Analysis
- max time kernel: 186s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/10/2023, 20:17
Behavioral task behavioral1
- Sample: NEAS.ecb05fd023db95df1c538b8720b7f9b0.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: NEAS.ecb05fd023db95df1c538b8720b7f9b0.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.ecb05fd023db95df1c538b8720b7f9b0.exe
- Size: 833KB
- MD5: ecb05fd023db95df1c538b8720b7f9b0
- SHA1: 07785f7878001c01a7a5be3a5c1c864c7b2eaf56
- SHA256: 01922d005a39d0a63a35ed4adcceca233f4fc4a18f6b45cf8712d1f61e03568b
- SHA512: 26def53240d528999a77416a5b65784e71f9f34ca79ff4774c2467b80d323e684c29faf58adcdd1231fee4b3669430f8921388728d0dc3d38f684981eeee44c7
- SSDEEP: 24576:UdXHfNIVyeNIVy2jU13fS2hEYM9RIPqcNaAarJWw6j0dFZg0ZktGlIOfSJbuIs8N:UdXeyjC3a2hEY2RIPqcNaAarJWwq0dFo
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ecb05fd023db95df1c538b8720b7f9b0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ecb05fd023db95df1c538b8720b7f9b0.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Apimodmh.exeC:\Windows\system32\Apimodmh.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Cefoni32.exeC:\Windows\system32\Cefoni32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Cmpcdfll.exeC:\Windows\system32\Cmpcdfll.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Cfmahknh.exeC:\Windows\system32\Cfmahknh.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Dpgbgpbe.exeC:\Windows\system32\Dpgbgpbe.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Dmkcpdao.exeC:\Windows\system32\Dmkcpdao.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Dlcmgqdd.exeC:\Windows\system32\Dlcmgqdd.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Ecidpiad.exeC:\Windows\system32\Ecidpiad.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Fdjnolfd.exeC:\Windows\system32\Fdjnolfd.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Fdmjdkda.exeC:\Windows\system32\Fdmjdkda.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Fjlpbb32.exeC:\Windows\system32\Fjlpbb32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Gjqinamq.exeC:\Windows\system32\Gjqinamq.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Ggdigekj.exeC:\Windows\system32\Ggdigekj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Gnanioad.exeC:\Windows\system32\Gnanioad.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4408 -
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe26⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe27⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Hgpibdam.exeC:\Windows\system32\Hgpibdam.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4448 -
C:\Windows\SysWOW64\Hfhbipdb.exeC:\Windows\system32\Hfhbipdb.exe29⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Ijfkpnji.exeC:\Windows\system32\Ijfkpnji.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3288 -
C:\Windows\SysWOW64\Ifoijonj.exeC:\Windows\system32\Ifoijonj.exe31⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Ahpdcn32.exeC:\Windows\system32\Ahpdcn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Bbkeacqo.exeC:\Windows\system32\Bbkeacqo.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Cbfema32.exeC:\Windows\system32\Cbfema32.exe34⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Fhalcm32.exeC:\Windows\system32\Fhalcm32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3820 -
C:\Windows\SysWOW64\Jekpljgg.exeC:\Windows\system32\Jekpljgg.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4708 -
C:\Windows\SysWOW64\Pllieg32.exeC:\Windows\system32\Pllieg32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4712 -
C:\Windows\SysWOW64\Bcmqin32.exeC:\Windows\system32\Bcmqin32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Cphgca32.exeC:\Windows\system32\Cphgca32.exe39⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Clohhbli.exeC:\Windows\system32\Clohhbli.exe40⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Ccipelcf.exeC:\Windows\system32\Ccipelcf.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Cckmklac.exeC:\Windows\system32\Cckmklac.exe42⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Dqomdppm.exeC:\Windows\system32\Dqomdppm.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Eonmkkmj.exeC:\Windows\system32\Eonmkkmj.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Emanepld.exeC:\Windows\system32\Emanepld.exe45⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Eckfaj32.exeC:\Windows\system32\Eckfaj32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Ejennd32.exeC:\Windows\system32\Ejennd32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Eqpfknbj.exeC:\Windows\system32\Eqpfknbj.exe48⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Eodclj32.exeC:\Windows\system32\Eodclj32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Efolidno.exeC:\Windows\system32\Efolidno.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Eqdpfm32.exeC:\Windows\system32\Eqdpfm32.exe51⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Egnhcgeb.exeC:\Windows\system32\Egnhcgeb.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Fmkqknci.exeC:\Windows\system32\Fmkqknci.exe53⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Fgqehgco.exeC:\Windows\system32\Fgqehgco.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Fplimi32.exeC:\Windows\system32\Fplimi32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Ffeaichg.exeC:\Windows\system32\Ffeaichg.exe56⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Fmpjfn32.exeC:\Windows\system32\Fmpjfn32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Ffhnocfd.exeC:\Windows\system32\Ffhnocfd.exe58⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Fanbll32.exeC:\Windows\system32\Fanbll32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3124 -
C:\Windows\SysWOW64\Fjfgealk.exeC:\Windows\system32\Fjfgealk.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Fcnlng32.exeC:\Windows\system32\Fcnlng32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3724 -
C:\Windows\SysWOW64\Gjhdkajh.exeC:\Windows\system32\Gjhdkajh.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4980 -
C:\Windows\SysWOW64\Ggldde32.exeC:\Windows\system32\Ggldde32.exe63⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Gmimll32.exeC:\Windows\system32\Gmimll32.exe64⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ggoaje32.exeC:\Windows\system32\Ggoaje32.exe65⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ghanoeel.exeC:\Windows\system32\Ghanoeel.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3860 -
C:\Windows\SysWOW64\Gcgndf32.exeC:\Windows\system32\Gcgndf32.exe67⤵PID:2764
-
C:\Windows\SysWOW64\Hcjkje32.exeC:\Windows\system32\Hcjkje32.exe68⤵PID:4804
-
C:\Windows\SysWOW64\Hanlcjgh.exeC:\Windows\system32\Hanlcjgh.exe69⤵PID:4828
-
C:\Windows\SysWOW64\Hjfplo32.exeC:\Windows\system32\Hjfplo32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Hfmqapcl.exeC:\Windows\system32\Hfmqapcl.exe71⤵PID:3604
-
C:\Windows\SysWOW64\Hmginjki.exeC:\Windows\system32\Hmginjki.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Ikifhm32.exeC:\Windows\system32\Ikifhm32.exe73⤵
- Drops file in System32 directory
PID:3096 -
C:\Windows\SysWOW64\Jkkbnl32.exeC:\Windows\system32\Jkkbnl32.exe74⤵PID:5116
-
C:\Windows\SysWOW64\Jddggb32.exeC:\Windows\system32\Jddggb32.exe75⤵PID:1664
-
C:\Windows\SysWOW64\Jpjhlche.exeC:\Windows\system32\Jpjhlche.exe76⤵PID:3292
-
C:\Windows\SysWOW64\Jkplilgk.exeC:\Windows\system32\Jkplilgk.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Jpmdabfb.exeC:\Windows\system32\Jpmdabfb.exe78⤵PID:4464
-
C:\Windows\SysWOW64\Jondojna.exeC:\Windows\system32\Jondojna.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Jhfihp32.exeC:\Windows\system32\Jhfihp32.exe80⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Jncapf32.exeC:\Windows\system32\Jncapf32.exe81⤵PID:3304
-
C:\Windows\SysWOW64\Kobnji32.exeC:\Windows\system32\Kobnji32.exe82⤵PID:4420
-
C:\Windows\SysWOW64\Kpdjbapj.exeC:\Windows\system32\Kpdjbapj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:488 -
C:\Windows\SysWOW64\Kgbljkca.exeC:\Windows\system32\Kgbljkca.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3732 -
C:\Windows\SysWOW64\Kkqepi32.exeC:\Windows\system32\Kkqepi32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3720 -
C:\Windows\SysWOW64\Lpmmhpgp.exeC:\Windows\system32\Lpmmhpgp.exe86⤵
- Drops file in System32 directory
PID:3924 -
C:\Windows\SysWOW64\Laacmbkm.exeC:\Windows\system32\Laacmbkm.exe87⤵PID:1920
-
C:\Windows\SysWOW64\Mohplf32.exeC:\Windows\system32\Mohplf32.exe88⤵PID:4308
-
C:\Windows\SysWOW64\Moofmeal.exeC:\Windows\system32\Moofmeal.exe89⤵
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\Nqdlpmce.exeC:\Windows\system32\Nqdlpmce.exe90⤵PID:4012
-
C:\Windows\SysWOW64\Ngaabfio.exeC:\Windows\system32\Ngaabfio.exe91⤵PID:5128
-
C:\Windows\SysWOW64\Nbfeoohe.exeC:\Windows\system32\Nbfeoohe.exe92⤵PID:5168
-
C:\Windows\SysWOW64\Nbibeo32.exeC:\Windows\system32\Nbibeo32.exe93⤵PID:5208
-
C:\Windows\SysWOW64\Ngekmf32.exeC:\Windows\system32\Ngekmf32.exe94⤵PID:5248
-
C:\Windows\SysWOW64\Nieggill.exeC:\Windows\system32\Nieggill.exe95⤵PID:5288
-
C:\Windows\SysWOW64\Oooodcci.exeC:\Windows\system32\Oooodcci.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Oapllk32.exeC:\Windows\system32\Oapllk32.exe97⤵PID:5388
-
C:\Windows\SysWOW64\Ooalibaf.exeC:\Windows\system32\Ooalibaf.exe98⤵PID:5436
-
C:\Windows\SysWOW64\Oijqbh32.exeC:\Windows\system32\Oijqbh32.exe99⤵PID:5536
-
C:\Windows\SysWOW64\Opfedb32.exeC:\Windows\system32\Opfedb32.exe100⤵PID:5580
-
C:\Windows\SysWOW64\Oagbljcp.exeC:\Windows\system32\Oagbljcp.exe101⤵
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Ogajid32.exeC:\Windows\system32\Ogajid32.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Onkbenbi.exeC:\Windows\system32\Onkbenbi.exe103⤵PID:5704
-
C:\Windows\SysWOW64\Oeekbhif.exeC:\Windows\system32\Oeekbhif.exe104⤵PID:5768
-
C:\Windows\SysWOW64\Pnnokn32.exeC:\Windows\system32\Pnnokn32.exe105⤵PID:5816
-
C:\Windows\SysWOW64\Pehghhgc.exeC:\Windows\system32\Pehghhgc.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5860 -
C:\Windows\SysWOW64\Pnplqn32.exeC:\Windows\system32\Pnplqn32.exe107⤵
- Modifies registry class
PID:5912 -
C:\Windows\SysWOW64\Pldljbmn.exeC:\Windows\system32\Pldljbmn.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:5976 -
C:\Windows\SysWOW64\Pbndgl32.exeC:\Windows\system32\Pbndgl32.exe109⤵
- Drops file in System32 directory
PID:6024 -
C:\Windows\SysWOW64\Phkmoc32.exeC:\Windows\system32\Phkmoc32.exe110⤵PID:6072
-
C:\Windows\SysWOW64\Phmjdbpo.exeC:\Windows\system32\Phmjdbpo.exe111⤵PID:6112
-
C:\Windows\SysWOW64\Pbbnbkpe.exeC:\Windows\system32\Pbbnbkpe.exe112⤵PID:2940
-
C:\Windows\SysWOW64\Qimfoe32.exeC:\Windows\system32\Qimfoe32.exe113⤵PID:5220
-
C:\Windows\SysWOW64\Qiocde32.exeC:\Windows\system32\Qiocde32.exe114⤵PID:5400
-
C:\Windows\SysWOW64\Ljlagndl.exeC:\Windows\system32\Ljlagndl.exe115⤵PID:5476
-
C:\Windows\SysWOW64\Mjhqcmjo.exeC:\Windows\system32\Mjhqcmjo.exe116⤵PID:5736
-
C:\Windows\SysWOW64\Gbbkjgpl.exeC:\Windows\system32\Gbbkjgpl.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5900 -
C:\Windows\SysWOW64\Pjnipc32.exeC:\Windows\system32\Pjnipc32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5160 -
C:\Windows\SysWOW64\Gkeonggf.exeC:\Windows\system32\Gkeonggf.exe119⤵PID:5240
-
C:\Windows\SysWOW64\Gnckjbfj.exeC:\Windows\system32\Gnckjbfj.exe120⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Gekckpgl.exeC:\Windows\system32\Gekckpgl.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5000 -
C:\Windows\SysWOW64\Gglpbh32.exeC:\Windows\system32\Gglpbh32.exe122⤵
- Modifies registry class
PID:4840