Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
31/10/2023, 08:38
Behavioral task
behavioral1
Sample
NEAS.0b4f1f1fc46f3924f0cbacbeaf572ecd.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.0b4f1f1fc46f3924f0cbacbeaf572ecd.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.0b4f1f1fc46f3924f0cbacbeaf572ecd.exe
-
Size
391KB
-
MD5
0b4f1f1fc46f3924f0cbacbeaf572ecd
-
SHA1
4e64b4150870b62cf0a349ce54b5265d5cb7f684
-
SHA256
f7742ec27f983ccfd78a8db8a7a13607d32fc36aa2046fbf037327dcb4b8bb3a
-
SHA512
3f0dbab145396b53f0880f7d942f1ba2dd22d67a86225abb8b2d2c0c508997a27ce9b25358c5c22805ad97c428a86a9b980fd58ebb9abd9dc5d1c74ea7afddb8
-
SSDEEP
12288:qfKT9XvEhdfJkKSkU3kHyuaRB5t6k0IJogZ+SZE:99XvEhdfJkKSkU3kHyuaRB5t6k0IJogU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhijijbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcijeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaajed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inebjihf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paihlpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmkqpkla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflbkcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkiaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdijbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Medqcmki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlppno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plpjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gifkpknp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaopfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlhccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmimai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikihe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkabjbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jncoikmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbplml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdfdmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkiaej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkeldnpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfjkjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfpbpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fooclapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbbagk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmmqheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Piapkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdmpje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglpibgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inlihl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehgnied.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbcfbjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igajal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehailbaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjaphek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oclkgccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikejgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnbakghm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iondqhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcclncbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maiccajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggilil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlkfbocp.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022ddb-6.dat family_berbew behavioral2/files/0x0008000000022ddb-8.dat family_berbew behavioral2/files/0x0006000000022dea-15.dat family_berbew behavioral2/files/0x0006000000022dea-14.dat family_berbew behavioral2/files/0x0006000000022dec-23.dat family_berbew behavioral2/files/0x0006000000022dec-22.dat family_berbew behavioral2/files/0x0006000000022dee-30.dat family_berbew behavioral2/files/0x0006000000022dee-32.dat family_berbew behavioral2/files/0x0006000000022df1-38.dat family_berbew behavioral2/files/0x0006000000022df1-40.dat family_berbew behavioral2/files/0x0006000000022df3-46.dat family_berbew behavioral2/files/0x0006000000022df3-48.dat family_berbew behavioral2/files/0x0006000000022df5-54.dat family_berbew behavioral2/files/0x0006000000022df5-56.dat family_berbew behavioral2/files/0x0006000000022df7-63.dat family_berbew behavioral2/files/0x0006000000022df7-62.dat family_berbew behavioral2/files/0x0006000000022dfb-70.dat family_berbew behavioral2/files/0x0006000000022dfb-71.dat family_berbew behavioral2/files/0x0006000000022dfd-78.dat family_berbew behavioral2/files/0x0006000000022dfd-80.dat family_berbew behavioral2/files/0x0006000000022dff-86.dat family_berbew behavioral2/files/0x0006000000022dff-88.dat family_berbew behavioral2/files/0x0006000000022e02-94.dat family_berbew behavioral2/files/0x0006000000022e02-96.dat family_berbew behavioral2/files/0x0006000000022e04-104.dat family_berbew behavioral2/files/0x0006000000022e04-102.dat family_berbew behavioral2/files/0x0006000000022e06-110.dat family_berbew behavioral2/files/0x0006000000022e06-112.dat family_berbew behavioral2/files/0x0006000000022e08-118.dat family_berbew behavioral2/files/0x0006000000022e08-120.dat family_berbew behavioral2/files/0x0006000000022e10-126.dat family_berbew behavioral2/files/0x0006000000022e10-128.dat family_berbew behavioral2/files/0x0007000000022e0c-134.dat family_berbew behavioral2/files/0x0007000000022e0c-136.dat family_berbew behavioral2/files/0x0006000000022e13-142.dat family_berbew behavioral2/files/0x0006000000022e13-144.dat family_berbew behavioral2/files/0x0007000000022e0e-150.dat family_berbew behavioral2/files/0x0007000000022e0e-152.dat family_berbew behavioral2/files/0x0006000000022e17-158.dat family_berbew behavioral2/files/0x0006000000022e17-159.dat family_berbew behavioral2/files/0x0006000000022e1e-167.dat family_berbew behavioral2/files/0x0006000000022e1e-166.dat family_berbew behavioral2/files/0x0006000000022e22-174.dat family_berbew behavioral2/files/0x0006000000022e22-175.dat family_berbew behavioral2/files/0x0007000000022e19-182.dat family_berbew behavioral2/files/0x0007000000022e19-184.dat family_berbew behavioral2/files/0x0007000000022e1b-190.dat family_berbew behavioral2/files/0x0007000000022e1b-191.dat family_berbew behavioral2/files/0x0008000000022e1d-198.dat family_berbew behavioral2/files/0x0008000000022e1d-199.dat family_berbew behavioral2/files/0x0008000000022e24-206.dat family_berbew behavioral2/files/0x0008000000022e24-208.dat family_berbew behavioral2/files/0x0006000000022e26-214.dat family_berbew behavioral2/files/0x0006000000022e26-216.dat family_berbew behavioral2/files/0x0006000000022e28-223.dat family_berbew behavioral2/files/0x0006000000022e28-222.dat family_berbew behavioral2/files/0x0006000000022e2a-230.dat family_berbew behavioral2/files/0x0006000000022e2a-232.dat family_berbew behavioral2/files/0x0006000000022e2c-239.dat family_berbew behavioral2/files/0x0006000000022e2c-238.dat family_berbew behavioral2/files/0x0006000000022e2e-246.dat family_berbew behavioral2/files/0x0006000000022e2e-248.dat family_berbew behavioral2/files/0x0006000000022e30-254.dat family_berbew behavioral2/files/0x0006000000022e30-256.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1104 Oqfdnhfk.exe 4648 Pcijeb32.exe 924 Pnonbk32.exe 4712 Pggbkagp.exe 5112 Pflplnlg.exe 848 Pdmpje32.exe 3800 Pmidog32.exe 4248 Qqfmde32.exe 4988 Qmmnjfnl.exe 2240 Ampkof32.exe 4476 Ajckij32.exe 3304 Agglboim.exe 5068 Acnlgp32.exe 1860 Aeniabfd.exe 2408 Aadifclh.exe 1504 Bjokdipf.exe 4888 Bgcknmop.exe 3312 Balpgb32.exe 784 Bapiabak.exe 2372 Cjkjpgfi.exe 792 Cfbkeh32.exe 220 Ceckcp32.exe 372 Chcddk32.exe 3872 Ddjejl32.exe 60 Dmcibama.exe 1048 Daqbip32.exe 2576 Dmgbnq32.exe 4388 Dhmgki32.exe 3892 Daekdooc.exe 3436 Doilmc32.exe 4448 Ehapfiem.exe 4584 Eonehbjg.exe 3112 Ehfjah32.exe 3572 Ehiffh32.exe 3880 Edpgli32.exe 1676 Eoekia32.exe 4788 Foghnabl.exe 1364 Fknicb32.exe 4932 Fedmqk32.exe 4256 Fkqeib32.exe 2752 Fdijbg32.exe 1420 Fonnop32.exe 3624 Foqkdp32.exe 4316 Gglpibgm.exe 328 Gempgj32.exe 4140 Ggnlobej.exe 4492 Gdbmhf32.exe 4900 Gnkaalkd.exe 2572 Gkobjpin.exe 5092 Gdgfce32.exe 1320 Hghoeqmp.exe 4228 Hbmcbime.exe 1200 Hoadkn32.exe 4500 Hglipp32.exe 2640 Hdpiid32.exe 1764 Hbdjchgn.exe 2280 Jodjhkkj.exe 560 Jbgoof32.exe 2840 Jehhaaci.exe 3816 Jblijebc.exe 944 Jieagojp.exe 4780 Kgknhl32.exe 3720 Kflnfcgg.exe 4688 Kbbokdlk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eonehbjg.exe Ehapfiem.exe File created C:\Windows\SysWOW64\Mbmcqa32.dll Dhomfc32.exe File opened for modification C:\Windows\SysWOW64\Gjdaodja.exe Gdjibj32.exe File created C:\Windows\SysWOW64\Cklhcfle.exe Cdbpgl32.exe File opened for modification C:\Windows\SysWOW64\Dmcibama.exe Ddjejl32.exe File created C:\Windows\SysWOW64\Bpkmil32.dll Cflkpblf.exe File created C:\Windows\SysWOW64\Igedlh32.exe Iahlcaol.exe File created C:\Windows\SysWOW64\Mnggge32.dll Lkofdbkj.exe File created C:\Windows\SysWOW64\Cgdgna32.dll Iinjhh32.exe File created C:\Windows\SysWOW64\Jlobem32.dll Cpmapodj.exe File created C:\Windows\SysWOW64\Dhbebj32.exe Dpkmal32.exe File created C:\Windows\SysWOW64\Jllhpkfk.exe Jeapcq32.exe File opened for modification C:\Windows\SysWOW64\Pggbkagp.exe Pnonbk32.exe File created C:\Windows\SysWOW64\Moefhk32.dll Ookjdn32.exe File created C:\Windows\SysWOW64\Bqilgmdg.exe Bfchidda.exe File created C:\Windows\SysWOW64\Ejbbmnnb.exe Eibfck32.exe File created C:\Windows\SysWOW64\Nmpgal32.dll Hplicjok.exe File created C:\Windows\SysWOW64\Bafehe32.dll Mcjmel32.exe File created C:\Windows\SysWOW64\Jgpfbjlo.exe Jpenfp32.exe File created C:\Windows\SysWOW64\Eibfck32.exe Ehailbaa.exe File created C:\Windows\SysWOW64\Pinnnm32.dll Llhikacp.exe File created C:\Windows\SysWOW64\Ifenan32.dll Jjpode32.exe File created C:\Windows\SysWOW64\Dikihe32.exe Djelgied.exe File created C:\Windows\SysWOW64\Gdcliikj.exe Gmiclo32.exe File created C:\Windows\SysWOW64\Fgaemg32.dll Kgninn32.exe File created C:\Windows\SysWOW64\Bqbijpeo.dll Onnmdcjm.exe File opened for modification C:\Windows\SysWOW64\Kbbokdlk.exe Kflnfcgg.exe File opened for modification C:\Windows\SysWOW64\Djhpgofm.exe Djfcaohp.exe File opened for modification C:\Windows\SysWOW64\Bnmoijje.exe Bkobmnka.exe File created C:\Windows\SysWOW64\Nalhik32.dll Cklhcfle.exe File created C:\Windows\SysWOW64\Jnhidk32.exe Jcbdgb32.exe File created C:\Windows\SysWOW64\Mdijliok.dll Bnhenj32.exe File created C:\Windows\SysWOW64\Gfjkjo32.exe Gifkpknp.exe File opened for modification C:\Windows\SysWOW64\Cjkjpgfi.exe Bapiabak.exe File opened for modification C:\Windows\SysWOW64\Phigif32.exe Pmcclm32.exe File created C:\Windows\SysWOW64\Kioodcbn.dll Pocpfphe.exe File opened for modification C:\Windows\SysWOW64\Kodnmkap.exe Kncaec32.exe File created C:\Windows\SysWOW64\Iaejqcdo.dll Joqafgni.exe File created C:\Windows\SysWOW64\Nfenigce.dll Mbdiknlb.exe File created C:\Windows\SysWOW64\Pqbala32.exe Obqanjdb.exe File created C:\Windows\SysWOW64\Hgfnoiid.dll Jqhafffk.exe File opened for modification C:\Windows\SysWOW64\Ljfhqh32.exe Lnjnqh32.exe File created C:\Windows\SysWOW64\Oeheqm32.exe Onnmdcjm.exe File opened for modification C:\Windows\SysWOW64\Npepkf32.exe Nncccnol.exe File created C:\Windows\SysWOW64\Mohidbkl.exe Mljmhflh.exe File created C:\Windows\SysWOW64\Cjkhnd32.dll Obgohklm.exe File opened for modification C:\Windows\SysWOW64\Ilibdmgp.exe Ieojgc32.exe File opened for modification C:\Windows\SysWOW64\Bfqkddfd.exe Bogcgj32.exe File opened for modification C:\Windows\SysWOW64\Niooqcad.exe Nbefdijg.exe File created C:\Windows\SysWOW64\Hgfapd32.exe Hplicjok.exe File opened for modification C:\Windows\SysWOW64\Lopmii32.exe Lnoaaaad.exe File created C:\Windows\SysWOW64\Mfchlbfd.exe Moipoh32.exe File created C:\Windows\SysWOW64\Bgagea32.dll Nfohgqlg.exe File created C:\Windows\SysWOW64\Cpfoag32.dll Cocjiehd.exe File created C:\Windows\SysWOW64\Hcoejf32.dll Mfnhfm32.exe File opened for modification C:\Windows\SysWOW64\Oqhoeb32.exe Oiagde32.exe File created C:\Windows\SysWOW64\Qqfmde32.exe Pmidog32.exe File opened for modification C:\Windows\SysWOW64\Bifmqo32.exe Bpnihiio.exe File opened for modification C:\Windows\SysWOW64\Dmihij32.exe Ddadpdmn.exe File opened for modification C:\Windows\SysWOW64\Fmpqfq32.exe Fffhifdk.exe File opened for modification C:\Windows\SysWOW64\Lcgpni32.exe Ljnlecmp.exe File created C:\Windows\SysWOW64\Ekellcop.dll Eklajcmc.exe File created C:\Windows\SysWOW64\Eipinkib.exe Dhomfc32.exe File opened for modification C:\Windows\SysWOW64\Hloqml32.exe Gkmdecbg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7404 7416 WerFault.exe 868 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbgoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhiajmod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiobceef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhodk32.dll" Aahbbkaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll" NEAS.0b4f1f1fc46f3924f0cbacbeaf572ecd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlgah32.dll" Ngmpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdijf32.dll" Poodpmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poblig32.dll" Pcpikkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkdliame.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdcliikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbblob32.dll" Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baampdgc.dll" Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfedoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfjcpfb.dll" Flpmagqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iefgbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aokkahlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debcil32.dll" Nhegig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpofmcef.dll" Dclkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfaajnfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdimkqnb.dll" Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjaei32.dll" Dhdbhifj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebkbbmqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdcjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkgeoklj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnbklm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amqhbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgnomg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqlfhjig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Falcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll" Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcleml32.dll" Jqknkedi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blgifbil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ieojgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll" Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Amcmpodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gjdaodja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbqdpi32.dll" Imkbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmnhl32.dll" Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjdpelnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagpdj32.dll" Ehfcfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iljpij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jncoikmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbjkgmg.dll" Jpcapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iondqhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" Dmgbnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbbokdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qgpogili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjglocmi.dll" Lgkpdcmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ploknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdeookg.dll" Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lddkje32.dll" Plcdiabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojhpimhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glokko32.dll" Gdgfce32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 956 wrote to memory of 1104 956 NEAS.0b4f1f1fc46f3924f0cbacbeaf572ecd.exe 88 PID 956 wrote to memory of 1104 956 NEAS.0b4f1f1fc46f3924f0cbacbeaf572ecd.exe 88 PID 956 wrote to memory of 1104 956 NEAS.0b4f1f1fc46f3924f0cbacbeaf572ecd.exe 88 PID 1104 wrote to memory of 4648 1104 Oqfdnhfk.exe 89 PID 1104 wrote to memory of 4648 1104 Oqfdnhfk.exe 89 PID 1104 wrote to memory of 4648 1104 Oqfdnhfk.exe 89 PID 4648 wrote to memory of 924 4648 Pcijeb32.exe 90 PID 4648 wrote to memory of 924 4648 Pcijeb32.exe 90 PID 4648 wrote to memory of 924 4648 Pcijeb32.exe 90 PID 924 wrote to memory of 4712 924 Pnonbk32.exe 91 PID 924 wrote to memory of 4712 924 Pnonbk32.exe 91 PID 924 wrote to memory of 4712 924 Pnonbk32.exe 91 PID 4712 wrote to memory of 5112 4712 Pggbkagp.exe 92 PID 4712 wrote to memory of 5112 4712 Pggbkagp.exe 92 PID 4712 wrote to memory of 5112 4712 Pggbkagp.exe 92 PID 5112 wrote to memory of 848 5112 Pflplnlg.exe 93 PID 5112 wrote to memory of 848 5112 Pflplnlg.exe 93 PID 5112 wrote to memory of 848 5112 Pflplnlg.exe 93 PID 848 wrote to memory of 3800 848 Pdmpje32.exe 94 PID 848 wrote to memory of 3800 848 Pdmpje32.exe 94 PID 848 wrote to memory of 3800 848 Pdmpje32.exe 94 PID 3800 wrote to memory of 4248 3800 Pmidog32.exe 95 PID 3800 wrote to memory of 4248 3800 Pmidog32.exe 95 PID 3800 wrote to memory of 4248 3800 Pmidog32.exe 95 PID 4248 wrote to memory of 4988 4248 Qqfmde32.exe 96 PID 4248 wrote to memory of 4988 4248 Qqfmde32.exe 96 PID 4248 wrote to memory of 4988 4248 Qqfmde32.exe 96 PID 4988 wrote to memory of 2240 4988 Qmmnjfnl.exe 97 PID 4988 wrote to memory of 2240 4988 Qmmnjfnl.exe 97 PID 4988 wrote to memory of 2240 4988 Qmmnjfnl.exe 97 PID 2240 wrote to memory of 4476 2240 Ampkof32.exe 98 PID 2240 wrote to memory of 4476 2240 Ampkof32.exe 98 PID 2240 wrote to memory of 4476 2240 Ampkof32.exe 98 PID 4476 wrote to memory of 3304 4476 Ajckij32.exe 99 PID 4476 wrote to memory of 3304 4476 Ajckij32.exe 99 PID 4476 wrote to memory of 3304 4476 Ajckij32.exe 99 PID 3304 wrote to memory of 5068 3304 Agglboim.exe 100 PID 3304 wrote to memory of 5068 3304 Agglboim.exe 100 PID 3304 wrote to memory of 5068 3304 Agglboim.exe 100 PID 5068 wrote to memory of 1860 5068 Acnlgp32.exe 102 PID 5068 wrote to memory of 1860 5068 Acnlgp32.exe 102 PID 5068 wrote to memory of 1860 5068 Acnlgp32.exe 102 PID 1860 wrote to memory of 2408 1860 Aeniabfd.exe 103 PID 1860 wrote to memory of 2408 1860 Aeniabfd.exe 103 PID 1860 wrote to memory of 2408 1860 Aeniabfd.exe 103 PID 2408 wrote to memory of 1504 2408 Aadifclh.exe 104 PID 2408 wrote to memory of 1504 2408 Aadifclh.exe 104 PID 2408 wrote to memory of 1504 2408 Aadifclh.exe 104 PID 1504 wrote to memory of 4888 1504 Bjokdipf.exe 105 PID 1504 wrote to memory of 4888 1504 Bjokdipf.exe 105 PID 1504 wrote to memory of 4888 1504 Bjokdipf.exe 105 PID 4888 wrote to memory of 3312 4888 Bgcknmop.exe 106 PID 4888 wrote to memory of 3312 4888 Bgcknmop.exe 106 PID 4888 wrote to memory of 3312 4888 Bgcknmop.exe 106 PID 3312 wrote to memory of 784 3312 Balpgb32.exe 107 PID 3312 wrote to memory of 784 3312 Balpgb32.exe 107 PID 3312 wrote to memory of 784 3312 Balpgb32.exe 107 PID 784 wrote to memory of 2372 784 Bapiabak.exe 108 PID 784 wrote to memory of 2372 784 Bapiabak.exe 108 PID 784 wrote to memory of 2372 784 Bapiabak.exe 108 PID 2372 wrote to memory of 792 2372 Cjkjpgfi.exe 110 PID 2372 wrote to memory of 792 2372 Cjkjpgfi.exe 110 PID 2372 wrote to memory of 792 2372 Cjkjpgfi.exe 110 PID 792 wrote to memory of 220 792 Cfbkeh32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.0b4f1f1fc46f3924f0cbacbeaf572ecd.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.0b4f1f1fc46f3924f0cbacbeaf572ecd.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe23⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe24⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe26⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe29⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe30⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe31⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4448 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe33⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe34⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe35⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe36⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe37⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe38⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe39⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe40⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe41⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe43⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe44⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe46⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe47⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe48⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe49⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe50⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:5092 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe52⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe53⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe54⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe55⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe56⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe57⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe58⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe60⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe61⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe62⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe63⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3720 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe66⤵PID:2068
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe67⤵PID:3508
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe68⤵PID:4960
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe69⤵PID:2032
-
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe71⤵PID:1144
-
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe72⤵PID:4588
-
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe73⤵PID:3192
-
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe74⤵PID:4460
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe75⤵PID:3828
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4084 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe77⤵PID:1824
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe78⤵PID:3300
-
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe79⤵PID:184
-
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe80⤵PID:760
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe81⤵PID:4252
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe82⤵PID:3528
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe83⤵
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe84⤵PID:3868
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe85⤵PID:776
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe86⤵PID:4632
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe87⤵PID:4288
-
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4512 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe89⤵PID:4644
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5024 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe91⤵PID:4992
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe92⤵PID:4572
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe93⤵PID:4612
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe94⤵PID:3084
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe95⤵PID:2124
-
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe96⤵PID:5164
-
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe97⤵PID:5208
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe98⤵PID:5256
-
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe99⤵PID:5300
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe100⤵
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe101⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe102⤵PID:5424
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe103⤵
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe104⤵PID:5516
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe105⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe106⤵PID:5604
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe107⤵PID:5644
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe108⤵
- Modifies registry class
PID:5692 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe109⤵PID:5736
-
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe110⤵PID:5780
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe111⤵
- Modifies registry class
PID:5824 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe112⤵PID:5868
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe113⤵PID:5912
-
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe114⤵PID:5956
-
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe115⤵PID:5996
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe116⤵PID:6040
-
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe117⤵PID:6088
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe118⤵
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe119⤵PID:5156
-
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe120⤵PID:5220
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe121⤵
- Drops file in System32 directory
PID:5292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-