Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 133s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2023, 17:02
Behavioral task: behavioral1
- Sample: NEAS.70dc7609d52896214a4d383c556bdafd.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.70dc7609d52896214a4d383c556bdafd.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.70dc7609d52896214a4d383c556bdafd.exe
- Size: 125KB
- MD5: 70dc7609d52896214a4d383c556bdafd
- SHA1: 5d293bf874e251a4059c7554846cd7ff675fb708
- SHA256: 149bfb6d68033b232e096b1b694f42eed5c49fa69f2da39d9fa1a7dffa11d5de
- SHA512: 48e7cf04ffa408cdcfeaab4d0c251f115472d6dd0e785c04d4d5fc4579b1877d4b8dc00c5ae6960cf5470c716c58a43c4c5c2ac2a614fc27cc3a554eb497029a
- SSDEEP: 3072:9j40ftA/Ftc71WdTCn93OGey/ZhJakrPF:j03cETCndOGeKTaG
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid: 3780; pid_target: 496; Process: WerFault.exe; procid_target: 745
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry lists image path | command line | tree depth | PID, followed by the signatures triggered by that process.
- C:\Users\Admin\AppData\Local\Temp\NEAS.70dc7609d52896214a4d383c556bdafd.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.70dc7609d52896214a4d383c556bdafd.exe" | depth 1 | PID 4860
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Cpfmlghd.exe | C:\Windows\system32\Cpfmlghd.exe | depth 2 | PID 4420
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Enemaimp.exe | C:\Windows\system32\Enemaimp.exe | depth 3 | PID 4980
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Egpnooan.exe | C:\Windows\system32\Egpnooan.exe | depth 4 | PID 396
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Eahobg32.exe | C:\Windows\system32\Eahobg32.exe | depth 5 | PID 4700
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Fcekfnkb.exe | C:\Windows\system32\Fcekfnkb.exe | depth 6 | PID 4244
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gcghkm32.exe | C:\Windows\system32\Gcghkm32.exe | depth 7 | PID 5012
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gjficg32.exe | C:\Windows\system32\Gjficg32.exe | depth 8 | PID 2980
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gqbneq32.exe | C:\Windows\system32\Gqbneq32.exe | depth 9 | PID 4496
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gnfooe32.exe | C:\Windows\system32\Gnfooe32.exe | depth 10 | PID 852
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hcedmkmp.exe | C:\Windows\system32\Hcedmkmp.exe | depth 11 | PID 404
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hbknebqi.exe | C:\Windows\system32\Hbknebqi.exe | depth 12 | PID 2820
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Iabglnco.exe | C:\Windows\system32\Iabglnco.exe | depth 13 | PID 5092
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jdjfohjg.exe | C:\Windows\system32\Jdjfohjg.exe | depth 14 | PID 3076
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jjgkab32.exe | C:\Windows\system32\Jjgkab32.exe | depth 15 | PID 4948
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jlfhke32.exe | C:\Windows\system32\Jlfhke32.exe | depth 16 | PID 5000
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jaemilci.exe | C:\Windows\system32\Jaemilci.exe | depth 17 | PID 1028
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kkpnga32.exe | C:\Windows\system32\Kkpnga32.exe | depth 18 | PID 2748
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Klpjad32.exe | C:\Windows\system32\Klpjad32.exe | depth 19 | PID 1012
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kkgdhp32.exe | C:\Windows\system32\Kkgdhp32.exe | depth 20 | PID 1336
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lkiamp32.exe | C:\Windows\system32\Lkiamp32.exe | depth 21 | PID 4644
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lklnconj.exe | C:\Windows\system32\Lklnconj.exe | depth 22 | PID 4504
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Loopdmpk.exe | C:\Windows\system32\Loopdmpk.exe | depth 23 | PID 2468
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mhiabbdi.exe | C:\Windows\system32\Mhiabbdi.exe | depth 24 | PID 1136
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mebkge32.exe | C:\Windows\system32\Mebkge32.exe | depth 25 | PID 4764
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Namegfql.exe | C:\Windows\system32\Namegfql.exe | depth 26 | PID 844
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nlefjnno.exe | C:\Windows\system32\Nlefjnno.exe | depth 27 | PID 1984
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nfpghccm.exe | C:\Windows\system32\Nfpghccm.exe | depth 28 | PID 212
  - Executes dropped EXE
- C:\Windows\SysWOW64\Odjmdocp.exe | C:\Windows\system32\Odjmdocp.exe | depth 29 | PID 1580
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Pbgqdb32.exe | C:\Windows\system32\Pbgqdb32.exe | depth 30 | PID 4220
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qmanljfo.exe | C:\Windows\system32\Qmanljfo.exe | depth 31 | PID 4488
  - Executes dropped EXE
- C:\Windows\SysWOW64\Aeopfl32.exe | C:\Windows\system32\Aeopfl32.exe | depth 32 | PID 4520
  - Executes dropped EXE
- C:\Windows\SysWOW64\Alkeifga.exe | C:\Windows\system32\Alkeifga.exe | depth 33 | PID 3988
  - Executes dropped EXE
- C:\Windows\SysWOW64\Aecialmb.exe | C:\Windows\system32\Aecialmb.exe | depth 34 | PID 3728
  - Executes dropped EXE
- C:\Windows\SysWOW64\Bmddihfj.exe | C:\Windows\system32\Bmddihfj.exe | depth 35 | PID 3348
  - Executes dropped EXE
- C:\Windows\SysWOW64\Bikeni32.exe | C:\Windows\system32\Bikeni32.exe | depth 36 | PID 2752
  - Executes dropped EXE
- C:\Windows\SysWOW64\Bmimdg32.exe | C:\Windows\system32\Bmimdg32.exe | depth 37 | PID 324
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Cehlcikj.exe | C:\Windows\system32\Cehlcikj.exe | depth 38 | PID 4824
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Cdlhgpag.exe | C:\Windows\system32\Cdlhgpag.exe | depth 39 | PID 468
  - Executes dropped EXE
- C:\Windows\SysWOW64\Debnjgcp.exe | C:\Windows\system32\Debnjgcp.exe | depth 40 | PID 4060
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dekapfke.exe | C:\Windows\system32\Dekapfke.exe | depth 41 | PID 3900
  - Executes dropped EXE
- C:\Windows\SysWOW64\Edoncm32.exe | C:\Windows\system32\Edoncm32.exe | depth 42 | PID 1876
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Egpgehnb.exe | C:\Windows\system32\Egpgehnb.exe | depth 43 | PID 2228
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ephlnn32.exe | C:\Windows\system32\Ephlnn32.exe | depth 44 | PID 1324
  - Executes dropped EXE
- C:\Windows\SysWOW64\Eibmlc32.exe | C:\Windows\system32\Eibmlc32.exe | depth 45 | PID 3724
  - Executes dropped EXE
- C:\Windows\SysWOW64\Feimadoe.exe | C:\Windows\system32\Feimadoe.exe | depth 46 | PID 4472
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fncbha32.exe | C:\Windows\system32\Fncbha32.exe | depth 47 | PID 2804
  - Executes dropped EXE
- C:\Windows\SysWOW64\Flhoinbl.exe | C:\Windows\system32\Flhoinbl.exe | depth 48 | PID 1040
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fljlom32.exe | C:\Windows\system32\Fljlom32.exe | depth 49 | PID 4972
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gloejmld.exe | C:\Windows\system32\Gloejmld.exe | depth 50 | PID 2776
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gjebiq32.exe | C:\Windows\system32\Gjebiq32.exe | depth 51 | PID 4916
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hqfqfj32.exe | C:\Windows\system32\Hqfqfj32.exe | depth 52 | PID 3760
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hqimlihn.exe | C:\Windows\system32\Hqimlihn.exe | depth 53 | PID 3892
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hdffah32.exe | C:\Windows\system32\Hdffah32.exe | depth 54 | PID 3772
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hmbkfjko.exe | C:\Windows\system32\Hmbkfjko.exe | depth 55 | PID 1708
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Igjlibib.exe | C:\Windows\system32\Igjlibib.exe | depth 56 | PID 2696
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Igneda32.exe | C:\Windows\system32\Igneda32.exe | depth 57 | PID 820
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jeilne32.exe | C:\Windows\system32\Jeilne32.exe | depth 58 | PID 4512
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Jndmlj32.exe | C:\Windows\system32\Jndmlj32.exe | depth 59 | PID 772
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jfoaam32.exe | C:\Windows\system32\Jfoaam32.exe | depth 60 | PID 1312
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kdmeqo32.exe | C:\Windows\system32\Kdmeqo32.exe | depth 61 | PID 2108
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lennpb32.exe | C:\Windows\system32\Lennpb32.exe | depth 62 | PID 4284
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lechkaga.exe | C:\Windows\system32\Lechkaga.exe | depth 63 | PID 3224
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ldhdlnli.exe | C:\Windows\system32\Ldhdlnli.exe | depth 64 | PID 1992
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lkbmih32.exe | C:\Windows\system32\Lkbmih32.exe | depth 65 | PID 3320
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mdkabmjf.exe | C:\Windows\system32\Mdkabmjf.exe | depth 66 | PID 4780
- C:\Windows\SysWOW64\Maoakaip.exe | C:\Windows\system32\Maoakaip.exe | depth 67 | PID 216
- C:\Windows\SysWOW64\Mgkjch32.exe | C:\Windows\system32\Mgkjch32.exe | depth 68 | PID 1392
- C:\Windows\SysWOW64\Maaoaa32.exe | C:\Windows\system32\Maaoaa32.exe | depth 69 | PID 4308
  - Modifies registry class
- C:\Windows\SysWOW64\Mgngih32.exe | C:\Windows\system32\Mgngih32.exe | depth 70 | PID 1120
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Meadlo32.exe | C:\Windows\system32\Meadlo32.exe | depth 71 | PID 3968
- C:\Windows\SysWOW64\Mknlef32.exe | C:\Windows\system32\Mknlef32.exe | depth 72 | PID 4380
- C:\Windows\SysWOW64\Nhbmnj32.exe | C:\Windows\system32\Nhbmnj32.exe | depth 73 | PID 1456
- C:\Windows\SysWOW64\Nnoefagj.exe | C:\Windows\system32\Nnoefagj.exe | depth 74 | PID 4716
- C:\Windows\SysWOW64\Nkbfpeec.exe | C:\Windows\system32\Nkbfpeec.exe | depth 75 | PID 3144
  - Modifies registry class
- C:\Windows\SysWOW64\Nockkcjg.exe | C:\Windows\system32\Nockkcjg.exe | depth 76 | PID 1644
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Ngnppfgb.exe | C:\Windows\system32\Ngnppfgb.exe | depth 77 | PID 5124
- C:\Windows\SysWOW64\Ohbfeh32.exe | C:\Windows\system32\Ohbfeh32.exe | depth 78 | PID 5164
- C:\Windows\SysWOW64\Oakjnnap.exe | C:\Windows\system32\Oakjnnap.exe | depth 79 | PID 5204
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Ohgopgfj.exe | C:\Windows\system32\Ohgopgfj.exe | depth 80 | PID 5244
- C:\Windows\SysWOW64\Pfkpiled.exe | C:\Windows\system32\Pfkpiled.exe | depth 81 | PID 5284
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Pbapom32.exe | C:\Windows\system32\Pbapom32.exe | depth 82 | PID 5324
- C:\Windows\SysWOW64\Pkjegb32.exe | C:\Windows\system32\Pkjegb32.exe | depth 83 | PID 5380
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Pfpidk32.exe | C:\Windows\system32\Pfpidk32.exe | depth 84 | PID 5424
- C:\Windows\SysWOW64\Pklamb32.exe | C:\Windows\system32\Pklamb32.exe | depth 85 | PID 5476
- C:\Windows\SysWOW64\Pdgckg32.exe | C:\Windows\system32\Pdgckg32.exe | depth 86 | PID 5524
  - Modifies registry class
- C:\Windows\SysWOW64\Qbmpjkqk.exe | C:\Windows\system32\Qbmpjkqk.exe | depth 87 | PID 5580
- C:\Windows\SysWOW64\Abpmpkoh.exe | C:\Windows\system32\Abpmpkoh.exe | depth 88 | PID 5624
- C:\Windows\SysWOW64\Aocmio32.exe | C:\Windows\system32\Aocmio32.exe | depth 89 | PID 5672
- C:\Windows\SysWOW64\Ainnhdbp.exe | C:\Windows\system32\Ainnhdbp.exe | depth 90 | PID 5716
- C:\Windows\SysWOW64\Ankgpk32.exe | C:\Windows\system32\Ankgpk32.exe | depth 91 | PID 5792
- C:\Windows\SysWOW64\Bejhhd32.exe | C:\Windows\system32\Bejhhd32.exe | depth 92 | PID 5856
- C:\Windows\SysWOW64\Bgmnooom.exe | C:\Windows\system32\Bgmnooom.exe | depth 93 | PID 5908
- C:\Windows\SysWOW64\Bnicai32.exe | C:\Windows\system32\Bnicai32.exe | depth 94 | PID 5960
- C:\Windows\SysWOW64\Cejaobel.exe | C:\Windows\system32\Cejaobel.exe | depth 95 | PID 6008
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Cbnbhfde.exe | C:\Windows\system32\Cbnbhfde.exe | depth 96 | PID 6060
  - Modifies registry class
- C:\Windows\SysWOW64\Clffalkf.exe | C:\Windows\system32\Clffalkf.exe | depth 97 | PID 6104
- C:\Windows\SysWOW64\Dlicflic.exe | C:\Windows\system32\Dlicflic.exe | depth 98 | PID 400
- C:\Windows\SysWOW64\Dimcppgm.exe | C:\Windows\system32\Dimcppgm.exe | depth 99 | PID 5212
- C:\Windows\SysWOW64\Dpihbjmg.exe | C:\Windows\system32\Dpihbjmg.exe | depth 100 | PID 5276
- C:\Windows\SysWOW64\Dpkehi32.exe | C:\Windows\system32\Dpkehi32.exe | depth 101 | PID 5352
  - Modifies registry class
- C:\Windows\SysWOW64\Dehnpp32.exe | C:\Windows\system32\Dehnpp32.exe | depth 102 | PID 5416
- C:\Windows\SysWOW64\Eemgkpef.exe | C:\Windows\system32\Eemgkpef.exe | depth 103 | PID 5516
- C:\Windows\SysWOW64\Epbkhhel.exe | C:\Windows\system32\Epbkhhel.exe | depth 104 | PID 5588
- C:\Windows\SysWOW64\Eeodqocd.exe | C:\Windows\system32\Eeodqocd.exe | depth 105 | PID 5664
- C:\Windows\SysWOW64\Eohhie32.exe | C:\Windows\system32\Eohhie32.exe | depth 106 | PID 5728
  - Modifies registry class
- C:\Windows\SysWOW64\Fbjjkble.exe | C:\Windows\system32\Fbjjkble.exe | depth 107 | PID 5808
- C:\Windows\SysWOW64\Fhgccijm.exe | C:\Windows\system32\Fhgccijm.exe | depth 108 | PID 5888
- C:\Windows\SysWOW64\Fghcqq32.exe | C:\Windows\system32\Fghcqq32.exe | depth 109 | PID 5976
- C:\Windows\SysWOW64\Flekihpc.exe | C:\Windows\system32\Flekihpc.exe | depth 110 | PID 6072
- C:\Windows\SysWOW64\Gohapb32.exe | C:\Windows\system32\Gohapb32.exe | depth 111 | PID 6140
  - Modifies registry class
- C:\Windows\SysWOW64\Gllajf32.exe | C:\Windows\system32\Gllajf32.exe | depth 112 | PID 5252
- C:\Windows\SysWOW64\Gcfjfqah.exe | C:\Windows\system32\Gcfjfqah.exe | depth 113 | PID 4528
- C:\Windows\SysWOW64\Ghcbohpp.exe | C:\Windows\system32\Ghcbohpp.exe | depth 114 | PID 5396
- C:\Windows\SysWOW64\Gheodg32.exe | C:\Windows\system32\Gheodg32.exe | depth 115 | PID 5472
- C:\Windows\SysWOW64\Geipnl32.exe | C:\Windows\system32\Geipnl32.exe | depth 116 | PID 5564
- C:\Windows\SysWOW64\Gcmpgpkp.exe | C:\Windows\system32\Gcmpgpkp.exe | depth 117 | PID 5700
- C:\Windows\SysWOW64\Ghjhofjg.exe | C:\Windows\system32\Ghjhofjg.exe | depth 118 | PID 2072
- C:\Windows\SysWOW64\Hjieii32.exe | C:\Windows\system32\Hjieii32.exe | depth 119 | PID 5936
- C:\Windows\SysWOW64\Hgmebnpd.exe | C:\Windows\system32\Hgmebnpd.exe | depth 120 | PID 6016
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Hcdfho32.exe | C:\Windows\system32\Hcdfho32.exe | depth 121 | PID 5156
- C:\Windows\SysWOW64\Hokgmpkl.exe | C:\Windows\system32\Hokgmpkl.exe | depth 122 | PID 2504