Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
160s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2023, 10:41
Behavioral task
behavioral1
Sample
NEAS.dadc34fa9c9d8e5237573c956f466250.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.dadc34fa9c9d8e5237573c956f466250.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.dadc34fa9c9d8e5237573c956f466250.exe
-
Size
256KB
-
MD5
dadc34fa9c9d8e5237573c956f466250
-
SHA1
1a9269e651636c59fed003cd7c2214bcd473c387
-
SHA256
1d571d1565d574dbee1a3dd10787df83775159c851717b8fa7444572a81eafe4
-
SHA512
c0546486339565d3f0465952e644dcc208d8fd5846e081e188f30d3e28068479f1a690326b4acdbc18946a8e91ea3dc037447ba7d98a2761d16a4afd24c54383
-
SSDEEP
6144:swlBCQAn0Of4rQD85k/hQO+zrWnAdqjeOpKfduBU:sw/CQ00/rQg5W/+zrWAI5KFuU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emphocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igneda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfbfjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihancje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghfnej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpboj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbibfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcpcehko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fneoma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boaeioej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkeedk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbiooolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Defajqko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpojml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhihnihm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlkfbocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haaaaeim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmfqngcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqgjmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdgal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elagjihh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lebijnak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcmodajm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkojheoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qleahgff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lchfib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpejlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnhjinpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcompnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfakon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nockfgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pamiaboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmodajm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecanojgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jidbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjnndime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nicjaino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chnlbndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nglcjfie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hklpaeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnolojhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qljcoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcbohpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phcogice.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khpgmqpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nciopppp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncpeaoih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdicggla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kifcnjpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pengna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggqingie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfjfhbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Incdem32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2952-0-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-6.dat family_berbew behavioral2/memory/4832-8-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-7.dat family_berbew behavioral2/files/0x0006000000022e21-14.dat family_berbew behavioral2/memory/4844-15-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e21-16.dat family_berbew behavioral2/files/0x0008000000022e09-22.dat family_berbew behavioral2/files/0x0008000000022e09-24.dat family_berbew behavioral2/memory/2932-23-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e26-30.dat family_berbew behavioral2/memory/4540-31-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e26-32.dat family_berbew behavioral2/files/0x0006000000022e29-38.dat family_berbew behavioral2/files/0x0006000000022e29-40.dat family_berbew behavioral2/memory/3328-39-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2b-46.dat family_berbew behavioral2/files/0x0006000000022e2b-48.dat family_berbew behavioral2/memory/4868-47-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/memory/2832-55-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2d-56.dat family_berbew behavioral2/files/0x0006000000022e2d-54.dat family_berbew behavioral2/files/0x0006000000022e2f-62.dat family_berbew behavioral2/files/0x0006000000022e2f-64.dat family_berbew behavioral2/memory/4336-63-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e31-70.dat family_berbew behavioral2/memory/4640-71-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e31-72.dat family_berbew behavioral2/files/0x0006000000022e33-78.dat family_berbew behavioral2/files/0x0006000000022e33-80.dat family_berbew behavioral2/memory/2952-79-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/memory/5040-81-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e35-87.dat family_berbew behavioral2/memory/4832-89-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e35-88.dat family_berbew behavioral2/memory/1700-94-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e37-96.dat family_berbew behavioral2/memory/4844-97-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e37-98.dat family_berbew behavioral2/files/0x0006000000022e39-105.dat family_berbew behavioral2/memory/4852-104-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e39-106.dat family_berbew behavioral2/memory/2932-113-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3b-114.dat family_berbew behavioral2/memory/2672-119-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3d-123.dat family_berbew behavioral2/memory/3980-132-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e41-138.dat family_berbew behavioral2/files/0x0006000000022e3f-131.dat family_berbew behavioral2/files/0x0006000000022e3f-130.dat family_berbew behavioral2/memory/4540-124-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3d-122.dat family_berbew behavioral2/memory/3876-121-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/memory/3060-140-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e43-147.dat family_berbew behavioral2/files/0x0006000000022e43-146.dat family_berbew behavioral2/files/0x0006000000022e41-139.dat family_berbew behavioral2/files/0x0006000000022e3b-112.dat family_berbew behavioral2/memory/3328-148-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/memory/1096-153-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/memory/4688-155-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/files/0x0006000000022e45-156.dat family_berbew behavioral2/memory/4868-157-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew behavioral2/memory/760-158-0x0000000000400000-0x0000000000448000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4832 Gkiaej32.exe 4844 Hpmpnp32.exe 2932 Idghpmnp.exe 4540 Ijhjcchb.exe 3328 Jhlgfj32.exe 4868 Jhndljll.exe 2832 Jdedak32.exe 4336 Jjamia32.exe 4640 Jkaicd32.exe 5040 Kkcfid32.exe 1700 Kiggbhda.exe 4852 Kjhcjq32.exe 2672 Keqdmihc.exe 3876 Kniieo32.exe 3980 Kinmcg32.exe 3060 Leenhhdn.exe 1096 Ljbfpo32.exe 4688 Lalnmiia.exe 760 Lbngllob.exe 8 Lijlof32.exe 2016 Mngegmbc.exe 2692 Mecjif32.exe 3412 Mlmbfqoj.exe 3828 Mjbogmdb.exe 4908 Micoed32.exe 3780 Mnphmkji.exe 2340 Noeahkfc.exe 1952 Nklbmllg.exe 2376 Nimbkc32.exe 1128 Nahgoe32.exe 3808 Nlnkmnah.exe 1520 Nhdlao32.exe 3364 Okedcjcm.exe 4804 Oekiqccc.exe 3308 Oemefcap.exe 4716 Oafcqcea.exe 1688 Oimkbaed.exe 3688 Pahpfc32.exe 4904 Polppg32.exe 1868 Pibdmp32.exe 3276 Pamiaboj.exe 4404 Poajkgnc.exe 2480 Pekbga32.exe 4816 Plejdkmm.exe 3232 Pemomqcn.exe 4712 Qljcoj32.exe 3488 Aojlaeei.exe 1328 Alnmjjdb.exe 4748 Aakebqbj.exe 2992 Ajbmdn32.exe 4144 Aanbhp32.exe 4380 Alcfei32.exe 1232 Abponp32.exe 1588 Ahjgjj32.exe 2624 Aodogdmn.exe 2468 Bfngdn32.exe 1552 Bkmmaeap.exe 3628 Bfbaonae.exe 2988 Bmlilh32.exe 652 Bcfahbpo.exe 4252 Bombmcec.exe 4928 Bmabggdm.exe 3840 Bbnkonbd.exe 748 Cmcolgbj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lchfib32.exe Lomjicei.exe File created C:\Windows\SysWOW64\Elhfbp32.exe Digmqe32.exe File created C:\Windows\SysWOW64\Bjpakhmh.dll Mmpbkm32.exe File created C:\Windows\SysWOW64\Oiepphim.dll Dgnffp32.exe File created C:\Windows\SysWOW64\Flodilma.exe Fchlhnlo.exe File created C:\Windows\SysWOW64\Ocgjojai.dll Njljch32.exe File created C:\Windows\SysWOW64\Opepqban.dll Qkfkng32.exe File opened for modification C:\Windows\SysWOW64\Ddjecalo.exe Donlkjng.exe File opened for modification C:\Windows\SysWOW64\Kmobdm32.exe Process not Found File created C:\Windows\SysWOW64\Bkefcnhm.dll Lpbokjho.exe File opened for modification C:\Windows\SysWOW64\Hkbddo32.exe Process not Found File created C:\Windows\SysWOW64\Jihdpleo.dll Gmiclo32.exe File opened for modification C:\Windows\SysWOW64\Fbnhjn32.exe Fqmlbfbo.exe File created C:\Windows\SysWOW64\Eiclml32.dll Emjomf32.exe File created C:\Windows\SysWOW64\Hhbipa32.dll Moobkh32.exe File created C:\Windows\SysWOW64\Mbjofoen.dll Process not Found File created C:\Windows\SysWOW64\Pahiebeq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gjdaodja.exe Gbmingjo.exe File created C:\Windows\SysWOW64\Ecgjjo32.dll Nnfkgp32.exe File opened for modification C:\Windows\SysWOW64\Cbglgg32.exe Clmckmcq.exe File created C:\Windows\SysWOW64\Ejbgidpn.dll Ngcngfgl.exe File opened for modification C:\Windows\SysWOW64\Gajibq32.exe Gokmfe32.exe File created C:\Windows\SysWOW64\Efpinffg.dll Femgia32.exe File created C:\Windows\SysWOW64\Fapdomgg.exe Process not Found File created C:\Windows\SysWOW64\Lbkigk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Iehmmb32.exe Ibjqaf32.exe File created C:\Windows\SysWOW64\Hjlkfnim.dll Bbbblhnc.exe File created C:\Windows\SysWOW64\Plbeef32.dll Fmejlcoj.exe File opened for modification C:\Windows\SysWOW64\Lemjlcgo.exe Lhijcohe.exe File created C:\Windows\SysWOW64\Oekpdoll.exe Ooaghe32.exe File created C:\Windows\SysWOW64\Pamiaboj.exe Pibdmp32.exe File created C:\Windows\SysWOW64\Bmabggdm.exe Bombmcec.exe File created C:\Windows\SysWOW64\Efccmidp.exe Epikpo32.exe File created C:\Windows\SysWOW64\Jfdqcf32.dll Albkieqj.exe File created C:\Windows\SysWOW64\Pplcnf32.exe Pchcdbck.exe File created C:\Windows\SysWOW64\Donecfao.exe Dlpigk32.exe File created C:\Windows\SysWOW64\Cgmfel32.exe Cofndo32.exe File opened for modification C:\Windows\SysWOW64\Jefbomoe.exe Jlnnfghd.exe File created C:\Windows\SysWOW64\Fipbnn32.exe Process not Found File created C:\Windows\SysWOW64\Icimgcph.dll Process not Found File created C:\Windows\SysWOW64\Nbnpmp32.exe Process not Found File created C:\Windows\SysWOW64\Acbmjcgd.exe Aflpkpjm.exe File created C:\Windows\SysWOW64\Hklpaeno.exe Hhmdeink.exe File created C:\Windows\SysWOW64\Jfhbpmjb.dll Fqfeag32.exe File opened for modification C:\Windows\SysWOW64\Knifging.exe Kccbjq32.exe File created C:\Windows\SysWOW64\Fqjolfda.exe Ffekom32.exe File created C:\Windows\SysWOW64\Mannco32.dll Bcebadof.exe File created C:\Windows\SysWOW64\Niklip32.exe Npbhqj32.exe File opened for modification C:\Windows\SysWOW64\Bgpggm32.exe Process not Found File created C:\Windows\SysWOW64\Aqdjon32.dll Bombmcec.exe File created C:\Windows\SysWOW64\Ldacnaoi.dll Qkakhakq.exe File created C:\Windows\SysWOW64\Qhekaejj.exe Qdipag32.exe File opened for modification C:\Windows\SysWOW64\Ifnbph32.exe Icpecm32.exe File created C:\Windows\SysWOW64\Hkckoe32.exe Hdicbkci.exe File opened for modification C:\Windows\SysWOW64\Fjmkoeqi.exe Fdccbl32.exe File opened for modification C:\Windows\SysWOW64\Aflpkpjm.exe Qkfkng32.exe File created C:\Windows\SysWOW64\Nhkpdi32.exe Nemchn32.exe File created C:\Windows\SysWOW64\Fplpll32.exe Fibhpbea.exe File opened for modification C:\Windows\SysWOW64\Icnphd32.exe Imdgljil.exe File created C:\Windows\SysWOW64\Aofjoo32.exe Agobna32.exe File created C:\Windows\SysWOW64\Cjdegg32.dll Process not Found File created C:\Windows\SysWOW64\Knknhqjn.dll Dcpmen32.exe File created C:\Windows\SysWOW64\Hkdgdjib.dll Jabiie32.exe File created C:\Windows\SysWOW64\Pbdgkjib.dll Pnfdnnbo.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkakhakq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jblloe32.dll" Bgimjmfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chjaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jikoopij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkfkng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkebqokl.dll" Afeban32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phbolflm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ainnhdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmfqgao.dll" Liifnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgebmil.dll" Ccmgiaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhhaclqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajjboai.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmmjpjpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmggfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpepbgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkadoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fanigb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghmkol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cekhihig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omecechf.dll" Jpkpbpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clijablo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gedfblql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glchjedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkiobhac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpehef32.dll" Hlkfbocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldgkp32.dll" Khlklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hklpaeno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhopqko.dll" Beoimjce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjgfkpf.dll" Hdicggla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhclcf32.dll" Mpchbhjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihgmo32.dll" Fpejlmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdbplg32.dll" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngdgaia.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloim32.dll" Fhfenmbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lalnmiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlpigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lemjlcgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajnkmjqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalbjhdj.dll" Oimkbaed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Incdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eigdflna.dll" Jcnbekok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mabdlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkkcqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfemdcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gedfblql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcnbekok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjiao32.dll" Bchogd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkfookmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Achmjmnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpbjfjci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keekjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgniimhp.dll" Phpbffnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbbblhnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmapag32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2952 wrote to memory of 4832 2952 NEAS.dadc34fa9c9d8e5237573c956f466250.exe 87 PID 2952 wrote to memory of 4832 2952 NEAS.dadc34fa9c9d8e5237573c956f466250.exe 87 PID 2952 wrote to memory of 4832 2952 NEAS.dadc34fa9c9d8e5237573c956f466250.exe 87 PID 4832 wrote to memory of 4844 4832 Gkiaej32.exe 89 PID 4832 wrote to memory of 4844 4832 Gkiaej32.exe 89 PID 4832 wrote to memory of 4844 4832 Gkiaej32.exe 89 PID 4844 wrote to memory of 2932 4844 Hpmpnp32.exe 90 PID 4844 wrote to memory of 2932 4844 Hpmpnp32.exe 90 PID 4844 wrote to memory of 2932 4844 Hpmpnp32.exe 90 PID 2932 wrote to memory of 4540 2932 Idghpmnp.exe 91 PID 2932 wrote to memory of 4540 2932 Idghpmnp.exe 91 PID 2932 wrote to memory of 4540 2932 Idghpmnp.exe 91 PID 4540 wrote to memory of 3328 4540 Ijhjcchb.exe 93 PID 4540 wrote to memory of 3328 4540 Ijhjcchb.exe 93 PID 4540 wrote to memory of 3328 4540 Ijhjcchb.exe 93 PID 3328 wrote to memory of 4868 3328 Jhlgfj32.exe 94 PID 3328 wrote to memory of 4868 3328 Jhlgfj32.exe 94 PID 3328 wrote to memory of 4868 3328 Jhlgfj32.exe 94 PID 4868 wrote to memory of 2832 4868 Jhndljll.exe 95 PID 4868 wrote to memory of 2832 4868 Jhndljll.exe 95 PID 4868 wrote to memory of 2832 4868 Jhndljll.exe 95 PID 2832 wrote to memory of 4336 2832 Jdedak32.exe 96 PID 2832 wrote to memory of 4336 2832 Jdedak32.exe 96 PID 2832 wrote to memory of 4336 2832 Jdedak32.exe 96 PID 4336 wrote to memory of 4640 4336 Jjamia32.exe 97 PID 4336 wrote to memory of 4640 4336 Jjamia32.exe 97 PID 4336 wrote to memory of 4640 4336 Jjamia32.exe 97 PID 4640 wrote to memory of 5040 4640 Jkaicd32.exe 98 PID 4640 wrote to memory of 5040 4640 Jkaicd32.exe 98 PID 4640 wrote to memory of 5040 4640 Jkaicd32.exe 98 PID 5040 wrote to memory of 1700 5040 Kkcfid32.exe 99 PID 5040 wrote to memory of 1700 5040 Kkcfid32.exe 99 PID 5040 wrote to memory of 1700 5040 Kkcfid32.exe 99 PID 1700 wrote to memory of 4852 1700 Kiggbhda.exe 100 PID 1700 wrote to memory of 4852 1700 Kiggbhda.exe 100 PID 1700 wrote to memory of 4852 1700 Kiggbhda.exe 100 PID 4852 wrote to memory of 2672 4852 Kjhcjq32.exe 101 PID 4852 wrote to memory of 2672 4852 Kjhcjq32.exe 101 PID 4852 wrote to memory of 2672 4852 Kjhcjq32.exe 101 PID 2672 wrote to memory of 3876 2672 Keqdmihc.exe 102 PID 2672 wrote to memory of 3876 2672 Keqdmihc.exe 102 PID 2672 wrote to memory of 3876 2672 Keqdmihc.exe 102 PID 3876 wrote to memory of 3980 3876 Kniieo32.exe 106 PID 3876 wrote to memory of 3980 3876 Kniieo32.exe 106 PID 3876 wrote to memory of 3980 3876 Kniieo32.exe 106 PID 3980 wrote to memory of 3060 3980 Kinmcg32.exe 105 PID 3980 wrote to memory of 3060 3980 Kinmcg32.exe 105 PID 3980 wrote to memory of 3060 3980 Kinmcg32.exe 105 PID 3060 wrote to memory of 1096 3060 Leenhhdn.exe 103 PID 3060 wrote to memory of 1096 3060 Leenhhdn.exe 103 PID 3060 wrote to memory of 1096 3060 Leenhhdn.exe 103 PID 1096 wrote to memory of 4688 1096 Ljbfpo32.exe 104 PID 1096 wrote to memory of 4688 1096 Ljbfpo32.exe 104 PID 1096 wrote to memory of 4688 1096 Ljbfpo32.exe 104 PID 4688 wrote to memory of 760 4688 Lalnmiia.exe 107 PID 4688 wrote to memory of 760 4688 Lalnmiia.exe 107 PID 4688 wrote to memory of 760 4688 Lalnmiia.exe 107 PID 760 wrote to memory of 8 760 Lbngllob.exe 108 PID 760 wrote to memory of 8 760 Lbngllob.exe 108 PID 760 wrote to memory of 8 760 Lbngllob.exe 108 PID 8 wrote to memory of 2016 8 Lijlof32.exe 109 PID 8 wrote to memory of 2016 8 Lijlof32.exe 109 PID 8 wrote to memory of 2016 8 Lijlof32.exe 109 PID 2016 wrote to memory of 2692 2016 Mngegmbc.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.dadc34fa9c9d8e5237573c956f466250.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.dadc34fa9c9d8e5237573c956f466250.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe6⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe7⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe8⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe9⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe10⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe11⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe12⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe13⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe14⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe15⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe16⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe17⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe18⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe19⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe20⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe21⤵
- Executes dropped EXE
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe22⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe23⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe26⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe27⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe28⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe29⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe31⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe32⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe33⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe34⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe35⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe36⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe37⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe38⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe39⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe40⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe41⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe42⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe43⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe44⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4252 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe47⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe48⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe49⤵
- Modifies registry class
PID:3448 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe50⤵PID:2596
-
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe51⤵PID:2944
-
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe52⤵PID:4408
-
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe53⤵PID:4268
-
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe54⤵PID:4340
-
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4728 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe56⤵PID:1960
-
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe57⤵PID:3336
-
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe58⤵PID:4848
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe59⤵PID:4100
-
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe60⤵PID:5124
-
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe61⤵PID:5164
-
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe62⤵PID:5204
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe63⤵PID:5248
-
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe64⤵PID:5312
-
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe65⤵PID:5356
-
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe66⤵PID:5392
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe67⤵PID:5460
-
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe68⤵PID:5512
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe69⤵
- Drops file in System32 directory
PID:5564 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe70⤵PID:5616
-
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe71⤵PID:5660
-
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe72⤵PID:5704
-
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe73⤵PID:5756
-
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe74⤵
- Drops file in System32 directory
PID:5800 -
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe75⤵PID:5840
-
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe76⤵PID:5884
-
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe77⤵PID:5928
-
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe78⤵PID:5968
-
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6016 -
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe80⤵PID:6088
-
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe81⤵PID:6140
-
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe82⤵PID:5196
-
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe83⤵PID:5272
-
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe84⤵PID:5368
-
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe85⤵PID:5448
-
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe86⤵
- Modifies registry class
PID:5544 -
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe87⤵PID:5644
-
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe88⤵PID:5728
-
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe89⤵
- Drops file in System32 directory
PID:5808 -
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe90⤵PID:5868
-
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe91⤵PID:5956
-
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe92⤵PID:6072
-
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe93⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Fplpll32.exeC:\Windows\system32\Fplpll32.exe94⤵PID:5236
-
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe95⤵PID:5384
-
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe96⤵PID:224
-
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe97⤵
- Drops file in System32 directory
PID:5548 -
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe98⤵PID:5712
-
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe99⤵PID:5816
-
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe100⤵PID:5920
-
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe101⤵PID:6080
-
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe102⤵PID:5264
-
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe103⤵
- Modifies registry class
PID:5492 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe104⤵PID:5588
-
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe105⤵
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5912 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe107⤵PID:5184
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe108⤵PID:5504
-
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe109⤵PID:5744
-
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe110⤵PID:6040
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe111⤵PID:1156
-
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe112⤵PID:5916
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe113⤵PID:5440
-
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe114⤵PID:5520
-
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe115⤵PID:5924
-
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe116⤵PID:6160
-
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe117⤵PID:6204
-
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe118⤵PID:6248
-
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe119⤵PID:6292
-
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe120⤵PID:6332
-
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe121⤵PID:6380
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-