Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/11/2023, 08:34 UTC
Behavioral task behavioral1
- Sample: NEAS.b57be66e9dae728198526a9856130060.exe
- Resource: win7-20231023-en
Behavioral task behavioral2
- Sample: NEAS.b57be66e9dae728198526a9856130060.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.b57be66e9dae728198526a9856130060.exe
- Size: 368KB
- MD5: b57be66e9dae728198526a9856130060
- SHA1: b5352b51610b1dca8d1e521a66bcd1416c17cb62
- SHA256: b891c271e323f68bdf49b88d6911e1e3777931125a8f684fb685bb4980311db8
- SHA512: b3e4714ee038d82f4248712c89b4e819d05bd83943c8f6bc394c460ff2b9401750d9e4482b06318c6009f3e063c166b07d1366c0e8db6ca061ad91fadb5fd692
- SSDEEP: 6144:GWJK1l+x1M4JNiWu9PE4f9FIUpOVw86CmOJfTo9FIUIhrcflDMxy9FIUpOVw86CU:GW06P1NiWuaaAD6RrI1+lDMEAD6Rr2Na
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
pid 560, pid_target 5104, process WerFault.exe, procid_target 654
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.b57be66e9dae728198526a9856130060.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b57be66e9dae728198526a9856130060.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Iajdgcab.exeC:\Windows\system32\Iajdgcab.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Jaajhb32.exeC:\Windows\system32\Jaajhb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Keifdpif.exeC:\Windows\system32\Keifdpif.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Kofdhd32.exeC:\Windows\system32\Kofdhd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Llqjbhdc.exeC:\Windows\system32\Llqjbhdc.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Mjidgkog.exeC:\Windows\system32\Mjidgkog.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Mfenglqf.exeC:\Windows\system32\Mfenglqf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Njgqhicg.exeC:\Windows\system32\Njgqhicg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Nfqnbjfi.exeC:\Windows\system32\Nfqnbjfi.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Oiccje32.exeC:\Windows\system32\Oiccje32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Oophlo32.exeC:\Windows\system32\Oophlo32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Oikjkc32.exeC:\Windows\system32\Oikjkc32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Pjoppf32.exeC:\Windows\system32\Pjoppf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Pakdbp32.exeC:\Windows\system32\Pakdbp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Qjffpe32.exeC:\Windows\system32\Qjffpe32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Ajaelc32.exeC:\Windows\system32\Ajaelc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Bfmolc32.exeC:\Windows\system32\Bfmolc32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Cgiohbfi.exeC:\Windows\system32\Cgiohbfi.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Cgmhcaac.exeC:\Windows\system32\Cgmhcaac.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Dgdncplk.exeC:\Windows\system32\Dgdncplk.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Ddhomdje.exeC:\Windows\system32\Ddhomdje.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Ekljpm32.exeC:\Windows\system32\Ekljpm32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Fcneeo32.exeC:\Windows\system32\Fcneeo32.exe26⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe27⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Gjcmngnj.exeC:\Windows\system32\Gjcmngnj.exe28⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Gbpnjdkg.exeC:\Windows\system32\Gbpnjdkg.exe29⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Gjkbnfha.exeC:\Windows\system32\Gjkbnfha.exe30⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Icfmci32.exeC:\Windows\system32\Icfmci32.exe32⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe33⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe35⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe36⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Ledoegkm.exeC:\Windows\system32\Ledoegkm.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4020 -
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe38⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Memalfcb.exeC:\Windows\system32\Memalfcb.exe39⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe40⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Nlqloo32.exeC:\Windows\system32\Nlqloo32.exe41⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe42⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe43⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Ocmjhfjl.exeC:\Windows\system32\Ocmjhfjl.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4500 -
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Pkoemhao.exeC:\Windows\system32\Pkoemhao.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4280 -
C:\Windows\SysWOW64\Cefoni32.exeC:\Windows\system32\Cefoni32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4604 -
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe50⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe51⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe53⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe54⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe55⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Gcgqag32.exeC:\Windows\system32\Gcgqag32.exe56⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe57⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Inagpm32.exeC:\Windows\system32\Inagpm32.exe58⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Iepihf32.exeC:\Windows\system32\Iepihf32.exe59⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe62⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Nkpijfgf.exeC:\Windows\system32\Nkpijfgf.exe63⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Nkbfpeec.exeC:\Windows\system32\Nkbfpeec.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4580 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe66⤵PID:3840
C:\Windows\SysWOW64\Nnfkgp32.exeC:\Windows\system32\Nnfkgp32.exe67⤵PID:2912
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe68⤵PID:2348
C:\Windows\SysWOW64\Aohfdnil.exeC:\Windows\system32\Aohfdnil.exe69⤵PID:932
C:\Windows\SysWOW64\Bpomem32.exeC:\Windows\system32\Bpomem32.exe70⤵PID:564
C:\Windows\SysWOW64\Bgkaip32.exeC:\Windows\system32\Bgkaip32.exe71⤵PID:2924
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe72⤵PID:4772
C:\Windows\SysWOW64\Ciaddaaj.exeC:\Windows\system32\Ciaddaaj.exe73⤵
- Drops file in System32 directory
PID:4024 -
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe74⤵PID:3392
C:\Windows\SysWOW64\Clffalkf.exeC:\Windows\system32\Clffalkf.exe75⤵PID:552
C:\Windows\SysWOW64\Dbjade32.exeC:\Windows\system32\Dbjade32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:636 -
C:\Windows\SysWOW64\Dblnid32.exeC:\Windows\system32\Dblnid32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe78⤵PID:3896
C:\Windows\SysWOW64\Ehkcgkdj.exeC:\Windows\system32\Ehkcgkdj.exe79⤵
- Modifies registry class
PID:4544 -
C:\Windows\SysWOW64\Ebagdddp.exeC:\Windows\system32\Ebagdddp.exe80⤵PID:2244
C:\Windows\SysWOW64\Eeaqfo32.exeC:\Windows\system32\Eeaqfo32.exe81⤵PID:1920
C:\Windows\SysWOW64\Elnehifk.exeC:\Windows\system32\Elnehifk.exe82⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Foonjd32.exeC:\Windows\system32\Foonjd32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1012 -
C:\Windows\SysWOW64\Flekihpc.exeC:\Windows\system32\Flekihpc.exe84⤵PID:876
C:\Windows\SysWOW64\Gheodg32.exeC:\Windows\system32\Gheodg32.exe85⤵PID:4828
C:\Windows\SysWOW64\Googaaej.exeC:\Windows\system32\Googaaej.exe86⤵PID:4088
C:\Windows\SysWOW64\Hpejlc32.exeC:\Windows\system32\Hpejlc32.exe87⤵PID:3908
C:\Windows\SysWOW64\Homcbo32.exeC:\Windows\system32\Homcbo32.exe88⤵PID:3576
C:\Windows\SysWOW64\Hfgloiqf.exeC:\Windows\system32\Hfgloiqf.exe89⤵
- Drops file in System32 directory
PID:3860 -
C:\Windows\SysWOW64\Iqombb32.exeC:\Windows\system32\Iqombb32.exe90⤵PID:5128
C:\Windows\SysWOW64\Iqdfmajd.exeC:\Windows\system32\Iqdfmajd.exe91⤵PID:5164
C:\Windows\SysWOW64\Ignnjk32.exeC:\Windows\system32\Ignnjk32.exe92⤵PID:5216
C:\Windows\SysWOW64\Jfgefg32.exeC:\Windows\system32\Jfgefg32.exe93⤵PID:5260
C:\Windows\SysWOW64\Jfjakgpa.exeC:\Windows\system32\Jfjakgpa.exe94⤵
- Drops file in System32 directory
PID:5304 -
C:\Windows\SysWOW64\Jflnafno.exeC:\Windows\system32\Jflnafno.exe95⤵PID:5348
C:\Windows\SysWOW64\Kaflio32.exeC:\Windows\system32\Kaflio32.exe96⤵PID:5392
C:\Windows\SysWOW64\Ljhchc32.exeC:\Windows\system32\Ljhchc32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436 -
C:\Windows\SysWOW64\Mmpbkm32.exeC:\Windows\system32\Mmpbkm32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5480 -
C:\Windows\SysWOW64\Migcpneb.exeC:\Windows\system32\Migcpneb.exe99⤵PID:5524
C:\Windows\SysWOW64\Mjfoja32.exeC:\Windows\system32\Mjfoja32.exe100⤵PID:5560
C:\Windows\SysWOW64\Mapgfk32.exeC:\Windows\system32\Mapgfk32.exe101⤵PID:5616
C:\Windows\SysWOW64\Maeaajpl.exeC:\Windows\system32\Maeaajpl.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5660 -
C:\Windows\SysWOW64\Njmejp32.exeC:\Windows\system32\Njmejp32.exe103⤵PID:5720
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe104⤵PID:5844
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe105⤵
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Oiehhjjp.exeC:\Windows\system32\Oiehhjjp.exe106⤵PID:5936
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe107⤵PID:5972
C:\Windows\SysWOW64\Pkinmlnm.exeC:\Windows\system32\Pkinmlnm.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6024 -
C:\Windows\SysWOW64\Akgjnj32.exeC:\Windows\system32\Akgjnj32.exe109⤵PID:6068
C:\Windows\SysWOW64\Aqilaplo.exeC:\Windows\system32\Aqilaplo.exe110⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Bjmpfdhb.exeC:\Windows\system32\Bjmpfdhb.exe111⤵PID:5296
C:\Windows\SysWOW64\Cebdcmhh.exeC:\Windows\system32\Cebdcmhh.exe112⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Dndlba32.exeC:\Windows\system32\Dndlba32.exe113⤵PID:5416
C:\Windows\SysWOW64\Dnkbcp32.exeC:\Windows\system32\Dnkbcp32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Diafqi32.exeC:\Windows\system32\Diafqi32.exe115⤵PID:5540
C:\Windows\SysWOW64\Dnnoip32.exeC:\Windows\system32\Dnnoip32.exe116⤵PID:5608
C:\Windows\SysWOW64\Ejdonq32.exeC:\Windows\system32\Ejdonq32.exe117⤵PID:5700
C:\Windows\SysWOW64\Eieplhlf.exeC:\Windows\system32\Eieplhlf.exe118⤵PID:5056
C:\Windows\SysWOW64\Enbhdojn.exeC:\Windows\system32\Enbhdojn.exe119⤵
- Modifies registry class
PID:5820 -
C:\Windows\SysWOW64\Eihlahjd.exeC:\Windows\system32\Eihlahjd.exe120⤵PID:5864
C:\Windows\SysWOW64\Enedio32.exeC:\Windows\system32\Enedio32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Ehofhdli.exeC:\Windows\system32\Ehofhdli.exe122⤵PID:892