32.exe 87 PID 3116 wrote to memory of 4856 3116 Gfokoelp.exe 89 PID 3116 wrote to memory of 4856 3116 Gfokoelp.exe 89 PID 3116 wrote to memory of 4856 3116 Gfokoelp.exe 89 PID 4856 wrote to memory of 1328 4856 Gbfldf32.exe 90 PID 4856 wrote to memory of 1328 4856 Gbfldf32.exe 90 PID 4856 wrote to memory of 1328 4856 Gbfldf32.exe 90 PID 1328 wrote to memory of 1160 1328 Hpjmnjqn.exe 92 PID 1328 wrote to memory of 1160 1328 Hpjmnjqn.exe 92 PID 1328 wrote to memory of 1160 1328 Hpjmnjqn.exe 92 PID 1160 wrote to memory of 1612 1160 Hgfapd32.exe 93 PID 1160 wrote to memory of 1612 1160 Hgfapd32.exe 93 PID 1160 wrote to memory of 1612 1160 Hgfapd32.exe 93 PID 1612 wrote to memory of 5096 1612 Lnadagbm.exe 94 PID 1612 wrote to memory of 5096 1612 Lnadagbm.exe 94 PID 1612 wrote to memory of 5096 1612 Lnadagbm.exe 94 PID 5096 wrote to memory of 3724 5096 Ljhefhha.exe 95 PID 5096 wrote to memory of 3724 5096 Ljhefhha.exe 95 PID 5096 wrote to memory of 3724 5096 Ljhefhha.exe 95 PID 3724 wrote to memory of 3228 3724 Mkhapk32.exe 96 PID 3724 wrote to memory of 3228 3724 Mkhapk32.exe 96 PID 3724 wrote to memory of 3228 3724 Mkhapk32.exe 96 PID 3228 wrote to memory of 4840 3228 Mepfiq32.exe 100 PID 3228 wrote to memory of 4840 3228 Mepfiq32.exe 100 PID 3228 wrote to memory of 4840 3228 Mepfiq32.exe 100 PID 4840 wrote to memory of 900 4840 Mjmoag32.exe 97 PID 4840 wrote to memory of 900 4840 Mjmoag32.exe 97 PID 4840 wrote to memory of 900 4840 Mjmoag32.exe 97 PID 900 wrote to memory of 1804 900 Mkmkkjko.exe 98 PID 900 wrote to memory of 1804 900 Mkmkkjko.exe 98 PID 900 wrote to memory of 1804 900 Mkmkkjko.exe 98 PID 1804 wrote to memory of 1284 1804 Mchppmij.exe 99 PID 1804 wrote to memory of 1284 1804 Mchppmij.exe 99 PID 1804 wrote to memory of 1284 1804 Mchppmij.exe 99 PID 1284 wrote to memory of 4752 1284 Malpia32.exe 101 PID 1284 wrote to memory of 4752 1284 Malpia32.exe 101 PID 1284 wrote to memory of 4752 1284 Malpia32.exe 101 PID 4752 wrote to memory of 2820 4752 Nmenca32.exe 102 PID 4752 wrote to memory of 2820 4752 Nmenca32.exe 102 PID 4752 wrote to memory of 2820 4752 Nmenca32.exe 102 PID 2820 wrote to memory of 2232 2820 Njinmf32.exe 103 PID 2820 wrote to memory of 2232 2820 Njinmf32.exe 103 PID 2820 wrote to memory of 2232 2820 Njinmf32.exe 103 PID 2232 wrote to memory of 3452 2232 Nmigoagp.exe 104 PID 2232 wrote to memory of 3452 2232 Nmigoagp.exe 104 PID 2232 wrote to memory of 3452 2232 Nmigoagp.exe 104 PID 3452 wrote to memory of 3920 3452 Nmlddqem.exe 105 PID 3452 wrote to memory of 3920 3452 Nmlddqem.exe 105 PID 3452 wrote to memory of 3920 3452 Nmlddqem.exe 105 PID 3920 wrote to memory of 1044 3920 Nhahaiec.exe 106 PID 3920 wrote to memory of 1044 3920 Nhahaiec.exe 106 PID 3920 wrote to memory of 1044 3920 Nhahaiec.exe 106 PID 1044 wrote to memory of 3628 1044 Oloahhki.exe 107 PID 1044 wrote to memory of 3628 1044 Oloahhki.exe 107 PID 1044 wrote to memory of 3628 1044 Oloahhki.exe 107 PID 3628 wrote to memory of 4180 3628 Ohhnbhok.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ce20937294cc8a8b748d6a8fca63e540.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ce20937294cc8a8b748d6a8fca63e540.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968
-
-
-
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Mjmoag32.exeC:\Windows\system32\Mjmoag32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Nhahaiec.exeC:\Windows\system32\Nhahaiec.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe11⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe13⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe15⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe16⤵
- Executes dropped EXE
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe18⤵
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Qhkdof32.exeC:\Windows\system32\Qhkdof32.exe19⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4776 -
C:\Windows\SysWOW64\Adfnofpd.exeC:\Windows\system32\Adfnofpd.exe21⤵
- Executes dropped EXE
- Modifies registry class
PID:4952 -
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe23⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Akepfpcl.exeC:\Windows\system32\Akepfpcl.exe24⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Adndoe32.exeC:\Windows\system32\Adndoe32.exe25⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe26⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe28⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe29⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe33⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe34⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Ckeimm32.exeC:\Windows\system32\Ckeimm32.exe35⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe36⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Cbbnpg32.exeC:\Windows\system32\Cbbnpg32.exe37⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe38⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe39⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Cfbcke32.exeC:\Windows\system32\Cfbcke32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Dokgdkeh.exeC:\Windows\system32\Dokgdkeh.exe41⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe43⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe44⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe45⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Dkfadkgf.exeC:\Windows\system32\Dkfadkgf.exe46⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe48⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe49⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe51⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe53⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe54⤵PID:4980
-
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe55⤵PID:4964
-
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe57⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Fihnomjp.exeC:\Windows\system32\Fihnomjp.exe58⤵PID:4540
-
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe59⤵PID:4140
-
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe60⤵PID:1860
-
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3088 -
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe62⤵PID:3928
-
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe63⤵PID:3476
-
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe64⤵
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Fefedmil.exeC:\Windows\system32\Fefedmil.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3768 -
C:\Windows\SysWOW64\Flpmagqi.exeC:\Windows\system32\Flpmagqi.exe66⤵
- Modifies registry class
PID:3716 -
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe67⤵PID:2544
-
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe68⤵PID:2116
-
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe69⤵PID:1072
-
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe70⤵PID:3304
-
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4224 -
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe72⤵PID:1372
-
C:\Windows\SysWOW64\Goglcahb.exeC:\Windows\system32\Goglcahb.exe73⤵PID:1476
-
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe74⤵PID:4764
-
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe75⤵PID:3908
-
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe76⤵PID:4120
-
C:\Windows\SysWOW64\Jnlkedai.exeC:\Windows\system32\Jnlkedai.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:4476 -
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe78⤵
- Drops file in System32 directory
PID:4408 -
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe79⤵PID:2992
-
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe80⤵PID:4672
-
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe81⤵PID:3940
-
C:\Windows\SysWOW64\Kfpcoefj.exeC:\Windows\system32\Kfpcoefj.exe82⤵PID:1132
-
C:\Windows\SysWOW64\Lcdciiec.exeC:\Windows\system32\Lcdciiec.exe83⤵PID:4568
-
C:\Windows\SysWOW64\Llmhaold.exeC:\Windows\system32\Llmhaold.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:576 -
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe85⤵
- Drops file in System32 directory
PID:3260 -
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe86⤵PID:1916
-
C:\Windows\SysWOW64\Llodgnja.exeC:\Windows\system32\Llodgnja.exe87⤵PID:3388
-
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe89⤵PID:2208
-
C:\Windows\SysWOW64\Lqmmmmph.exeC:\Windows\system32\Lqmmmmph.exe90⤵PID:4276
-
C:\Windows\SysWOW64\Lfjfecno.exeC:\Windows\system32\Lfjfecno.exe91⤵
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe92⤵PID:2500
-
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe93⤵PID:5128
-
C:\Windows\SysWOW64\Mqafhl32.exeC:\Windows\system32\Mqafhl32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Mgloefco.exeC:\Windows\system32\Mgloefco.exe95⤵PID:5216
-
C:\Windows\SysWOW64\Mjjkaabc.exeC:\Windows\system32\Mjjkaabc.exe96⤵
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe97⤵PID:5304
-
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:5340 -
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5392 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436 -
C:\Windows\SysWOW64\Mfchlbfd.exeC:\Windows\system32\Mfchlbfd.exe101⤵PID:5480
-
C:\Windows\SysWOW64\Mqimikfj.exeC:\Windows\system32\Mqimikfj.exe102⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Mgbefe32.exeC:\Windows\system32\Mgbefe32.exe103⤵PID:5576
-
C:\Windows\SysWOW64\Mqkiok32.exeC:\Windows\system32\Mqkiok32.exe104⤵PID:5616
-
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe105⤵PID:5656
-
C:\Windows\SysWOW64\Mjcngpjh.exeC:\Windows\system32\Mjcngpjh.exe106⤵PID:5700
-
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe107⤵PID:5748
-
C:\Windows\SysWOW64\Nfjola32.exeC:\Windows\system32\Nfjola32.exe108⤵PID:5792
-
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe109⤵PID:5836
-
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5880 -
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe111⤵PID:5924
-
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe112⤵PID:5968
-
C:\Windows\SysWOW64\Ncchae32.exeC:\Windows\system32\Ncchae32.exe113⤵PID:6008
-
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe114⤵PID:6056
-
C:\Windows\SysWOW64\Ngqagcag.exeC:\Windows\system32\Ngqagcag.exe115⤵PID:6096
-
C:\Windows\SysWOW64\Ocgbld32.exeC:\Windows\system32\Ocgbld32.exe116⤵PID:6136
-
C:\Windows\SysWOW64\Ojajin32.exeC:\Windows\system32\Ojajin32.exe117⤵PID:5144
-
C:\Windows\SysWOW64\Opnbae32.exeC:\Windows\system32\Opnbae32.exe118⤵PID:5212
-
C:\Windows\SysWOW64\Ofhknodl.exeC:\Windows\system32\Ofhknodl.exe119⤵
- Drops file in System32 directory
PID:5288 -
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe120⤵PID:5352
-
C:\Windows\SysWOW64\Oghghb32.exeC:\Windows\system32\Oghghb32.exe121⤵
- Modifies registry class
PID:5412
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-