Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 20:12
Behavioral task
behavioral1
Sample
NEAS.bcd2e82a172371744ad567d9030f8770.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.bcd2e82a172371744ad567d9030f8770.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.bcd2e82a172371744ad567d9030f8770.exe
-
Size
82KB
-
MD5
bcd2e82a172371744ad567d9030f8770
-
SHA1
8d17156fba0fffedf7af4b4add66a8ae93a9bad1
-
SHA256
674918f7f7c429b82216dd124fec7573e639374c245f8269b74f9d1731714e24
-
SHA512
ea9a1f991081643c631a149c366c5173bc69220375033c738c17428c77c26c89537a3a460e28715d83f166303700063139caa7e71b671e5b3da5d052f795ae7a
-
SSDEEP
1536:az3xkBIGUb2fGnEYaIBZde2L7cpm6+wDSmQFN6TiN1sJtvQu:Sqf+/nEYaIBLgpm6tm7N6TO1SpD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoelkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpbecod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boklbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilmmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plbfdekd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijcjmmil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjdaodja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclikl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljgbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boipmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epokedmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhlgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcmeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahjgjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djfcaohp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nojjcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamknj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfogeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqjglii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcjhkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblpgjha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmepam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfefkkqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojomcopk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhflnpoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdfoio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdafkdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhilfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqphfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgclpkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamknj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjjnifbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhocd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdaodja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aogiap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecefqnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pamiaboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajndioga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Higjaoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqpoakco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fideeaco.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/1288-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/1288-1-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0007000000022e67-7.dat family_berbew behavioral2/files/0x0007000000022e67-8.dat family_berbew behavioral2/memory/2632-9-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e71-15.dat family_berbew behavioral2/memory/2652-17-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e71-16.dat family_berbew behavioral2/files/0x0006000000022e73-23.dat family_berbew behavioral2/memory/3404-24-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e73-25.dat family_berbew behavioral2/files/0x0006000000022e75-31.dat family_berbew behavioral2/memory/1084-32-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e75-33.dat family_berbew behavioral2/files/0x0006000000022e77-39.dat family_berbew behavioral2/memory/3512-40-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e77-41.dat family_berbew behavioral2/files/0x0006000000022e79-47.dat family_berbew behavioral2/files/0x0006000000022e79-49.dat family_berbew behavioral2/memory/4540-48-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e7b-57.dat family_berbew behavioral2/memory/4388-56-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e7b-55.dat family_berbew behavioral2/files/0x0006000000022e7d-63.dat family_berbew behavioral2/files/0x0006000000022e7d-65.dat family_berbew behavioral2/memory/3940-64-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e7f-71.dat family_berbew behavioral2/memory/1288-72-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/1188-78-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/244-81-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e81-80.dat family_berbew behavioral2/files/0x0006000000022e7f-73.dat family_berbew behavioral2/files/0x0006000000022e81-82.dat family_berbew behavioral2/files/0x0006000000022e83-88.dat family_berbew behavioral2/files/0x0006000000022e83-90.dat family_berbew behavioral2/memory/2632-89-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/2996-91-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e85-97.dat family_berbew behavioral2/memory/2652-98-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e85-99.dat family_berbew behavioral2/memory/1624-100-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e87-106.dat family_berbew behavioral2/files/0x0006000000022e87-108.dat family_berbew behavioral2/memory/3404-107-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/3120-109-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e89-115.dat family_berbew behavioral2/memory/1084-116-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e89-117.dat family_berbew behavioral2/memory/4304-118-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/3512-126-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/4540-135-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/1304-132-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/4944-141-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e8d-134.dat family_berbew behavioral2/memory/4388-143-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e8f-142.dat family_berbew behavioral2/files/0x0006000000022e8d-133.dat family_berbew behavioral2/files/0x0006000000022e8b-125.dat family_berbew behavioral2/files/0x0006000000022e8b-124.dat family_berbew behavioral2/files/0x0006000000022e8f-145.dat family_berbew behavioral2/memory/4720-144-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e91-151.dat family_berbew behavioral2/files/0x0006000000022e91-153.dat family_berbew behavioral2/memory/3940-152-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2632 Nchjdo32.exe 2652 Nlqomd32.exe 3404 Ogfcjm32.exe 1084 Opogbbig.exe 3512 Oghppm32.exe 4540 Opadhb32.exe 4388 Ohlimd32.exe 3940 Ocamjm32.exe 1188 Oohnonij.exe 244 Ojnblg32.exe 2996 Pedbahod.exe 1624 Ploknb32.exe 3120 Pgdokkfg.exe 4304 Plagcbdn.exe 1304 Phhhhc32.exe 4944 Pgihfj32.exe 4720 Phjenbhp.exe 1460 Plhnda32.exe 3356 Qcbfakec.exe 2332 Qqffjo32.exe 1492 Qfbobf32.exe 4744 Qqhcpo32.exe 3248 Ahchda32.exe 1236 Aompak32.exe 3380 Afghneoo.exe 4280 Ackigjmh.exe 2600 Amcmpodi.exe 2120 Agiamhdo.exe 2464 Aijnep32.exe 2776 Ajjjocap.exe 4612 Boipmj32.exe 4576 Bfchidda.exe 640 Boklbi32.exe 624 Bmomlnjk.exe 1888 Bfhadc32.exe 3308 Bmbiamhi.exe 2520 Bclang32.exe 5080 Cmdfgm32.exe 1508 Cpbbch32.exe 1772 Cflkpblf.exe 2452 Cabomkll.exe 3284 Cfogeb32.exe 1660 Cmipblaq.exe 3372 Ccchof32.exe 1552 Cippgm32.exe 1160 Dgejpd32.exe 4824 Dclkee32.exe 1076 Djfcaohp.exe 2188 Dapkni32.exe 4940 Dcogje32.exe 1280 Dmglcj32.exe 2908 Ddadpdmn.exe 3704 Dinmhkke.exe 2284 Ddcqedkk.exe 1880 Dfamapjo.exe 3400 Eagaoh32.exe 5032 Eibfck32.exe 3820 Eaindh32.exe 3596 Ehcfaboo.exe 3288 Eidbij32.exe 3756 Epokedmj.exe 4556 Ehfcfb32.exe 1312 Eigonjcj.exe 2252 Efkphnbd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Okbcgopo.dll Ipmbjgpi.exe File opened for modification C:\Windows\SysWOW64\Jpaleglc.exe Jncoikmp.exe File created C:\Windows\SysWOW64\Ahgcjddh.exe Aamknj32.exe File opened for modification C:\Windows\SysWOW64\Aompak32.exe Ahchda32.exe File created C:\Windows\SysWOW64\Bheffh32.exe Bfgjjm32.exe File created C:\Windows\SysWOW64\Mhbhmhpf.dll Naaqofgj.exe File created C:\Windows\SysWOW64\Nolgijpk.exe Nhbolp32.exe File opened for modification C:\Windows\SysWOW64\Qlggjk32.exe Pemomqcn.exe File opened for modification C:\Windows\SysWOW64\Nmgjia32.exe Nlfnaicd.exe File opened for modification C:\Windows\SysWOW64\Fhdohp32.exe Fajgkfio.exe File opened for modification C:\Windows\SysWOW64\Jqdoem32.exe Jkhgmf32.exe File created C:\Windows\SysWOW64\Oipckj32.dll Nbqmiinl.exe File created C:\Windows\SysWOW64\Lhhmmcaa.dll Cihclh32.exe File opened for modification C:\Windows\SysWOW64\Cofecami.exe Cmhigf32.exe File opened for modification C:\Windows\SysWOW64\Ecefqnel.exe Emkndc32.exe File created C:\Windows\SysWOW64\Eafhkhce.dll Efccmidp.exe File created C:\Windows\SysWOW64\Hlcjhkdp.exe Hienlpel.exe File created C:\Windows\SysWOW64\Ccemjbpf.dll Gahcmd32.exe File created C:\Windows\SysWOW64\Bionkjfo.dll Mahnhhod.exe File created C:\Windows\SysWOW64\Nbcpja32.dll Bopocbcq.exe File created C:\Windows\SysWOW64\Dcnfjkma.dll Inqbclob.exe File created C:\Windows\SysWOW64\Inmabofh.dll Knalji32.exe File created C:\Windows\SysWOW64\Aolblopj.exe Ahbjoe32.exe File created C:\Windows\SysWOW64\Ejlacgdj.dll Jnkldqkc.exe File created C:\Windows\SysWOW64\Achegd32.exe Alnmjjdb.exe File created C:\Windows\SysWOW64\Qlejfm32.dll Dpbdopck.exe File opened for modification C:\Windows\SysWOW64\Idahjg32.exe Ingpmmgm.exe File created C:\Windows\SysWOW64\Qmepam32.exe Pkgcea32.exe File created C:\Windows\SysWOW64\Naaqofgj.exe Nobdbkhf.exe File opened for modification C:\Windows\SysWOW64\Bbiado32.exe Bmlilh32.exe File created C:\Windows\SysWOW64\Mnfnlf32.exe Mcqjon32.exe File opened for modification C:\Windows\SysWOW64\Opogbbig.exe Ogfcjm32.exe File created C:\Windows\SysWOW64\Gdbnag32.dll Dfamapjo.exe File created C:\Windows\SysWOW64\Eagaoh32.exe Dfamapjo.exe File created C:\Windows\SysWOW64\Camfoh32.dll Leopnglc.exe File created C:\Windows\SysWOW64\Ebkibb32.dll Okedcjcm.exe File created C:\Windows\SysWOW64\Ackbmcjl.exe Alqjpi32.exe File created C:\Windows\SysWOW64\Fbociolq.dll Boflmdkk.exe File opened for modification C:\Windows\SysWOW64\Megljppl.exe Mjahlgpf.exe File created C:\Windows\SysWOW64\Agiamhdo.exe Amcmpodi.exe File created C:\Windows\SysWOW64\Cmipblaq.exe Cfogeb32.exe File created C:\Windows\SysWOW64\Bmhocd32.exe Aaenbd32.exe File opened for modification C:\Windows\SysWOW64\Dcigeooj.exe Dmoohe32.exe File created C:\Windows\SysWOW64\Eplgeokq.exe Emmkiclm.exe File opened for modification C:\Windows\SysWOW64\Kgjgne32.exe Kqpoakco.exe File created C:\Windows\SysWOW64\Eadpldgf.dll Kecabifp.exe File opened for modification C:\Windows\SysWOW64\Lddgmbpb.exe Lnjnqh32.exe File created C:\Windows\SysWOW64\Aggamk32.dll Bfhadc32.exe File created C:\Windows\SysWOW64\Pjajmpkj.dll Iggjga32.exe File opened for modification C:\Windows\SysWOW64\Nclikl32.exe Mmbanbmg.exe File opened for modification C:\Windows\SysWOW64\Jkaicd32.exe Jibmgi32.exe File created C:\Windows\SysWOW64\Npodfe32.dll Fjjnifbl.exe File opened for modification C:\Windows\SysWOW64\Lggldm32.exe Lmbhgd32.exe File created C:\Windows\SysWOW64\Pagpdj32.dll Ehfcfb32.exe File created C:\Windows\SysWOW64\Ipmbjgpi.exe Ijcjmmil.exe File created C:\Windows\SysWOW64\Fmndpq32.exe Ffclcgfn.exe File created C:\Windows\SysWOW64\Gdobnj32.exe Glgjlm32.exe File created C:\Windows\SysWOW64\Obcceg32.exe Olijhmgj.exe File created C:\Windows\SysWOW64\Bfgjjm32.exe Bombmcec.exe File opened for modification C:\Windows\SysWOW64\Flngfn32.exe Fjmkoeqi.exe File created C:\Windows\SysWOW64\Ecgamkhq.dll Iciaqc32.exe File opened for modification C:\Windows\SysWOW64\Alpbecod.exe Aefjii32.exe File created C:\Windows\SysWOW64\Gccjmkko.dll Qqhcpo32.exe File created C:\Windows\SysWOW64\Jgamgpme.dll Lnnbqnjn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4964 3808 WerFault.exe 535 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbaokj32.dll" Ojnblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidcecbj.dll" Phjenbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehcfaboo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenbjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opogbbig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeoblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abponp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbnkonbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmndpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhgcipb.dll" Paoollik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhijqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceelqcdb.dll" Kjhcjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmakeiil.dll" Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggahedjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecabifp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efccmidp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbiejoaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Filiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbdhiojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpihjd.dll" Cippgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neafjdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabibb32.dll" Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofhmj32.dll" Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghmbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilkibdpe.dll" Pefhlaie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idahjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockkandf.dll" Qemhbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefjii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddadpdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccemjbpf.dll" Gahcmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnodaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqnnno32.dll" Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meamcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedobm32.dll" Bhcjqinf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdclcbj.dll" Ehjlaaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafnnj32.dll" Kjmfjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amcmpodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fideeaco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpeafcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgopidgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmflbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcniglmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kggcnoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moipoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmomlnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpbbch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqpfjnba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bheffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqpfjnba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocamjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddbcp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1288 wrote to memory of 2632 1288 NEAS.bcd2e82a172371744ad567d9030f8770.exe 90 PID 1288 wrote to memory of 2632 1288 NEAS.bcd2e82a172371744ad567d9030f8770.exe 90 PID 1288 wrote to memory of 2632 1288 NEAS.bcd2e82a172371744ad567d9030f8770.exe 90 PID 2632 wrote to memory of 2652 2632 Nchjdo32.exe 91 PID 2632 wrote to memory of 2652 2632 Nchjdo32.exe 91 PID 2632 wrote to memory of 2652 2632 Nchjdo32.exe 91 PID 2652 wrote to memory of 3404 2652 Nlqomd32.exe 92 PID 2652 wrote to memory of 3404 2652 Nlqomd32.exe 92 PID 2652 wrote to memory of 3404 2652 Nlqomd32.exe 92 PID 3404 wrote to memory of 1084 3404 Ogfcjm32.exe 93 PID 3404 wrote to memory of 1084 3404 Ogfcjm32.exe 93 PID 3404 wrote to memory of 1084 3404 Ogfcjm32.exe 93 PID 1084 wrote to memory of 3512 1084 Opogbbig.exe 94 PID 1084 wrote to memory of 3512 1084 Opogbbig.exe 94 PID 1084 wrote to memory of 3512 1084 Opogbbig.exe 94 PID 3512 wrote to memory of 4540 3512 Oghppm32.exe 95 PID 3512 wrote to memory of 4540 3512 Oghppm32.exe 95 PID 3512 wrote to memory of 4540 3512 Oghppm32.exe 95 PID 4540 wrote to memory of 4388 4540 Opadhb32.exe 96 PID 4540 wrote to memory of 4388 4540 Opadhb32.exe 96 PID 4540 wrote to memory of 4388 4540 Opadhb32.exe 96 PID 4388 wrote to memory of 3940 4388 Ohlimd32.exe 97 PID 4388 wrote to memory of 3940 4388 Ohlimd32.exe 97 PID 4388 wrote to memory of 3940 4388 Ohlimd32.exe 97 PID 3940 wrote to memory of 1188 3940 Ocamjm32.exe 98 PID 3940 wrote to memory of 1188 3940 Ocamjm32.exe 98 PID 3940 wrote to memory of 1188 3940 Ocamjm32.exe 98 PID 1188 wrote to memory of 244 1188 Oohnonij.exe 99 PID 1188 wrote to memory of 244 1188 Oohnonij.exe 99 PID 1188 wrote to memory of 244 1188 Oohnonij.exe 99 PID 244 wrote to memory of 2996 244 Ojnblg32.exe 100 PID 244 wrote to memory of 2996 244 Ojnblg32.exe 100 PID 244 wrote to memory of 2996 244 Ojnblg32.exe 100 PID 2996 wrote to memory of 1624 2996 Pedbahod.exe 101 PID 2996 wrote to memory of 1624 2996 Pedbahod.exe 101 PID 2996 wrote to memory of 1624 2996 Pedbahod.exe 101 PID 1624 wrote to memory of 3120 1624 Ploknb32.exe 102 PID 1624 wrote to memory of 3120 1624 Ploknb32.exe 102 PID 1624 wrote to memory of 3120 1624 Ploknb32.exe 102 PID 3120 wrote to memory of 4304 3120 Pgdokkfg.exe 103 PID 3120 wrote to memory of 4304 3120 Pgdokkfg.exe 103 PID 3120 wrote to memory of 4304 3120 Pgdokkfg.exe 103 PID 4304 wrote to memory of 1304 4304 Plagcbdn.exe 104 PID 4304 wrote to memory of 1304 4304 Plagcbdn.exe 104 PID 4304 wrote to memory of 1304 4304 Plagcbdn.exe 104 PID 1304 wrote to memory of 4944 1304 Phhhhc32.exe 106 PID 1304 wrote to memory of 4944 1304 Phhhhc32.exe 106 PID 1304 wrote to memory of 4944 1304 Phhhhc32.exe 106 PID 4944 wrote to memory of 4720 4944 Pgihfj32.exe 107 PID 4944 wrote to memory of 4720 4944 Pgihfj32.exe 107 PID 4944 wrote to memory of 4720 4944 Pgihfj32.exe 107 PID 4720 wrote to memory of 1460 4720 Phjenbhp.exe 108 PID 4720 wrote to memory of 1460 4720 Phjenbhp.exe 108 PID 4720 wrote to memory of 1460 4720 Phjenbhp.exe 108 PID 1460 wrote to memory of 3356 1460 Plhnda32.exe 109 PID 1460 wrote to memory of 3356 1460 Plhnda32.exe 109 PID 1460 wrote to memory of 3356 1460 Plhnda32.exe 109 PID 3356 wrote to memory of 2332 3356 Qcbfakec.exe 110 PID 3356 wrote to memory of 2332 3356 Qcbfakec.exe 110 PID 3356 wrote to memory of 2332 3356 Qcbfakec.exe 110 PID 2332 wrote to memory of 1492 2332 Qqffjo32.exe 111 PID 2332 wrote to memory of 1492 2332 Qqffjo32.exe 111 PID 2332 wrote to memory of 1492 2332 Qqffjo32.exe 111 PID 1492 wrote to memory of 4744 1492 Qfbobf32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.bcd2e82a172371744ad567d9030f8770.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.bcd2e82a172371744ad567d9030f8770.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4744 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3248 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe25⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe26⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe27⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe29⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe30⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe31⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe33⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe37⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe38⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe39⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe41⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe42⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3284 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe44⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe45⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe47⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe48⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe50⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe51⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe52⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe54⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe55⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe57⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe58⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe59⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3596 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe61⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4556 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe64⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe65⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe66⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe67⤵
- Modifies registry class
PID:3172 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe68⤵
- Modifies registry class
PID:3856 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe69⤵
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe70⤵PID:4448
-
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe71⤵PID:1908
-
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe72⤵PID:2888
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe73⤵PID:1208
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe74⤵PID:3836
-
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe75⤵
- Drops file in System32 directory
PID:4408 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe76⤵PID:4808
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe77⤵PID:2596
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe79⤵PID:4640
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe80⤵PID:5136
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe82⤵PID:5232
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe83⤵PID:5312
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe84⤵PID:5348
-
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe85⤵
- Modifies registry class
PID:5404 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe86⤵PID:5456
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe87⤵
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe88⤵PID:5552
-
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5652 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe91⤵
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe92⤵PID:5772
-
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe93⤵PID:5820
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe94⤵PID:5860
-
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe95⤵PID:5908
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6000 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe98⤵PID:6040
-
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe99⤵PID:6088
-
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe100⤵PID:3948
-
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe101⤵PID:5168
-
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe102⤵PID:5308
-
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe103⤵PID:5372
-
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe104⤵PID:5496
-
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe105⤵PID:5604
-
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe106⤵
- Modifies registry class
PID:5692 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe107⤵PID:5784
-
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe108⤵PID:5904
-
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe110⤵PID:6056
-
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe111⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe112⤵PID:5376
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5488 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe114⤵
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe115⤵
- Drops file in System32 directory
PID:5780 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe116⤵PID:5988
-
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6116 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe118⤵PID:5380
-
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe119⤵PID:5640
-
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe120⤵PID:5800
-
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe121⤵PID:6076
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-