Analysis
max time kernel: 134s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2023, 08:38
Behavioral task: behavioral1
Sample: NEAS.4fbd87cb80a483ead783feb2a358a92e.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.4fbd87cb80a483ead783feb2a358a92e.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.4fbd87cb80a483ead783feb2a358a92e.exe
Size: 141KB
MD5: 4fbd87cb80a483ead783feb2a358a92e
SHA1: 3aa0c5ed7a36bea906b77a6566ef0be1a37b1552
SHA256: bd513c4286f1cb434ccfa845b6efb15e5eb8e650d5fdb3c2c69181090a943160
SHA512: 93ec0d052628e5b6deccf8ff01eeae241e757d6731c5898cce671c70ff15e0935ba04a6850d58584ab998ddbe89f33f78539f7e6413e1a9360bbd7eedbdeac5e
SSDEEP: 3072:0lx7HUm7YAxdFzwQ9bGCmBJFWpoPSkGFj/p7sW0l:QN5suFzN9bGCKJFtE/JK
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 6788, pid_target: 5532, Process: WerFault.exe, procid_target: 781
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Entries are listed in tree order; the number is the process's depth in the tree (each entry is a child of the one above it), followed by the image path, the command line and the PID, with the signatures triggered by that process nested beneath it.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.4fbd87cb80a483ead783feb2a358a92e.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.4fbd87cb80a483ead783feb2a358a92e.exe"), PID 2764
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kccbjq32.exe (command line: C:\Windows\system32\Kccbjq32.exe), PID 2320
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Kjbdbjbi.exe (command line: C:\Windows\system32\Kjbdbjbi.exe), PID 1664
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Mdkabmjf.exe (command line: C:\Windows\system32\Mdkabmjf.exe), PID 3828
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Mmjlkb32.exe (command line: C:\Windows\system32\Mmjlkb32.exe), PID 4872
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Noqofdlj.exe (command line: C:\Windows\system32\Noqofdlj.exe), PID 3152
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Okqbac32.exe (command line: C:\Windows\system32\Okqbac32.exe), PID 1820
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ogjpld32.exe (command line: C:\Windows\system32\Ogjpld32.exe), PID 4856
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Pfkpiled.exe (command line: C:\Windows\system32\Pfkpiled.exe), PID 3068
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Phbolflm.exe (command line: C:\Windows\system32\Phbolflm.exe), PID 1380
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Akhaipei.exe (command line: C:\Windows\system32\Akhaipei.exe), PID 2164
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Bnicai32.exe (command line: C:\Windows\system32\Bnicai32.exe), PID 3624
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Clpppmqn.exe (command line: C:\Windows\system32\Clpppmqn.exe), PID 1464
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Eoconenj.exe (command line: C:\Windows\system32\Eoconenj.exe), PID 4168
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ebagdddp.exe (command line: C:\Windows\system32\Ebagdddp.exe), PID 4076
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Fgcjea32.exe (command line: C:\Windows\system32\Fgcjea32.exe), PID 1692
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Fhgccijm.exe (command line: C:\Windows\system32\Fhgccijm.exe), PID 1948
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Ggafgo32.exe (command line: C:\Windows\system32\Ggafgo32.exe), PID 1084
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ghjhofjg.exe (command line: C:\Windows\system32\Ghjhofjg.exe), PID 5092
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Hfeoijbi.exe (command line: C:\Windows\system32\Hfeoijbi.exe), PID 3932
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ifihdi32.exe (command line: C:\Windows\system32\Ifihdi32.exe), PID 2408
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Jifabb32.exe (command line: C:\Windows\system32\Jifabb32.exe), PID 4436
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Jihngboe.exe (command line: C:\Windows\system32\Jihngboe.exe), PID 3816
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Kpgoolbl.exe (command line: C:\Windows\system32\Kpgoolbl.exe), PID 3052
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Kakednfj.exe (command line: C:\Windows\system32\Kakednfj.exe), PID 5036
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Kjcjmclj.exe (command line: C:\Windows\system32\Kjcjmclj.exe), PID 3920
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Lapopm32.exe (command line: C:\Windows\system32\Lapopm32.exe), PID 180
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Ljjpnb32.exe (command line: C:\Windows\system32\Ljjpnb32.exe), PID 1968
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Lhcjbfag.exe (command line: C:\Windows\system32\Lhcjbfag.exe), PID 1180
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Mmpbkm32.exe (command line: C:\Windows\system32\Mmpbkm32.exe), PID 3148
   - Executes dropped EXE
   - Modifies registry class
31. C:\Windows\SysWOW64\Mfmpob32.exe (command line: C:\Windows\system32\Mfmpob32.exe), PID 3588
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Mjkiephp.exe (command line: C:\Windows\system32\Mjkiephp.exe), PID 4984
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
33. C:\Windows\SysWOW64\Nmnnlk32.exe (command line: C:\Windows\system32\Nmnnlk32.exe), PID 1128
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Omgabj32.exe (command line: C:\Windows\system32\Omgabj32.exe), PID 4364
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Oahgnh32.exe (command line: C:\Windows\system32\Oahgnh32.exe), PID 5096
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Oajccgmd.exe (command line: C:\Windows\system32\Oajccgmd.exe), PID 2636
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Onqdhh32.exe (command line: C:\Windows\system32\Onqdhh32.exe), PID 4368
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Phfhfa32.exe (command line: C:\Windows\system32\Phfhfa32.exe), PID 232
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ppffec32.exe (command line: C:\Windows\system32\Ppffec32.exe), PID 3476
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Pphckb32.exe (command line: C:\Windows\system32\Pphckb32.exe), PID 2672
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Aamipe32.exe (command line: C:\Windows\system32\Aamipe32.exe), PID 2212
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Adnbapjp.exe (command line: C:\Windows\system32\Adnbapjp.exe), PID 2632
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
43. C:\Windows\SysWOW64\Aqfolqna.exe (command line: C:\Windows\system32\Aqfolqna.exe), PID 4852
   - Executes dropped EXE
   - Drops file in System32 directory
44. C:\Windows\SysWOW64\Bkcjjhgp.exe (command line: C:\Windows\system32\Bkcjjhgp.exe), PID 1332
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Bjmpfdhb.exe (command line: C:\Windows\system32\Bjmpfdhb.exe), PID 2844
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Ciqmjkno.exe (command line: C:\Windows\system32\Ciqmjkno.exe), PID 3248
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Cjfclcpg.exe (command line: C:\Windows\system32\Cjfclcpg.exe), PID 4348
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Cgjcfgoa.exe (command line: C:\Windows\system32\Cgjcfgoa.exe), PID 4048
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Dilmeida.exe (command line: C:\Windows\system32\Dilmeida.exe), PID 3852
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Dajnol32.exe (command line: C:\Windows\system32\Dajnol32.exe), PID 3356
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Ejdonq32.exe (command line: C:\Windows\system32\Ejdonq32.exe), PID 4916
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Eeomfioh.exe (command line: C:\Windows\system32\Eeomfioh.exe), PID 4868
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Ebejem32.exe (command line: C:\Windows\system32\Ebejem32.exe), PID 3544
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Fehplggn.exe (command line: C:\Windows\system32\Fehplggn.exe), PID 5052
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Glkkop32.exe (command line: C:\Windows\system32\Glkkop32.exe), PID 4032
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Gedohfmp.exe (command line: C:\Windows\system32\Gedohfmp.exe), PID 1920
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Gkcdfl32.exe (command line: C:\Windows\system32\Gkcdfl32.exe), PID 2856
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Goamlkpk.exe (command line: C:\Windows\system32\Goamlkpk.exe), PID 4272
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Hllcfnhm.exe (command line: C:\Windows\system32\Hllcfnhm.exe), PID 1104
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Ikcmmjkb.exe (command line: C:\Windows\system32\Ikcmmjkb.exe), PID 5016
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Iofpnhmc.exe (command line: C:\Windows\system32\Iofpnhmc.exe), PID 3296
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Icdhdfcj.exe (command line: C:\Windows\system32\Icdhdfcj.exe), PID 4448
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Jjbjlpga.exe (command line: C:\Windows\system32\Jjbjlpga.exe), PID 4344
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Jbpkfa32.exe (command line: C:\Windows\system32\Jbpkfa32.exe), PID 3420
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Jhjcbljf.exe (command line: C:\Windows\system32\Jhjcbljf.exe), PID 1396
   - Executes dropped EXE
   - Modifies registry class
66. C:\Windows\SysWOW64\Kcphpdil.exe (command line: C:\Windows\system32\Kcphpdil.exe), PID 4248
67. C:\Windows\SysWOW64\Kilphk32.exe (command line: C:\Windows\system32\Kilphk32.exe), PID 1544
68. C:\Windows\SysWOW64\Kcfnqccd.exe (command line: C:\Windows\system32\Kcfnqccd.exe), PID 5132
   - Modifies registry class
69. C:\Windows\SysWOW64\Kjcccm32.exe (command line: C:\Windows\system32\Kjcccm32.exe), PID 5164
70. C:\Windows\SysWOW64\Lckglc32.exe (command line: C:\Windows\system32\Lckglc32.exe), PID 5212
71. C:\Windows\SysWOW64\Lbgjmnno.exe (command line: C:\Windows\system32\Lbgjmnno.exe), PID 5256
   - Adds autorun key to be loaded by Explorer.exe on startup
72. C:\Windows\SysWOW64\Liabjh32.exe (command line: C:\Windows\system32\Liabjh32.exe), PID 5296
73. C:\Windows\SysWOW64\Mbjgcnll.exe (command line: C:\Windows\system32\Mbjgcnll.exe), PID 5372
   - Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Mbamcm32.exe (command line: C:\Windows\system32\Mbamcm32.exe), PID 5448
   - Modifies registry class
75. C:\Windows\SysWOW64\Ncecioib.exe (command line: C:\Windows\system32\Ncecioib.exe), PID 5488
   - Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Omkdcccb.exe (command line: C:\Windows\system32\Omkdcccb.exe), PID 5528
   - Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Pmbjcb32.exe (command line: C:\Windows\system32\Pmbjcb32.exe), PID 5568
78. C:\Windows\SysWOW64\Qlomemlj.exe (command line: C:\Windows\system32\Qlomemlj.exe), PID 5604
79. C:\Windows\SysWOW64\Qdhalj32.exe (command line: C:\Windows\system32\Qdhalj32.exe), PID 5648
80. C:\Windows\SysWOW64\Akbjidbf.exe (command line: C:\Windows\system32\Akbjidbf.exe), PID 5688
81. C:\Windows\SysWOW64\Ajggjq32.exe (command line: C:\Windows\system32\Ajggjq32.exe), PID 5732
82. C:\Windows\SysWOW64\Apaofk32.exe (command line: C:\Windows\system32\Apaofk32.exe), PID 5856
83. C:\Windows\SysWOW64\Bkpfjb32.exe (command line: C:\Windows\system32\Bkpfjb32.exe), PID 5896
84. C:\Windows\SysWOW64\Blabakle.exe (command line: C:\Windows\system32\Blabakle.exe), PID 6000
85. C:\Windows\SysWOW64\Cjabgm32.exe (command line: C:\Windows\system32\Cjabgm32.exe), PID 6044
86. C:\Windows\SysWOW64\Ckclfp32.exe (command line: C:\Windows\system32\Ckclfp32.exe), PID 6080
87. C:\Windows\SysWOW64\Cnahbk32.exe (command line: C:\Windows\system32\Cnahbk32.exe), PID 6124
88. C:\Windows\SysWOW64\Ddkpoelb.exe (command line: C:\Windows\system32\Ddkpoelb.exe), PID 5224
   - Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Ecjpfp32.exe (command line: C:\Windows\system32\Ecjpfp32.exe), PID 5304
   - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Fmbnfcam.exe (command line: C:\Windows\system32\Fmbnfcam.exe), PID 5324
91. C:\Windows\SysWOW64\Gngckfdj.exe (command line: C:\Windows\system32\Gngckfdj.exe), PID 5432
92. C:\Windows\SysWOW64\Geqlhp32.exe (command line: C:\Windows\system32\Geqlhp32.exe), PID 5464
93. C:\Windows\SysWOW64\Gjndpg32.exe (command line: C:\Windows\system32\Gjndpg32.exe), PID 5556
94. C:\Windows\SysWOW64\Gdfhil32.exe (command line: C:\Windows\system32\Gdfhil32.exe), PID 5620
95. C:\Windows\SysWOW64\Glompi32.exe (command line: C:\Windows\system32\Glompi32.exe), PID 5696
96. C:\Windows\SysWOW64\Gehbio32.exe (command line: C:\Windows\system32\Gehbio32.exe), PID 4252
97. C:\Windows\SysWOW64\Glajeiml.exe (command line: C:\Windows\system32\Glajeiml.exe), PID 5820
   - Modifies registry class
98. C:\Windows\SysWOW64\Haobnpkc.exe (command line: C:\Windows\system32\Haobnpkc.exe), PID 5768
99. C:\Windows\SysWOW64\Hkggfe32.exe (command line: C:\Windows\system32\Hkggfe32.exe), PID 5940
100. C:\Windows\SysWOW64\Haclio32.exe (command line: C:\Windows\system32\Haclio32.exe), PID 6028
101. C:\Windows\SysWOW64\Hdahek32.exe (command line: C:\Windows\system32\Hdahek32.exe), PID 6104
   - Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Hoglbc32.exe (command line: C:\Windows\system32\Hoglbc32.exe), PID 5152
103. C:\Windows\SysWOW64\Headon32.exe (command line: C:\Windows\system32\Headon32.exe), PID 5264
104. C:\Windows\SysWOW64\Hlkmlhea.exe (command line: C:\Windows\system32\Hlkmlhea.exe), PID 5348
105. C:\Windows\SysWOW64\Hahedoci.exe (command line: C:\Windows\system32\Hahedoci.exe), PID 5408
   - Drops file in System32 directory
106. C:\Windows\SysWOW64\Imofip32.exe (command line: C:\Windows\system32\Imofip32.exe), PID 5848
107. C:\Windows\SysWOW64\Jliimf32.exe (command line: C:\Windows\system32\Jliimf32.exe), PID 1720
108. C:\Windows\SysWOW64\Jnjednnp.exe (command line: C:\Windows\system32\Jnjednnp.exe), PID 2096
109. C:\Windows\SysWOW64\Jknfnbmi.exe (command line: C:\Windows\system32\Jknfnbmi.exe), PID 6008
110. C:\Windows\SysWOW64\Koceep32.exe (command line: C:\Windows\system32\Koceep32.exe), PID 4908
111. C:\Windows\SysWOW64\Kdpmmf32.exe (command line: C:\Windows\system32\Kdpmmf32.exe), PID 5832
112. C:\Windows\SysWOW64\Klnkoc32.exe (command line: C:\Windows\system32\Klnkoc32.exe), PID 4960
113. C:\Windows\SysWOW64\Lhelddln.exe (command line: C:\Windows\system32\Lhelddln.exe), PID 3360
114. C:\Windows\SysWOW64\Loodqn32.exe (command line: C:\Windows\system32\Loodqn32.exe), PID 5960
115. C:\Windows\SysWOW64\Lbdgmh32.exe (command line: C:\Windows\system32\Lbdgmh32.exe), PID 4244
116. C:\Windows\SysWOW64\Neeifa32.exe (command line: C:\Windows\system32\Neeifa32.exe), PID 5352
117. C:\Windows\SysWOW64\Qojeabie.exe (command line: C:\Windows\system32\Qojeabie.exe), PID 5884
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
118. C:\Windows\SysWOW64\Aepmjk32.exe (command line: C:\Windows\system32\Aepmjk32.exe), PID 5424
   - Modifies registry class
119. C:\Windows\SysWOW64\Agojdnng.exe (command line: C:\Windows\system32\Agojdnng.exe), PID 4136
120. C:\Windows\SysWOW64\Amibqhed.exe (command line: C:\Windows\system32\Amibqhed.exe), PID 1972
   - Drops file in System32 directory
121. C:\Windows\SysWOW64\Bedgejbo.exe (command line: C:\Windows\system32\Bedgejbo.exe), PID 1476
122. C:\Windows\SysWOW64\Bgimjmfl.exe (command line: C:\Windows\system32\Bgimjmfl.exe), PID 1368