Analysis
max time kernel: 170s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2023, 08:40
Behavioral tasks
behavioral1: sample NEAS.eab9de577dcfcbc48480e7b47107ae1d.exe, resource win7-20231023-en
behavioral2: sample NEAS.eab9de577dcfcbc48480e7b47107ae1d.exe, resource win10v2004-20231023-en
General
Target: NEAS.eab9de577dcfcbc48480e7b47107ae1d.exe
Size: 104KB
MD5: eab9de577dcfcbc48480e7b47107ae1d
SHA1: 5e33356a6d2a5b6b975eae80cffa7c4f7225725c
SHA256: 86b8019732e78a66997e6cdddaeef18c8307b8e8db6443cfd8bdc5e714a2824d
SHA512: 8913f9212717730f1f9f862acf76a3ddd5b8a1ab0f2e77b4e4517ed69a8cac63615adb4753020fde47564d297fc5370cd7788cbbfd90c458d2cb632eaf64999f
SSDEEP: 3072:0qZddunvwGu/672e5Fx7cEGrhkngpDvchkqbAIQS:nwnvH35Fx4brq2Ahn
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 rows touch the same key, HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (logged as \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad). Columns are description, ioc, process; the rows are grouped by description below, in report order.
Key created (34 rows), by process: Gicndaep.exe, Akbjidbf.exe, Kaaaak32.exe, Mdloelpc.exe, Fhkcfmbp.exe, Mnanpfdo.exe, Ofaeffpa.exe, Lepnli32.exe, Ckdcli32.exe, Ingpgcmj.exe, Kddnpj32.exe, Odcfdc32.exe, Gobicbgf.exe, Olfolp32.exe, Qhfcbfdl.exe, Oldagc32.exe, Fgldoi32.exe, Meepoc32.exe, Ojommdfh.exe, Cdnmphag.exe, Kjblcj32.exe, Pfgopnbo.exe, Pchljlpo.exe, Poomom32.exe, Elnoifjg.exe, Hclaeocp.exe, Bngdndfn.exe, Dohkhq32.exe, Gnppbapl.exe, Jhjcbljf.exe, Icedkn32.exe, Leenanik.exe, Ecpmod32.exe, Celelf32.exe
Set value (str) ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" (30 rows), by process: Kcfgaq32.exe, Fngcfikb.exe, Dhidcffq.exe, Mdehep32.exe, Gpaqkgba.exe, Banjhbio.exe, Pldljbmn.exe, Pckpja32.exe, Fnegqjne.exe, Jondojna.exe, Imklncch.exe, Gldpkfoe.exe, Jjopmh32.exe, Chepehne.exe, Cdiohhbm.exe, Celelf32.exe, Cfbhhfbg.exe, Iofpnhmc.exe, Jhjcbljf.exe, Qbekgknb.exe, Anobaa32.exe, Dkcehaof.exe, Lfqjhmhk.exe, Icedkn32.exe, Kllodfpd.exe, Lqjqab32.exe, Ndejcemn.exe, Hlnqfanb.exe, Dlhlleeh.exe, Gfqjkljn.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan whose primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers.
Columns are resource, yara_rule. Every row below matched yara_rule family_berbew.
behavioral2/memory/752-0-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022cf1-6.dat
behavioral2/memory/4724-7-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022cf1-8.dat
behavioral2/files/0x0007000000022cf3-14.dat
behavioral2/memory/2208-15-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022cf3-16.dat
behavioral2/files/0x0008000000022cf5-22.dat
behavioral2/memory/1660-23-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0008000000022cf5-24.dat
behavioral2/files/0x0008000000022cf8-30.dat
behavioral2/memory/3352-31-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0008000000022cf8-32.dat
behavioral2/files/0x0006000000022cfa-38.dat
behavioral2/files/0x0006000000022cfa-40.dat
behavioral2/memory/3332-39-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022cfe-46.dat
behavioral2/files/0x0006000000022cfe-48.dat
behavioral2/memory/4968-47-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d01-49.dat
behavioral2/files/0x0006000000022d01-54.dat
behavioral2/files/0x0006000000022d01-56.dat
behavioral2/memory/556-55-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d03-62.dat
behavioral2/files/0x0006000000022d03-64.dat
behavioral2/memory/528-63-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d05-70.dat
behavioral2/memory/4112-71-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d05-72.dat
behavioral2/files/0x0007000000022d08-78.dat
behavioral2/memory/3512-79-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022d08-80.dat
behavioral2/files/0x0006000000022d0b-81.dat
behavioral2/files/0x0006000000022d0b-86.dat
behavioral2/memory/3596-88-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d0b-87.dat
behavioral2/files/0x0006000000022d16-94.dat
behavioral2/memory/1112-95-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d16-96.dat
behavioral2/files/0x0006000000022d18-102.dat
behavioral2/files/0x0006000000022d18-103.dat
behavioral2/memory/2088-104-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022d0f-110.dat
behavioral2/memory/3208-111-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022d0f-112.dat
behavioral2/files/0x0007000000022d11-118.dat
behavioral2/memory/4220-119-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022d11-120.dat
behavioral2/files/0x0007000000022d13-121.dat
behavioral2/files/0x0007000000022d13-126.dat
behavioral2/memory/4472-128-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0007000000022d13-127.dat
behavioral2/files/0x0006000000022d1b-134.dat
behavioral2/files/0x0006000000022d1b-136.dat
behavioral2/memory/656-135-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d1d-142.dat
behavioral2/memory/1460-143-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d1d-144.dat
behavioral2/files/0x0006000000022d1f-150.dat
behavioral2/files/0x0006000000022d1f-152.dat
behavioral2/memory/2064-151-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d21-159.dat
behavioral2/memory/4384-160-0x0000000000400000-0x0000000000443000-memory.dmp
behavioral2/files/0x0006000000022d21-158.dat
Executes dropped EXE (64 IoCs)
Columns are pid, process.
4724 Bcpika32.exe; 2208 Ecfhji32.exe; 1660 Fnglcqio.exe; 3352 Gjhonp32.exe
3332 Jnapgjdo.exe; 4968 Kceoppmo.exe; 556 Ldfhgn32.exe; 528 Meoggpmd.exe
4112 Nkpijfgf.exe; 3512 Oediim32.exe; 3596 Pfpidk32.exe; 1112 Qnbdjl32.exe
2088 Aohfdnil.exe; 3208 Belemd32.exe; 4220 Cfbhhfbg.exe; 4472 Cbnbhfde.exe
656 Cbqonf32.exe; 1460 Dpkehi32.exe; 2064 Efampahd.exe; 4384 Hlogfd32.exe
4004 Malnklgg.exe; 4732 Mhmmieil.exe; 1696 Ndejcemn.exe; 748 Ndmpddfe.exe
212 Odcfdc32.exe; 4740 Paomog32.exe; 892 Pjoknhbe.exe; 660 Aklciimh.exe
1344 Dlhlleeh.exe; 4340 Gklnem32.exe; 5096 Ikcmmjkb.exe; 4176 Iofpnhmc.exe
3940 Jhjcbljf.exe; 4712 Kmobii32.exe; 3908 Lkiiee32.exe; 4568 Lbcabo32.exe
3964 Lmheph32.exe; 1200 Lfqjhmhk.exe; 4052 Mmokpglb.exe; 3468 Nfcoekhe.exe
4264 Olgnnqpe.exe; 2092 Pkigbfja.exe; 3132 Akbjidbf.exe; 812 Angleokb.exe
3688 Ckclfp32.exe; 2220 Ejfeij32.exe; 3012 Flodilma.exe; 232 Gdfhil32.exe
3996 Haobnpkc.exe; 3868 Haeino32.exe; 4372 Hhbnqi32.exe; 4492 Ihnmlg32.exe
4596 Kaaaak32.exe; 3768 Knhbflbp.exe; 4952 Kkooep32.exe; 4160 Lkmkfncf.exe
1260 Meepoc32.exe; 4432 Mbbcofpf.exe; 1892 Nfgbec32.exe; 3516 Oihkgo32.exe
4860 Ponfed32.exe; 2764 Plimpg32.exe; 1316 Qpibke32.exe; 3352 Gpnoigpe.exe
Drops file in System32 directory (64 IoCs)
Columns are description, ioc, process.
File created | C:\Windows\SysWOW64\Bbecnipp.exe | Bafgdfim.exe
File created | C:\Windows\SysWOW64\Pnbjlolg.dll | Bammeebe.exe
File created | C:\Windows\SysWOW64\Ljcejhnh.exe | Lcimmn32.exe
File created | C:\Windows\SysWOW64\Opiipkfb.exe | Ofaeffpa.exe
File created | C:\Windows\SysWOW64\Ecfhji32.exe | Bcpika32.exe
File created | C:\Windows\SysWOW64\Jmgkja32.exe | Impeib32.exe
File created | C:\Windows\SysWOW64\Hapancai.exe | Hclaeocp.exe
File created | C:\Windows\SysWOW64\Bnhjinpo.exe | Bccfleqi.exe
File created | C:\Windows\SysWOW64\Cagolf32.exe | Celelf32.exe
File created | C:\Windows\SysWOW64\Jiejgm32.dll | Keinepch.exe
File created | C:\Windows\SysWOW64\Pnjapoec.dll | Liecmlno.exe
File opened for modification | C:\Windows\SysWOW64\Olbdacbp.exe | Oampdkbj.exe
File opened for modification | C:\Windows\SysWOW64\Djqbeonf.exe | Dkmebh32.exe
File created | C:\Windows\SysWOW64\Nmlafe32.dll | Cfbhhfbg.exe
File opened for modification | C:\Windows\SysWOW64\Koonak32.exe | Jbagkkgj.exe
File created | C:\Windows\SysWOW64\Nbjndimm.dll | Knaldo32.exe
File opened for modification | C:\Windows\SysWOW64\Bbecnipp.exe | Bafgdfim.exe
File opened for modification | C:\Windows\SysWOW64\Ffjdjmpf.exe | Fcdbmb32.exe
File opened for modification | C:\Windows\SysWOW64\Mmlphfed.exe | Mgagll32.exe
File created | C:\Windows\SysWOW64\Kdlfonlf.dll | Fkiobhac.exe
File created | C:\Windows\SysWOW64\Gnjjpk32.exe | Gpaqkgba.exe
File opened for modification | C:\Windows\SysWOW64\Hfcnicjl.exe | Hpiemj32.exe
File opened for modification | C:\Windows\SysWOW64\Ppbepp32.exe | Pldljbmn.exe
File opened for modification | C:\Windows\SysWOW64\Dhlhcl32.exe | Docckfai.exe
File created | C:\Windows\SysWOW64\Badipiae.exe | Bjkacoji.exe
File opened for modification | C:\Windows\SysWOW64\Pomgcc32.exe | Phqbaj32.exe
File opened for modification | C:\Windows\SysWOW64\Phgagb32.exe | Poomom32.exe
File opened for modification | C:\Windows\SysWOW64\Dkbomgde.exe | Djqbeonf.exe
File opened for modification | C:\Windows\SysWOW64\Elkbcf32.exe | Ecpmod32.exe
File created | C:\Windows\SysWOW64\Ihkigd32.exe | Iaaakj32.exe
File opened for modification | C:\Windows\SysWOW64\Kdmjmqjf.exe | Jncapf32.exe
File created | C:\Windows\SysWOW64\Ppgefpeb.dll | Cagolf32.exe
File created | C:\Windows\SysWOW64\Pkachhph.dll | Alnfiifd.exe
File created | C:\Windows\SysWOW64\Aafmqf32.dll | Opiipkfb.exe
File created | C:\Windows\SysWOW64\Elkqqjac.dll | Gfqjkljn.exe
File opened for modification | C:\Windows\SysWOW64\Cbnkhcha.exe | Ckdcli32.exe
File created | C:\Windows\SysWOW64\Bmijllek.dll | Dkmebh32.exe
File opened for modification | C:\Windows\SysWOW64\Kddnpj32.exe | Jlmfomcp.exe
File created | C:\Windows\SysWOW64\Nophma32.dll | Qkegiggl.exe
File opened for modification | C:\Windows\SysWOW64\Iaaakj32.exe | Ihhmaehj.exe
File created | C:\Windows\SysWOW64\Nfgbec32.exe | Mbbcofpf.exe
File created | C:\Windows\SysWOW64\Jpoagb32.exe | Jondojna.exe
File created | C:\Windows\SysWOW64\Iooeol32.dll | Locgagli.exe
File created | C:\Windows\SysWOW64\Ddpeigle.exe | Dhidcffq.exe
File created | C:\Windows\SysWOW64\Kdkdqinj.exe | Knaldo32.exe
File created | C:\Windows\SysWOW64\Aafefq32.exe | Aklmjfad.exe
File opened for modification | C:\Windows\SysWOW64\Kidbnd32.exe | Koonak32.exe
File created | C:\Windows\SysWOW64\Nheeabjo.dll | Lmheph32.exe
File created | C:\Windows\SysWOW64\Fgppgi32.exe | Feocoaai.exe
File created | C:\Windows\SysWOW64\Onohgh32.dll | Cmcoflhh.exe
File created | C:\Windows\SysWOW64\Oleiga32.dll | Ccbanfko.exe
File created | C:\Windows\SysWOW64\Oejbpb32.exe | Ojdnbj32.exe
File created | C:\Windows\SysWOW64\Hbfgja32.dll | Ojommdfh.exe
File opened for modification | C:\Windows\SysWOW64\Ihkigd32.exe | Iaaakj32.exe
File opened for modification | C:\Windows\SysWOW64\Gdfhil32.exe | Flodilma.exe
File created | C:\Windows\SysWOW64\Ghgfnlcj.dll | Gdfhil32.exe
File opened for modification | C:\Windows\SysWOW64\Piknfgmd.exe | Oldagc32.exe
File opened for modification | C:\Windows\SysWOW64\Jjeflc32.exe | Jcknpi32.exe
File opened for modification | C:\Windows\SysWOW64\Poliog32.exe | Phaabm32.exe
File created | C:\Windows\SysWOW64\Feoqiq32.dll | Glpmkm32.exe
File created | C:\Windows\SysWOW64\Mncjffbl.exe | Mnanpfdo.exe
File created | C:\Windows\SysWOW64\Afnpjk32.dll | Ikcmmjkb.exe
File created | C:\Windows\SysWOW64\Opbedffg.dll | Cjlijp32.exe
File created | C:\Windows\SysWOW64\Ahdpea32.exe | Qlmopqdc.exe
Program crash (1 IoC)
pid 5304 | pid_target 2548 | Process WerFault.exe | procid_target 533
Modifies registry class (64 IoCs)
All 64 rows are under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 (logged as \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32), the same CLSID that the ShellServiceObjectDelayLoad value above names. Columns are description, ioc, process; the doubled backslashes in the logged data are shown unescaped.
Set value (str) | (Default) = "C:\Windows\SysWow64\Qgfomone.dll" | Dfglpjqo.exe
Key created | InProcServer32 | Dohkhq32.exe
Key created | InProcServer32 | Iffcgoka.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Nglkbd32.dll" | Hmfbcd32.exe
Key created | InProcServer32 | Olbdacbp.exe
Key created | InProcServer32 | Cjbfdakf.exe
Set value (str) | ThreadingModel = "Apartment" | Mbedag32.exe
Key created | InProcServer32 | Ppemmg32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ombanm32.dll" | Hdmohnhl.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Elednfne.dll" | Pjoknhbe.exe
Set value (str) | ThreadingModel = "Apartment" | Bopgdcnc.exe
Set value (str) | ThreadingModel = "Apartment" | Cellfm32.exe
Set value (str) | ThreadingModel = "Apartment" | Bccfleqi.exe
Set value (str) | ThreadingModel = "Apartment" | Icdhojka.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Hpohkn32.dll" | Kleajegi.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Bdkcae32.dll" | Ejojepfo.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Nmlafe32.dll" | Cfbhhfbg.exe
Set value (str) | ThreadingModel = "Apartment" | Lqbgcp32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ljqhaa32.dll" | Fgppgi32.exe
Set value (str) | ThreadingModel = "Apartment" | Klifhpjk.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Lcmfnf32.dll" | Kjblcj32.exe
Set value (str) | ThreadingModel = "Apartment" | Papnhbgi.exe
Key created | InProcServer32 | Hmoehojj.exe
Set value (str) | ThreadingModel = "Apartment" | Afmhma32.exe
Key created | InProcServer32 | Cokpekpj.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Nkloef32.dll" | Ipldpo32.exe
Key created | InProcServer32 | Impeib32.exe
Set value (str) | ThreadingModel = "Apartment" | Knlknigf.exe
Key created | InProcServer32 | Koonak32.exe
Key created | InProcServer32 | Qpibke32.exe
Key created | InProcServer32 | Neebkkgi.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Oleiga32.dll" | Ccbanfko.exe
Key created | InProcServer32 | Elnoifjg.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Geflmjjg.dll" | Oediim32.exe
Set value (str) | ThreadingModel = "Apartment" | Pfpidk32.exe
Key created | InProcServer32 | Cbqonf32.exe
Set value (str) | ThreadingModel = "Apartment" | Meepoc32.exe
Set value (str) | ThreadingModel = "Apartment" | Ofaeffpa.exe
Key created | InProcServer32 | Gkacff32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ennikm32.dll" | Gdncfl32.exe
Key created | InProcServer32 | Kmobii32.exe
Key created | InProcServer32 | Gpgbna32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Bpibai32.dll" | Cobciblp.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Bnlqlc32.dll" | Ncakglka.exe
Set value (str) | ThreadingModel = "Apartment" | Lkiiee32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Hkmlgeje.dll" | Mbedag32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ojfbfmbf.dll" | Elkbcf32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Plfdmnqa.dll" | Icdhojka.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Obdmdf32.dll" | Aapeakij.exe
Set value (str) | ThreadingModel = "Apartment" | Koonak32.exe
Key created | InProcServer32 | Odcfdc32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Fqhfobnm.dll" | Angleokb.exe
Set value (str) | ThreadingModel = "Apartment" | Mbbcofpf.exe
Key created | InProcServer32 | Ppbepp32.exe
Key created | InProcServer32 | Lkiiee32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Libadidb.dll" | Akbjidbf.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Nclaem32.dll" | Lgffci32.exe
Key created | InProcServer32 | Phdngljk.exe
Set value (str) | ThreadingModel = "Apartment" | Dohkhq32.exe
Set value (str) | ThreadingModel = "Apartment" | Kllodfpd.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Qcbhdmai.dll" | Kidbnd32.exe
Set value (str) | ThreadingModel = "Apartment" | Plimpg32.exe
Set value (str) | ThreadingModel = "Apartment" | Jncapf32.exe
Set value (str) | ThreadingModel = "Apartment" | Linmlm32.exe
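The two registry signatures (the ShellServiceObjectDelayLoad value and the CLSID InProcServer32 rows) describe one persistence mechanism: Explorer instantiates every COM object listed under ShellServiceObjectDelayLoad at logon, and the CLSID's InProcServer32 default value says which DLL that object lives in. The script below is an added example, not code from tria.ge or from the sample; it parses a small constructed subset of rows copied from this report, resolves value name to CLSID to DLL path, and flags a CLSID whose server DLL was re-pointed more than once (here each stage wrote a different dropped DLL). The row regex is an assumption about how this page flattens its table; on a live host the same two keys would be read directly instead.

```python
"""Resolve ShellServiceObjectDelayLoad persistence from flattened registry IoC rows.

Added example; not code from the tria.ge report. Assumes the row shape used on
this page: "<description> <key path>[ = "<data>"] <process>".
"""
import re
from collections import defaultdict

SSODL_KEY = r"\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# description, key path (plus value name for "Set value" rows), optional = "data", process
ROW_RE = re.compile(
    r"^(?P<desc>Key created|Set value \(\w+\))\s+"
    r"(?P<path>\\REGISTRY\\.*?)"
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r"\s+(?P<proc>\S+\.exe)$"
)

# Constructed sample: six rows copied from the signatures above.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicndaep.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcfgaq32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dohkhq32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfomone.dll" Dfglpjqo.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbedag32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglkbd32.dll" Hmfbcd32.exe',
]


def parse_row(line):
    """Split one flattened row into key, value name, data and acting process."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    desc, path, value, proc = m.group("desc", "path", "value", "proc")
    if desc.startswith("Set value"):
        key, _, name = path.rpartition("\\")     # last component is the value name
        name = name or "(Default)"               # trailing backslash: the default value
        value = value.replace("\\\\", "\\")      # the report JSON-escapes backslashes in data
    else:
        key, name = path, None
    return {"desc": desc, "key": key, "name": name, "value": value, "proc": proc}


def resolve_ssodl(lines):
    """Map each SSODL value to its CLSID and to the DLL(s) registered as that CLSID's server."""
    ssodl = {}                                   # value name -> {"clsid", "set_by"}
    servers = defaultdict(lambda: {"dlls": [], "threading": None, "touched_by": []})
    for line in lines:
        r = parse_row(line)
        if r is None:
            continue
        if r["key"].lower().endswith(SSODL_KEY.lower()) and r["name"]:
            m = CLSID_RE.search(r["value"] or "")
            entry = ssodl.setdefault(r["name"], {"clsid": m.group(0).upper() if m else None, "set_by": []})
            entry["set_by"].append(r["proc"])
        elif "\\CLSID\\" in r["key"] and r["key"].endswith("\\InProcServer32"):
            m = CLSID_RE.search(r["key"])
            if not m:
                continue
            srv = servers[m.group(0).upper()]
            srv["touched_by"].append(r["proc"])
            if r["name"] == "(Default)" and r["value"] not in srv["dlls"]:
                srv["dlls"].append(r["value"])   # keep order: shows the DLL being re-pointed
            elif r["name"] == "ThreadingModel":
                srv["threading"] = r["value"]
    resolved = []
    for name, e in ssodl.items():
        srv = servers.get(e["clsid"], {"dlls": [], "threading": None, "touched_by": []})
        resolved.append({
            "name": name, "clsid": e["clsid"], "set_by": e["set_by"],
            "dlls": srv["dlls"], "threading": srv["threading"],
            "touched_by": srv["touched_by"],
            "rewritten": len(srv["dlls"]) > 1,   # one CLSID, several server DLLs over time
        })
    return resolved


if __name__ == "__main__":
    for e in resolve_ssodl(SAMPLE_ROWS):
        flag = "REWRITTEN" if e["rewritten"] else "single"
        print(f'SSODL "{e["name"]}" -> {e["clsid"]} ({e["threading"]}, {flag}) set by {e["set_by"]}')
        for dll in e["dlls"]:
            print("    InProcServer32 ->", dll)
```

Feeding the full 128 rows from the two signatures above into resolve_ssodl lists every dropped DLL the chain registered behind the single CLSID, which is the list an analyst needs for cleanup: the value name "Web Event Logger" itself is cosmetic and is not what Explorer loads.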
Suspicious use of WriteProcessMemory (64 IoCs)
Columns are description, pid, process, procid_target. Each link below is logged three times (three writes into the child) except the last, which appears once because the listing is capped at 64 rows.
PID 752 wrote to memory of 4724 | 752 | NEAS.eab9de577dcfcbc48480e7b47107ae1d.exe | 91 (x3)
PID 4724 wrote to memory of 2208 | 4724 | Bcpika32.exe | 92 (x3)
PID 2208 wrote to memory of 1660 | 2208 | Ecfhji32.exe | 93 (x3)
PID 1660 wrote to memory of 3352 | 1660 | Fnglcqio.exe | 95 (x3)
PID 3352 wrote to memory of 3332 | 3352 | Gjhonp32.exe | 96 (x3)
PID 3332 wrote to memory of 4968 | 3332 | Jnapgjdo.exe | 98 (x3)
PID 4968 wrote to memory of 556 | 4968 | Kceoppmo.exe | 99 (x3)
PID 556 wrote to memory of 528 | 556 | Ldfhgn32.exe | 100 (x3)
PID 528 wrote to memory of 4112 | 528 | Meoggpmd.exe | 101 (x3)
PID 4112 wrote to memory of 3512 | 4112 | Nkpijfgf.exe | 102 (x3)
PID 3512 wrote to memory of 3596 | 3512 | Oediim32.exe | 103 (x3)
PID 3596 wrote to memory of 1112 | 3596 | Pfpidk32.exe | 104 (x3)
PID 1112 wrote to memory of 2088 | 1112 | Qnbdjl32.exe | 105 (x3)
PID 2088 wrote to memory of 3208 | 2088 | Aohfdnil.exe | 106 (x3)
PID 3208 wrote to memory of 4220 | 3208 | Belemd32.exe | 107 (x3)
PID 4220 wrote to memory of 4472 | 4220 | Cfbhhfbg.exe | 108 (x3)
PID 4472 wrote to memory of 656 | 4472 | Cbnbhfde.exe | 109 (x3)
PID 656 wrote to memory of 1460 | 656 | Cbqonf32.exe | 110 (x3)
PID 1460 wrote to memory of 2064 | 1460 | Dpkehi32.exe | 112 (x3)
PID 2064 wrote to memory of 4384 | 2064 | Efampahd.exe | 113 (x3)
PID 4384 wrote to memory of 4004 | 4384 | Hlogfd32.exe | 114 (x3)
PID 4004 wrote to memory of 4732 | 4004 | Malnklgg.exe | 115 (x1)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.eab9de577dcfcbc48480e7b47107ae1d.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.eab9de577dcfcbc48480e7b47107ae1d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Gjhonp32.exeC:\Windows\system32\Gjhonp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Ldfhgn32.exeC:\Windows\system32\Ldfhgn32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Nkpijfgf.exeC:\Windows\system32\Nkpijfgf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Pfpidk32.exeC:\Windows\system32\Pfpidk32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Qnbdjl32.exeC:\Windows\system32\Qnbdjl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Aohfdnil.exeC:\Windows\system32\Aohfdnil.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Belemd32.exeC:\Windows\system32\Belemd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Cfbhhfbg.exeC:\Windows\system32\Cfbhhfbg.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Cbnbhfde.exeC:\Windows\system32\Cbnbhfde.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Dpkehi32.exeC:\Windows\system32\Dpkehi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Efampahd.exeC:\Windows\system32\Efampahd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Hlogfd32.exeC:\Windows\system32\Hlogfd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Malnklgg.exeC:\Windows\system32\Malnklgg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\Mhmmieil.exeC:\Windows\system32\Mhmmieil.exe23⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Ndejcemn.exeC:\Windows\system32\Ndejcemn.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Ndmpddfe.exeC:\Windows\system32\Ndmpddfe.exe25⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Odcfdc32.exeC:\Windows\system32\Odcfdc32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Paomog32.exeC:\Windows\system32\Paomog32.exe27⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Pjoknhbe.exeC:\Windows\system32\Pjoknhbe.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Aklciimh.exeC:\Windows\system32\Aklciimh.exe29⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Dlhlleeh.exeC:\Windows\system32\Dlhlleeh.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Gklnem32.exeC:\Windows\system32\Gklnem32.exe31⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Ikcmmjkb.exeC:\Windows\system32\Ikcmmjkb.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5096 -
C:\Windows\SysWOW64\Iofpnhmc.exeC:\Windows\system32\Iofpnhmc.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Jhjcbljf.exeC:\Windows\system32\Jhjcbljf.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Kmobii32.exeC:\Windows\system32\Kmobii32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\Lkiiee32.exeC:\Windows\system32\Lkiiee32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Lbcabo32.exeC:\Windows\system32\Lbcabo32.exe37⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Lmheph32.exeC:\Windows\system32\Lmheph32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Lfqjhmhk.exeC:\Windows\system32\Lfqjhmhk.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Mmokpglb.exeC:\Windows\system32\Mmokpglb.exe40⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Nfcoekhe.exeC:\Windows\system32\Nfcoekhe.exe41⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Olgnnqpe.exeC:\Windows\system32\Olgnnqpe.exe42⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Pkigbfja.exeC:\Windows\system32\Pkigbfja.exe43⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Akbjidbf.exeC:\Windows\system32\Akbjidbf.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3132 -
C:\Windows\SysWOW64\Angleokb.exeC:\Windows\system32\Angleokb.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Ckclfp32.exeC:\Windows\system32\Ckclfp32.exe46⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Ejfeij32.exeC:\Windows\system32\Ejfeij32.exe47⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Flodilma.exeC:\Windows\system32\Flodilma.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Gdfhil32.exeC:\Windows\system32\Gdfhil32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\Haobnpkc.exeC:\Windows\system32\Haobnpkc.exe50⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Haeino32.exeC:\Windows\system32\Haeino32.exe51⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Hhbnqi32.exeC:\Windows\system32\Hhbnqi32.exe52⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Ihnmlg32.exeC:\Windows\system32\Ihnmlg32.exe53⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Kaaaak32.exeC:\Windows\system32\Kaaaak32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Knhbflbp.exeC:\Windows\system32\Knhbflbp.exe55⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Kkooep32.exeC:\Windows\system32\Kkooep32.exe56⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Lkmkfncf.exeC:\Windows\system32\Lkmkfncf.exe57⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Meepoc32.exeC:\Windows\system32\Meepoc32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Mbbcofpf.exeC:\Windows\system32\Mbbcofpf.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Nfgbec32.exeC:\Windows\system32\Nfgbec32.exe60⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Oihkgo32.exeC:\Windows\system32\Oihkgo32.exe61⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Ponfed32.exeC:\Windows\system32\Ponfed32.exe62⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Plimpg32.exeC:\Windows\system32\Plimpg32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Qpibke32.exeC:\Windows\system32\Qpibke32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Gpnoigpe.exeC:\Windows\system32\Gpnoigpe.exe65⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Iffcgoka.exeC:\Windows\system32\Iffcgoka.exe66⤵
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Jmnheggo.exeC:\Windows\system32\Jmnheggo.exe67⤵PID:3332
-
C:\Windows\SysWOW64\Jdhpba32.exeC:\Windows\system32\Jdhpba32.exe68⤵PID:2360
-
C:\Windows\SysWOW64\Jondojna.exeC:\Windows\system32\Jondojna.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Jpoagb32.exeC:\Windows\system32\Jpoagb32.exe70⤵PID:3436
-
C:\Windows\SysWOW64\Jncapf32.exeC:\Windows\system32\Jncapf32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:4768 -
C:\Windows\SysWOW64\Kdmjmqjf.exeC:\Windows\system32\Kdmjmqjf.exe72⤵PID:2132
-
C:\Windows\SysWOW64\Kgbljkca.exeC:\Windows\system32\Kgbljkca.exe73⤵PID:2592
-
C:\Windows\SysWOW64\Ldiiio32.exeC:\Windows\system32\Ldiiio32.exe74⤵PID:3624
-
C:\Windows\SysWOW64\Ldkfno32.exeC:\Windows\system32\Ldkfno32.exe75⤵PID:2952
-
C:\Windows\SysWOW64\Lqbgcp32.exeC:\Windows\system32\Lqbgcp32.exe76⤵
- Modifies registry class
PID:4220 -
C:\Windows\SysWOW64\Locgagli.exeC:\Windows\system32\Locgagli.exe77⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Mnjqhcno.exeC:\Windows\system32\Mnjqhcno.exe78⤵PID:5068
-
C:\Windows\SysWOW64\Mdloelpc.exeC:\Windows\system32\Mdloelpc.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1480 -
C:\Windows\SysWOW64\Nnfpcada.exeC:\Windows\system32\Nnfpcada.exe80⤵PID:4968
-
C:\Windows\SysWOW64\Nqgiel32.exeC:\Windows\system32\Nqgiel32.exe81⤵PID:936
-
C:\Windows\SysWOW64\Nkmmbe32.exeC:\Windows\system32\Nkmmbe32.exe82⤵PID:4884
-
C:\Windows\SysWOW64\Neebkkgi.exeC:\Windows\system32\Neebkkgi.exe83⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Nqlbqlmm.exeC:\Windows\system32\Nqlbqlmm.exe84⤵PID:4532
-
C:\Windows\SysWOW64\Nbkojo32.exeC:\Windows\system32\Nbkojo32.exe85⤵PID:4060
-
C:\Windows\SysWOW64\Oooodcci.exeC:\Windows\system32\Oooodcci.exe86⤵PID:872
-
C:\Windows\SysWOW64\Oelhljaq.exeC:\Windows\system32\Oelhljaq.exe87⤵PID:2064
-
C:\Windows\SysWOW64\Oabiak32.exeC:\Windows\system32\Oabiak32.exe88⤵PID:2856
-
C:\Windows\SysWOW64\Oeqagi32.exeC:\Windows\system32\Oeqagi32.exe89⤵PID:2548
-
C:\Windows\SysWOW64\Obdbqm32.exeC:\Windows\system32\Obdbqm32.exe90⤵PID:2096
-
C:\Windows\SysWOW64\Ogajid32.exeC:\Windows\system32\Ogajid32.exe91⤵PID:2264
-
C:\Windows\SysWOW64\Pldljbmn.exeC:\Windows\system32\Pldljbmn.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Ppbepp32.exeC:\Windows\system32\Ppbepp32.exe93⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Qbekgknb.exeC:\Windows\system32\Qbekgknb.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3936 -
C:\Windows\SysWOW64\Qlmopqdc.exeC:\Windows\system32\Qlmopqdc.exe95⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Ahdpea32.exeC:\Windows\system32\Ahdpea32.exe96⤵PID:712
-
C:\Windows\SysWOW64\Aaldngqg.exeC:\Windows\system32\Aaldngqg.exe97⤵PID:1896
-
C:\Windows\SysWOW64\Albikp32.exeC:\Windows\system32\Albikp32.exe98⤵PID:2892
-
C:\Windows\SysWOW64\Aaoadg32.exeC:\Windows\system32\Aaoadg32.exe99⤵PID:3284
-
C:\Windows\SysWOW64\Ahiiqafa.exeC:\Windows\system32\Ahiiqafa.exe100⤵PID:464
-
C:\Windows\SysWOW64\Bafgdfim.exeC:\Windows\system32\Bafgdfim.exe101⤵
- Drops file in System32 directory
PID:4616 -
C:\Windows\SysWOW64\Bbecnipp.exeC:\Windows\system32\Bbecnipp.exe102⤵PID:1076
-
C:\Windows\SysWOW64\Boldcj32.exeC:\Windows\system32\Boldcj32.exe103⤵PID:3968
-
C:\Windows\SysWOW64\Blpemn32.exeC:\Windows\system32\Blpemn32.exe104⤵PID:216
-
C:\Windows\SysWOW64\Bammeebe.exeC:\Windows\system32\Bammeebe.exe105⤵
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Blbabnbk.exeC:\Windows\system32\Blbabnbk.exe106⤵PID:3980
-
C:\Windows\SysWOW64\Baojkdqb.exeC:\Windows\system32\Baojkdqb.exe107⤵PID:5128
-
C:\Windows\SysWOW64\Bppjhl32.exeC:\Windows\system32\Bppjhl32.exe108⤵PID:5172
-
C:\Windows\SysWOW64\Cemcqcgi.exeC:\Windows\system32\Cemcqcgi.exe109⤵PID:5216
-
C:\Windows\SysWOW64\Chnlbndj.exeC:\Windows\system32\Chnlbndj.exe110⤵PID:5260
-
C:\Windows\SysWOW64\Cccppgcp.exeC:\Windows\system32\Cccppgcp.exe111⤵PID:5304
-
C:\Windows\SysWOW64\Chphhn32.exeC:\Windows\system32\Chphhn32.exe112⤵PID:5348
-
C:\Windows\SysWOW64\Caimachg.exeC:\Windows\system32\Caimachg.exe113⤵PID:5392
-
C:\Windows\SysWOW64\Coojpg32.exeC:\Windows\system32\Coojpg32.exe114⤵PID:5432
-
C:\Windows\SysWOW64\Doageg32.exeC:\Windows\system32\Doageg32.exe115⤵PID:5476
-
C:\Windows\SysWOW64\Docckfai.exeC:\Windows\system32\Docckfai.exe116⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\Dhlhcl32.exeC:\Windows\system32\Dhlhcl32.exe117⤵PID:5564
-
C:\Windows\SysWOW64\Dcalae32.exeC:\Windows\system32\Dcalae32.exe118⤵PID:5608
-
C:\Windows\SysWOW64\Eodlad32.exeC:\Windows\system32\Eodlad32.exe119⤵PID:5652
-
C:\Windows\SysWOW64\Emhmkh32.exeC:\Windows\system32\Emhmkh32.exe120⤵PID:5692
-
C:\Windows\SysWOW64\Fcdbmb32.exeC:\Windows\system32\Fcdbmb32.exe121⤵
- Drops file in System32 directory
PID:5744 -
C:\Windows\SysWOW64\Ffjdjmpf.exeC:\Windows\system32\Ffjdjmpf.exe122⤵PID:5784