Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 17:53
Behavioral task
behavioral1
Sample
NEAS.b855077b45106d78ff1de67d7ad3a210.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b855077b45106d78ff1de67d7ad3a210.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.b855077b45106d78ff1de67d7ad3a210.exe
-
Size
235KB
-
MD5
b855077b45106d78ff1de67d7ad3a210
-
SHA1
303e961631942b62d08a094ca90ba988cd153056
-
SHA256
35f1f7b39ec20133dfeb32b46d94af6b266701459d22004716f25d5825225b84
-
SHA512
b3d5ca8731e0c8a4b5a93e365b0d02e59198e324205588e99caa05cb76bb413b8c17acf9b689f67225d134698888c07f7b07b21c69ac18db1c0003cccfde1d1d
-
SSDEEP
3072:a3Xm3Y0/HOVMgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ4vnZy7L5AuJaW4bI5:/Z/ulrtMsQB+vn87L5A5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbqonf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agojdnng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgbppknb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eehdii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fadoii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boflmdkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijeme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbeobhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qefkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alelkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdiohhbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghgjlaln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmnfofi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eincadmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcncjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeodqocd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fochecog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glajeiml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efikco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bppcpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfcqod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egpgehnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljijci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfmlok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihcln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckddn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badanigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nomlek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdadpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfdnnbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidabppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfgjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodjemee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpnpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdjin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abemep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdoel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfqgkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afkknogn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnjbdep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpcdfll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlhipbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfefdpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdmeqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oahnhncc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcepkfld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glengm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbppknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfhqkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knpmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flgfqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdqcikl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Incdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okeklcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpdfpmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmlmcmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcneca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognpoheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohkai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgfmeg32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000022e33-9.dat family_berbew behavioral2/files/0x0007000000022e33-7.dat family_berbew behavioral2/files/0x0007000000022e35-15.dat family_berbew behavioral2/files/0x0007000000022e35-17.dat family_berbew behavioral2/files/0x0007000000022e38-18.dat family_berbew behavioral2/files/0x0007000000022e38-23.dat family_berbew behavioral2/files/0x0007000000022e38-25.dat family_berbew behavioral2/files/0x0007000000022e3b-27.dat family_berbew behavioral2/files/0x0007000000022e3b-33.dat family_berbew behavioral2/files/0x0007000000022e3b-31.dat family_berbew behavioral2/files/0x0007000000022e3d-39.dat family_berbew behavioral2/files/0x0007000000022e3d-41.dat family_berbew behavioral2/files/0x0007000000022e3f-47.dat family_berbew behavioral2/files/0x0007000000022e3f-49.dat family_berbew behavioral2/files/0x0007000000022e41-55.dat family_berbew behavioral2/files/0x0007000000022e41-57.dat family_berbew behavioral2/files/0x0007000000022e43-63.dat family_berbew behavioral2/files/0x0007000000022e43-65.dat family_berbew behavioral2/files/0x0007000000022e45-71.dat family_berbew behavioral2/files/0x0007000000022e45-73.dat family_berbew behavioral2/files/0x0007000000022e47-79.dat family_berbew behavioral2/files/0x0007000000022e47-80.dat family_berbew behavioral2/files/0x0007000000022e49-87.dat family_berbew behavioral2/files/0x0007000000022e4b-97.dat family_berbew behavioral2/files/0x0007000000022e4b-96.dat family_berbew behavioral2/files/0x0007000000022e49-88.dat family_berbew behavioral2/files/0x0007000000022e4d-105.dat family_berbew behavioral2/files/0x0007000000022e4d-104.dat family_berbew behavioral2/files/0x0007000000022e50-112.dat family_berbew behavioral2/files/0x0007000000022e50-113.dat family_berbew behavioral2/files/0x0007000000022e52-120.dat family_berbew behavioral2/files/0x0007000000022e52-122.dat family_berbew behavioral2/files/0x0007000000022e54-129.dat family_berbew behavioral2/files/0x0007000000022e54-128.dat family_berbew behavioral2/files/0x0007000000022e56-136.dat family_berbew behavioral2/files/0x0007000000022e56-138.dat family_berbew behavioral2/files/0x0007000000022e58-144.dat family_berbew behavioral2/files/0x0007000000022e58-146.dat family_berbew behavioral2/files/0x0007000000022e5a-152.dat family_berbew behavioral2/files/0x0007000000022e5a-153.dat family_berbew behavioral2/files/0x0007000000022e5e-160.dat family_berbew behavioral2/files/0x0007000000022e5e-161.dat family_berbew behavioral2/files/0x0007000000022e60-168.dat family_berbew behavioral2/files/0x0007000000022e60-170.dat family_berbew behavioral2/files/0x0007000000022e62-176.dat family_berbew behavioral2/files/0x0007000000022e62-178.dat family_berbew behavioral2/files/0x0007000000022e64-184.dat family_berbew behavioral2/files/0x0007000000022e64-186.dat family_berbew behavioral2/files/0x0007000000022e67-193.dat family_berbew behavioral2/files/0x0007000000022e67-192.dat family_berbew behavioral2/files/0x0007000000022e69-200.dat family_berbew behavioral2/files/0x0007000000022e69-202.dat family_berbew behavioral2/files/0x0007000000022e6b-208.dat family_berbew behavioral2/files/0x0007000000022e6b-210.dat family_berbew behavioral2/files/0x0007000000022e6d-216.dat family_berbew behavioral2/files/0x0007000000022e6d-218.dat family_berbew behavioral2/files/0x0007000000022e75-224.dat family_berbew behavioral2/files/0x0007000000022e75-225.dat family_berbew behavioral2/files/0x000a000000022e6f-232.dat family_berbew behavioral2/files/0x000a000000022e6f-234.dat family_berbew behavioral2/files/0x0008000000022e73-242.dat family_berbew behavioral2/files/0x0008000000022e73-240.dat family_berbew behavioral2/files/0x0007000000022e7b-248.dat family_berbew behavioral2/files/0x0007000000022e7b-249.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2668 Mniallpq.exe 4912 Mlpokp32.exe 4388 Mnphmkji.exe 3972 Nobdbkhf.exe 4796 Noeahkfc.exe 4064 Nliaao32.exe 5080 Nhpbfpka.exe 3528 Nbefdijg.exe 428 Nbgcih32.exe 1172 Niakfbpa.exe 2324 Oondnini.exe 2484 Oidhlb32.exe 856 Okedcjcm.exe 1016 Oldamm32.exe 2880 Oemefcap.exe 2248 Obafpg32.exe 4724 Obcceg32.exe 3700 Pcepkfld.exe 1532 Piphgq32.exe 3848 Pefhlaie.exe 4504 Plpqil32.exe 1556 Pidabppl.exe 648 Poajkgnc.exe 1416 Phincl32.exe 3632 Pocfpf32.exe 1304 Qkjgegae.exe 3016 Qkmdkgob.exe 3944 Alqjpi32.exe 1364 Ajdjin32.exe 3168 Afkknogn.exe 2628 Aleckinj.exe 3736 Abbkcpma.exe 4332 Boflmdkk.exe 3688 Bhoqeibl.exe 3820 Bfbaonae.exe 1576 Bhamkipi.exe 3292 Bcfahbpo.exe 4996 Bkafmd32.exe 1724 Bfgjjm32.exe 3952 Bkdcbd32.exe 3844 Codhnb32.exe 2088 Cimmggfl.exe 1320 Cofecami.exe 1684 Cmjemflb.exe 1528 Cjnffjkl.exe 2888 Ckpbnb32.exe 4952 Dmoohe32.exe 2524 Difpmfna.exe 3484 Dihlbf32.exe 1408 Dcnqpo32.exe 3048 Dikihe32.exe 3692 Dlieda32.exe 2996 Dbcmakpl.exe 1504 Dmhand32.exe 2960 Ecbjkngo.exe 1096 Ejlbhh32.exe 436 Emkndc32.exe 3720 Efccmidp.exe 396 Emmkiclm.exe 3716 Ebjcajjd.exe 1060 Emphocjj.exe 1536 Ejchhgid.exe 2092 Eleepoob.exe 4640 Ebommi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Megdmhbp.exe Gfngke32.exe File created C:\Windows\SysWOW64\Qkjgegae.exe Pocfpf32.exe File created C:\Windows\SysWOW64\Ohcakk32.dll Fgcjea32.exe File created C:\Windows\SysWOW64\Naaeedej.dll Onekeb32.exe File created C:\Windows\SysWOW64\Ffclcgfn.exe Fpjcgm32.exe File created C:\Windows\SysWOW64\Ckhain32.dll Ggahedjn.exe File opened for modification C:\Windows\SysWOW64\Oahnhncc.exe Ohpiphlb.exe File created C:\Windows\SysWOW64\Eihcln32.exe Efjgpc32.exe File created C:\Windows\SysWOW64\Aidcjk32.exe Aeigilml.exe File created C:\Windows\SysWOW64\Gjnlha32.exe Fgpplf32.exe File opened for modification C:\Windows\SysWOW64\Qhekaejj.exe Qdipag32.exe File created C:\Windows\SysWOW64\Akhkncql.dll Ddnfmqng.exe File created C:\Windows\SysWOW64\Hgnlmdcp.exe Hnehdo32.exe File opened for modification C:\Windows\SysWOW64\Mlpokp32.exe Mniallpq.exe File created C:\Windows\SysWOW64\Ocjggbdl.dll Glgjlm32.exe File created C:\Windows\SysWOW64\Dcmjpl32.exe Dobnpm32.exe File created C:\Windows\SysWOW64\Eocegn32.exe Eleikb32.exe File created C:\Windows\SysWOW64\Mcpeehaj.dll Goabhl32.exe File opened for modification C:\Windows\SysWOW64\Cmjemflb.exe Cofecami.exe File opened for modification C:\Windows\SysWOW64\Ojllkcdk.exe Ognpoheh.exe File opened for modification C:\Windows\SysWOW64\Badanigc.exe Bochmn32.exe File opened for modification C:\Windows\SysWOW64\Eincadmf.exe Egpgehnb.exe File opened for modification C:\Windows\SysWOW64\Ccdgjm32.exe Cpfkna32.exe File opened for modification C:\Windows\SysWOW64\Fplpll32.exe Fmndpq32.exe File created C:\Windows\SysWOW64\Nibaepqb.dll Ohpiphlb.exe File created C:\Windows\SysWOW64\Amblpikl.exe Aekdolkj.exe File created C:\Windows\SysWOW64\Lcgmnddm.dll Meoggpmd.exe File created C:\Windows\SysWOW64\Pcmnmk32.dll Ainnhdbp.exe File opened for modification C:\Windows\SysWOW64\Bnkbcj32.exe Blielbfi.exe File opened for modification C:\Windows\SysWOW64\Bebjdgmj.exe Bnkbcj32.exe File opened for modification C:\Windows\SysWOW64\Bakgoh32.exe Bdgged32.exe File created C:\Windows\SysWOW64\Fphmhm32.dll Gnlenp32.exe File created C:\Windows\SysWOW64\Cifmoa32.exe Cblebgfh.exe File opened for modification C:\Windows\SysWOW64\Ellpmolj.exe Eincadmf.exe File created C:\Windows\SysWOW64\Hmbkfjko.exe Hjcojo32.exe File created C:\Windows\SysWOW64\Ollklain.dll Apcead32.exe File opened for modification C:\Windows\SysWOW64\Bhpfqcln.exe Bebjdgmj.exe File created C:\Windows\SysWOW64\Nkeoha32.dll Beaecjab.exe File created C:\Windows\SysWOW64\Mdokmm32.exe Maaoaa32.exe File opened for modification C:\Windows\SysWOW64\Meoggpmd.exe Mmhofbma.exe File created C:\Windows\SysWOW64\Fepmgm32.exe Fcaqka32.exe File created C:\Windows\SysWOW64\Dofgklcb.exe Dmhkoaco.exe File opened for modification C:\Windows\SysWOW64\Dofgklcb.exe Dmhkoaco.exe File opened for modification C:\Windows\SysWOW64\Enajobbf.exe Ejennd32.exe File created C:\Windows\SysWOW64\Fkjfloeo.exe Flgfqb32.exe File opened for modification C:\Windows\SysWOW64\Gbabigfj.exe Glgjlm32.exe File created C:\Windows\SysWOW64\Cnjpknni.dll Gkhkjd32.exe File created C:\Windows\SysWOW64\Gefchq32.dll Hdhedh32.exe File created C:\Windows\SysWOW64\Amkejmgc.dll Cfhhml32.exe File created C:\Windows\SysWOW64\Cbccbiml.dll Dmkcpdao.exe File opened for modification C:\Windows\SysWOW64\Fdogjk32.exe Fneoma32.exe File opened for modification C:\Windows\SysWOW64\Oidhlb32.exe Oondnini.exe File created C:\Windows\SysWOW64\Gfemmb32.exe Gcgqag32.exe File opened for modification C:\Windows\SysWOW64\Efopjbjg.exe Elilmi32.exe File created C:\Windows\SysWOW64\Amgekh32.exe Agmmnnpj.exe File opened for modification C:\Windows\SysWOW64\Oemefcap.exe Oldamm32.exe File created C:\Windows\SysWOW64\Qcanijap.dll Qkmdkgob.exe File created C:\Windows\SysWOW64\Gjimmmpe.dll Fmpqfq32.exe File created C:\Windows\SysWOW64\Icncngca.dll Hjcojo32.exe File created C:\Windows\SysWOW64\Cflpcaoh.dll Bgmnooom.exe File created C:\Windows\SysWOW64\Diopep32.exe Dfqdid32.exe File created C:\Windows\SysWOW64\Cmncbodd.dll Oemefcap.exe File opened for modification C:\Windows\SysWOW64\Adikdfna.exe Aajohjon.exe File opened for modification C:\Windows\SysWOW64\Cnfaohbj.exe Ckhecmcf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8044 8596 WerFault.exe 755 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fihqfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdannb32.dll" Hnehdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abodhpic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdjapphl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohpiphlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agckiqgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcdji32.dll" Efjgpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjnqap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noeahkfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmennnni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmdoel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqcilgji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkafmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmpcdfll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefjnc32.dll" Iggocbke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oahnhncc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfbfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bplhhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legokici.dll" Nobdbkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmcjb32.dll" Fllkqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffpcbchm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnqig32.dll" Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpbpopl.dll" Ljkghi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknohl32.dll" Cpklql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Micheb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmpbqoqg.dll" Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfcinq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmqgd32.dll" Fpandm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgblkajh.dll" Agobna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehpjdepi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijjpjqc.dll" Andqol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkkldg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phincl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkmdkgob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqcilgji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfifmo32.dll" Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abohmm32.dll" Nconfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mopeofjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meoggpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbppknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmich32.dll" Eehdii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fooecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdliee32.dll" Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambahc32.dll" Bkdcbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkhfek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpoo32.dll" Ejaecdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjfpp32.dll" Cffkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpdlbon.dll" Meadlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ognpoheh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmpqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeoha32.dll" Beaecjab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingkdn32.dll" Dpnbmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blnoad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnheh32.dll" Dcmjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogkcihgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnfpcag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bikeni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodjemee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfimpfmj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5092 wrote to memory of 2668 5092 NEAS.b855077b45106d78ff1de67d7ad3a210.exe 89 PID 5092 wrote to memory of 2668 5092 NEAS.b855077b45106d78ff1de67d7ad3a210.exe 89 PID 5092 wrote to memory of 2668 5092 NEAS.b855077b45106d78ff1de67d7ad3a210.exe 89 PID 2668 wrote to memory of 4912 2668 Mniallpq.exe 90 PID 2668 wrote to memory of 4912 2668 Mniallpq.exe 90 PID 2668 wrote to memory of 4912 2668 Mniallpq.exe 90 PID 4912 wrote to memory of 4388 4912 Mlpokp32.exe 91 PID 4912 wrote to memory of 4388 4912 Mlpokp32.exe 91 PID 4912 wrote to memory of 4388 4912 Mlpokp32.exe 91 PID 4388 wrote to memory of 3972 4388 Mnphmkji.exe 92 PID 4388 wrote to memory of 3972 4388 Mnphmkji.exe 92 PID 4388 wrote to memory of 3972 4388 Mnphmkji.exe 92 PID 3972 wrote to memory of 4796 3972 Nobdbkhf.exe 93 PID 3972 wrote to memory of 4796 3972 Nobdbkhf.exe 93 PID 3972 wrote to memory of 4796 3972 Nobdbkhf.exe 93 PID 4796 wrote to memory of 4064 4796 Noeahkfc.exe 94 PID 4796 wrote to memory of 4064 4796 Noeahkfc.exe 94 PID 4796 wrote to memory of 4064 4796 Noeahkfc.exe 94 PID 4064 wrote to memory of 5080 4064 Nliaao32.exe 95 PID 4064 wrote to memory of 5080 4064 Nliaao32.exe 95 PID 4064 wrote to memory of 5080 4064 Nliaao32.exe 95 PID 5080 wrote to memory of 3528 5080 Nhpbfpka.exe 96 PID 5080 wrote to memory of 3528 5080 Nhpbfpka.exe 96 PID 5080 wrote to memory of 3528 5080 Nhpbfpka.exe 96 PID 3528 wrote to memory of 428 3528 Nbefdijg.exe 97 PID 3528 wrote to memory of 428 3528 Nbefdijg.exe 97 PID 3528 wrote to memory of 428 3528 Nbefdijg.exe 97 PID 428 wrote to memory of 1172 428 Nbgcih32.exe 98 PID 428 wrote to memory of 1172 428 Nbgcih32.exe 98 PID 428 wrote to memory of 1172 428 Nbgcih32.exe 98 PID 1172 wrote to memory of 2324 1172 Niakfbpa.exe 99 PID 1172 wrote to memory of 2324 1172 Niakfbpa.exe 99 PID 1172 wrote to memory of 2324 1172 Niakfbpa.exe 99 PID 2324 wrote to memory of 2484 2324 Oondnini.exe 100 PID 2324 wrote to memory of 2484 2324 Oondnini.exe 100 PID 2324 wrote to memory of 2484 2324 Oondnini.exe 100 PID 2484 wrote to memory of 856 2484 Oidhlb32.exe 101 PID 2484 wrote to memory of 856 2484 Oidhlb32.exe 101 PID 2484 wrote to memory of 856 2484 Oidhlb32.exe 101 PID 856 wrote to memory of 1016 856 Okedcjcm.exe 102 PID 856 wrote to memory of 1016 856 Okedcjcm.exe 102 PID 856 wrote to memory of 1016 856 Okedcjcm.exe 102 PID 1016 wrote to memory of 2880 1016 Oldamm32.exe 103 PID 1016 wrote to memory of 2880 1016 Oldamm32.exe 103 PID 1016 wrote to memory of 2880 1016 Oldamm32.exe 103 PID 2880 wrote to memory of 2248 2880 Oemefcap.exe 104 PID 2880 wrote to memory of 2248 2880 Oemefcap.exe 104 PID 2880 wrote to memory of 2248 2880 Oemefcap.exe 104 PID 2248 wrote to memory of 4724 2248 Obafpg32.exe 105 PID 2248 wrote to memory of 4724 2248 Obafpg32.exe 105 PID 2248 wrote to memory of 4724 2248 Obafpg32.exe 105 PID 4724 wrote to memory of 3700 4724 Obcceg32.exe 106 PID 4724 wrote to memory of 3700 4724 Obcceg32.exe 106 PID 4724 wrote to memory of 3700 4724 Obcceg32.exe 106 PID 3700 wrote to memory of 1532 3700 Pcepkfld.exe 107 PID 3700 wrote to memory of 1532 3700 Pcepkfld.exe 107 PID 3700 wrote to memory of 1532 3700 Pcepkfld.exe 107 PID 1532 wrote to memory of 3848 1532 Piphgq32.exe 108 PID 1532 wrote to memory of 3848 1532 Piphgq32.exe 108 PID 1532 wrote to memory of 3848 1532 Piphgq32.exe 108 PID 3848 wrote to memory of 4504 3848 Pefhlaie.exe 109 PID 3848 wrote to memory of 4504 3848 Pefhlaie.exe 109 PID 3848 wrote to memory of 4504 3848 Pefhlaie.exe 109 PID 4504 wrote to memory of 1556 4504 Plpqil32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.b855077b45106d78ff1de67d7ad3a210.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b855077b45106d78ff1de67d7ad3a210.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe24⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3632 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe29⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe32⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe35⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe36⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe37⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe38⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4996 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe42⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe43⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe45⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe47⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe48⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe50⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe51⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe52⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe53⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe54⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe55⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe56⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe57⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe58⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe59⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe60⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe61⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe62⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe63⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe64⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe65⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe66⤵PID:1148
-
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe67⤵PID:2396
-
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe68⤵PID:388
-
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe69⤵PID:1312
-
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe70⤵PID:1624
-
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe71⤵
- Modifies registry class
PID:4940 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe72⤵PID:3056
-
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe73⤵
- Drops file in System32 directory
PID:4272 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe74⤵PID:2548
-
C:\Windows\SysWOW64\Fmndpq32.exeC:\Windows\system32\Fmndpq32.exe75⤵
- Drops file in System32 directory
PID:4988 -
C:\Windows\SysWOW64\Fplpll32.exeC:\Windows\system32\Fplpll32.exe76⤵PID:5016
-
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe77⤵PID:2860
-
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:4960 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe79⤵PID:1356
-
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe80⤵PID:5136
-
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe82⤵PID:5216
-
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe83⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe84⤵PID:5304
-
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe85⤵
- Drops file in System32 directory
PID:5348 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe86⤵PID:5392
-
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe87⤵PID:5436
-
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe88⤵PID:5480
-
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe89⤵PID:5520
-
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe90⤵PID:5564
-
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe91⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe92⤵PID:5664
-
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe93⤵PID:5712
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe94⤵PID:5752
-
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe95⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe96⤵PID:5844
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe97⤵PID:5908
-
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe98⤵PID:5964
-
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe99⤵PID:6028
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe100⤵PID:6072
-
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe101⤵PID:6116
-
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe102⤵PID:5148
-
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe103⤵PID:5248
-
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe104⤵PID:5356
-
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe105⤵
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe106⤵PID:5492
-
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe107⤵PID:5596
-
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe108⤵
- Modifies registry class
PID:5700 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe109⤵
- Drops file in System32 directory
PID:5828 -
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe110⤵PID:5932
-
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe111⤵PID:6012
-
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe112⤵PID:6108
-
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe113⤵PID:3200
-
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe114⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe115⤵PID:5336
-
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe116⤵PID:5448
-
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe117⤵PID:5576
-
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe118⤵
- Drops file in System32 directory
PID:5800 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5948 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe120⤵PID:6104
-
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe121⤵
- Drops file in System32 directory
PID:5212
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-