Analysis
max time kernel: 148s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/10/2023, 19:57

Behavioral task: behavioral1
Sample: NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
Resource: win10v2004-20231023-en

General
Target: NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
Size: 378KB
MD5: 8e3e79eaaa01b9eb2f8805c5177e9650
SHA1: d4be22a0623c461dd92dae4ed04cf703566dee9d
SHA256: a36296a84ca1fd708d76953221352e823edbd04b46a60ec4266c33c6c004d70e
SHA512: 27577375ca154e32905f3239b88511f44d49d1f3388a5e31883dbe9deb706dfbdf7986e20ead51350d019856bf785df08f1d0748eb043ec6c9c5c3e4ca0da911
SSDEEP: 6144:Gf4S/m97OprtMsQBma/atn9pG4l+0K76zHTgb8ecFeK8TJ4u392vVAMR4/5V0lL5:Gf4SmqRMsEat9pG4l+0K7WHT91M52vV1
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the ioc column below is given relative to this key)
description | ioc | Process
Key created | ShellServiceObjectDelayLoad | Ejjaqk32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfeijqqe.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnfanjqp.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mflbjejb.exe
Key created | ShellServiceObjectDelayLoad | Clohhbli.exe
Key created | ShellServiceObjectDelayLoad | Apgqie32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Googaaej.exe
Key created | ShellServiceObjectDelayLoad | Kofheeoq.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpgihh32.exe
Key created | ShellServiceObjectDelayLoad | Odljjo32.exe
Key created | ShellServiceObjectDelayLoad | Gjcfcakn.exe
Key created | ShellServiceObjectDelayLoad | Ihgnfnjl.exe
Key created | ShellServiceObjectDelayLoad | Gjpaffhl.exe
Key created | ShellServiceObjectDelayLoad | Fjanjb32.exe
Key created | ShellServiceObjectDelayLoad | Iglhob32.exe
Key created | ShellServiceObjectDelayLoad | Lmnlpcel.exe
Key created | ShellServiceObjectDelayLoad | Pknghk32.exe
Key created | ShellServiceObjectDelayLoad | Iameid32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dqomdppm.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fggkifmg.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nohicdia.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdnjfojj.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eppobi32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ogbbqo32.exe
Key created | ShellServiceObjectDelayLoad | Mbamcm32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blqlgdhi.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpkqbq32.exe
Key created | ShellServiceObjectDelayLoad | Apngjd32.exe
Key created | ShellServiceObjectDelayLoad | Ccgjjc32.exe
Key created | ShellServiceObjectDelayLoad | Idmhqi32.exe
Key created | ShellServiceObjectDelayLoad | Micheb32.exe
Key created | ShellServiceObjectDelayLoad | Aepmjk32.exe
Key created | ShellServiceObjectDelayLoad | Djnhne32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Encgdbqd.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnhppa32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adepji32.exe
Key created | ShellServiceObjectDelayLoad | Nfiagd32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glchjedc.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Geklckkd.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fifhbf32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bckknd32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmfjfp32.exe
Key created | ShellServiceObjectDelayLoad | Cfbcfh32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ollgiplp.exe
Key created | ShellServiceObjectDelayLoad | Pkigbfja.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ioeicajh.exe
Key created | ShellServiceObjectDelayLoad | Jggmnmmo.exe
Key created | ShellServiceObjectDelayLoad | NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdenmbkk.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apnndj32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Libido32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mbamcm32.exe
Key created | ShellServiceObjectDelayLoad | Cllkcbnl.exe
Key created | ShellServiceObjectDelayLoad | Kacgld32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onbpop32.exe
Key created | ShellServiceObjectDelayLoad | Egbken32.exe
Key created | ShellServiceObjectDelayLoad | Fjocbhbo.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ioafchai.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jaodkk32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Khpcid32.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Micheb32.exe
Key created | ShellServiceObjectDelayLoad | Ccipelcf.exe
Key created | ShellServiceObjectDelayLoad | Oflfdbip.exe
Set value (str) | ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Infqklol.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x0007000000022cef-7.dat | family_berbew
behavioral2/files/0x0007000000022cef-9.dat | family_berbew
behavioral2/files/0x0007000000022cf1-15.dat | family_berbew
behavioral2/files/0x0007000000022cf1-17.dat | family_berbew
behavioral2/files/0x0008000000022cf3-23.dat | family_berbew
behavioral2/files/0x0008000000022cf3-25.dat | family_berbew
behavioral2/files/0x0008000000022cf6-31.dat | family_berbew
behavioral2/files/0x0008000000022cf6-33.dat | family_berbew
behavioral2/files/0x0006000000022cf8-39.dat | family_berbew
behavioral2/files/0x0006000000022cf8-41.dat | family_berbew
behavioral2/files/0x0006000000022cfa-42.dat | family_berbew
behavioral2/files/0x0006000000022cfa-47.dat | family_berbew
behavioral2/files/0x0006000000022cfa-49.dat | family_berbew
behavioral2/files/0x0006000000022cfc-55.dat | family_berbew
behavioral2/files/0x0006000000022cfc-56.dat | family_berbew
behavioral2/files/0x0006000000022cfe-62.dat | family_berbew
behavioral2/files/0x0006000000022cfe-65.dat | family_berbew
behavioral2/files/0x0006000000022d00-73.dat | family_berbew
behavioral2/files/0x0006000000022d00-71.dat | family_berbew
behavioral2/files/0x0006000000022d02-80.dat | family_berbew
behavioral2/files/0x0006000000022d02-82.dat | family_berbew
behavioral2/files/0x0006000000022d04-88.dat | family_berbew
behavioral2/files/0x0006000000022d04-90.dat | family_berbew
behavioral2/files/0x0006000000022d06-91.dat | family_berbew
behavioral2/files/0x0006000000022d06-96.dat | family_berbew
behavioral2/files/0x0006000000022d06-97.dat | family_berbew
behavioral2/files/0x0006000000022d08-104.dat | family_berbew
behavioral2/files/0x0006000000022d08-106.dat | family_berbew
behavioral2/files/0x0006000000022d0a-112.dat | family_berbew
behavioral2/files/0x0006000000022d0a-114.dat | family_berbew
behavioral2/files/0x0006000000022d0e-120.dat | family_berbew
behavioral2/files/0x0006000000022d0e-122.dat | family_berbew
behavioral2/files/0x0006000000022d11-128.dat | family_berbew
behavioral2/files/0x0006000000022d11-130.dat | family_berbew
behavioral2/files/0x0006000000022d13-136.dat | family_berbew
behavioral2/files/0x0006000000022d13-138.dat | family_berbew
behavioral2/files/0x0006000000022d16-144.dat | family_berbew
behavioral2/files/0x0006000000022d16-146.dat | family_berbew
behavioral2/files/0x0007000000022d18-147.dat | family_berbew
behavioral2/files/0x0007000000022d18-152.dat | family_berbew
behavioral2/files/0x0007000000022d18-153.dat | family_berbew
behavioral2/files/0x0006000000022d1a-160.dat | family_berbew
behavioral2/files/0x0006000000022d1a-162.dat | family_berbew
behavioral2/files/0x0006000000022d1c-168.dat | family_berbew
behavioral2/files/0x0006000000022d1c-170.dat | family_berbew
behavioral2/files/0x0006000000022d1e-171.dat | family_berbew
behavioral2/files/0x0006000000022d1e-176.dat | family_berbew
behavioral2/files/0x0006000000022d1e-177.dat | family_berbew
behavioral2/files/0x0006000000022d20-184.dat | family_berbew
behavioral2/files/0x0006000000022d20-185.dat | family_berbew
behavioral2/files/0x0006000000022d22-192.dat | family_berbew
behavioral2/files/0x0006000000022d22-193.dat | family_berbew
behavioral2/files/0x0006000000022d26-202.dat | family_berbew
behavioral2/files/0x0006000000022d26-200.dat | family_berbew
behavioral2/files/0x0006000000022d30-203.dat | family_berbew
behavioral2/files/0x0006000000022d30-208.dat | family_berbew
behavioral2/files/0x0006000000022d30-210.dat | family_berbew
behavioral2/files/0x0006000000022d32-215.dat | family_berbew
behavioral2/files/0x0006000000022d32-218.dat | family_berbew
behavioral2/files/0x0006000000022d34-220.dat | family_berbew
behavioral2/files/0x0006000000022d34-224.dat | family_berbew
behavioral2/files/0x0006000000022d34-226.dat | family_berbew
behavioral2/files/0x0006000000022d36-232.dat | family_berbew
behavioral2/files/0x0006000000022d36-233.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
696 | Kjeiodek.exe
224 | Nncccnol.exe
3996 | Ncchae32.exe
4612 | Onocomdo.exe
3836 | Ogjdmbil.exe
1688 | Pdenmbkk.exe
748 | Pmblagmf.exe
4976 | Qmgelf32.exe
2240 | Ahaceo32.exe
3672 | Bdagpnbk.exe
4460 | Bpkdjofm.exe
2104 | Cpmapodj.exe
2304 | Cocjiehd.exe
4648 | Cacckp32.exe
3888 | Dhdbhifj.exe
3780 | Edbiniff.exe
3128 | Ebfign32.exe
3600 | Edionhpn.exe
2976 | Figgdg32.exe
3908 | Fndpmndl.exe
4216 | Fecadghc.exe
4248 | Gicgpelg.exe
2584 | Gndick32.exe
4384 | Glhimp32.exe
436 | Ghojbq32.exe
2760 | Ilfennic.exe
4448 | Iondqhpl.exe
4980 | Jemfhacc.exe
4952 | Jhplpl32.exe
4508 | Khbiello.exe
844 | Kidben32.exe
3116 | Lepleocn.exe
2548 | Legben32.exe
812 | Lpochfji.exe
2132 | Mokfja32.exe
3872 | Nfnamjhk.exe
1020 | Nofefp32.exe
2396 | Obgohklm.exe
2360 | Ojhiogdd.exe
380 | Ppdbgncl.exe
4444 | Pfagighf.exe
2340 | Pmmlla32.exe
3852 | Pjaleemj.exe
3152 | Adepji32.exe
2264 | Apnndj32.exe
2220 | Bdlfjh32.exe
1640 | Ccmcgcmp.exe
3724 | Caqpkjcl.exe
4524 | Cpfmlghd.exe
4568 | Dnljkk32.exe
4392 | Ejjaqk32.exe
4956 | Edoencdm.exe
976 | Egbken32.exe
2236 | Fcekfnkb.exe
4112 | Fjocbhbo.exe
492 | Gkcigjel.exe
1896 | Gdnjfojj.exe
1220 | Hccggl32.exe
3912 | Hnbnjc32.exe
1728 | Ijiopd32.exe
4296 | Ijmhkchl.exe
1372 | Inkaqb32.exe
1044 | Koljgppp.exe
4272 | Khihld32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Bckknd32.exe | Bnobfn32.exe
File opened for modification | C:\Windows\SysWOW64\Blnoad32.exe | Bojohp32.exe
File created | C:\Windows\SysWOW64\Kacgld32.exe | Koekpi32.exe
File opened for modification | C:\Windows\SysWOW64\Edionhpn.exe | Ebfign32.exe
File created | C:\Windows\SysWOW64\Pfagighf.exe | Ppdbgncl.exe
File created | C:\Windows\SysWOW64\Adepji32.exe | Pjaleemj.exe
File opened for modification | C:\Windows\SysWOW64\Fjocbhbo.exe | Fcekfnkb.exe
File opened for modification | C:\Windows\SysWOW64\Kmobii32.exe | Kmmedi32.exe
File opened for modification | C:\Windows\SysWOW64\Qibfdkgh.exe | Qojeabie.exe
File created | C:\Windows\SysWOW64\Bcoaln32.dll | Edbiniff.exe
File created | C:\Windows\SysWOW64\Odaodc32.dll | Gndick32.exe
File opened for modification | C:\Windows\SysWOW64\Koljgppp.exe | Inkaqb32.exe
File created | C:\Windows\SysWOW64\Molpkleo.dll | Dcqmpa32.exe
File created | C:\Windows\SysWOW64\Kpeekc32.dll | Mmfjfp32.exe
File created | C:\Windows\SysWOW64\Mgngih32.exe | Maoakaip.exe
File created | C:\Windows\SysWOW64\Kkbfan32.dll | Nncccnol.exe
File created | C:\Windows\SysWOW64\Oheienli.exe | Napameoi.exe
File created | C:\Windows\SysWOW64\Oihlnd32.dll | Bbcignbo.exe
File created | C:\Windows\SysWOW64\Lmhnea32.exe | Lbbjhini.exe
File opened for modification | C:\Windows\SysWOW64\Lnhdbc32.exe | Lgnleiid.exe
File created | C:\Windows\SysWOW64\Keoaokpd.dll | Ghojbq32.exe
File created | C:\Windows\SysWOW64\Iqaiga32.exe | Igieoleg.exe
File created | C:\Windows\SysWOW64\Hakidd32.exe | Hedhoc32.exe
File opened for modification | C:\Windows\SysWOW64\Opefdo32.exe | Ndgpnogo.exe
File created | C:\Windows\SysWOW64\Anekdd32.dll | Aljmal32.exe
File created | C:\Windows\SysWOW64\Nfnamjhk.exe | Mokfja32.exe
File created | C:\Windows\SysWOW64\Kdjhkp32.exe | Kffhakjp.exe
File opened for modification | C:\Windows\SysWOW64\Mkdiog32.exe | Lmqiec32.exe
File created | C:\Windows\SysWOW64\Mlkngglh.dll | Dlobmd32.exe
File opened for modification | C:\Windows\SysWOW64\Blflmj32.exe | Bkepeaaa.exe
File opened for modification | C:\Windows\SysWOW64\Omfcmm32.exe | Obqopddf.exe
File created | C:\Windows\SysWOW64\Mqkijnkp.exe | Mkoaagmh.exe
File created | C:\Windows\SysWOW64\Aecbge32.exe | Agjhbbob.exe
File opened for modification | C:\Windows\SysWOW64\Qdflaa32.exe | Pknghk32.exe
File opened for modification | C:\Windows\SysWOW64\Micheb32.exe | Mbiphhhq.exe
File opened for modification | C:\Windows\SysWOW64\Mbkfcabb.exe | Mgebfhcl.exe
File created | C:\Windows\SysWOW64\Gdnjfojj.exe | Gkcigjel.exe
File created | C:\Windows\SysWOW64\Acbhhf32.exe | Alhpkldp.exe
File opened for modification | C:\Windows\SysWOW64\Mohplf32.exe | Lnhdbc32.exe
File created | C:\Windows\SysWOW64\Npqplk32.dll | Ommjnlnd.exe
File created | C:\Windows\SysWOW64\Piceflpi.exe | Pfeijqqe.exe
File opened for modification | C:\Windows\SysWOW64\Lmqiec32.exe | Lhdqml32.exe
File created | C:\Windows\SysWOW64\Pmceobnb.dll | Ilqmam32.exe
File created | C:\Windows\SysWOW64\Dqdnjfpc.exe | Dnfanjqp.exe
File opened for modification | C:\Windows\SysWOW64\Linojbdc.exe | Lbdgmh32.exe
File opened for modification | C:\Windows\SysWOW64\Caqpkjcl.exe | Ccmcgcmp.exe
File created | C:\Windows\SysWOW64\Gmkibl32.exe | Gfaaebnj.exe
File created | C:\Windows\SysWOW64\Lfcfpn32.dll | Jggmnmmo.exe
File created | C:\Windows\SysWOW64\Gcoheeen.dll | Glchjedc.exe
File created | C:\Windows\SysWOW64\Amjcol32.dll | Kmobii32.exe
File created | C:\Windows\SysWOW64\Hekpnp32.dll | Eghimo32.exe
File opened for modification | C:\Windows\SysWOW64\Momqblgj.exe | Micheb32.exe
File opened for modification | C:\Windows\SysWOW64\Limioiia.exe | Lbcabo32.exe
File opened for modification | C:\Windows\SysWOW64\Gfaaebnj.exe | Gpgihh32.exe
File created | C:\Windows\SysWOW64\Nncccnol.exe | Kjeiodek.exe
File created | C:\Windows\SysWOW64\Ahaceo32.exe | Qmgelf32.exe
File opened for modification | C:\Windows\SysWOW64\Jemfhacc.exe | Iondqhpl.exe
File created | C:\Windows\SysWOW64\Nlhego32.dll | Nfnamjhk.exe
File created | C:\Windows\SysWOW64\Gggfme32.exe | Gjcfcakn.exe
File opened for modification | C:\Windows\SysWOW64\Ofooqinh.exe | Opefdo32.exe
File created | C:\Windows\SysWOW64\Bnobfn32.exe | Bdfnmhnj.exe
File created | C:\Windows\SysWOW64\Jkgmmjgh.dll | Iaahjmkn.exe
File created | C:\Windows\SysWOW64\Ndbefkjk.exe | Nildajdg.exe
File opened for modification | C:\Windows\SysWOW64\Ogjdmbil.exe | Onocomdo.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2600 | 5944 | WerFault.exe | 466
Modifies registry class (64 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 (the ioc column below is given relative to this key; "(default)" is the key's unnamed default value)
description | ioc | Process
Key created | InProcServer32 | Kacgld32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Fjocbhbo.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Hpigao32.dll" | Gcpcgfmi.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Hgnlgdfg.dll" | Hgmebnpd.exe
Key created | InProcServer32 | Figgdg32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Ippephla.dll" | Kffhakjp.exe
Key created | InProcServer32 | Ehkcgkdj.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Djnhpf32.dll" | Gegchl32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Nlhdkp32.dll" | Cfiiggpg.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Nbecgn32.dll" | Dnhgidka.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Gablgk32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Gffkpa32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Odljjo32.exe
Key created | InProcServer32 | Kffhakjp.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Djabhe32.dll" | Mfhgcbfo.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Plmdmk32.dll" | Micheb32.exe
Key created | InProcServer32 | Mkoaagmh.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Odpkpbgq.dll" | Mkoaagmh.exe
Key created | InProcServer32 | Jabiie32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Geipnl32.exe
Key created | InProcServer32 | Algiaepd.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Bjgifhep.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Cdghfg32.dll" | Lhgdmb32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Lmnlpcel.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Cpmbkm32.dll" | Ficlmf32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Aqhhdgfp.dll" | Copajm32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Odlpkg32.dll" | Pmeoqlpl.exe
Key created | InProcServer32 | Claenb32.exe
Key created | InProcServer32 | Pmmlla32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Jkgmmjgh.dll" | Iaahjmkn.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Pjapelnf.dll" | Jlblcdpf.exe
Key created | InProcServer32 | Kolaqh32.exe
Key created | InProcServer32 | Gmkibl32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Bdagpnbk.exe
Key created | InProcServer32 | Gkcigjel.exe
Key created | InProcServer32 | Ldckan32.exe
Key created | InProcServer32 | Oolnabal.exe
Key created | InProcServer32 | Lknjhokg.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Dqdnjfpc.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Nmdlch32.dll" | Lknjhokg.exe
Key created | InProcServer32 | Lmlpjdgo.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Iaahjmkn.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Mmnbkc32.dll" | Gcngafol.exe
Key created | InProcServer32 | Pgllad32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Pbqjdd32.dll" | Alhpkldp.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Hicgcm32.dll" | Lonnfg32.exe
Key created | InProcServer32 | Linojbdc.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Claenb32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Cocjiehd.exe
Key created | InProcServer32 | Fndpmndl.exe
Key created | InProcServer32 | Bgkaip32.exe
Key created | InProcServer32 | Knphfklg.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Cqmldgdc.dll" | Kofheeoq.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Edbiniff.exe
Key created | InProcServer32 | Gdnjfojj.exe
Key created | InProcServer32 | Aecialmb.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Eheani32.dll" | Dlncla32.exe
Key created | InProcServer32 | Gkcdfl32.exe
Key created | InProcServer32 | Pmiijjcf.exe
Key created | InProcServer32 | Falcli32.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Hnejfn32.dll" | Aepmjk32.exe
Set value (str) | InProcServer32\ThreadingModel = "Apartment" | Doidql32.exe
Key created | InProcServer32 | Ndbefkjk.exe
Set value (str) | InProcServer32\(default) = "C:\\Windows\\SysWow64\\Alcghnpc.dll" | Dekapfke.exe
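The two registry signatures above (the ShellServiceObjectDelayLoad value and the CLSID InProcServer32 registration), together with the SysWOW64 drops, describe one persistence mechanism: Explorer reads ShellServiceObjectDelayLoad at logon, resolves each value's CLSID through its InProcServer32 key and loads the named DLL in-process. The PowerShell below is an added hunt script, not part of this report or of the sample; it resolves that chain on a live host and checks the signature of the module each entry ends at, then lists unsigned PE files recently created in SysWOW64. The CLSID, the value name "Web Event Logger" and the drop location come from the IoCs above; the assumption that SSODL entries on a healthy host resolve to validly signed OS modules, the 30-day window and the function names are mine.

```powershell
# Added hunt script for the persistence this report describes; it is not part of the
# sandbox report or of the Berbew sample. Run from an elevated 64-bit PowerShell:
# a 32-bit PowerShell would itself be redirected into the WOW6432Node view.
# CLSID, value name and drop location are taken from the report's IoCs; the rest
# (signature heuristic, time window, names) is an assumption about a generic host.

$BerbewClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'
$SysWow64    = Join-Path $env:SystemRoot 'SysWOW64'

# Explorer reads ShellServiceObjectDelayLoad at logon; each value is "<name> = <CLSID>",
# and the CLSID's InProcServer32 default value names the DLL Explorer loads in-process.
# A 32-bit sample on a 64-bit host writes the WOW6432Node view, so both views are checked,
# each paired with the CLSID hive of the same bitness.
$Views = @(
    @{ Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Ssodl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)
# Metadata properties Get-ItemProperty adds to every result; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SsodlPersistence {
    foreach ($view in $Views) {
        if (-not (Test-Path -LiteralPath $view.Ssodl)) { continue }
        $values = Get-ItemProperty -LiteralPath $view.Ssodl
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $clsid  = [string]$prop.Value
            $server = Join-Path $view.Clsid "$clsid\InProcServer32"
            $module = $null; $threading = $null
            if (Test-Path -LiteralPath $server) {
                $srv       = Get-ItemProperty -LiteralPath $server
                $module    = $srv.'(default)'
                $threading = $srv.ThreadingModel
            }
            $path = if ($module) { [Environment]::ExpandEnvironmentVariables($module) } else { $null }
            $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                        (Get-AuthenticodeSignature -FilePath $path).Status
                    } else { 'FileMissing' }
            [pscustomobject]@{
                View       = $view.Ssodl
                Name       = $prop.Name
                Clsid      = $clsid
                Module     = $path
                Threading  = $threading
                Signature  = $sig
                # Known-bad CLSID or value name from this report, or a module without a valid
                # signature (assumption: healthy SSODL entries resolve to signed OS DLLs).
                Suspicious = ($clsid -eq $BerbewClsid) -or ($prop.Name -eq 'Web Event Logger') -or ("$sig" -ne 'Valid')
            }
        }
    }
}

# Every stage in the report drops its successor, and a same-named .dll for InProcServer32,
# into SysWOW64. Unsigned .exe/.dll files created there recently are leads, not verdicts:
# third-party installers also write to SysWOW64.
function Find-UnsignedSysWow64Binaries {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # -Include only filters when the path carries a wildcard, hence the trailing '*'.
    Get-ChildItem -Path (Join-Path $SysWow64 '*') -Include '*.exe', '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -FilePath $_.FullName
            if ("$($s.Status)" -ne 'Valid') {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Created = $_.CreationTime
                    Status  = $s.Status
                    Signer  = if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { $null }
                }
            }
        }
}

Get-SsodlPersistence | Format-Table -AutoSize
Find-UnsignedSysWow64Binaries | Format-Table -AutoSize
```

Get-AuthenticodeSignature validates catalog-signed OS files as well as embedded signatures, so a Status other than Valid on a file under SysWOW64 is unusual; the report's InProcServer32 targets (Hpigao32.dll and the other eight-character names) would show as NotSigned. Run the SSODL check on the pre-infection baseline of a fleet image once so that any legitimate third-party entries can be allow-listed by CLSID rather than by name.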
Suspicious use of WriteProcessMemory (64 IoCs)
The report lists each parent/child pair three times (identical rows); the last column gives that count, so the 64 IoCs collapse to the 22 lines below.
description | pid | Process | procid_target | rows
PID 3568 wrote to memory of 696 | 3568 | NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe | 90 | 3
PID 696 wrote to memory of 224 | 696 | Kjeiodek.exe | 91 | 3
PID 224 wrote to memory of 3996 | 224 | Nncccnol.exe | 92 | 3
PID 3996 wrote to memory of 4612 | 3996 | Ncchae32.exe | 93 | 3
PID 4612 wrote to memory of 3836 | 4612 | Onocomdo.exe | 94 | 3
PID 3836 wrote to memory of 1688 | 3836 | Ogjdmbil.exe | 95 | 3
PID 1688 wrote to memory of 748 | 1688 | Pdenmbkk.exe | 96 | 3
PID 748 wrote to memory of 4976 | 748 | Pmblagmf.exe | 97 | 3
PID 4976 wrote to memory of 2240 | 4976 | Qmgelf32.exe | 98 | 3
PID 2240 wrote to memory of 3672 | 2240 | Ahaceo32.exe | 99 | 3
PID 3672 wrote to memory of 4460 | 3672 | Bdagpnbk.exe | 100 | 3
PID 4460 wrote to memory of 2104 | 4460 | Bpkdjofm.exe | 102 | 3
PID 2104 wrote to memory of 2304 | 2104 | Cpmapodj.exe | 103 | 3
PID 2304 wrote to memory of 4648 | 2304 | Cocjiehd.exe | 104 | 3
PID 4648 wrote to memory of 3888 | 4648 | Cacckp32.exe | 106 | 3
PID 3888 wrote to memory of 3780 | 3888 | Dhdbhifj.exe | 107 | 3
PID 3780 wrote to memory of 3128 | 3780 | Edbiniff.exe | 108 | 3
PID 3128 wrote to memory of 3600 | 3128 | Ebfign32.exe | 109 | 3
PID 3600 wrote to memory of 2976 | 3600 | Edionhpn.exe | 110 | 3
PID 2976 wrote to memory of 3908 | 2976 | Figgdg32.exe | 111 | 3
PID 3908 wrote to memory of 4216 | 3908 | Fndpmndl.exe | 112 | 3
PID 4216 wrote to memory of 4248 | 4216 | Fecadghc.exe | 113 | 1
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3568
C:\Windows\SysWOW64\Kjeiodek.exe (depth 2)
Command line: C:\Windows\system32\Kjeiodek.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:696
C:\Windows\SysWOW64\Nncccnol.exe (depth 3)
Command line: C:\Windows\system32\Nncccnol.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:224
C:\Windows\SysWOW64\Ncchae32.exe (depth 4)
Command line: C:\Windows\system32\Ncchae32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996
C:\Windows\SysWOW64\Onocomdo.exe (depth 5)
Command line: C:\Windows\system32\Onocomdo.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4612
C:\Windows\SysWOW64\Ogjdmbil.exe (depth 6)
Command line: C:\Windows\system32\Ogjdmbil.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836
C:\Windows\SysWOW64\Pdenmbkk.exe (depth 7)
Command line: C:\Windows\system32\Pdenmbkk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688
C:\Windows\SysWOW64\Pmblagmf.exe (depth 8)
Command line: C:\Windows\system32\Pmblagmf.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748
C:\Windows\SysWOW64\Qmgelf32.exe (depth 9)
Command line: C:\Windows\system32\Qmgelf32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4976
C:\Windows\SysWOW64\Ahaceo32.exe (depth 10)
Command line: C:\Windows\system32\Ahaceo32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240
C:\Windows\SysWOW64\Bdagpnbk.exe (depth 11)
Command line: C:\Windows\system32\Bdagpnbk.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3672
C:\Windows\SysWOW64\Bpkdjofm.exe (depth 12)
Command line: C:\Windows\system32\Bpkdjofm.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460
C:\Windows\SysWOW64\Cpmapodj.exe (depth 13)
Command line: C:\Windows\system32\Cpmapodj.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104
C:\Windows\SysWOW64\Cocjiehd.exe (depth 14)
Command line: C:\Windows\system32\Cocjiehd.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304
C:\Windows\SysWOW64\Cacckp32.exe (depth 15)
Command line: C:\Windows\system32\Cacckp32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648
C:\Windows\SysWOW64\Dhdbhifj.exe (depth 16)
Command line: C:\Windows\system32\Dhdbhifj.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888
C:\Windows\SysWOW64\Edbiniff.exe (depth 17)
Command line: C:\Windows\system32\Edbiniff.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3780
C:\Windows\SysWOW64\Ebfign32.exe (depth 18)
Command line: C:\Windows\system32\Ebfign32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3128
C:\Windows\SysWOW64\Edionhpn.exe (depth 19)
Command line: C:\Windows\system32\Edionhpn.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600
C:\Windows\SysWOW64\Figgdg32.exe (depth 20)
Command line: C:\Windows\system32\Figgdg32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976
C:\Windows\SysWOW64\Fndpmndl.exe (depth 21)
Command line: C:\Windows\system32\Fndpmndl.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908
C:\Windows\SysWOW64\Fecadghc.exe (depth 22)
Command line: C:\Windows\system32\Fecadghc.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216
C:\Windows\SysWOW64\Gicgpelg.exe (depth 23)
Command line: C:\Windows\system32\Gicgpelg.exe
- Executes dropped EXE
PID:4248
C:\Windows\SysWOW64\Gndick32.exe (depth 24)
Command line: C:\Windows\system32\Gndick32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2584
C:\Windows\SysWOW64\Glhimp32.exe (depth 25)
Command line: C:\Windows\system32\Glhimp32.exe
- Executes dropped EXE
PID:4384
C:\Windows\SysWOW64\Ghojbq32.exe (depth 26)
Command line: C:\Windows\system32\Ghojbq32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:436
C:\Windows\SysWOW64\Ilfennic.exe (depth 27)
Command line: C:\Windows\system32\Ilfennic.exe
- Executes dropped EXE
PID:2760
C:\Windows\SysWOW64\Iondqhpl.exe (depth 28)
Command line: C:\Windows\system32\Iondqhpl.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:4448
C:\Windows\SysWOW64\Jemfhacc.exe (depth 29)
Command line: C:\Windows\system32\Jemfhacc.exe
- Executes dropped EXE
PID:4980
C:\Windows\SysWOW64\Jhplpl32.exe (depth 30)
Command line: C:\Windows\system32\Jhplpl32.exe
- Executes dropped EXE
PID:4952
C:\Windows\SysWOW64\Khbiello.exe (depth 31)
Command line: C:\Windows\system32\Khbiello.exe
- Executes dropped EXE
PID:4508
C:\Windows\SysWOW64\Kidben32.exe (depth 32)
Command line: C:\Windows\system32\Kidben32.exe
- Executes dropped EXE
PID:844
C:\Windows\SysWOW64\Lepleocn.exe (depth 33)
Command line: C:\Windows\system32\Lepleocn.exe
- Executes dropped EXE
PID:3116
C:\Windows\SysWOW64\Legben32.exe (depth 34)
Command line: C:\Windows\system32\Legben32.exe
- Executes dropped EXE
PID:2548
C:\Windows\SysWOW64\Lpochfji.exe (depth 35)
Command line: C:\Windows\system32\Lpochfji.exe
- Executes dropped EXE
PID:812
C:\Windows\SysWOW64\Mokfja32.exe (depth 36)
Command line: C:\Windows\system32\Mokfja32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2132
C:\Windows\SysWOW64\Nfnamjhk.exe (depth 37)
Command line: C:\Windows\system32\Nfnamjhk.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:3872
C:\Windows\SysWOW64\Nofefp32.exe (depth 38)
Command line: C:\Windows\system32\Nofefp32.exe
- Executes dropped EXE
PID:1020
C:\Windows\SysWOW64\Obgohklm.exe (depth 39)
Command line: C:\Windows\system32\Obgohklm.exe
- Executes dropped EXE
PID:2396
C:\Windows\SysWOW64\Ojhiogdd.exe (depth 40)
Command line: C:\Windows\system32\Ojhiogdd.exe
- Executes dropped EXE
PID:2360
C:\Windows\SysWOW64\Ppdbgncl.exe (depth 41)
Command line: C:\Windows\system32\Ppdbgncl.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:380
C:\Windows\SysWOW64\Pfagighf.exe (depth 42)
Command line: C:\Windows\system32\Pfagighf.exe
- Executes dropped EXE
PID:4444
C:\Windows\SysWOW64\Pmmlla32.exe (depth 43)
Command line: C:\Windows\system32\Pmmlla32.exe
- Executes dropped EXE
- Modifies registry class
PID:2340
C:\Windows\SysWOW64\Pjaleemj.exe (depth 44)
Command line: C:\Windows\system32\Pjaleemj.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:3852
C:\Windows\SysWOW64\Adepji32.exe (depth 45)
Command line: C:\Windows\system32\Adepji32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3152
C:\Windows\SysWOW64\Apnndj32.exe (depth 46)
Command line: C:\Windows\system32\Apnndj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2264
C:\Windows\SysWOW64\Bdlfjh32.exe (depth 47)
Command line: C:\Windows\system32\Bdlfjh32.exe
- Executes dropped EXE
PID:2220
C:\Windows\SysWOW64\Ccmcgcmp.exe (depth 48)
Command line: C:\Windows\system32\Ccmcgcmp.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:1640
C:\Windows\SysWOW64\Caqpkjcl.exe (depth 49)
Command line: C:\Windows\system32\Caqpkjcl.exe
- Executes dropped EXE
PID:3724
C:\Windows\SysWOW64\Cpfmlghd.exe (depth 50)
Command line: C:\Windows\system32\Cpfmlghd.exe
- Executes dropped EXE
PID:4524
C:\Windows\SysWOW64\Dnljkk32.exe (depth 51)
Command line: C:\Windows\system32\Dnljkk32.exe
- Executes dropped EXE
PID:4568
C:\Windows\SysWOW64\Ejjaqk32.exe (depth 52)
Command line: C:\Windows\system32\Ejjaqk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4392
C:\Windows\SysWOW64\Edoencdm.exe (depth 53)
Command line: C:\Windows\system32\Edoencdm.exe
- Executes dropped EXE
PID:4956
C:\Windows\SysWOW64\Egbken32.exe (depth 54)
Command line: C:\Windows\system32\Egbken32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:976
C:\Windows\SysWOW64\Fcekfnkb.exe (depth 55)
Command line: C:\Windows\system32\Fcekfnkb.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2236
C:\Windows\SysWOW64\Fjocbhbo.exe (depth 56)
Command line: C:\Windows\system32\Fjocbhbo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4112
C:\Windows\SysWOW64\Gkcigjel.exe (depth 57)
Command line: C:\Windows\system32\Gkcigjel.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:492
C:\Windows\SysWOW64\Gdnjfojj.exe (depth 58)
Command line: C:\Windows\system32\Gdnjfojj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1896
C:\Windows\SysWOW64\Hccggl32.exe (depth 59)
Command line: C:\Windows\system32\Hccggl32.exe
- Executes dropped EXE
PID:1220
C:\Windows\SysWOW64\Hnbnjc32.exe (depth 60)
Command line: C:\Windows\system32\Hnbnjc32.exe
- Executes dropped EXE
PID:3912
C:\Windows\SysWOW64\Ijiopd32.exe (depth 61)
Command line: C:\Windows\system32\Ijiopd32.exe
- Executes dropped EXE
PID:1728
C:\Windows\SysWOW64\Ijmhkchl.exe (depth 62)
Command line: C:\Windows\system32\Ijmhkchl.exe
- Executes dropped EXE
PID:4296
C:\Windows\SysWOW64\Inkaqb32.exe (depth 63)
Command line: C:\Windows\system32\Inkaqb32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:1372
C:\Windows\SysWOW64\Koljgppp.exe (depth 64)
Command line: C:\Windows\system32\Koljgppp.exe
- Executes dropped EXE
PID:1044
C:\Windows\SysWOW64\Khihld32.exe (depth 65)
Command line: C:\Windows\system32\Khihld32.exe
- Executes dropped EXE
PID:4272
C:\Windows\SysWOW64\Kdpiqehp.exe (depth 66)
Command line: C:\Windows\system32\Kdpiqehp.exe
PID:3616
C:\Windows\SysWOW64\Lknjhokg.exe (depth 67)
Command line: C:\Windows\system32\Lknjhokg.exe
- Modifies registry class
PID:4252
C:\Windows\SysWOW64\Lhgdmb32.exe (depth 68)
Command line: C:\Windows\system32\Lhgdmb32.exe
- Modifies registry class
PID:2216
C:\Windows\SysWOW64\Memalfcb.exe (depth 69)
Command line: C:\Windows\system32\Memalfcb.exe
PID:4208
C:\Windows\SysWOW64\Nfiagd32.exe (depth 70)
Command line: C:\Windows\system32\Nfiagd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152
C:\Windows\SysWOW64\Napameoi.exe (depth 71)
Command line: C:\Windows\system32\Napameoi.exe
- Drops file in System32 directory
PID:4104
C:\Windows\SysWOW64\Oheienli.exe (depth 72)
Command line: C:\Windows\system32\Oheienli.exe
PID:4176
C:\Windows\SysWOW64\Odljjo32.exe (depth 73)
Command line: C:\Windows\system32\Odljjo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4628
C:\Windows\SysWOW64\Ocmjhfjl.exe (depth 74)
Command line: C:\Windows\system32\Ocmjhfjl.exe
PID:1660
C:\Windows\SysWOW64\Oflfdbip.exe (depth 75)
Command line: C:\Windows\system32\Oflfdbip.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2852
C:\Windows\SysWOW64\Pmeoqlpl.exe (depth 76)
Command line: C:\Windows\system32\Pmeoqlpl.exe
- Modifies registry class
PID:1420
C:\Windows\SysWOW64\Pfeijqqe.exe (depth 77)
Command line: C:\Windows\system32\Pfeijqqe.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3336
C:\Windows\SysWOW64\Piceflpi.exe (depth 78)
Command line: C:\Windows\system32\Piceflpi.exe
PID:852
C:\Windows\SysWOW64\Apgqie32.exe (depth 79)
Command line: C:\Windows\system32\Apgqie32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552
C:\Windows\SysWOW64\Aecialmb.exe (depth 80)
Command line: C:\Windows\system32\Aecialmb.exe
- Modifies registry class
PID:2312
C:\Windows\SysWOW64\Apngjd32.exe (depth 81)
Command line: C:\Windows\system32\Apngjd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704
C:\Windows\SysWOW64\Bbcignbo.exe (depth 82)
Command line: C:\Windows\system32\Bbcignbo.exe
- Drops file in System32 directory
PID:3012
C:\Windows\SysWOW64\Dpgbgpbe.exe (depth 83)
Command line: C:\Windows\system32\Dpgbgpbe.exe
PID:1344
C:\Windows\SysWOW64\Dlncla32.exe (depth 84)
Command line: C:\Windows\system32\Dlncla32.exe
- Modifies registry class
PID:4804
C:\Windows\SysWOW64\Dekapfke.exe (depth 85)
Command line: C:\Windows\system32\Dekapfke.exe
- Modifies registry class
PID:3140
C:\Windows\SysWOW64\Epaemojk.exe (depth 86)
Command line: C:\Windows\system32\Epaemojk.exe
PID:640
C:\Windows\SysWOW64\Elolco32.exe (depth 87)
Command line: C:\Windows\system32\Elolco32.exe
PID:4076
C:\Windows\SysWOW64\Fpckjlje.exe (depth 88)
Command line: C:\Windows\system32\Fpckjlje.exe
PID:3432
C:\Windows\SysWOW64\Gjcfcakn.exe (depth 89)
Command line: C:\Windows\system32\Gjcfcakn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5080
C:\Windows\SysWOW64\Gggfme32.exe (depth 90)
Command line: C:\Windows\system32\Gggfme32.exe
PID:1820
C:\Windows\SysWOW64\Gcngafol.exe (depth 91)
Command line: C:\Windows\system32\Gcngafol.exe
- Modifies registry class
PID:4220
C:\Windows\SysWOW64\Gjhonp32.exe (depth 92)
Command line: C:\Windows\system32\Gjhonp32.exe
PID:1696
C:\Windows\SysWOW64\Gmfkjl32.exe (depth 93)
Command line: C:\Windows\system32\Gmfkjl32.exe
PID:5160
C:\Windows\SysWOW64\Gcpcgfmi.exe (depth 94)
Command line: C:\Windows\system32\Gcpcgfmi.exe
- Modifies registry class
PID:5208
C:\Windows\SysWOW64\Hcembe32.exe (depth 95)
Command line: C:\Windows\system32\Hcembe32.exe
PID:5256
C:\Windows\SysWOW64\Hnokjm32.exe (depth 96)
Command line: C:\Windows\system32\Hnokjm32.exe
PID:5300
C:\Windows\SysWOW64\Iglhob32.exe (depth 97)
Command line: C:\Windows\system32\Iglhob32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5352
C:\Windows\SysWOW64\Infqklol.exe (depth 98)
Command line: C:\Windows\system32\Infqklol.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396
C:\Windows\SysWOW64\Jabiie32.exe (depth 99)
Command line: C:\Windows\system32\Jabiie32.exe
- Modifies registry class
PID:5440
C:\Windows\SysWOW64\Kffhakjp.exe (depth 100)
Command line: C:\Windows\system32\Kffhakjp.exe
- Drops file in System32 directory
- Modifies registry class
PID:5484
C:\Windows\SysWOW64\Kdjhkp32.exe (depth 101)
Command line: C:\Windows\system32\Kdjhkp32.exe
PID:5632
C:\Windows\SysWOW64\Ldckan32.exe (depth 102)
Command line: C:\Windows\system32\Ldckan32.exe
- Modifies registry class
PID:5672
C:\Windows\SysWOW64\Lmlpjdgo.exe (depth 103)
Command line: C:\Windows\system32\Lmlpjdgo.exe
- Modifies registry class
PID:5728
C:\Windows\SysWOW64\Lmnlpcel.exe (depth 104)
Command line: C:\Windows\system32\Lmnlpcel.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5772
C:\Windows\SysWOW64\Lhdqml32.exe (depth 105)
Command line: C:\Windows\system32\Lhdqml32.exe
- Drops file in System32 directory
PID:5816
C:\Windows\SysWOW64\Lmqiec32.exe (depth 106)
Command line: C:\Windows\system32\Lmqiec32.exe
- Drops file in System32 directory
PID:5860
C:\Windows\SysWOW64\Mkdiog32.exe (depth 107)
Command line: C:\Windows\system32\Mkdiog32.exe
PID:5900
C:\Windows\SysWOW64\Maoakaip.exe (depth 108)
Command line: C:\Windows\system32\Maoakaip.exe
- Drops file in System32 directory
PID:5948
C:\Windows\SysWOW64\Mgngih32.exe (depth 109)
Command line: C:\Windows\system32\Mgngih32.exe
PID:6000
C:\Windows\SysWOW64\Oolnabal.exe (depth 110)
Command line: C:\Windows\system32\Oolnabal.exe
- Modifies registry class
PID:6044
C:\Windows\SysWOW64\Ofhcdlgg.exe (depth 111)
Command line: C:\Windows\system32\Ofhcdlgg.exe
PID:6080
C:\Windows\SysWOW64\Pfkpiled.exe (depth 112)
Command line: C:\Windows\system32\Pfkpiled.exe
PID:6136
C:\Windows\SysWOW64\Pgllad32.exe (depth 113)
Command line: C:\Windows\system32\Pgllad32.exe
- Modifies registry class
PID:5144
C:\Windows\SysWOW64\Pocdba32.exe (depth 114)
Command line: C:\Windows\system32\Pocdba32.exe
PID:5220
C:\Windows\SysWOW64\Pbdmdlie.exe (depth 115)
Command line: C:\Windows\system32\Pbdmdlie.exe
PID:5296
C:\Windows\SysWOW64\Qbmpjkqk.exe (depth 116)
Command line: C:\Windows\system32\Qbmpjkqk.exe
PID:5360
C:\Windows\SysWOW64\Agjhbbob.exe (depth 117)
Command line: C:\Windows\system32\Agjhbbob.exe
- Drops file in System32 directory
PID:5432
C:\Windows\SysWOW64\Aecbge32.exe (depth 118)
Command line: C:\Windows\system32\Aecbge32.exe
PID:5496
C:\Windows\SysWOW64\Aeglbeea.exe (depth 119)
Command line: C:\Windows\system32\Aeglbeea.exe
PID:5516
C:\Windows\SysWOW64\Bkadoo32.exe (depth 120)
Command line: C:\Windows\system32\Bkadoo32.exe
PID:5608
C:\Windows\SysWOW64\Bgkaip32.exe (depth 121)
Command line: C:\Windows\system32\Bgkaip32.exe
- Modifies registry class
PID:5712
C:\Windows\SysWOW64\Bbpeghpe.exe (depth 122)
Command line: C:\Windows\system32\Bbpeghpe.exe
PID:5800