Analysis
- max time kernel: 152s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/10/2023, 17:30
Behavioral task behavioral1
- Sample: NEAS.dc22005773f7f1d76889c8feaa12e640.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: NEAS.dc22005773f7f1d76889c8feaa12e640.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.dc22005773f7f1d76889c8feaa12e640.exe
- Size: 367KB
- MD5: dc22005773f7f1d76889c8feaa12e640
- SHA1: 8090b13655e793e2c50643302b6b53b55a144ae5
- SHA256: 70e3a42b169567f098f37726468261b37a3203cb335b77939df28c6ac1c9c653
- SHA512: d2b2bed0ed76ee081d0d5b8b8c65834e6b63185875e4a617667a8de4b1d3c397df6a8fd8202fc202fcd1e52f2a0a97bdc82cfc1dfab725468df655029e218849
- SSDEEP: 6144:8chgSAJ6YwtnJfKXqPTX7D7FM6234lKm3mo8Yvi4KsLTFM6234lKm3cM9:8chgSfFtJCXqP77D7FB24lwR45FB24lX
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor: Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.dc22005773f7f1d76889c8feaa12e640.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.dc22005773f7f1d76889c8feaa12e640.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Lqmmmmph.exeC:\Windows\system32\Lqmmmmph.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Palklf32.exeC:\Windows\system32\Palklf32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Coqncejg.exeC:\Windows\system32\Coqncejg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Jaajhb32.exeC:\Windows\system32\Jaajhb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Jpbjfjci.exeC:\Windows\system32\Jpbjfjci.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420
C:\Windows\SysWOW64\Jbagbebm.exeC:\Windows\system32\Jbagbebm.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Jhnojl32.exeC:\Windows\system32\Jhnojl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Jimldogg.exeC:\Windows\system32\Jimldogg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Kabcopmg.exeC:\Windows\system32\Kabcopmg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Bpqjjjjl.exeC:\Windows\system32\Bpqjjjjl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe9⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe10⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe12⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Gbpnjdkg.exeC:\Windows\system32\Gbpnjdkg.exe13⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Hepgkohh.exeC:\Windows\system32\Hepgkohh.exe14⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Hcedmkmp.exeC:\Windows\system32\Hcedmkmp.exe15⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Ilhkigcd.exeC:\Windows\system32\Ilhkigcd.exe16⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe17⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Ibgmaqfl.exeC:\Windows\system32\Ibgmaqfl.exe18⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Iloajfml.exeC:\Windows\system32\Iloajfml.exe19⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Jdalog32.exeC:\Windows\system32\Jdalog32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:496 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe21⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Jhoeef32.exeC:\Windows\system32\Jhoeef32.exe22⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Jjnaaa32.exeC:\Windows\system32\Jjnaaa32.exe23⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Kbeibo32.exeC:\Windows\system32\Kbeibo32.exe24⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe25⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe26⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe27⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Dcmedk32.exeC:\Windows\system32\Dcmedk32.exe29⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Dmbiackg.exeC:\Windows\system32\Dmbiackg.exe30⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Epcbbohh.exeC:\Windows\system32\Epcbbohh.exe31⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe32⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe33⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3700 -
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe35⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Ecidpiad.exeC:\Windows\system32\Ecidpiad.exe36⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Flaiho32.exeC:\Windows\system32\Flaiho32.exe37⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe38⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Fpoaom32.exeC:\Windows\system32\Fpoaom32.exe39⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Fncbha32.exeC:\Windows\system32\Fncbha32.exe40⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Fcpkph32.exeC:\Windows\system32\Fcpkph32.exe41⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Flhoinbl.exeC:\Windows\system32\Flhoinbl.exe42⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Fjlpbb32.exeC:\Windows\system32\Fjlpbb32.exe43⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ffcpgcfj.exeC:\Windows\system32\Ffcpgcfj.exe44⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\Gnlenp32.exeC:\Windows\system32\Gnlenp32.exe46⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Gqmnpk32.exeC:\Windows\system32\Gqmnpk32.exe47⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe48⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe49⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe50⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Gcpcgfmi.exeC:\Windows\system32\Gcpcgfmi.exe51⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe52⤵
- Drops file in System32 directory
PID:3256 -
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe53⤵PID:1168
-
C:\Windows\SysWOW64\Hmkeekag.exeC:\Windows\system32\Hmkeekag.exe54⤵PID:3540
-
C:\Windows\SysWOW64\Hgpibdam.exeC:\Windows\system32\Hgpibdam.exe55⤵
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Hnjaonij.exeC:\Windows\system32\Hnjaonij.exe56⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Hgbfhc32.exeC:\Windows\system32\Hgbfhc32.exe57⤵
- Drops file in System32 directory
PID:3576 -
C:\Windows\SysWOW64\Hdffah32.exeC:\Windows\system32\Hdffah32.exe58⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Hfhbipdb.exeC:\Windows\system32\Hfhbipdb.exe59⤵PID:1592
-
C:\Windows\SysWOW64\Hnokjm32.exeC:\Windows\system32\Hnokjm32.exe60⤵PID:4644
-
C:\Windows\SysWOW64\Ijfkpnji.exeC:\Windows\system32\Ijfkpnji.exe61⤵PID:4452
-
C:\Windows\SysWOW64\Idkpmgjo.exeC:\Windows\system32\Idkpmgjo.exe62⤵
- Drops file in System32 directory
- Modifies registry class
PID:3752 -
C:\Windows\SysWOW64\Ifmldo32.exeC:\Windows\system32\Ifmldo32.exe63⤵PID:1368
-
C:\Windows\SysWOW64\Imfdaigj.exeC:\Windows\system32\Imfdaigj.exe64⤵PID:888
-
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe65⤵PID:1404
-
C:\Windows\SysWOW64\Infqklol.exeC:\Windows\system32\Infqklol.exe66⤵PID:4788
-
C:\Windows\SysWOW64\Igneda32.exeC:\Windows\system32\Igneda32.exe67⤵PID:228
-
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe68⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Igqbiacj.exeC:\Windows\system32\Igqbiacj.exe69⤵PID:840
-
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe70⤵PID:2040
-
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe71⤵PID:5164
-
C:\Windows\SysWOW64\Jjakkmpk.exeC:\Windows\system32\Jjakkmpk.exe72⤵PID:5204
-
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5244 -
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe74⤵PID:5284
-
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe75⤵PID:5328
-
C:\Windows\SysWOW64\Jeilne32.exeC:\Windows\system32\Jeilne32.exe76⤵PID:5372
-
C:\Windows\SysWOW64\Jghhjq32.exeC:\Windows\system32\Jghhjq32.exe77⤵PID:5416
-
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe78⤵PID:5456
-
C:\Windows\SysWOW64\Jelhcd32.exeC:\Windows\system32\Jelhcd32.exe79⤵PID:5496
-
C:\Windows\SysWOW64\Jfmekm32.exeC:\Windows\system32\Jfmekm32.exe80⤵PID:5536
-
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe81⤵
- Modifies registry class
PID:5576 -
C:\Windows\SysWOW64\Jglaepim.exeC:\Windows\system32\Jglaepim.exe82⤵PID:5616
-
C:\Windows\SysWOW64\Jnfjbj32.exeC:\Windows\system32\Jnfjbj32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5660 -
C:\Windows\SysWOW64\Jepbodhg.exeC:\Windows\system32\Jepbodhg.exe84⤵PID:5708
-
C:\Windows\SysWOW64\Kmlgcf32.exeC:\Windows\system32\Kmlgcf32.exe85⤵PID:5748
-
C:\Windows\SysWOW64\Kjpgmj32.exeC:\Windows\system32\Kjpgmj32.exe86⤵PID:5788
-
C:\Windows\SysWOW64\Kaioidkh.exeC:\Windows\system32\Kaioidkh.exe87⤵PID:5832
-
C:\Windows\SysWOW64\Kdhlepkl.exeC:\Windows\system32\Kdhlepkl.exe88⤵PID:5872
-
C:\Windows\SysWOW64\Kffhakjp.exeC:\Windows\system32\Kffhakjp.exe89⤵PID:5912
-
C:\Windows\SysWOW64\Kmppneal.exeC:\Windows\system32\Kmppneal.exe90⤵
- Drops file in System32 directory
PID:5960 -
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe91⤵PID:6004
-
C:\Windows\SysWOW64\Kfidgk32.exeC:\Windows\system32\Kfidgk32.exe92⤵PID:6048
-
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe93⤵PID:6092
-
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe94⤵PID:6132
-
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe95⤵PID:5128
-
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe96⤵PID:5200
-
C:\Windows\SysWOW64\Ljijci32.exeC:\Windows\system32\Ljijci32.exe97⤵
- Drops file in System32 directory
PID:5268 -
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe98⤵
- Drops file in System32 directory
PID:5368 -
C:\Windows\SysWOW64\Lfpkhjae.exeC:\Windows\system32\Lfpkhjae.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
C:\Windows\SysWOW64\Logbigbg.exeC:\Windows\system32\Logbigbg.exe100⤵PID:5480
-
C:\Windows\SysWOW64\Ljncnhhk.exeC:\Windows\system32\Ljncnhhk.exe101⤵PID:5544
-
C:\Windows\SysWOW64\Ldfhgn32.exeC:\Windows\system32\Ldfhgn32.exe102⤵PID:5588
-
C:\Windows\SysWOW64\Leedqa32.exeC:\Windows\system32\Leedqa32.exe103⤵PID:5672
-
C:\Windows\SysWOW64\Loniiflo.exeC:\Windows\system32\Loniiflo.exe104⤵PID:4768
-
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe105⤵PID:5780
-
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe106⤵PID:5856
-
C:\Windows\SysWOW64\Mhppik32.exeC:\Windows\system32\Mhppik32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe108⤵
- Modifies registry class
PID:5980 -
C:\Windows\SysWOW64\Nemchn32.exeC:\Windows\system32\Nemchn32.exe109⤵PID:6060
-
C:\Windows\SysWOW64\Noehac32.exeC:\Windows\system32\Noehac32.exe110⤵
- Modifies registry class
PID:6140 -
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Oeamcmmo.exeC:\Windows\system32\Oeamcmmo.exe112⤵PID:5292
-
C:\Windows\SysWOW64\Onmahojj.exeC:\Windows\system32\Onmahojj.exe113⤵PID:5404
-
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe114⤵PID:5524
-
C:\Windows\SysWOW64\Ononmo32.exeC:\Windows\system32\Ononmo32.exe115⤵PID:5640
-
C:\Windows\SysWOW64\Odifjipd.exeC:\Windows\system32\Odifjipd.exe116⤵PID:1324
-
C:\Windows\SysWOW64\Okcogc32.exeC:\Windows\system32\Okcogc32.exe117⤵PID:5820
-
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe118⤵PID:5936
-
C:\Windows\SysWOW64\Poagma32.exeC:\Windows\system32\Poagma32.exe119⤵PID:6040
-
C:\Windows\SysWOW64\Pfkpiled.exeC:\Windows\system32\Pfkpiled.exe120⤵
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Pkhhbbck.exeC:\Windows\system32\Pkhhbbck.exe121⤵PID:5296
-
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe122⤵PID:5492