Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2023, 22:45
Behavioral tasks
behavioral1: Sample NEAS.c21dd445e9d50c84ff039891077959c0_JC.exe, Resource win7-20231020-en
behavioral2: Sample NEAS.c21dd445e9d50c84ff039891077959c0_JC.exe, Resource win10v2004-20231023-en (the run reported on this page; all resources below are prefixed behavioral2/)
General
Target: NEAS.c21dd445e9d50c84ff039891077959c0_JC.exe
Size: 305KB
MD5: c21dd445e9d50c84ff039891077959c0
SHA1: f81e618a0db46f7f5444240bdc5c5d551cfb9516
SHA256: 437983882b65de2ec86978fd51349874c7aac789fa09541e6ba4d639c6a97a38
SHA512: 5e4bbd2d22ec2c23879c4881679f794db198de0807e519615d2d119962c2f56f8b22fa0cd8a617cd31fba8f764d79e5dcc3452aced40453adbf742c8f9e7a064
SSDEEP: 6144:oFDOC7OCmZrXNxunXe8yhrtMsQBvli+RQFdq:QOC7OvZTvAO8qRMsrOQF
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
All 64 IoCs touch one key and one value (the 32-bit registry view, since the sample is x86 running under WOW64):
key:   \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
value: Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"

Key created (25 entries, in report order), by process:
Obnlpnbm.exe, Ojcidelf.exe, Jkligd32.exe, Bkkofn32.exe, Kifodcej.exe, Dnhgcgbi.exe, Inpaoi32.exe, Imkbglei.exe, Lcfimheb.exe, Lkjlciem.exe, Nmenmgab.exe, Jbjqkl32.exe, Amodnenk.exe, Qjdpoacp.exe, Aaiqmc32.exe, Ilglbjbl.exe, Aoofej32.exe, Lcggbd32.exe, Ppphkq32.exe, Kdkool32.exe, Emenhcdf.exe, Ehimkd32.exe, Mkhajq32.exe, Coadgacp.exe, Kihdqkaf.exe

Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" (39 entries, in report order), by process:
Hfhgdc32.exe, Fhnichde.exe, Ebpqjmpd.exe, Iacepmik.exe, Gjapamfj.exe, Ipbahb32.exe, Mfkkjbnn.exe, Denlgq32.exe, Alcfoo32.exe, Ofhkgeij.exe, Aokkknbl.exe, Gcmnijkd.exe, Oaliidon.exe, Kflink32.exe, Ckdkbfco.exe, Fjbddh32.exe, Dkdmpl32.exe, Dhnlapbo.exe, Ignndo32.exe, Hbchnfei.exe, Njaakf32.exe, Bplammmf.exe, Icfnjcec.exe, Ceaealoh.exe, Pmoabn32.exe, Fdffkgpc.exe, Dbmfje32.exe, Khpcid32.exe, Nqaipgal.exe, Neglceej.exe, Jpdbjleo.exe, Bkmmkj32.exe, Eijiak32.exe, Jndenjmo.exe, Bbpoge32.exe, Ifglmlol.exe, Gldgflba.exe, Jelogq32.exe, Nicalpak.exe
-
Malware Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan whose primary function is to stage further infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
All 64 resources below match yara_rule family_berbew.

Memory (21 dumps, each covering 0x0000000000400000-0x0000000000443000 in the named pid; the pids are the sample, 2372, followed by the first 20 dropped executables in the order they were started):
behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000443000-memory.dmp for <pid>-<n> =
2372-0, 1792-7, 3432-15, 3332-23, 2220-31, 4148-39, 936-47, 1416-55, 224-63, 3500-71, 4288-79, 4384-87, 1140-95, 408-103, 4300-111, 4348-120, 3340-127, 336-136, 2400-143, 4248-151, 4868-159

Files (43):
behavioral2/files/0x0006000000022cd6-6.dat, 0x0006000000022cd6-8.dat, 0x0006000000022cd9-14.dat, 0x0006000000022cd9-16.dat, 0x0006000000022cdb-22.dat, 0x0006000000022cdb-24.dat, 0x0006000000022cdd-30.dat, 0x0006000000022cdd-32.dat, 0x0006000000022cdf-38.dat, 0x0006000000022cdf-40.dat, 0x0006000000022ce1-46.dat, 0x0006000000022ce1-48.dat, 0x0008000000022cd3-54.dat, 0x0008000000022cd3-56.dat, 0x0008000000022cd5-62.dat, 0x0008000000022cd5-64.dat, 0x0009000000022ce3-70.dat, 0x0009000000022ce3-72.dat,
0x0007000000022cc8-78.dat, 0x0007000000022cc8-80.dat, 0x0006000000022ce5-86.dat, 0x0006000000022ce5-88.dat, 0x0007000000022cc9-94.dat, 0x0007000000022cc9-96.dat, 0x0006000000022ce8-97.dat, 0x0006000000022ce8-102.dat, 0x0006000000022ce8-104.dat, 0x0006000000022ceb-106.dat, 0x0006000000022ceb-110.dat, 0x0006000000022ceb-112.dat, 0x0006000000022cee-118.dat, 0x0006000000022cee-119.dat, 0x0006000000022cf1-126.dat, 0x0006000000022cf1-128.dat, 0x0006000000022cf3-129.dat, 0x0006000000022cf3-135.dat, 0x0006000000022cf3-134.dat, 0x0006000000022cf5-142.dat,
0x0006000000022cf5-144.dat, 0x0006000000022cf7-150.dat, 0x0006000000022cf7-152.dat, 0x0006000000022cf9-158.dat, 0x0006000000022cf9-160.dat (all under behavioral2/files/)
-
Executes dropped EXE 64 IoCs
pid Process (64 entries, in start order; each dropped executable is the parent of the next, see "Suspicious use of WriteProcessMemory" below):
1792 Ddjehneg.exe, 3432 Gnckooob.exe, 3332 Inagpm32.exe, 2220 Iqbpahpc.exe, 4148 Ijonfmbn.exe, 936 Jmbdmg32.exe, 1416 Jcaeea32.exe, 224 Lndfchdj.exe,
3500 Leqkeajd.exe, 4288 Mhfmbl32.exe, 4384 Mobbdf32.exe, 1140 Nahdapae.exe, 408 Ndmgnkja.exe, 4300 Odbpij32.exe, 4348 Ohdbkh32.exe, 3340 Pdpmkhjl.exe,
336 Qghlmbae.exe, 2400 Aecbge32.exe, 4248 Bkadoo32.exe, 4868 Bpaikm32.exe, 3572 Cpipkl32.exe, 4660 Dpdogj32.exe, 4168 Fhnichde.exe, 724 Icklhnop.exe,
4180 Ihmnldib.exe, 2472 Jpdbjleo.exe, 4436 Kmmmnp32.exe, 4388 Kidmcqeg.exe, 3804 Lplaaiqd.exe, 4556 Okkalnjm.exe, 2708 Phfhfa32.exe, 1628 Ppamjcpj.exe,
1872 Phkaqqoi.exe, 3588 Pafcofcg.exe, 4912 Pnlcdg32.exe, 3364 Aqbfaa32.exe, 836 Bgeadjai.exe, 5036 Bdiamnpc.exe, 4588 Cnkilbni.exe, 3044 Cnpbgajc.exe,
4624 Dlmegd32.exe, 1528 Ebpqjmpd.exe, 3920 Engaon32.exe, 1996 Golcak32.exe, 4992 Ghdhja32.exe, 4432 Gammbfqa.exe, 1468 Gekeie32.exe, 3712 Hepoddcc.exe,
640 Hcflch32.exe, 2188 Hlnqln32.exe, 1100 Ilqmam32.exe, 2516 Ilcjgm32.exe, 748 Iabodcnj.exe, 3116 Ikjcmi32.exe, 4228 Jkomhhae.exe, 1796 Jmccnk32.exe,
3988 Kicfijal.exe, 3508 Kjcccm32.exe, 3688 Lkflpe32.exe, 860 Lkiiee32.exe, 4700 Llmbqdfb.exe, 2476 Ljoboloa.exe, 4724 Obkiqi32.exe, 552 Qciebg32.exe
-
Drops file in System32 directory 64 IoCs
All 64 paths are under C:\Windows\SysWOW64\. Each entry is written as file (process that created or opened it).

File opened for modification (24 entries, in report order):
Cpipkl32.exe (Bpaikm32.exe), Fkjfkacd.exe (Fqdbnhco.exe), Bjaeei32.exe (Aaiqmc32.exe), Khabdk32.exe (Kbeild32.exe), Gaibhj32.exe (Ghanoeel.exe), Icoodj32.exe (Hpjlgp32.exe), Ppbekd32.exe (Ofjqbndk.exe), Aamkgpbi.exe (Akccje32.exe), Cdlpjicj.exe (Cakghn32.exe), Fnhppa32.exe (Eqdpfm32.exe), Oghgbe32.exe (Mglhgg32.exe), Dmpfla32.exe (Dgcmdj32.exe), Jondojna.exe (Jpjhlche.exe), Opongobp.exe (Ofijifbj.exe), Fieacc32.exe (Ekaaio32.exe), Jcaeea32.exe (Jmbdmg32.exe), Jbhmnhcm.exe (Hboaql32.exe), Knaldo32.exe (Kggcgeop.exe), Nqklfe32.exe (Nkncno32.exe), Mpnnek32.exe (Lfeaegdi.exe), Leqkeajd.exe (Lndfchdj.exe), Ijonfmbn.exe (Iqbpahpc.exe), Cpljdjnd.exe (Ciioaa32.exe), Anogbohj.exe (Agcbqecp.exe)

File created (40 entries, in report order; the .dll files are the COM servers registered under the CLSID in "Modifies registry class"):
Iehkefih.dll (Jpdbjleo.exe), Gjhdkajh.exe (Fclohg32.exe), Ciioaa32.exe (Bplammmf.exe), Dgcmdj32.exe (Daiegp32.exe), Pmoefdap.dll (Hpomme32.exe), Enfcio32.dll (Mgaoda32.exe), Jocepc32.exe (Jiglgl32.exe), Giqemh32.dll (Kckqlpck.exe), Dooglp32.dll (Dhidcffq.exe), Bddcep32.dll (Oflfoepg.exe), Coeapbio.dll (Adccnpqm.exe), Eohcon32.exe (Ebdcejpk.exe), Lnhinj32.dll (Lgkhec32.exe), Hpjdea32.dll (Dkahba32.exe), Mlegifbk.dll (Nnlhod32.exe), Pmamii32.dll (Ofhkgeij.exe), Noopof32.exe (Nciojeem.exe), Caqpdpii.exe (Cgklggic.exe), Llmbqdfb.exe (Lkiiee32.exe), Ldnhiemg.dll (Kaophp32.exe), Ipllghgi.dll (Ehimkd32.exe), Gegkilik.exe (Gpkbaekd.exe), Mnojcb32.exe (Mhbakk32.exe), Dhidcffq.exe (Donceaac.exe), Ckaolcol.exe (Bllbkg32.exe), Qkfbab32.dll (Oaeegjeb.exe), Pbdgkich.dll (Clfdcgkj.exe), Cljnffld.dll (Ofjqbndk.exe), Hgnijh32.dll (Hmcocn32.exe), Onhmhc32.exe (Ogndki32.exe), Fboellof.exe (Fkempa32.exe), Jjihpgcl.exe (Jelogq32.exe), Mdckpqod.exe (Mccofn32.exe), Menpgmap.exe (Mjiljdaj.exe), Codhgg32.exe (Ckfpai32.exe), Jdahgq32.dll (Mhbakk32.exe), Cpfgmkfc.dll (Bddcocff.exe), Olejbnna.dll (Fcbehbim.exe), Acaopjgd.exe (Qaabfgpa.exe), Gkgqdb32.dll (Aklddmep.exe)
-
Program crash 1 IoCs
pid 6956 (WerFault.exe), pid_target 5516, procid_target 938
-
Modifies registry class 64 IoCs
All 64 IoCs are under one key, the COM registration for the CLSID referenced by the ShellServiceObjectDelayLoad value above (again in the 32-bit view):
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32

Key created (12 entries, in report order), by process:
Cmnncb32.exe, Kmiqfoie.exe, Jndenjmo.exe, Mgoboake.exe, Ikpjkf32.exe, Jgoflpal.exe, Jnkajg32.exe, Docmqp32.exe, Coadgacp.exe, Iqbpahpc.exe, Jpjhlche.exe, Hhojqcil.exe

Set value (str) ThreadingModel = "Apartment" (24 entries, in report order), by process:
Imdgjlgb.exe, Nndjgjhe.exe, Ghdhja32.exe, Lkflpe32.exe, Iecclhak.exe, Jloacl32.exe, Joahjcgb.exe, Nhjbjp32.exe, Nclida32.exe, Mjiljdaj.exe, Kmobdm32.exe, Gcmnijkd.exe, Fqpomo32.exe, Dmooak32.exe, Hbchnfei.exe, Pahiebeq.exe, Mgddal32.exe, Jkgpleaf.exe, Eonmkkmj.exe, Caapfnkd.exe, Fkgiea32.exe, Obnlpnbm.exe, Fgjhiibl.exe, Kidmcqeg.exe

Set value (str) (default) = "C:\\Windows\\SysWow64\\<dll>" (28 entries, in report order; each process points the CLSID at a different dropped DLL), written as process -> dll:
Fmdach32.exe -> Hbnbgcei.dll, Pmmleg32.exe -> Bhgncmbq.dll, Phajgf32.exe -> Ehakpchb.dll, Pjaciafc.exe -> Jfdjgm32.dll, Ihmnldib.exe -> Ifpjgg32.dll, Kmobdm32.exe -> Hkhbaj32.dll, Dbmfje32.exe -> Ljenkd32.dll, Qejkfp32.exe -> Aidokffk.dll, Fpfppl32.exe -> Aaoiobea.dll, Cmnncb32.exe -> Ldcofihm.dll, Njkklk32.exe -> Feegfd32.dll, Bnclamqe.exe -> Leilbnhc.dll, Ghgjlaln.exe -> Epofikbn.dll, Ojcidelf.exe -> Ognnmkdm.dll, Mgidgakk.exe -> Ndbkoj32.dll, Iibclmkn.exe -> Nngddegd.dll, Iabodcnj.exe -> Emcjjqcg.dll, Dcdnce32.exe -> Jnemabne.dll, Bfenncdp.exe -> Ppemkhaa.dll, Elojej32.exe -> Ifhhflhc.dll, Gefencoj.exe -> Iokmgk32.dll, Kjponk32.exe -> Pieloojf.dll, Eenflbll.exe -> Diahic32.dll, Gldgflba.exe -> Gjnklh32.dll, Ojommdfh.exe -> Noijmagb.dll, Iaekfjje.exe -> Belgbbnd.dll, Obebla32.exe -> Pjdhck32.dll, Cpipkl32.exe -> Cdomieml.dll
-
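The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") are two halves of one persistence mechanism: every CLSID listed under ShellServiceObjectDelayLoad is instantiated by Explorer.exe when the shell starts, and the DLL named in that CLSID's InProcServer32 key is then loaded into explorer.exe. The following PowerShell is an added hunting check, not part of the tria.ge report or of the malware: it walks both registry views of ShellServiceObjectDelayLoad, resolves each CLSID to its InProcServer32 DLL, checks the DLL's Authenticode status, and flags the CLSID recorded in this report. Assumptions: read-only access to HKLM (no elevation needed), Windows PowerShell 5.1 or PowerShell 7, and that $KnownBadClsid is the only report-specific value.

```powershell
# Added example: hunt for ShellServiceObjectDelayLoad (SSODL) persistence.
# Not part of the sandbox report; the CLSID below is the one the report records,
# everything else is a generic check.

$KnownBadClsid = '{79ECA078-17FF-726B-E811-213280E5C831}'   # from the report

# Explorer reads both views; a 32-bit dropper under WOW64 writes the second one.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
# COM registrations for the CLSIDs, native view and 32-bit view.
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
)

function Resolve-InProcServer32 {
    # Return the DLL path and threading model registered for a CLSID, or $null
    # if neither view carries an InProcServer32 key for it.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root ($Clsid + '\InProcServer32')
        if (Test-Path -LiteralPath $key) {
            $item = Get-Item -LiteralPath $key
            $dll  = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue(''))
            return [pscustomobject]@{
                Key            = $key
                Dll            = $dll
                ThreadingModel = [string]$item.GetValue('ThreadingModel')
            }
        }
    }
    return $null
}

function Get-SsodlFindings {
    # One record per SSODL value: the CLSID, the DLL Explorer would load for it,
    # the DLL's signature status and a Suspicious verdict.
    foreach ($key in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $clsid  = [string]$item.GetValue($name)
            $server = Resolve-InProcServer32 -Clsid $clsid
            $dll    = if ($server) { $server.Dll } else { $null }
            $status = if ($dll -and (Test-Path -LiteralPath $dll)) {
                          (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
                      } elseif ($dll) { 'FileMissing' } else { 'NoInProcServer32' }
            $model  = if ($server) { $server.ThreadingModel } else { $null }
            # Heuristic: the known CLSID, or any SSODL server that is not validly
            # signed. Stock SSODL entries on Windows 10 resolve to Microsoft-signed
            # DLLs under System32/SysWOW64, so an unsigned one deserves a look.
            $suspicious = ($clsid -ieq $KnownBadClsid) -or ($status -ne 'Valid')
            [pscustomobject]@{
                SsodlKey       = $key
                ValueName      = $name
                Clsid          = $clsid
                Dll            = $dll
                ThreadingModel = $model
                Signature      = $status
                Suspicious     = $suspicious
            }
        }
    }
}

$findings = Get-SsodlFindings
$findings | Format-Table ValueName, Clsid, Dll, Signature, Suspicious -AutoSize
foreach ($f in ($findings | Where-Object Suspicious)) {
    Write-Warning ("SSODL persistence candidate: '{0}' -> {1} -> {2} [{3}]" -f
        $f.ValueName, $f.Clsid, $f.Dll, $f.Signature)
}
```

On the host this report describes the check would return a row for the value "Web Event Logger" resolving to a freshly dropped DLL in C:\Windows\SysWow64 with no valid signature, and the CLSID match alone is enough to flag it. Note that the malware re-points the same CLSID at a different DLL in each generation (28 distinct DLL names in the section above), so a hunt keyed only on the DLL name from one sample will miss the next one; the CLSID and the unsigned-server heuristic are the stable indicators.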
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 1792 2372 NEAS.c21dd445e9d50c84ff039891077959c0_JC.exe 90 PID 2372 wrote to memory of 1792 2372 NEAS.c21dd445e9d50c84ff039891077959c0_JC.exe 90 PID 2372 wrote to memory of 1792 2372 NEAS.c21dd445e9d50c84ff039891077959c0_JC.exe 90 PID 1792 wrote to memory of 3432 1792 Ddjehneg.exe 91 PID 1792 wrote to memory of 3432 1792 Ddjehneg.exe 91 PID 1792 wrote to memory of 3432 1792 Ddjehneg.exe 91 PID 3432 wrote to memory of 3332 3432 Gnckooob.exe 92 PID 3432 wrote to memory of 3332 3432 Gnckooob.exe 92 PID 3432 wrote to memory of 3332 3432 Gnckooob.exe 92 PID 3332 wrote to memory of 2220 3332 Inagpm32.exe 93 PID 3332 wrote to memory of 2220 3332 Inagpm32.exe 93 PID 3332 wrote to memory of 2220 3332 Inagpm32.exe 93 PID 2220 wrote to memory of 4148 2220 Iqbpahpc.exe 94 PID 2220 wrote to memory of 4148 2220 Iqbpahpc.exe 94 PID 2220 wrote to memory of 4148 2220 Iqbpahpc.exe 94 PID 4148 wrote to memory of 936 4148 Ijonfmbn.exe 95 PID 4148 wrote to memory of 936 4148 Ijonfmbn.exe 95 PID 4148 wrote to memory of 936 4148 Ijonfmbn.exe 95 PID 936 wrote to memory of 1416 936 Jmbdmg32.exe 96 PID 936 wrote to memory of 1416 936 Jmbdmg32.exe 96 PID 936 wrote to memory of 1416 936 Jmbdmg32.exe 96 PID 1416 wrote to memory of 224 1416 Jcaeea32.exe 97 PID 1416 wrote to memory of 224 1416 Jcaeea32.exe 97 PID 1416 wrote to memory of 224 1416 Jcaeea32.exe 97 PID 224 wrote to memory of 3500 224 Lndfchdj.exe 98 PID 224 wrote to memory of 3500 224 Lndfchdj.exe 98 PID 224 wrote to memory of 3500 224 Lndfchdj.exe 98 PID 3500 wrote to memory of 4288 3500 Leqkeajd.exe 99 PID 3500 wrote to memory of 4288 3500 Leqkeajd.exe 99 PID 3500 wrote to memory of 4288 3500 Leqkeajd.exe 99 PID 4288 wrote to memory of 4384 4288 Mhfmbl32.exe 100 PID 4288 wrote to memory of 4384 4288 Mhfmbl32.exe 100 PID 4288 wrote to memory of 4384 4288 Mhfmbl32.exe 100 PID 4384 wrote to memory of 1140 4384 Mobbdf32.exe 102 PID 4384 wrote to memory of 1140 4384 
Mobbdf32.exe 102 PID 4384 wrote to memory of 1140 4384 Mobbdf32.exe 102 PID 1140 wrote to memory of 408 1140 Nahdapae.exe 103 PID 1140 wrote to memory of 408 1140 Nahdapae.exe 103 PID 1140 wrote to memory of 408 1140 Nahdapae.exe 103 PID 408 wrote to memory of 4300 408 Ndmgnkja.exe 104 PID 408 wrote to memory of 4300 408 Ndmgnkja.exe 104 PID 408 wrote to memory of 4300 408 Ndmgnkja.exe 104 PID 4300 wrote to memory of 4348 4300 Odbpij32.exe 106 PID 4300 wrote to memory of 4348 4300 Odbpij32.exe 106 PID 4300 wrote to memory of 4348 4300 Odbpij32.exe 106 PID 4348 wrote to memory of 3340 4348 Ohdbkh32.exe 107 PID 4348 wrote to memory of 3340 4348 Ohdbkh32.exe 107 PID 4348 wrote to memory of 3340 4348 Ohdbkh32.exe 107 PID 3340 wrote to memory of 336 3340 Pdpmkhjl.exe 108 PID 3340 wrote to memory of 336 3340 Pdpmkhjl.exe 108 PID 3340 wrote to memory of 336 3340 Pdpmkhjl.exe 108 PID 336 wrote to memory of 2400 336 Qghlmbae.exe 109 PID 336 wrote to memory of 2400 336 Qghlmbae.exe 109 PID 336 wrote to memory of 2400 336 Qghlmbae.exe 109 PID 2400 wrote to memory of 4248 2400 Aecbge32.exe 110 PID 2400 wrote to memory of 4248 2400 Aecbge32.exe 110 PID 2400 wrote to memory of 4248 2400 Aecbge32.exe 110 PID 4248 wrote to memory of 4868 4248 Bkadoo32.exe 111 PID 4248 wrote to memory of 4868 4248 Bkadoo32.exe 111 PID 4248 wrote to memory of 4868 4248 Bkadoo32.exe 111 PID 4868 wrote to memory of 3572 4868 Bpaikm32.exe 112 PID 4868 wrote to memory of 3572 4868 Bpaikm32.exe 112 PID 4868 wrote to memory of 3572 4868 Bpaikm32.exe 112 PID 3572 wrote to memory of 4660 3572 Cpipkl32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c21dd445e9d50c84ff039891077959c0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c21dd445e9d50c84ff039891077959c0_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Ddjehneg.exeC:\Windows\system32\Ddjehneg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Gnckooob.exeC:\Windows\system32\Gnckooob.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Inagpm32.exeC:\Windows\system32\Inagpm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Iqbpahpc.exeC:\Windows\system32\Iqbpahpc.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Jcaeea32.exeC:\Windows\system32\Jcaeea32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Mhfmbl32.exeC:\Windows\system32\Mhfmbl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Mobbdf32.exeC:\Windows\system32\Mobbdf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Nahdapae.exeC:\Windows\system32\Nahdapae.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Qghlmbae.exeC:\Windows\system32\Qghlmbae.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Aecbge32.exeC:\Windows\system32\Aecbge32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Bkadoo32.exeC:\Windows\system32\Bkadoo32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Bpaikm32.exeC:\Windows\system32\Bpaikm32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Cpipkl32.exeC:\Windows\system32\Cpipkl32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Dpdogj32.exeC:\Windows\system32\Dpdogj32.exe23⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Fhnichde.exeC:\Windows\system32\Fhnichde.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Icklhnop.exeC:\Windows\system32\Icklhnop.exe25⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Ihmnldib.exeC:\Windows\system32\Ihmnldib.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4180 -
C:\Windows\SysWOW64\Jpdbjleo.exeC:\Windows\system32\Jpdbjleo.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Kmmmnp32.exeC:\Windows\system32\Kmmmnp32.exe28⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Kidmcqeg.exeC:\Windows\system32\Kidmcqeg.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4388 -
C:\Windows\SysWOW64\Lplaaiqd.exeC:\Windows\system32\Lplaaiqd.exe30⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Okkalnjm.exeC:\Windows\system32\Okkalnjm.exe31⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Phfhfa32.exeC:\Windows\system32\Phfhfa32.exe32⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Ppamjcpj.exeC:\Windows\system32\Ppamjcpj.exe33⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Phkaqqoi.exeC:\Windows\system32\Phkaqqoi.exe34⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Pafcofcg.exeC:\Windows\system32\Pafcofcg.exe35⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Pnlcdg32.exeC:\Windows\system32\Pnlcdg32.exe36⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Aqbfaa32.exeC:\Windows\system32\Aqbfaa32.exe37⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Bgeadjai.exeC:\Windows\system32\Bgeadjai.exe38⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Bdiamnpc.exeC:\Windows\system32\Bdiamnpc.exe39⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Cnkilbni.exeC:\Windows\system32\Cnkilbni.exe40⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Cnpbgajc.exeC:\Windows\system32\Cnpbgajc.exe41⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Dlmegd32.exeC:\Windows\system32\Dlmegd32.exe42⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Ebpqjmpd.exeC:\Windows\system32\Ebpqjmpd.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Engaon32.exeC:\Windows\system32\Engaon32.exe44⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Golcak32.exeC:\Windows\system32\Golcak32.exe45⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Ghdhja32.exeC:\Windows\system32\Ghdhja32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4992 -
C:\Windows\SysWOW64\Gammbfqa.exeC:\Windows\system32\Gammbfqa.exe47⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Gekeie32.exeC:\Windows\system32\Gekeie32.exe48⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Hepoddcc.exeC:\Windows\system32\Hepoddcc.exe49⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Hcflch32.exeC:\Windows\system32\Hcflch32.exe50⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Hlnqln32.exeC:\Windows\system32\Hlnqln32.exe51⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ilqmam32.exeC:\Windows\system32\Ilqmam32.exe52⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Ilcjgm32.exeC:\Windows\system32\Ilcjgm32.exe53⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Iabodcnj.exeC:\Windows\system32\Iabodcnj.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Ikjcmi32.exeC:\Windows\system32\Ikjcmi32.exe55⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Jkomhhae.exeC:\Windows\system32\Jkomhhae.exe56⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Jmccnk32.exeC:\Windows\system32\Jmccnk32.exe57⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Kicfijal.exeC:\Windows\system32\Kicfijal.exe58⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Kjcccm32.exeC:\Windows\system32\Kjcccm32.exe59⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Lkflpe32.exeC:\Windows\system32\Lkflpe32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3688 -
C:\Windows\SysWOW64\Lkiiee32.exeC:\Windows\system32\Lkiiee32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Llmbqdfb.exeC:\Windows\system32\Llmbqdfb.exe62⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Ljoboloa.exeC:\Windows\system32\Ljoboloa.exe63⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Obkiqi32.exeC:\Windows\system32\Obkiqi32.exe64⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Qciebg32.exeC:\Windows\system32\Qciebg32.exe65⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Adjnaj32.exeC:\Windows\system32\Adjnaj32.exe66⤵PID:4976
-
C:\Windows\SysWOW64\Anccjp32.exeC:\Windows\system32\Anccjp32.exe67⤵PID:2736
-
C:\Windows\SysWOW64\Admkgifd.exeC:\Windows\system32\Admkgifd.exe68⤵PID:3004
-
C:\Windows\SysWOW64\Bjqjpp32.exeC:\Windows\system32\Bjqjpp32.exe69⤵PID:212
-
C:\Windows\SysWOW64\Bjcfeola.exeC:\Windows\system32\Bjcfeola.exe70⤵PID:4672
-
C:\Windows\SysWOW64\Bgicdc32.exeC:\Windows\system32\Bgicdc32.exe71⤵PID:3860
-
C:\Windows\SysWOW64\Bnclamqe.exeC:\Windows\system32\Bnclamqe.exe72⤵
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Cnhell32.exeC:\Windows\system32\Cnhell32.exe73⤵PID:4064
-
C:\Windows\SysWOW64\Cjcolm32.exeC:\Windows\system32\Cjcolm32.exe74⤵PID:3788
-
C:\Windows\SysWOW64\Cggpfa32.exeC:\Windows\system32\Cggpfa32.exe75⤵PID:3952
-
C:\Windows\SysWOW64\Ddkpoelb.exeC:\Windows\system32\Ddkpoelb.exe76⤵PID:1040
-
C:\Windows\SysWOW64\Dcqmpa32.exeC:\Windows\system32\Dcqmpa32.exe77⤵PID:1904
-
C:\Windows\SysWOW64\Embdofop.exeC:\Windows\system32\Embdofop.exe78⤵PID:2308
-
C:\Windows\SysWOW64\Eenflbll.exeC:\Windows\system32\Eenflbll.exe79⤵
- Modifies registry class
PID:4192 -
C:\Windows\SysWOW64\Fjbddh32.exeC:\Windows\system32\Fjbddh32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Felbmqpl.exeC:\Windows\system32\Felbmqpl.exe81⤵PID:968
-
C:\Windows\SysWOW64\Ghmkol32.exeC:\Windows\system32\Ghmkol32.exe82⤵PID:680
-
C:\Windows\SysWOW64\Gmjcgb32.exeC:\Windows\system32\Gmjcgb32.exe83⤵PID:4428
-
C:\Windows\SysWOW64\Helkdnaj.exeC:\Windows\system32\Helkdnaj.exe84⤵PID:3984
-
C:\Windows\SysWOW64\Hoepmd32.exeC:\Windows\system32\Hoepmd32.exe85⤵PID:3940
-
C:\Windows\SysWOW64\Iacepmik.exeC:\Windows\system32\Iacepmik.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4056 -
C:\Windows\SysWOW64\Jolodqcp.exeC:\Windows\system32\Jolodqcp.exe87⤵PID:4760
-
C:\Windows\SysWOW64\Klgend32.exeC:\Windows\system32\Klgend32.exe88⤵PID:768
-
C:\Windows\SysWOW64\Kklbop32.exeC:\Windows\system32\Kklbop32.exe89⤵PID:1052
-
C:\Windows\SysWOW64\Khpcid32.exeC:\Windows\system32\Khpcid32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3792 -
C:\Windows\SysWOW64\Kojkeogp.exeC:\Windows\system32\Kojkeogp.exe91⤵PID:2232
-
C:\Windows\SysWOW64\Loaafnah.exeC:\Windows\system32\Loaafnah.exe92⤵PID:4332
-
C:\Windows\SysWOW64\Lnkgbibj.exeC:\Windows\system32\Lnkgbibj.exe93⤵PID:2548
-
C:\Windows\SysWOW64\Meepoc32.exeC:\Windows\system32\Meepoc32.exe94⤵PID:1204
-
C:\Windows\SysWOW64\Nicalpak.exeC:\Windows\system32\Nicalpak.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Oeoklp32.exeC:\Windows\system32\Oeoklp32.exe96⤵PID:4172
-
C:\Windows\SysWOW64\Oecego32.exeC:\Windows\system32\Oecego32.exe97⤵PID:1184
-
C:\Windows\SysWOW64\Agojdnng.exeC:\Windows\system32\Agojdnng.exe98⤵PID:4384
-
C:\Windows\SysWOW64\Cjlbag32.exeC:\Windows\system32\Cjlbag32.exe99⤵PID:2400
-
C:\Windows\SysWOW64\Dflflg32.exeC:\Windows\system32\Dflflg32.exe100⤵PID:5132
-
C:\Windows\SysWOW64\Djjobedk.exeC:\Windows\system32\Djjobedk.exe101⤵PID:5208
-
C:\Windows\SysWOW64\Eonmkkmj.exeC:\Windows\system32\Eonmkkmj.exe102⤵
- Modifies registry class
PID:5252 -
C:\Windows\SysWOW64\Ejennd32.exeC:\Windows\system32\Ejennd32.exe103⤵PID:5296
-
C:\Windows\SysWOW64\Eflocepa.exeC:\Windows\system32\Eflocepa.exe104⤵PID:5340
-
C:\Windows\SysWOW64\Eqdpfm32.exeC:\Windows\system32\Eqdpfm32.exe105⤵
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Fnhppa32.exeC:\Windows\system32\Fnhppa32.exe106⤵PID:5452
-
C:\Windows\SysWOW64\Fcgemhic.exeC:\Windows\system32\Fcgemhic.exe107⤵PID:5496
-
C:\Windows\SysWOW64\Fakfglhm.exeC:\Windows\system32\Fakfglhm.exe108⤵PID:5536
-
C:\Windows\SysWOW64\Fnofpqff.exeC:\Windows\system32\Fnofpqff.exe109⤵PID:5572
-
C:\Windows\SysWOW64\Fclohg32.exeC:\Windows\system32\Fclohg32.exe110⤵
- Drops file in System32 directory
PID:5644 -
C:\Windows\SysWOW64\Gjhdkajh.exeC:\Windows\system32\Gjhdkajh.exe111⤵PID:5684
-
C:\Windows\SysWOW64\Ggoaje32.exeC:\Windows\system32\Ggoaje32.exe112⤵PID:5732
-
C:\Windows\SysWOW64\Ghanoeel.exeC:\Windows\system32\Ghanoeel.exe113⤵
- Drops file in System32 directory
PID:5784 -
C:\Windows\SysWOW64\Gaibhj32.exeC:\Windows\system32\Gaibhj32.exe114⤵PID:5840
-
C:\Windows\SysWOW64\Galonj32.exeC:\Windows\system32\Galonj32.exe115⤵PID:5884
-
C:\Windows\SysWOW64\Hfmqapcl.exeC:\Windows\system32\Hfmqapcl.exe116⤵PID:5928
-
C:\Windows\SysWOW64\Hhojqcil.exeC:\Windows\system32\Hhojqcil.exe117⤵
- Modifies registry class
PID:6028 -
C:\Windows\SysWOW64\Ifipmo32.exeC:\Windows\system32\Ifipmo32.exe118⤵PID:6124
-
C:\Windows\SysWOW64\Jaekkfcm.exeC:\Windows\system32\Jaekkfcm.exe119⤵PID:5164
-
C:\Windows\SysWOW64\Jgbccm32.exeC:\Windows\system32\Jgbccm32.exe120⤵PID:5244
-
C:\Windows\SysWOW64\Jpjhlche.exeC:\Windows\system32\Jpjhlche.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Jondojna.exeC:\Windows\system32\Jondojna.exe122⤵PID:5404
-