Analysis
max time kernel: 166s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/10/2023, 18:03
Behavioral task: behavioral1
Sample: NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe
Size: 133KB
MD5: 1c4d3ae1ef74fc93ed1eb52ea42afed0
SHA1: a58259616e7ad7c4acc784919e030890a3be6992
SHA256: 33ab1b879bf0f1709f88d6c649ea73bb0d2fe090fdabd4ac978bb83de3370f83
SHA512: 0d1e30b3bb333e205fa5d8c6f683c925532af96a1f77655a7596794dabd4ea3557d0bebe407e7c645c9f8877fa6b5c76f0a42c0a0027bd8e0f88ba9061edf49b
SSDEEP: 3072:wkxD/akwbHJ7fKG7UDd0pCrQIFdFtLwzTa:7D/avhiG7Ux0ocIPF9wzG
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbpkfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kipkaj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghiogkfp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gljgkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eoqbbkej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfoapo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chagiqhm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcocmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkgnpn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Meepne32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkdgqbag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkebekgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkjpek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjicfhhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdmdng32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnahbk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbnpja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhficc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhifib32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lopkkdgf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lonnfg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aogkhjii.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpniaool.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjdfgc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjahfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpgmamfo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnhamc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kklbop32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgggaamn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opongobp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajanmqbc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgpbhmna.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hncmfj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Higjkehf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knioij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gqaeme32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmkjdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Okmpjpfa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgcbkhjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpgoolbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ionbcb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nccqbeec.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpgmamfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkdieo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpmajdig.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enbhdojn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plcmiofg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Falmabki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kklkej32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjpaheio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abgjdeai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inokdcjb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpomoc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhejij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpckclld.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnfmlchf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jocepc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmoehojj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjmpeffh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghiogkfp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjkpif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpenoe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efhjjcpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bngdndfn.exe
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x0008000000022ce7-6.dat | family_berbew
behavioral2/files/0x0008000000022ce7-7.dat | family_berbew
behavioral2/files/0x000a000000022cef-10.dat | family_berbew
behavioral2/files/0x000a000000022cef-14.dat | family_berbew
behavioral2/files/0x000a000000022cef-16.dat | family_berbew
behavioral2/files/0x0007000000022cf1-22.dat | family_berbew
behavioral2/files/0x0007000000022cf1-24.dat | family_berbew
behavioral2/files/0x0007000000022cf3-30.dat | family_berbew
behavioral2/files/0x0007000000022cf3-32.dat | family_berbew
behavioral2/files/0x0006000000022cf7-38.dat | family_berbew
behavioral2/files/0x0006000000022cf7-40.dat | family_berbew
behavioral2/files/0x0006000000022cf9-45.dat | family_berbew
behavioral2/files/0x0006000000022cf9-48.dat | family_berbew
behavioral2/files/0x0006000000022cfb-54.dat | family_berbew
behavioral2/files/0x0006000000022cfb-56.dat | family_berbew
behavioral2/files/0x0006000000022cfd-62.dat | family_berbew
behavioral2/files/0x0006000000022cfd-63.dat | family_berbew
behavioral2/files/0x0006000000022cff-65.dat | family_berbew
behavioral2/files/0x0006000000022cff-70.dat | family_berbew
behavioral2/files/0x0006000000022cff-72.dat | family_berbew
behavioral2/files/0x0006000000022d01-77.dat | family_berbew
behavioral2/files/0x0006000000022d01-80.dat | family_berbew
behavioral2/files/0x0006000000022d03-86.dat | family_berbew
behavioral2/files/0x0006000000022d03-88.dat | family_berbew
behavioral2/files/0x0006000000022d05-94.dat | family_berbew
behavioral2/files/0x0006000000022d05-96.dat | family_berbew
behavioral2/files/0x0006000000022d07-102.dat | family_berbew
behavioral2/files/0x0006000000022d07-104.dat | family_berbew
behavioral2/files/0x0006000000022d09-110.dat | family_berbew
behavioral2/files/0x0006000000022d09-112.dat | family_berbew
behavioral2/files/0x0006000000022d0b-113.dat | family_berbew
behavioral2/files/0x0006000000022d0b-118.dat | family_berbew
behavioral2/files/0x0006000000022d0b-120.dat | family_berbew
behavioral2/files/0x0006000000022d0d-126.dat | family_berbew
behavioral2/files/0x0006000000022d0d-128.dat | family_berbew
behavioral2/files/0x0006000000022d0f-134.dat | family_berbew
behavioral2/files/0x0006000000022d0f-135.dat | family_berbew
behavioral2/files/0x0006000000022d11-137.dat | family_berbew
behavioral2/files/0x0006000000022d11-142.dat | family_berbew
behavioral2/files/0x0006000000022d11-144.dat | family_berbew
behavioral2/files/0x0006000000022d13-150.dat | family_berbew
behavioral2/files/0x0006000000022d13-151.dat | family_berbew
behavioral2/files/0x0006000000022d15-158.dat | family_berbew
behavioral2/files/0x0006000000022d15-160.dat | family_berbew
behavioral2/files/0x0006000000022d17-166.dat | family_berbew
behavioral2/files/0x0006000000022d17-168.dat | family_berbew
behavioral2/files/0x0006000000022d19-174.dat | family_berbew
behavioral2/files/0x0006000000022d19-176.dat | family_berbew
behavioral2/files/0x0006000000022d1b-182.dat | family_berbew
behavioral2/files/0x0006000000022d1b-184.dat | family_berbew
behavioral2/files/0x0006000000022d1d-190.dat | family_berbew
behavioral2/files/0x0006000000022d1d-192.dat | family_berbew
behavioral2/files/0x0006000000022d1f-194.dat | family_berbew
behavioral2/files/0x0006000000022d1f-198.dat | family_berbew
behavioral2/files/0x0006000000022d1f-200.dat | family_berbew
behavioral2/files/0x0006000000022d21-206.dat | family_berbew
behavioral2/files/0x0006000000022d21-207.dat | family_berbew
behavioral2/files/0x0006000000022d23-213.dat | family_berbew
behavioral2/files/0x0006000000022d23-215.dat | family_berbew
behavioral2/files/0x0006000000022d25-223.dat | family_berbew
behavioral2/files/0x0006000000022d25-222.dat | family_berbew
behavioral2/files/0x0006000000022d27-230.dat | family_berbew
behavioral2/files/0x0006000000022d27-232.dat | family_berbew
behavioral2/files/0x0006000000022d29-238.dat | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
4848 | Pnmjomlg.exe
652 | Cblebgfh.exe
2080 | Cfljnejl.exe
1992 | Dhbqalle.exe
1668 | Efhjjcpo.exe
2196 | Ebagdddp.exe
2012 | Ehnpmkbg.exe
4520 | Epgdch32.exe
3988 | Fpnkdfko.exe
3144 | Gohapb32.exe
3256 | Gpodkdll.exe
3348 | Hpaqqdjj.exe
4780 | Hgpbhmna.exe
820 | Ijedehgm.exe
5048 | Imjgbb32.exe
3780 | Jcgldl32.exe
2836 | Jjhjae32.exe
772 | Kpgoolbl.exe
3916 | Kgcqlh32.exe
3280 | Lpelqj32.exe
1720 | Lfaqcclf.exe
5116 | Opopdd32.exe
3976 | Agnkck32.exe
4680 | Bkamdi32.exe
1356 | Bjmpfdhb.exe
5016 | Cjdfgc32.exe
2444 | Dendok32.exe
3980 | Enbhdojn.exe
408 | Flpkcbqm.exe
2984 | Faamghko.exe
4888 | Golcak32.exe
420 | Hlgjko32.exe
1916 | Iheaqolo.exe
1260 | Ieknpb32.exe
4380 | Ikhghi32.exe
852 | Jbkbkbfo.exe
3044 | Jbpkfa32.exe
2820 | Kkmijf32.exe
2492 | Kcfnqccd.exe
4188 | Kfggbope.exe
3500 | Lopkkdgf.exe
1028 | Lmcldhfp.exe
1196 | Ljglnmdi.exe
1568 | Ljoboloa.exe
348 | Mmokpglb.exe
220 | Mfhpilbc.exe
3820 | Mmdekf32.exe
3136 | Mcpjnp32.exe
2916 | Njmopj32.exe
4296 | Npnqcpmc.exe
4332 | Nifele32.exe
4908 | Ofmbkipk.exe
5008 | Opefdo32.exe
3108 | Omigmc32.exe
3316 | Plcmiofg.exe
3644 | Pljcjn32.exe
4632 | Qibmoa32.exe
4220 | Akdfndpd.exe
4988 | Acbhhf32.exe
4424 | Adadbi32.exe
2224 | Bdkghg32.exe
3884 | Bnclamqe.exe
1248 | Bdmdng32.exe
3096 | Ccbaoc32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Adbhfi32.dll | Oockeiod.exe
File created | C:\Windows\SysWOW64\Akpcfnpa.dll | Kllhjplh.exe
File opened for modification | C:\Windows\SysWOW64\Effffd32.exe | Epjadk32.exe
File created | C:\Windows\SysWOW64\Odjmneim.exe | Ocfdqm32.exe
File opened for modification | C:\Windows\SysWOW64\Fhchhm32.exe | Enfjdh32.exe
File created | C:\Windows\SysWOW64\Onapnbhi.exe | Ohggah32.exe
File created | C:\Windows\SysWOW64\Pmecdbbh.dll | Iemdkl32.exe
File created | C:\Windows\SysWOW64\Odgohi32.dll | Ghklmk32.exe
File created | C:\Windows\SysWOW64\Iohlkd32.dll | Dkbomgde.exe
File created | C:\Windows\SysWOW64\Gplofb32.dll | Bnclamqe.exe
File created | C:\Windows\SysWOW64\Gjagapbn.exe | Gplbcgbg.exe
File created | C:\Windows\SysWOW64\Bhdbaihi.exe | Bajjeo32.exe
File created | C:\Windows\SysWOW64\Cmgijc32.dll | Bemqcngl.exe
File created | C:\Windows\SysWOW64\Kbomclen.dll | Gbgbgalj.exe
File created | C:\Windows\SysWOW64\Dhbqalle.exe | Cfljnejl.exe
File created | C:\Windows\SysWOW64\Kofkjpof.dll | Qqcjnell.exe
File opened for modification | C:\Windows\SysWOW64\Gihgoq32.exe | Gldgflba.exe
File created | C:\Windows\SysWOW64\Bcnehb32.dll | Lfaqcclf.exe
File created | C:\Windows\SysWOW64\Qfpbfljd.exe | Qqcjnell.exe
File created | C:\Windows\SysWOW64\Hanhcl32.dll | Jdodekhg.exe
File created | C:\Windows\SysWOW64\Elefkp32.dll | Olmdln32.exe
File created | C:\Windows\SysWOW64\Eeelge32.exe | Enkdjkep.exe
File created | C:\Windows\SysWOW64\Dknnhekd.exe | Daeioo32.exe
File opened for modification | C:\Windows\SysWOW64\Offfhb32.exe | Odfjno32.exe
File created | C:\Windows\SysWOW64\Nceonmdp.dll | Lkbkkbdj.exe
File created | C:\Windows\SysWOW64\Alpmpn32.dll | Lkgkqh32.exe
File opened for modification | C:\Windows\SysWOW64\Gbcohl32.exe | Gljgkb32.exe
File created | C:\Windows\SysWOW64\Jggmnmmo.exe | Jolhjj32.exe
File created | C:\Windows\SysWOW64\Kiggln32.exe | Kbmoodbb.exe
File created | C:\Windows\SysWOW64\Pblfjipa.dll | Dpmcfk32.exe
File created | C:\Windows\SysWOW64\Fkldjeil.dll | Bpniaool.exe
File created | C:\Windows\SysWOW64\Ajoknk32.dll | Ahenip32.exe
File created | C:\Windows\SysWOW64\Hhoomd32.exe | Gnjjpk32.exe
File opened for modification | C:\Windows\SysWOW64\Bhpfjh32.exe | Blieeglf.exe
File created | C:\Windows\SysWOW64\Mgggaamn.exe | Majoikof.exe
File opened for modification | C:\Windows\SysWOW64\Oelhljaq.exe | Oooodcci.exe
File created | C:\Windows\SysWOW64\Jpijgf32.exe | Jfaenqjm.exe
File opened for modification | C:\Windows\SysWOW64\Mbbcofpf.exe | Meobeb32.exe
File created | C:\Windows\SysWOW64\Mieeka32.exe | Lnikmjdm.exe
File created | C:\Windows\SysWOW64\Ifplgc32.exe | Hfnpacjb.exe
File created | C:\Windows\SysWOW64\Pjhpccnn.exe | Pcnhfi32.exe
File created | C:\Windows\SysWOW64\Qibmoa32.exe | Pljcjn32.exe
File opened for modification | C:\Windows\SysWOW64\Gpioca32.exe | Giofggia.exe
File created | C:\Windows\SysWOW64\Fpbpmhjb.exe | Fjfgealk.exe
File created | C:\Windows\SysWOW64\Hpifoq32.dll | Jmpgfjmd.exe
File opened for modification | C:\Windows\SysWOW64\Plcdbghi.exe | Pfilfm32.exe
File created | C:\Windows\SysWOW64\Keinepch.exe | Knofif32.exe
File created | C:\Windows\SysWOW64\Cdlhpe32.exe | Cpnpjgpn.exe
File created | C:\Windows\SysWOW64\Hhmdeink.exe | Hoepmd32.exe
File opened for modification | C:\Windows\SysWOW64\Jfoihalp.exe | Jpdqlgdc.exe
File created | C:\Windows\SysWOW64\Oaalfihk.dll | Lcocmi32.exe
File created | C:\Windows\SysWOW64\Oleoij32.dll | Kabibk32.exe
File opened for modification | C:\Windows\SysWOW64\Chagcdpe.exe | Cnicko32.exe
File created | C:\Windows\SysWOW64\Lnikmjdm.exe | Lkhbko32.exe
File opened for modification | C:\Windows\SysWOW64\Hmfkin32.exe | Hcmgphma.exe
File opened for modification | C:\Windows\SysWOW64\Ccbhhl32.exe | Cmipkb32.exe
File created | C:\Windows\SysWOW64\Pfjojopo.dll | Effffd32.exe
File opened for modification | C:\Windows\SysWOW64\Aecnmo32.exe | Aeodapcl.exe
File created | C:\Windows\SysWOW64\Keqeeg32.dll | Cgklggic.exe
File created | C:\Windows\SysWOW64\Hgcccmnm.dll | Mgggaamn.exe
File created | C:\Windows\SysWOW64\Kklkej32.exe | Kpfggang.exe
File created | C:\Windows\SysWOW64\Piakng32.dll | Papnhbgi.exe
File opened for modification | C:\Windows\SysWOW64\Gpnfak32.exe | Gehbcb32.exe
File opened for modification | C:\Windows\SysWOW64\Phlqlgmg.exe | Pjhpccnn.exe
Modifies registry class 64 IoCs
All keys in this table are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}; the ioc column gives the part below that CLSID key.
description | ioc | Process
Key created | InProcServer32 | Ecjpfp32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Ffcedd32.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Mhlnii32.dll" | Aeodapcl.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Jehpghph.dll" | Ciadnggh.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Pdkcnklf.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Jligio32.dll" | Oomnmfid.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdglg32.dll" | Kfggbope.exe
Key created | InProcServer32 | Jglkfmmi.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Ojbamj32.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Oikjcojn.dll" | Jcgbhh32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Ohnlcndb.exe
Key created | InProcServer32 | Imjgbb32.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Jiljgjpp.dll" | Ofmbkipk.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Ofmbkipk.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Bfbahcfc.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Bqfokblg.exe
Key created | InProcServer32 | Flfjdn32.exe
Key created | InProcServer32 | Omhicj32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Bplammmf.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Eabjjafe.dll" | Qkjgomgb.exe
Key created | InProcServer32 | Cmabpmjj.exe
Key created | InProcServer32 | Dcgjie32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Jnkjpa32.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Nijfhn32.dll" | Enbhdojn.exe
Key created | InProcServer32 | Oqfdgn32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Hncmfj32.exe
Key created | InProcServer32 | Bfbahcfc.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Kjogfp32.exe
Key created | InProcServer32 | Ciljbh32.exe
Key created | InProcServer32 | Bngdndfn.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Phfjmlhh.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Cdkipb32.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Hmblee32.dll" | Immaimnj.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Mebkbi32.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Ajoknk32.dll" | Ahenip32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Nhokeolc.exe
Key created | InProcServer32 | Qkgcog32.exe
Key created | InProcServer32 | Kfoajb32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Kaiocjae.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Mjopnl32.dll" | Helfbqeb.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Helfbqeb.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Iadejh32.dll" | Aedfdjdl.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Dqdkbgch.dll" | Dhhnipbe.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Ggecffdi.dll" | Cdlhpe32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Lacbiiik.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Jddnah32.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcppgoj.dll" | Ifcimb32.exe
Key created | InProcServer32 | Cgklggic.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgpmllg.dll" | Fkjfkacd.exe
Key created | InProcServer32 | Ommjnlnd.exe
Key created | InProcServer32 | Kgeiokao.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Omkdqgbq.dll" | Gehbcb32.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfneebc.dll" | Aqffdejj.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Ellbmedl.dll" | Cblebgfh.exe
Key created | InProcServer32 | Kabibk32.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Ofqiil32.dll" | Ajeami32.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Gdakbbno.dll" | Illmho32.exe
Key created | InProcServer32 | Ojgjhicl.exe
Key created | InProcServer32 | Bmeagjbo.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Kllhjplh.exe
Set value (str) | InProcServer32\ = "C:\\Windows\\SysWow64\\Pliomjpb.dll" | Moeock32.exe
Key created | InProcServer32 | Phkmoc32.exe
Key created | InProcServer32 | Giacmggo.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Mmnlnfcb.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1652 wrote to memory of 4848 | 1652 | NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe | 92
PID 1652 wrote to memory of 4848 | 1652 | NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe | 92
PID 1652 wrote to memory of 4848 | 1652 | NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe | 92
PID 4848 wrote to memory of 652 | 4848 | Pnmjomlg.exe | 93
PID 4848 wrote to memory of 652 | 4848 | Pnmjomlg.exe | 93
PID 4848 wrote to memory of 652 | 4848 | Pnmjomlg.exe | 93
PID 652 wrote to memory of 2080 | 652 | Cblebgfh.exe | 94
PID 652 wrote to memory of 2080 | 652 | Cblebgfh.exe | 94
PID 652 wrote to memory of 2080 | 652 | Cblebgfh.exe | 94
PID 2080 wrote to memory of 1992 | 2080 | Cfljnejl.exe | 95
PID 2080 wrote to memory of 1992 | 2080 | Cfljnejl.exe | 95
PID 2080 wrote to memory of 1992 | 2080 | Cfljnejl.exe | 95
PID 1992 wrote to memory of 1668 | 1992 | Dhbqalle.exe | 96
PID 1992 wrote to memory of 1668 | 1992 | Dhbqalle.exe | 96
PID 1992 wrote to memory of 1668 | 1992 | Dhbqalle.exe | 96
PID 1668 wrote to memory of 2196 | 1668 | Efhjjcpo.exe | 97
PID 1668 wrote to memory of 2196 | 1668 | Efhjjcpo.exe | 97
PID 1668 wrote to memory of 2196 | 1668 | Efhjjcpo.exe | 97
PID 2196 wrote to memory of 2012 | 2196 | Ebagdddp.exe | 98
PID 2196 wrote to memory of 2012 | 2196 | Ebagdddp.exe | 98
PID 2196 wrote to memory of 2012 | 2196 | Ebagdddp.exe | 98
PID 2012 wrote to memory of 4520 | 2012 | Ehnpmkbg.exe | 99
PID 2012 wrote to memory of 4520 | 2012 | Ehnpmkbg.exe | 99
PID 2012 wrote to memory of 4520 | 2012 | Ehnpmkbg.exe | 99
PID 4520 wrote to memory of 3988 | 4520 | Epgdch32.exe | 100
PID 4520 wrote to memory of 3988 | 4520 | Epgdch32.exe | 100
PID 4520 wrote to memory of 3988 | 4520 | Epgdch32.exe | 100
PID 3988 wrote to memory of 3144 | 3988 | Fpnkdfko.exe | 101
PID 3988 wrote to memory of 3144 | 3988 | Fpnkdfko.exe | 101
PID 3988 wrote to memory of 3144 | 3988 | Fpnkdfko.exe | 101
PID 3144 wrote to memory of 3256 | 3144 | Gohapb32.exe | 102
PID 3144 wrote to memory of 3256 | 3144 | Gohapb32.exe | 102
PID 3144 wrote to memory of 3256 | 3144 | Gohapb32.exe | 102
PID 3256 wrote to memory of 3348 | 3256 | Gpodkdll.exe | 103
PID 3256 wrote to memory of 3348 | 3256 | Gpodkdll.exe | 103
PID 3256 wrote to memory of 3348 | 3256 | Gpodkdll.exe | 103
PID 3348 wrote to memory of 4780 | 3348 | Hpaqqdjj.exe | 104
PID 3348 wrote to memory of 4780 | 3348 | Hpaqqdjj.exe | 104
PID 3348 wrote to memory of 4780 | 3348 | Hpaqqdjj.exe | 104
PID 4780 wrote to memory of 820 | 4780 | Hgpbhmna.exe | 105
PID 4780 wrote to memory of 820 | 4780 | Hgpbhmna.exe | 105
PID 4780 wrote to memory of 820 | 4780 | Hgpbhmna.exe | 105
PID 820 wrote to memory of 5048 | 820 | Ijedehgm.exe | 106
PID 820 wrote to memory of 5048 | 820 | Ijedehgm.exe | 106
PID 820 wrote to memory of 5048 | 820 | Ijedehgm.exe | 106
PID 5048 wrote to memory of 3780 | 5048 | Imjgbb32.exe | 107
PID 5048 wrote to memory of 3780 | 5048 | Imjgbb32.exe | 107
PID 5048 wrote to memory of 3780 | 5048 | Imjgbb32.exe | 107
PID 3780 wrote to memory of 2836 | 3780 | Jcgldl32.exe | 108
PID 3780 wrote to memory of 2836 | 3780 | Jcgldl32.exe | 108
PID 3780 wrote to memory of 2836 | 3780 | Jcgldl32.exe | 108
PID 2836 wrote to memory of 772 | 2836 | Jjhjae32.exe | 109
PID 2836 wrote to memory of 772 | 2836 | Jjhjae32.exe | 109
PID 2836 wrote to memory of 772 | 2836 | Jjhjae32.exe | 109
PID 772 wrote to memory of 3916 | 772 | Kpgoolbl.exe | 110
PID 772 wrote to memory of 3916 | 772 | Kpgoolbl.exe | 110
PID 772 wrote to memory of 3916 | 772 | Kpgoolbl.exe | 110
PID 3916 wrote to memory of 3280 | 3916 | Kgcqlh32.exe | 111
PID 3916 wrote to memory of 3280 | 3916 | Kgcqlh32.exe | 111
PID 3916 wrote to memory of 3280 | 3916 | Kgcqlh32.exe | 111
PID 3280 wrote to memory of 1720 | 3280 | Lpelqj32.exe | 112
PID 3280 wrote to memory of 1720 | 3280 | Lpelqj32.exe | 112
PID 3280 wrote to memory of 1720 | 3280 | Lpelqj32.exe | 112
PID 1720 wrote to memory of 5116 | 1720 | Lfaqcclf.exe | 113
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe"
- Suspicious use of WriteProcessMemory
PID:1652
2. C:\Windows\SysWOW64\Pnmjomlg.exe
Command line: C:\Windows\system32\Pnmjomlg.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848
3. C:\Windows\SysWOW64\Cblebgfh.exe
Command line: C:\Windows\system32\Cblebgfh.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:652
4. C:\Windows\SysWOW64\Cfljnejl.exe
Command line: C:\Windows\system32\Cfljnejl.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2080
5. C:\Windows\SysWOW64\Dhbqalle.exe
Command line: C:\Windows\system32\Dhbqalle.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992
6. C:\Windows\SysWOW64\Efhjjcpo.exe
Command line: C:\Windows\system32\Efhjjcpo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668
7. C:\Windows\SysWOW64\Ebagdddp.exe
Command line: C:\Windows\system32\Ebagdddp.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196
8. C:\Windows\SysWOW64\Ehnpmkbg.exe
Command line: C:\Windows\system32\Ehnpmkbg.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012
9. C:\Windows\SysWOW64\Epgdch32.exe
Command line: C:\Windows\system32\Epgdch32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520
10. C:\Windows\SysWOW64\Fpnkdfko.exe
Command line: C:\Windows\system32\Fpnkdfko.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988
11. C:\Windows\SysWOW64\Gohapb32.exe
Command line: C:\Windows\system32\Gohapb32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144
12. C:\Windows\SysWOW64\Gpodkdll.exe
Command line: C:\Windows\system32\Gpodkdll.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256
13. C:\Windows\SysWOW64\Hpaqqdjj.exe
Command line: C:\Windows\system32\Hpaqqdjj.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348
14. C:\Windows\SysWOW64\Hgpbhmna.exe
Command line: C:\Windows\system32\Hgpbhmna.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780
15. C:\Windows\SysWOW64\Ijedehgm.exe
Command line: C:\Windows\system32\Ijedehgm.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820
16. C:\Windows\SysWOW64\Imjgbb32.exe
Command line: C:\Windows\system32\Imjgbb32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048
17. C:\Windows\SysWOW64\Jcgldl32.exe
Command line: C:\Windows\system32\Jcgldl32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780
18. C:\Windows\SysWOW64\Jjhjae32.exe
Command line: C:\Windows\system32\Jjhjae32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836
19. C:\Windows\SysWOW64\Kpgoolbl.exe
Command line: C:\Windows\system32\Kpgoolbl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772
20. C:\Windows\SysWOW64\Kgcqlh32.exe
Command line: C:\Windows\system32\Kgcqlh32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916
21. C:\Windows\SysWOW64\Lpelqj32.exe
Command line: C:\Windows\system32\Lpelqj32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280
22. C:\Windows\SysWOW64\Lfaqcclf.exe
Command line: C:\Windows\system32\Lfaqcclf.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1720
23. C:\Windows\SysWOW64\Opopdd32.exe
Command line: C:\Windows\system32\Opopdd32.exe
- Executes dropped EXE
PID:5116
24. C:\Windows\SysWOW64\Agnkck32.exe
Command line: C:\Windows\system32\Agnkck32.exe
- Executes dropped EXE
PID:3976
25. C:\Windows\SysWOW64\Bkamdi32.exe
Command line: C:\Windows\system32\Bkamdi32.exe
- Executes dropped EXE
PID:4680
26. C:\Windows\SysWOW64\Bjmpfdhb.exe
Command line: C:\Windows\system32\Bjmpfdhb.exe
- Executes dropped EXE
PID:1356
27. C:\Windows\SysWOW64\Cjdfgc32.exe
Command line: C:\Windows\system32\Cjdfgc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5016
28. C:\Windows\SysWOW64\Dendok32.exe
Command line: C:\Windows\system32\Dendok32.exe
- Executes dropped EXE
PID:2444
29. C:\Windows\SysWOW64\Enbhdojn.exe
Command line: C:\Windows\system32\Enbhdojn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3980
30. C:\Windows\SysWOW64\Flpkcbqm.exe
Command line: C:\Windows\system32\Flpkcbqm.exe
- Executes dropped EXE
PID:408
31. C:\Windows\SysWOW64\Faamghko.exe
Command line: C:\Windows\system32\Faamghko.exe
- Executes dropped EXE
PID:2984
32. C:\Windows\SysWOW64\Golcak32.exe
Command line: C:\Windows\system32\Golcak32.exe
- Executes dropped EXE
PID:4888
33. C:\Windows\SysWOW64\Hlgjko32.exe
Command line: C:\Windows\system32\Hlgjko32.exe
- Executes dropped EXE
PID:420
34. C:\Windows\SysWOW64\Iheaqolo.exe
Command line: C:\Windows\system32\Iheaqolo.exe
- Executes dropped EXE
PID:1916
35. C:\Windows\SysWOW64\Ieknpb32.exe
Command line: C:\Windows\system32\Ieknpb32.exe
- Executes dropped EXE
PID:1260
36. C:\Windows\SysWOW64\Ikhghi32.exe
Command line: C:\Windows\system32\Ikhghi32.exe
- Executes dropped EXE
PID:4380
37. C:\Windows\SysWOW64\Jbkbkbfo.exe
Command line: C:\Windows\system32\Jbkbkbfo.exe
- Executes dropped EXE
PID:852
38. C:\Windows\SysWOW64\Jbpkfa32.exe
Command line: C:\Windows\system32\Jbpkfa32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3044
39. C:\Windows\SysWOW64\Kkmijf32.exe
Command line: C:\Windows\system32\Kkmijf32.exe
- Executes dropped EXE
PID:2820
40. C:\Windows\SysWOW64\Kcfnqccd.exe
Command line: C:\Windows\system32\Kcfnqccd.exe
- Executes dropped EXE
PID:2492
41. C:\Windows\SysWOW64\Kfggbope.exe
Command line: C:\Windows\system32\Kfggbope.exe
- Executes dropped EXE
- Modifies registry class
PID:4188
42. C:\Windows\SysWOW64\Lopkkdgf.exe
Command line: C:\Windows\system32\Lopkkdgf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3500
43. C:\Windows\SysWOW64\Lmcldhfp.exe
Command line: C:\Windows\system32\Lmcldhfp.exe
- Executes dropped EXE
PID:1028
44. C:\Windows\SysWOW64\Ljglnmdi.exe
Command line: C:\Windows\system32\Ljglnmdi.exe
- Executes dropped EXE
PID:1196
45. C:\Windows\SysWOW64\Ljoboloa.exe
Command line: C:\Windows\system32\Ljoboloa.exe
- Executes dropped EXE
PID:1568
46. C:\Windows\SysWOW64\Mmokpglb.exe
Command line: C:\Windows\system32\Mmokpglb.exe
- Executes dropped EXE
PID:348
47. C:\Windows\SysWOW64\Mfhpilbc.exe
Command line: C:\Windows\system32\Mfhpilbc.exe
- Executes dropped EXE
PID:220
48. C:\Windows\SysWOW64\Mmdekf32.exe
Command line: C:\Windows\system32\Mmdekf32.exe
- Executes dropped EXE
PID:3820
49. C:\Windows\SysWOW64\Mcpjnp32.exe
Command line: C:\Windows\system32\Mcpjnp32.exe
- Executes dropped EXE
PID:3136
50. C:\Windows\SysWOW64\Njmopj32.exe
Command line: C:\Windows\system32\Njmopj32.exe
- Executes dropped EXE
PID:2916
51. C:\Windows\SysWOW64\Npnqcpmc.exe
Command line: C:\Windows\system32\Npnqcpmc.exe
- Executes dropped EXE
PID:4296
52. C:\Windows\SysWOW64\Nifele32.exe
Command line: C:\Windows\system32\Nifele32.exe
- Executes dropped EXE
PID:4332
53. C:\Windows\SysWOW64\Ofmbkipk.exe
Command line: C:\Windows\system32\Ofmbkipk.exe
- Executes dropped EXE
- Modifies registry class
PID:4908
54. C:\Windows\SysWOW64\Opefdo32.exe
Command line: C:\Windows\system32\Opefdo32.exe
- Executes dropped EXE
PID:5008
55. C:\Windows\SysWOW64\Omigmc32.exe
Command line: C:\Windows\system32\Omigmc32.exe
- Executes dropped EXE
PID:3108
56. C:\Windows\SysWOW64\Plcmiofg.exe
Command line: C:\Windows\system32\Plcmiofg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3316
57. C:\Windows\SysWOW64\Pljcjn32.exe
Command line: C:\Windows\system32\Pljcjn32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:3644
58. C:\Windows\SysWOW64\Qibmoa32.exe
Command line: C:\Windows\system32\Qibmoa32.exe
- Executes dropped EXE
PID:4632
59. C:\Windows\SysWOW64\Akdfndpd.exe
Command line: C:\Windows\system32\Akdfndpd.exe
- Executes dropped EXE
PID:4220
60. C:\Windows\SysWOW64\Acbhhf32.exe
Command line: C:\Windows\system32\Acbhhf32.exe
- Executes dropped EXE
PID:4988
61. C:\Windows\SysWOW64\Adadbi32.exe
Command line: C:\Windows\system32\Adadbi32.exe
- Executes dropped EXE
PID:4424
62. C:\Windows\SysWOW64\Bdkghg32.exe
Command line: C:\Windows\system32\Bdkghg32.exe
- Executes dropped EXE
PID:2224
63. C:\Windows\SysWOW64\Bnclamqe.exe
Command line: C:\Windows\system32\Bnclamqe.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:3884
64. C:\Windows\SysWOW64\Bdmdng32.exe
Command line: C:\Windows\system32\Bdmdng32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1248
65. C:\Windows\SysWOW64\Ccbaoc32.exe
Command line: C:\Windows\system32\Ccbaoc32.exe
- Executes dropped EXE
PID:3096
66. C:\Windows\SysWOW64\Cdbmifdl.exe
Command line: C:\Windows\system32\Cdbmifdl.exe
PID:4348
67. C:\Windows\SysWOW64\Cmmbmiag.exe
Command line: C:\Windows\system32\Cmmbmiag.exe
PID:4804
68. C:\Windows\SysWOW64\Cnahbk32.exe
Command line: C:\Windows\system32\Cnahbk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3116
69. C:\Windows\SysWOW64\Dqbadf32.exe
Command line: C:\Windows\system32\Dqbadf32.exe
PID:4204
70. C:\Windows\SysWOW64\Dedceddg.exe
Command line: C:\Windows\system32\Dedceddg.exe
PID:4028
71. C:\Windows\SysWOW64\Ecjpfp32.exe
Command line: C:\Windows\system32\Ecjpfp32.exe
- Modifies registry class
PID:1312
72. C:\Windows\SysWOW64\Enoddi32.exe
Command line: C:\Windows\system32\Enoddi32.exe
PID:2072
73. C:\Windows\SysWOW64\Endnohdp.exe
Command line: C:\Windows\system32\Endnohdp.exe
PID:4152
74. C:\Windows\SysWOW64\Eglbhnkp.exe
Command line: C:\Windows\system32\Eglbhnkp.exe
PID:2404
75. C:\Windows\SysWOW64\Enfjdh32.exe
Command line: C:\Windows\system32\Enfjdh32.exe
- Drops file in System32 directory
PID:1784
76. C:\Windows\SysWOW64\Fhchhm32.exe
Command line: C:\Windows\system32\Fhchhm32.exe
PID:2864
77. C:\Windows\SysWOW64\Falmabki.exe
Command line: C:\Windows\system32\Falmabki.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008
78. C:\Windows\SysWOW64\Fcjimnjl.exe
Command line: C:\Windows\system32\Fcjimnjl.exe
PID:2692
79. C:\Windows\SysWOW64\Fmbnfcam.exe
Command line: C:\Windows\system32\Fmbnfcam.exe
PID:4608
80. C:\Windows\SysWOW64\Hldgkiki.exe
Command line: C:\Windows\system32\Hldgkiki.exe
PID:4860
81. C:\Windows\SysWOW64\Hdokok32.exe
Command line: C:\Windows\system32\Hdokok32.exe
PID:1136
82. C:\Windows\SysWOW64\Hoepmd32.exe
Command line: C:\Windows\system32\Hoepmd32.exe
- Drops file in System32 directory
PID:1372
83. C:\Windows\SysWOW64\Hhmdeink.exe
Command line: C:\Windows\system32\Hhmdeink.exe
PID:3800
84. C:\Windows\SysWOW64\Idinej32.exe
Command line: C:\Windows\system32\Idinej32.exe
PID:4428
85. C:\Windows\SysWOW64\Ionbcb32.exe
Command line: C:\Windows\system32\Ionbcb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:228
86. C:\Windows\SysWOW64\Iemdkl32.exe
Command line: C:\Windows\system32\Iemdkl32.exe
- Drops file in System32 directory
PID:2536
87. C:\Windows\SysWOW64\Ikjmcc32.exe
Command line: C:\Windows\system32\Ikjmcc32.exe
PID:4468
88. C:\Windows\SysWOW64\Ieoapl32.exe
Command line: C:\Windows\system32\Ieoapl32.exe
PID:4256
89. C:\Windows\SysWOW64\Jliimf32.exe
Command line: C:\Windows\system32\Jliimf32.exe
PID:2108
90. C:\Windows\SysWOW64\Jnjednnp.exe
Command line: C:\Windows\system32\Jnjednnp.exe
PID:1192
91. C:\Windows\SysWOW64\Jddnah32.exe
Command line: C:\Windows\system32\Jddnah32.exe
- Modifies registry class
PID:724
92. C:\Windows\SysWOW64\Jdiglgbg.exe
Command line: C:\Windows\system32\Jdiglgbg.exe
PID:2708
93. C:\Windows\SysWOW64\Kaaaak32.exe
Command line: C:\Windows\system32\Kaaaak32.exe
PID:3816
94. C:\Windows\SysWOW64\Koeajo32.exe
Command line: C:\Windows\system32\Koeajo32.exe
PID:2016
95. C:\Windows\SysWOW64\Kdbjbfjl.exe
Command line: C:\Windows\system32\Kdbjbfjl.exe
PID:2748
96. C:\Windows\SysWOW64\Kklbop32.exe
Command line: C:\Windows\system32\Kklbop32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:112
97. C:\Windows\SysWOW64\Komhkn32.exe
Command line: C:\Windows\system32\Komhkn32.exe
PID:404
98. C:\Windows\SysWOW64\Lhelddln.exe
Command line: C:\Windows\system32\Lhelddln.exe
PID:1392
99. C:\Windows\SysWOW64\Lkhbko32.exe
Command line: C:\Windows\system32\Lkhbko32.exe
- Drops file in System32 directory
PID:4648
100. C:\Windows\SysWOW64\Lnikmjdm.exe
Command line: C:\Windows\system32\Lnikmjdm.exe
- Drops file in System32 directory
PID:4612
101. C:\Windows\SysWOW64\Mieeka32.exe
Command line: C:\Windows\system32\Mieeka32.exe
PID:3984
102. C:\Windows\SysWOW64\Meobeb32.exe
Command line: C:\Windows\system32\Meobeb32.exe
- Drops file in System32 directory
PID:2976
103. C:\Windows\SysWOW64\Mbbcofpf.exe
Command line: C:\Windows\system32\Mbbcofpf.exe
PID:2004
104. C:\Windows\SysWOW64\Npmjij32.exe
Command line: C:\Windows\system32\Npmjij32.exe
PID:4652
105. C:\Windows\SysWOW64\Nmajbnha.exe
Command line: C:\Windows\system32\Nmajbnha.exe
PID:5168
106. C:\Windows\SysWOW64\Oemofpel.exe
Command line: C:\Windows\system32\Oemofpel.exe
PID:5208
107. C:\Windows\SysWOW64\Opgloh32.exe
Command line: C:\Windows\system32\Opgloh32.exe
PID:5252
108. C:\Windows\SysWOW64\Omkmhlpf.exe
Command line: C:\Windows\system32\Omkmhlpf.exe
PID:5296
109. C:\Windows\SysWOW64\Ofcaab32.exe
Command line: C:\Windows\system32\Ofcaab32.exe
PID:5336
110. C:\Windows\SysWOW64\Ommjnlnd.exe
Command line: C:\Windows\system32\Ommjnlnd.exe
- Modifies registry class
PID:5384
111. C:\Windows\SysWOW64\Qolbgbgb.exe
Command line: C:\Windows\system32\Qolbgbgb.exe
PID:5428
112. C:\Windows\SysWOW64\Beippj32.exe
Command line: C:\Windows\system32\Beippj32.exe
PID:5528
113. C:\Windows\SysWOW64\Egeemiml.exe
Command line: C:\Windows\system32\Egeemiml.exe
PID:5572
114. C:\Windows\SysWOW64\Emanepld.exe
Command line: C:\Windows\system32\Emanepld.exe
PID:5616
115. C:\Windows\SysWOW64\Eggbbhkj.exe
Command line: C:\Windows\system32\Eggbbhkj.exe
PID:5652
116. C:\Windows\SysWOW64\Eqpfknbj.exe
Command line: C:\Windows\system32\Eqpfknbj.exe
PID:5716
117. C:\Windows\SysWOW64\Enfcjb32.exe
Command line: C:\Windows\system32\Enfcjb32.exe
PID:5756
118. C:\Windows\SysWOW64\Epgpajdp.exe
Command line: C:\Windows\system32\Epgpajdp.exe
PID:5804
119. C:\Windows\SysWOW64\Fjldocde.exe
Command line: C:\Windows\system32\Fjldocde.exe
PID:5844
120. C:\Windows\SysWOW64\Fpimgjbm.exe
Command line: C:\Windows\system32\Fpimgjbm.exe
PID:5888
121. C:\Windows\SysWOW64\Ffcedd32.exe
Command line: C:\Windows\system32\Ffcedd32.exe
- Modifies registry class
PID:5932
122. C:\Windows\SysWOW64\Fqiiamjp.exe
Command line: C:\Windows\system32\Fqiiamjp.exe
PID:5976