Analysis
max time kernel: 139s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2023, 14:22
Behavioral task: behavioral1
Sample: NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe
Size: 199KB
MD5: e3a225e093ebb18fcfcc0e53670847b0
SHA1: a33682c5a4de079f40677d61b2d1af9a71a08a5f
SHA256: 4203bd4b2bd922513cef89ca1105cd839ae4600e2ac513e6a74a39ce80c67fd7
SHA512: cd29b3691c4e567aac8e9c6a0201f685a6989b5a604408d6564c6e8f176d9697c7f6ed07ac9f8774615f174b494e5e11f7563687bce4889eff20d68287eae137
SSDEEP: 6144:9WqynRXRruaSZSCZj81+jq4peBK034YOmFz1h:UqypYZSCG1+jheBbOmFxh
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 11288 (WerFault.exe), pid_target 2968, procid_target 654
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1224 wrote to memory of 2768 | 1224 | NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe | 84
PID 1224 wrote to memory of 2768 | 1224 | NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe | 84
PID 1224 wrote to memory of 2768 | 1224 | NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe | 84
PID 2768 wrote to memory of 2632 | 2768 | Aalmimfd.exe | 85
PID 2768 wrote to memory of 2632 | 2768 | Aalmimfd.exe | 85
PID 2768 wrote to memory of 2632 | 2768 | Aalmimfd.exe | 85
PID 2632 wrote to memory of 3052 | 2632 | Bkmeha32.exe | 86
PID 2632 wrote to memory of 3052 | 2632 | Bkmeha32.exe | 86
PID 2632 wrote to memory of 3052 | 2632 | Bkmeha32.exe | 86
PID 3052 wrote to memory of 4908 | 3052 | Bpjmph32.exe | 87
PID 3052 wrote to memory of 4908 | 3052 | Bpjmph32.exe | 87
PID 3052 wrote to memory of 4908 | 3052 | Bpjmph32.exe | 87
PID 4908 wrote to memory of 2488 | 4908 | Cpljehpo.exe | 88
PID 4908 wrote to memory of 2488 | 4908 | Cpljehpo.exe | 88
PID 4908 wrote to memory of 2488 | 4908 | Cpljehpo.exe | 88
PID 2488 wrote to memory of 5036 | 2488 | Ckdkhq32.exe | 89
PID 2488 wrote to memory of 5036 | 2488 | Ckdkhq32.exe | 89
PID 2488 wrote to memory of 5036 | 2488 | Ckdkhq32.exe | 89
PID 5036 wrote to memory of 1968 | 5036 | Cdolgfbp.exe | 90
PID 5036 wrote to memory of 1968 | 5036 | Cdolgfbp.exe | 90
PID 5036 wrote to memory of 1968 | 5036 | Cdolgfbp.exe | 90
PID 1968 wrote to memory of 3848 | 1968 | Cacmpj32.exe | 91
PID 1968 wrote to memory of 3848 | 1968 | Cacmpj32.exe | 91
PID 1968 wrote to memory of 3848 | 1968 | Cacmpj32.exe | 91
PID 3848 wrote to memory of 4656 | 3848 | Dmjmekgn.exe | 92
PID 3848 wrote to memory of 4656 | 3848 | Dmjmekgn.exe | 92
PID 3848 wrote to memory of 4656 | 3848 | Dmjmekgn.exe | 92
PID 4656 wrote to memory of 2072 | 4656 | Dknnoofg.exe | 93
PID 4656 wrote to memory of 2072 | 4656 | Dknnoofg.exe | 93
PID 4656 wrote to memory of 2072 | 4656 | Dknnoofg.exe | 93
PID 2072 wrote to memory of 3108 | 2072 | Fbaahf32.exe | 94
PID 2072 wrote to memory of 3108 | 2072 | Fbaahf32.exe | 94
PID 2072 wrote to memory of 3108 | 2072 | Fbaahf32.exe | 94
PID 3108 wrote to memory of 4744 | 3108 | Fkjfakng.exe | 95
PID 3108 wrote to memory of 4744 | 3108 | Fkjfakng.exe | 95
PID 3108 wrote to memory of 4744 | 3108 | Fkjfakng.exe | 95
PID 4744 wrote to memory of 5076 | 4744 | Fcekfnkb.exe | 96
PID 4744 wrote to memory of 5076 | 4744 | Fcekfnkb.exe | 96
PID 4744 wrote to memory of 5076 | 4744 | Fcekfnkb.exe | 96
PID 5076 wrote to memory of 2276 | 5076 | Ggccllai.exe | 97
PID 5076 wrote to memory of 2276 | 5076 | Ggccllai.exe | 97
PID 5076 wrote to memory of 2276 | 5076 | Ggccllai.exe | 97
PID 2276 wrote to memory of 5092 | 2276 | Gbhhieao.exe | 98
PID 2276 wrote to memory of 5092 | 2276 | Gbhhieao.exe | 98
PID 2276 wrote to memory of 5092 | 2276 | Gbhhieao.exe | 98
PID 5092 wrote to memory of 1636 | 5092 | Gjcmngnj.exe | 99
PID 5092 wrote to memory of 1636 | 5092 | Gjcmngnj.exe | 99
PID 5092 wrote to memory of 1636 | 5092 | Gjcmngnj.exe | 99
PID 1636 wrote to memory of 4996 | 1636 | Gclafmej.exe | 100
PID 1636 wrote to memory of 4996 | 1636 | Gclafmej.exe | 100
PID 1636 wrote to memory of 4996 | 1636 | Gclafmej.exe | 100
PID 4996 wrote to memory of 2692 | 4996 | Gjhfif32.exe | 101
PID 4996 wrote to memory of 2692 | 4996 | Gjhfif32.exe | 101
PID 4996 wrote to memory of 2692 | 4996 | Gjhfif32.exe | 101
PID 2692 wrote to memory of 1400 | 2692 | Gglfbkin.exe | 102
PID 2692 wrote to memory of 1400 | 2692 | Gglfbkin.exe | 102
PID 2692 wrote to memory of 1400 | 2692 | Gglfbkin.exe | 102
PID 1400 wrote to memory of 4824 | 1400 | Hqdkkp32.exe | 103
PID 1400 wrote to memory of 4824 | 1400 | Hqdkkp32.exe | 103
PID 1400 wrote to memory of 4824 | 1400 | Hqdkkp32.exe | 103
PID 4824 wrote to memory of 4376 | 4824 | Hbdgec32.exe | 104
PID 4824 wrote to memory of 4376 | 4824 | Hbdgec32.exe | 104
PID 4824 wrote to memory of 4376 | 4824 | Hbdgec32.exe | 104
PID 4376 wrote to memory of 4888 | 4376 | Hnkhjdle.exe | 105
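Read in order, the rows above form a single chain: every process writes into exactly one child (three WriteProcessMemory calls per hop in this report) and that child then repeats the step with its own dropped executable. The script below is an added example for working with such a table and is not part of the tria.ge report. It parses the first fifteen rows (copied verbatim as constructed sample input), rebuilds the parent-to-child chain from the root PID, counts the writes per hop, and flags writer image names that fit the eight-character naming pattern every dropped file in this report shares. That regular expression is an observation from this one report, not a general rule, and the sandbox's own PID-reuse behaviour is the reason the chain walk refuses to revisit a PID.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the first fifteen rows of this report's
# "Suspicious use of WriteProcessMemory" table, one event per line.
SAMPLE_EVENTS = """\
PID 1224 wrote to memory of 2768 1224 NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe 84
PID 1224 wrote to memory of 2768 1224 NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe 84
PID 1224 wrote to memory of 2768 1224 NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe 84
PID 2768 wrote to memory of 2632 2768 Aalmimfd.exe 85
PID 2768 wrote to memory of 2632 2768 Aalmimfd.exe 85
PID 2768 wrote to memory of 2632 2768 Aalmimfd.exe 85
PID 2632 wrote to memory of 3052 2632 Bkmeha32.exe 86
PID 2632 wrote to memory of 3052 2632 Bkmeha32.exe 86
PID 2632 wrote to memory of 3052 2632 Bkmeha32.exe 86
PID 3052 wrote to memory of 4908 3052 Bpjmph32.exe 87
PID 3052 wrote to memory of 4908 3052 Bpjmph32.exe 87
PID 3052 wrote to memory of 4908 3052 Bpjmph32.exe 87
PID 4908 wrote to memory of 2488 4908 Cpljehpo.exe 88
PID 4908 wrote to memory of 2488 4908 Cpljehpo.exe 88
PID 4908 wrote to memory of 2488 4908 Cpljehpo.exe 88
"""

# One row = description, pid, Process, procid_target, as the report lays it out.
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# Observation from this report only (assumption, not a general rule): every
# dropped image is eight characters, capital first letter, then lowercase
# letters or digits, followed by ".exe".
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z0-9]{7}\.exe$")


def parse_events(text):
    """Return a list of (writer_pid, target_pid, writer_image, target_procid)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # header or malformed row: skip rather than guess
        writer, target, pid_col, image, target_id = m.groups()
        if writer != pid_col:
            raise ValueError(f"pid column disagrees with description: {line!r}")
        events.append((int(writer), int(target), image, int(target_id)))
    return events


def write_counts(events):
    """Number of WriteProcessMemory events per (writer, target) pair."""
    return Counter((w, t) for w, t, _, _ in events)


def build_chain(events, root_pid):
    """Follow writer -> target starting at root_pid.

    Stops at the first process that writes into more than one target (a
    fan-out, not a chain) and never revisits a PID, so a recycled sandbox
    PID cannot turn the walk into a loop.  Returns the ordered PID list.
    """
    targets = defaultdict(set)
    for w, t, _, _ in events:
        targets[w].add(t)
    chain, seen, cur = [root_pid], {root_pid}, root_pid
    while len(targets.get(cur, ())) == 1:
        nxt = next(iter(targets[cur]))
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


def chain_images(events, root_pid):
    """Image name of each writer along the chain, in execution order."""
    image_of = {w: img for w, _, img, _ in events}
    return [image_of[p] for p in build_chain(events, root_pid) if p in image_of]


def dropped_images(events):
    """Writer images whose name fits the dropped-file pattern seen in this report."""
    return sorted({img for _, _, img, _ in events if DROPPED_NAME_RE.match(img)})


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("chain:", " -> ".join(map(str, build_chain(ev, 1224))))
    print("images:", chain_images(ev, 1224))
    print("writes per hop:", dict(write_counts(ev)))
    print("dropped-looking images:", dropped_images(ev))
```

Feeding the full table through `build_chain` should produce one unbroken chain whose last writer is the process with the highest `procid_target`; a break before that point means either a fan-out or a PID that the sandbox reused, both worth a second look in the raw events.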
Processes
Each entry below is the child of the entry above it; the list number is the depth in the process tree. The path is where the sandbox saw the image on disk, and the command line is what the parent used to start it. The dropped executables are started as C:\Windows\system32\<name>.exe but reside in C:\Windows\SysWOW64: they are 32-bit processes on an x64 host, so WOW64 file-system redirection resolves system32 to SysWOW64 for them.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe (PID 1224)
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e3a225e093ebb18fcfcc0e53670847b0.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Aalmimfd.exe (PID 2768)
   command line: C:\Windows\system32\Aalmimfd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Bkmeha32.exe (PID 2632)
   command line: C:\Windows\system32\Bkmeha32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bpjmph32.exe (PID 3052)
   command line: C:\Windows\system32\Bpjmph32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Cpljehpo.exe (PID 4908)
   command line: C:\Windows\system32\Cpljehpo.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ckdkhq32.exe (PID 2488)
   command line: C:\Windows\system32\Ckdkhq32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Cdolgfbp.exe (PID 5036)
   command line: C:\Windows\system32\Cdolgfbp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Cacmpj32.exe (PID 1968)
   command line: C:\Windows\system32\Cacmpj32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Dmjmekgn.exe (PID 3848)
   command line: C:\Windows\system32\Dmjmekgn.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Dknnoofg.exe (PID 4656)
    command line: C:\Windows\system32\Dknnoofg.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Fbaahf32.exe (PID 2072)
    command line: C:\Windows\system32\Fbaahf32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Fkjfakng.exe (PID 3108)
    command line: C:\Windows\system32\Fkjfakng.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Fcekfnkb.exe (PID 4744)
    command line: C:\Windows\system32\Fcekfnkb.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ggccllai.exe (PID 5076)
    command line: C:\Windows\system32\Ggccllai.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Gbhhieao.exe (PID 2276)
    command line: C:\Windows\system32\Gbhhieao.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Gjcmngnj.exe (PID 5092)
    command line: C:\Windows\system32\Gjcmngnj.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Gclafmej.exe (PID 1636)
    command line: C:\Windows\system32\Gclafmej.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Gjhfif32.exe (PID 4996)
    command line: C:\Windows\system32\Gjhfif32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Gglfbkin.exe (PID 2692)
    command line: C:\Windows\system32\Gglfbkin.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Hqdkkp32.exe (PID 1400)
    command line: C:\Windows\system32\Hqdkkp32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Hbdgec32.exe (PID 4824)
    command line: C:\Windows\system32\Hbdgec32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Hnkhjdle.exe (PID 4376)
    command line: C:\Windows\system32\Hnkhjdle.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Hchqbkkm.exe (PID 4888)
    command line: C:\Windows\system32\Hchqbkkm.exe
    - Executes dropped EXE
    - Modifies registry class
24. C:\Windows\SysWOW64\Halaloif.exe (PID 2148)
    command line: C:\Windows\system32\Halaloif.exe
    - Executes dropped EXE
25. C:\Windows\SysWOW64\Hcljmj32.exe (PID 4528)
    command line: C:\Windows\system32\Hcljmj32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
26. C:\Windows\SysWOW64\Ibnjkbog.exe (PID 4392)
    command line: C:\Windows\system32\Ibnjkbog.exe
    - Executes dropped EXE
    - Modifies registry class
27. C:\Windows\SysWOW64\Iencmm32.exe (PID 2352)
    command line: C:\Windows\system32\Iencmm32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
28. C:\Windows\SysWOW64\Ilhkigcd.exe (PID 1172)
    command line: C:\Windows\system32\Ilhkigcd.exe
    - Executes dropped EXE
29. C:\Windows\SysWOW64\Ijmhkchl.exe (PID 640)
    command line: C:\Windows\system32\Ijmhkchl.exe
    - Executes dropped EXE
30. C:\Windows\SysWOW64\Iecmhlhb.exe (PID 4364)
    command line: C:\Windows\system32\Iecmhlhb.exe
    - Executes dropped EXE
31. C:\Windows\SysWOW64\Ijpepcfj.exe (PID 4304)
    command line: C:\Windows\system32\Ijpepcfj.exe
    - Executes dropped EXE
32. C:\Windows\SysWOW64\Idhiii32.exe (PID 3460)
    command line: C:\Windows\system32\Idhiii32.exe
    - Executes dropped EXE
33. C:\Windows\SysWOW64\Jaljbmkd.exe (PID 4380)
    command line: C:\Windows\system32\Jaljbmkd.exe
    - Executes dropped EXE
34. C:\Windows\SysWOW64\Jejbhk32.exe (PID 2400)
    command line: C:\Windows\system32\Jejbhk32.exe
    - Executes dropped EXE
35. C:\Windows\SysWOW64\Jnbgaa32.exe (PID 2100)
    command line: C:\Windows\system32\Jnbgaa32.exe
    - Executes dropped EXE
36. C:\Windows\SysWOW64\Jdopjh32.exe (PID 1724)
    command line: C:\Windows\system32\Jdopjh32.exe
    - Executes dropped EXE
37. C:\Windows\SysWOW64\Jeolckne.exe (PID 2720)
    command line: C:\Windows\system32\Jeolckne.exe
    - Executes dropped EXE
38. C:\Windows\SysWOW64\Jogqlpde.exe (PID 2820)
    command line: C:\Windows\system32\Jogqlpde.exe
    - Executes dropped EXE
39. C:\Windows\SysWOW64\Jeaiij32.exe (PID 2968)
    command line: C:\Windows\system32\Jeaiij32.exe
    - Executes dropped EXE
40. C:\Windows\SysWOW64\Kbeibo32.exe (PID 4644)
    command line: C:\Windows\system32\Kbeibo32.exe
    - Executes dropped EXE
41. C:\Windows\SysWOW64\Khabke32.exe (PID 2184)
    command line: C:\Windows\system32\Khabke32.exe
    - Executes dropped EXE
42. C:\Windows\SysWOW64\Kefbdjgm.exe (PID 3424)
    command line: C:\Windows\system32\Kefbdjgm.exe
    - Executes dropped EXE
43. C:\Windows\SysWOW64\Kkbkmqed.exe (PID 2496)
    command line: C:\Windows\system32\Kkbkmqed.exe
    - Executes dropped EXE
    - Modifies registry class
44. C:\Windows\SysWOW64\Kehojiej.exe (PID 3372)
    command line: C:\Windows\system32\Kehojiej.exe
    - Executes dropped EXE
45. C:\Windows\SysWOW64\Kaopoj32.exe (PID 4152)
    command line: C:\Windows\system32\Kaopoj32.exe
    - Executes dropped EXE
46. C:\Windows\SysWOW64\Lahbei32.exe (PID 4728)
    command line: C:\Windows\system32\Lahbei32.exe
    - Executes dropped EXE
47. C:\Windows\SysWOW64\Llngbabj.exe (PID 2912)
    command line: C:\Windows\system32\Llngbabj.exe
    - Executes dropped EXE
48. C:\Windows\SysWOW64\Lbhool32.exe (PID 2444)
    command line: C:\Windows\system32\Lbhool32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
49. C:\Windows\SysWOW64\Llpchaqg.exe (PID 4956)
    command line: C:\Windows\system32\Llpchaqg.exe
    - Executes dropped EXE
50. C:\Windows\SysWOW64\Lhgdmb32.exe (PID 2180)
    command line: C:\Windows\system32\Lhgdmb32.exe
    - Executes dropped EXE
51. C:\Windows\SysWOW64\Mclhjkfa.exe (PID 844)
    command line: C:\Windows\system32\Mclhjkfa.exe
    - Executes dropped EXE
52. C:\Windows\SysWOW64\Mhiabbdi.exe (PID 540)
    command line: C:\Windows\system32\Mhiabbdi.exe
    - Executes dropped EXE
53. C:\Windows\SysWOW64\Mcoepkdo.exe (PID 3016)
    command line: C:\Windows\system32\Mcoepkdo.exe
    - Executes dropped EXE
    - Modifies registry class
54. C:\Windows\SysWOW64\Nhbciqln.exe (PID 1844)
    command line: C:\Windows\system32\Nhbciqln.exe
    - Executes dropped EXE
    - Drops file in System32 directory
55. C:\Windows\SysWOW64\Nkcmjlio.exe (PID 2792)
    command line: C:\Windows\system32\Nkcmjlio.exe
    - Executes dropped EXE
56. C:\Windows\SysWOW64\Namegfql.exe (PID 3416)
    command line: C:\Windows\system32\Namegfql.exe
    - Executes dropped EXE
57. C:\Windows\SysWOW64\Nlcidopb.exe (PID 4892)
    command line: C:\Windows\system32\Nlcidopb.exe
    - Executes dropped EXE
    - Drops file in System32 directory
58. C:\Windows\SysWOW64\Nfknmd32.exe (PID 2112)
    command line: C:\Windows\system32\Nfknmd32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
59. C:\Windows\SysWOW64\Nkhfek32.exe (PID 452)
    command line: C:\Windows\system32\Nkhfek32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
60. C:\Windows\SysWOW64\Nbbnbemf.exe (PID 3576)
    command line: C:\Windows\system32\Nbbnbemf.exe
    - Executes dropped EXE
61. C:\Windows\SysWOW64\Nkjckkcg.exe (PID 2028)
    command line: C:\Windows\system32\Nkjckkcg.exe
    - Executes dropped EXE
62. C:\Windows\SysWOW64\Ohncdobq.exe (PID 3760)
    command line: C:\Windows\system32\Ohncdobq.exe
    - Executes dropped EXE
63. C:\Windows\SysWOW64\Okmpqjad.exe (PID 4276)
    command line: C:\Windows\system32\Okmpqjad.exe
    - Executes dropped EXE
64. C:\Windows\SysWOW64\Obfhmd32.exe (PID 2644)
    command line: C:\Windows\system32\Obfhmd32.exe
    - Executes dropped EXE
65. C:\Windows\SysWOW64\Ohqpjo32.exe (PID 1544)
    command line: C:\Windows\system32\Ohqpjo32.exe
    - Executes dropped EXE
66. C:\Windows\SysWOW64\Ocfdgg32.exe (PID 472)
    command line: C:\Windows\system32\Ocfdgg32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
67. C:\Windows\SysWOW64\Ohcmpn32.exe (PID 3220)
    command line: C:\Windows\system32\Ohcmpn32.exe
68. C:\Windows\SysWOW64\Ochamg32.exe (PID 2780)
    command line: C:\Windows\system32\Ochamg32.exe
69. C:\Windows\SysWOW64\Odjmdocp.exe (PID 3764)
    command line: C:\Windows\system32\Odjmdocp.exe
70. C:\Windows\SysWOW64\Ocknbglo.exe (PID 4272)
    command line: C:\Windows\system32\Ocknbglo.exe
71. C:\Windows\SysWOW64\Odljjo32.exe (PID 2168)
    command line: C:\Windows\system32\Odljjo32.exe
72. C:\Windows\SysWOW64\Ocmjhfjl.exe (PID 4264)
    command line: C:\Windows\system32\Ocmjhfjl.exe
73. C:\Windows\SysWOW64\Podkmgop.exe (PID 4420)
    command line: C:\Windows\system32\Podkmgop.exe
74. C:\Windows\SysWOW64\Pfncia32.exe (PID 3816)
    command line: C:\Windows\system32\Pfncia32.exe
75. C:\Windows\SysWOW64\Pmhkflnj.exe (PID 4856)
    command line: C:\Windows\system32\Pmhkflnj.exe
76. C:\Windows\SysWOW64\Pcbdcf32.exe (PID 4196)
    command line: C:\Windows\system32\Pcbdcf32.exe
77. C:\Windows\SysWOW64\Pfppoa32.exe (PID 2280)
    command line: C:\Windows\system32\Pfppoa32.exe
    - Modifies registry class
78. C:\Windows\SysWOW64\Pkmhgh32.exe (PID 4696)
    command line: C:\Windows\system32\Pkmhgh32.exe
    - Modifies registry class
79. C:\Windows\SysWOW64\Pcdqhecd.exe (PID 3992)
    command line: C:\Windows\system32\Pcdqhecd.exe
80. C:\Windows\SysWOW64\Pkoemhao.exe (PID 3232)
    command line: C:\Windows\system32\Pkoemhao.exe
81. C:\Windows\SysWOW64\Pcfmneaa.exe (PID 1108)
    command line: C:\Windows\system32\Pcfmneaa.exe
82. C:\Windows\SysWOW64\Pfeijqqe.exe (PID 680)
    command line: C:\Windows\system32\Pfeijqqe.exe
    - Modifies registry class
83. C:\Windows\SysWOW64\Pmoagk32.exe (PID 4384)
    command line: C:\Windows\system32\Pmoagk32.exe
84. C:\Windows\SysWOW64\Pbljoafi.exe (PID 4404)
    command line: C:\Windows\system32\Pbljoafi.exe
85. C:\Windows\SysWOW64\Qifbll32.exe (PID 4812)
    command line: C:\Windows\system32\Qifbll32.exe
86. C:\Windows\SysWOW64\Qkdohg32.exe (PID 2164)
    command line: C:\Windows\system32\Qkdohg32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Qbngeadf.exe (PID 5128)
    command line: C:\Windows\system32\Qbngeadf.exe
88. C:\Windows\SysWOW64\Qihoak32.exe (PID 5176)
    command line: C:\Windows\system32\Qihoak32.exe
89. C:\Windows\SysWOW64\Abpcja32.exe (PID 5220)
    command line: C:\Windows\system32\Abpcja32.exe
90. C:\Windows\SysWOW64\Aijlgkjq.exe (PID 5264)
    command line: C:\Windows\system32\Aijlgkjq.exe
91. C:\Windows\SysWOW64\Apddce32.exe (PID 5304)
    command line: C:\Windows\system32\Apddce32.exe
92. C:\Windows\SysWOW64\Aimhmkgn.exe (PID 5352)
    command line: C:\Windows\system32\Aimhmkgn.exe
93. C:\Windows\SysWOW64\Acbmjcgd.exe (PID 5392)
    command line: C:\Windows\system32\Acbmjcgd.exe
94. C:\Windows\SysWOW64\Aecialmb.exe (PID 5432)
    command line: C:\Windows\system32\Aecialmb.exe
95. C:\Windows\SysWOW64\Almanf32.exe (PID 5476)
    command line: C:\Windows\system32\Almanf32.exe
    - Modifies registry class
96. C:\Windows\SysWOW64\Afceko32.exe (PID 5528)
    command line: C:\Windows\system32\Afceko32.exe
97. C:\Windows\SysWOW64\Ammnhilb.exe (PID 5568)
    command line: C:\Windows\system32\Ammnhilb.exe
    - Drops file in System32 directory
98. C:\Windows\SysWOW64\Abjfqpji.exe (PID 5612)
    command line: C:\Windows\system32\Abjfqpji.exe
99. C:\Windows\SysWOW64\Aidomjaf.exe (PID 5656)
    command line: C:\Windows\system32\Aidomjaf.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
100. C:\Windows\SysWOW64\Bcicjbal.exe (PID 5700)
     command line: C:\Windows\system32\Bcicjbal.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Bejobk32.exe (PID 5740)
     command line: C:\Windows\system32\Bejobk32.exe
102. C:\Windows\SysWOW64\Bldgoeog.exe (PID 5784)
     command line: C:\Windows\system32\Bldgoeog.exe
103. C:\Windows\SysWOW64\Bfjllnnm.exe (PID 5832)
     command line: C:\Windows\system32\Bfjllnnm.exe
104. C:\Windows\SysWOW64\Blgddd32.exe (PID 5876)
     command line: C:\Windows\system32\Blgddd32.exe
105. C:\Windows\SysWOW64\Bcnleb32.exe (PID 5920)
     command line: C:\Windows\system32\Bcnleb32.exe
106. C:\Windows\SysWOW64\Beoimjce.exe (PID 5968)
     command line: C:\Windows\system32\Beoimjce.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
107. C:\Windows\SysWOW64\Bpemkcck.exe (PID 6012)
     command line: C:\Windows\system32\Bpemkcck.exe
108. C:\Windows\SysWOW64\Beaecjab.exe (PID 6116)
     command line: C:\Windows\system32\Beaecjab.exe
109. C:\Windows\SysWOW64\Cdgolq32.exe (PID 5140)
     command line: C:\Windows\system32\Cdgolq32.exe
110. C:\Windows\SysWOW64\Cmpcdfll.exe (PID 5216)
     command line: C:\Windows\system32\Cmpcdfll.exe
111. C:\Windows\SysWOW64\Cfhhml32.exe (PID 5300)
     command line: C:\Windows\system32\Cfhhml32.exe
     - Drops file in System32 directory
112. C:\Windows\SysWOW64\Cmbpjfij.exe (PID 5380)
     command line: C:\Windows\system32\Cmbpjfij.exe
113. C:\Windows\SysWOW64\Cfjeckpj.exe (PID 5448)
     command line: C:\Windows\system32\Cfjeckpj.exe
114. C:\Windows\SysWOW64\Clgmkbna.exe (PID 5508)
     command line: C:\Windows\system32\Clgmkbna.exe
115. C:\Windows\SysWOW64\Cdnelpod.exe (PID 5592)
     command line: C:\Windows\system32\Cdnelpod.exe
116. C:\Windows\SysWOW64\Cepadh32.exe (PID 5680)
     command line: C:\Windows\system32\Cepadh32.exe
     - Drops file in System32 directory
117. C:\Windows\SysWOW64\Clijablo.exe (PID 5752)
     command line: C:\Windows\system32\Clijablo.exe
     - Modifies registry class
118. C:\Windows\SysWOW64\Debnjgcp.exe (PID 5820)
     command line: C:\Windows\system32\Debnjgcp.exe
119. C:\Windows\SysWOW64\Dmifkecb.exe (PID 5904)
     command line: C:\Windows\system32\Dmifkecb.exe
120. C:\Windows\SysWOW64\Dbfoclai.exe (PID 5948)
     command line: C:\Windows\system32\Dbfoclai.exe
121. C:\Windows\SysWOW64\Dipgpf32.exe (PID 6036)
     command line: C:\Windows\system32\Dipgpf32.exe
122. C:\Windows\SysWOW64\Dlncla32.exe (PID 5124)
     command line: C:\Windows\system32\Dlncla32.exe