Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 177s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/10/2023, 08:52
Behavioral task: behavioral1
- Sample: NEAS.38a3e66ef0036007c8a4700dcaf699c0.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: NEAS.38a3e66ef0036007c8a4700dcaf699c0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.38a3e66ef0036007c8a4700dcaf699c0.exe
- Size: 98KB
- MD5: 38a3e66ef0036007c8a4700dcaf699c0
- SHA1: 4c08d942af6a55a2136d52bacad8706eaa6b1887
- SHA256: 4817e520099da1e54e4c420daa7569cabfd5ddb509a8a632f10e62c0481ac591
- SHA512: 51e0e30c8bbf2568348e0e0030898cc2244100ec4334d2fe279fa93708dc30cdec5adc94824104c42e38e047dd7e4de554bfc9c272949909cb7064e7168aeb52
- SSDEEP: 3072:OwFWRiB84NpXMezr2w5365GURlSjgjxxt8v:PfNqezqU65LRlUivKv
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aooche32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adpoqenk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ngjcgdba.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecnlhf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgpiligj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dhqoaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qiocde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bbecnipp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Chhdbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjdkeaij.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbqago32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmancbji.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejagkodl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eogahd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gbpnegbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdgapp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddhofjpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jggmnmmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phhpic32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pceglamm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcgedpln.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhkggadh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aqbfjg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqilkfal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Feaiencc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nbbldp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dmkcjjgl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epkeaopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eeejipmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbieoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kkhphmng.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dendiach.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjcllilo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmnakqcc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfkmdl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmiidnko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eenfff32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acgfpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlihek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jpcajflb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldoadabi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dbicjlji.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mflbdibj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpbpmhjb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhdfgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eeodjeha.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjodnl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlqohhja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkdieo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bflaqmnl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oomnmfid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iaodek32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmfhelke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cbmdnmdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Doeghk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mlpcagfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmneocgn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnccmddi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfcchmlq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abhqolee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | NEAS.38a3e66ef0036007c8a4700dcaf699c0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qajhigcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Flgaodbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifaeidae.exe
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/memory/3064-0-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cec-6.dat | family_berbew
behavioral2/files/0x0006000000022cec-8.dat | family_berbew
behavioral2/memory/2712-7-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cee-14.dat | family_berbew
behavioral2/memory/3564-15-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cee-16.dat | family_berbew
behavioral2/files/0x0006000000022cf5-22.dat | family_berbew
behavioral2/memory/2044-23-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf5-24.dat | family_berbew
behavioral2/files/0x0007000000022cf0-30.dat | family_berbew
behavioral2/files/0x0007000000022cf0-32.dat | family_berbew
behavioral2/memory/3164-31-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cf2-33.dat | family_berbew
behavioral2/files/0x0007000000022cf2-38.dat | family_berbew
behavioral2/memory/4420-39-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cf2-40.dat | family_berbew
behavioral2/files/0x0008000000022cf4-46.dat | family_berbew
behavioral2/memory/3588-47-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cf4-48.dat | family_berbew
behavioral2/files/0x0008000000022cf9-53.dat | family_berbew
behavioral2/memory/2452-55-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cf9-56.dat | family_berbew
behavioral2/files/0x0006000000022cfb-57.dat | family_berbew
behavioral2/files/0x0006000000022cfb-62.dat | family_berbew
behavioral2/memory/4444-63-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfb-64.dat | family_berbew
behavioral2/files/0x0006000000022cfd-69.dat | family_berbew
behavioral2/files/0x0006000000022cfd-72.dat | family_berbew
behavioral2/memory/5000-71-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cff-78.dat | family_berbew
behavioral2/memory/60-79-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cff-80.dat | family_berbew
behavioral2/memory/1944-87-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d01-88.dat | family_berbew
behavioral2/files/0x0006000000022d01-85.dat | family_berbew
behavioral2/files/0x0006000000022d03-94.dat | family_berbew
behavioral2/files/0x0006000000022d03-96.dat | family_berbew
behavioral2/memory/4752-95-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d05-97.dat | family_berbew
behavioral2/files/0x0006000000022d05-102.dat | family_berbew
behavioral2/memory/4432-103-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d05-104.dat | family_berbew
behavioral2/files/0x0006000000022d07-110.dat | family_berbew
behavioral2/memory/5008-111-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d07-112.dat | family_berbew
behavioral2/files/0x0006000000022d09-118.dat | family_berbew
behavioral2/memory/2908-119-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d09-120.dat | family_berbew
behavioral2/files/0x0006000000022d0b-126.dat | family_berbew
behavioral2/files/0x0006000000022d0b-128.dat | family_berbew
behavioral2/memory/3076-127-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d0d-129.dat | family_berbew
behavioral2/files/0x0006000000022d0d-134.dat | family_berbew
behavioral2/files/0x0006000000022d0d-136.dat | family_berbew
behavioral2/memory/4808-135-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d0f-142.dat | family_berbew
behavioral2/files/0x0006000000022d0f-144.dat | family_berbew
behavioral2/memory/1576-143-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d11-150.dat | family_berbew
behavioral2/files/0x0006000000022d11-152.dat | family_berbew
behavioral2/memory/3436-151-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d13-158.dat | family_berbew
behavioral2/memory/4108-159-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
- Executes dropped EXE (64 IoCs)
pid | Process
2712 | Pdchakoo.exe
3564 | Cqfahh32.exe
2044 | Dkgeao32.exe
3164 | Dklomnmf.exe
4420 | Eclmlpfl.exe
3588 | Febogbhg.exe
2452 | Fmejlcoj.exe
4444 | Glmqjj32.exe
5000 | Hhpaki32.exe
60 | Iehkpmgl.exe
1944 | Ihkpgg32.exe
4752 | Jdgjgh32.exe
4432 | Jhdcmf32.exe
5008 | Kbfjljhf.exe
2908 | Lfimmhkg.exe
3076 | Lnfngj32.exe
4808 | Lfpcngdo.exe
1576 | Megldcgd.exe
3436 | Mkfnlmkl.exe
4108 | Nblfee32.exe
3992 | Oimdbnip.exe
4276 | Omkmhlpf.exe
2012 | Pblolb32.exe
1328 | Qefkcl32.exe
1668 | Apnkfelb.exe
4856 | Algiaepd.exe
2972 | Begcjjql.exe
3312 | Bjielh32.exe
1308 | Cohkinob.exe
3192 | Dlfniafa.exe
2600 | Dfeibf32.exe
3952 | Fmkqknci.exe
2004 | Fnjmea32.exe
2292 | Fpbpmhjb.exe
1520 | Gcceifof.exe
2108 | Gjojkpdp.exe
5024 | Hmginjki.exe
2596 | Hjkigojc.exe
2368 | Ijpcbn32.exe
5056 | Iandjg32.exe
1496 | Iaqapggb.exe
4656 | Jahgpf32.exe
4524 | Jggmnmmo.exe
1436 | Kdbchp32.exe
916 | Lkcaeige.exe
5004 | Lhkkjl32.exe
1292 | Mgebfhcl.exe
5112 | Mggolhaj.exe
1948 | Mglhgg32.exe
1692 | Nbbldp32.exe
3972 | Nbdijpjh.exe
2344 | Nqnofkkj.exe
3928 | Onifpodl.exe
1132 | Picchg32.exe
2424 | Phhpic32.exe
4428 | Paqebike.exe
4260 | Qiocde32.exe
740 | Qajhigcj.exe
1340 | Aified32.exe
4984 | Bimoecio.exe
4408 | Bbecnipp.exe
2008 | Bidefbcg.exe
4712 | Bbljoh32.exe
3368 | Eckogc32.exe
- Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Hchickeo.exe | Hlnqfanb.exe
File created | C:\Windows\SysWOW64\Ibgkdmmh.dll | Ncjmob32.exe
File opened for modification | C:\Windows\SysWOW64\Dfiiejnl.exe | Ddjmkg32.exe
File opened for modification | C:\Windows\SysWOW64\Ogefjjfg.exe | Oahnbc32.exe
File created | C:\Windows\SysWOW64\Dbphmedd.exe | Digcdp32.exe
File created | C:\Windows\SysWOW64\Pemfefqc.dll | Paqebike.exe
File created | C:\Windows\SysWOW64\Lfdflk32.dll | Qiocde32.exe
File opened for modification | C:\Windows\SysWOW64\Jfffcf32.exe | Jmnakqcc.exe
File created | C:\Windows\SysWOW64\Clbmobdi.exe | Cfedgkfa.exe
File created | C:\Windows\SysWOW64\Hoibmm32.dll | Fkpoce32.exe
File created | C:\Windows\SysWOW64\Idfaolpb.exe | Hchickeo.exe
File opened for modification | C:\Windows\SysWOW64\Mmmqbb32.exe | Mgphjk32.exe
File opened for modification | C:\Windows\SysWOW64\Jgeknfdb.exe | Jjakebfi.exe
File created | C:\Windows\SysWOW64\Nbmbdmkj.dll | Noglik32.exe
File opened for modification | C:\Windows\SysWOW64\Gohajhao.exe | Ghnimn32.exe
File created | C:\Windows\SysWOW64\Fkpoce32.exe | Fiobkmii.exe
File created | C:\Windows\SysWOW64\Jianpl32.exe | Jbcmhb32.exe
File opened for modification | C:\Windows\SysWOW64\Fgkfjlib.exe | Fncbag32.exe
File created | C:\Windows\SysWOW64\Igonmilc.dll | Kallhjoc.exe
File created | C:\Windows\SysWOW64\Ehfckkja.exe | Ebijcdlj.exe
File opened for modification | C:\Windows\SysWOW64\Lqdakjak.exe | Kjjinp32.exe
File created | C:\Windows\SysWOW64\Ipphcb32.dll | Gdgdofep.exe
File created | C:\Windows\SysWOW64\Iagqac32.exe | Ieqplb32.exe
File opened for modification | C:\Windows\SysWOW64\Nbnpmp32.exe | Nophfa32.exe
File opened for modification | C:\Windows\SysWOW64\Gpolld32.exe | Gicgjk32.exe
File created | C:\Windows\SysWOW64\Njfbkhnd.dll | Mbgejcpm.exe
File created | C:\Windows\SysWOW64\Pahdfp32.dll | Ndokko32.exe
File opened for modification | C:\Windows\SysWOW64\Igomeb32.exe | Iiipfnch.exe
File opened for modification | C:\Windows\SysWOW64\Phheeffi.exe | Oaqqgnkl.exe
File created | C:\Windows\SysWOW64\Bmpdhk32.dll | Pioleb32.exe
File opened for modification | C:\Windows\SysWOW64\Cbialf32.exe | Ckoiolbp.exe
File opened for modification | C:\Windows\SysWOW64\Digcdp32.exe | Dkcbjl32.exe
File opened for modification | C:\Windows\SysWOW64\Kbfjljhf.exe | Jhdcmf32.exe
File created | C:\Windows\SysWOW64\Nlefebfg.exe | Mlciobhj.exe
File opened for modification | C:\Windows\SysWOW64\Fclmkb32.exe | Epdaneff.exe
File created | C:\Windows\SysWOW64\Blamdnfl.dll | Aloekjod.exe
File opened for modification | C:\Windows\SysWOW64\Nanmhf32.exe | Ncjmob32.exe
File created | C:\Windows\SysWOW64\Mpjlbjnp.dll | Pfkpcaka.exe
File created | C:\Windows\SysWOW64\Didpdkmp.dll | Jmdqlm32.exe
File created | C:\Windows\SysWOW64\Jpnjfi32.dll | Icpemc32.exe
File created | C:\Windows\SysWOW64\Dkcbjl32.exe | Deijna32.exe
File created | C:\Windows\SysWOW64\Cpkonnoh.dll | Alaaajmb.exe
File created | C:\Windows\SysWOW64\Fpejec32.exe | Fbajlo32.exe
File opened for modification | C:\Windows\SysWOW64\Kongfe32.exe | Klmnejfj.exe
File created | C:\Windows\SysWOW64\Eidjjdgb.exe | Efemni32.exe
File created | C:\Windows\SysWOW64\Eeejipmp.exe | Dnkbmf32.exe
File created | C:\Windows\SysWOW64\Cmdcap32.dll | Hhpaki32.exe
File created | C:\Windows\SysWOW64\Ddkbfp32.exe | Dnajjfjo.exe
File opened for modification | C:\Windows\SysWOW64\Adllplel.exe | Aooche32.exe
File opened for modification | C:\Windows\SysWOW64\Bpaanfce.exe | Bkdieo32.exe
File created | C:\Windows\SysWOW64\Bmeddk32.dll | Afpbenhi.exe
File opened for modification | C:\Windows\SysWOW64\Aglngaoa.exe | Aqbfjg32.exe
File created | C:\Windows\SysWOW64\Elqplq32.dll | Dlhlek32.exe
File created | C:\Windows\SysWOW64\Nqdfipld.dll | Dfeibf32.exe
File created | C:\Windows\SysWOW64\Ikndpm32.exe | Iddlccfp.exe
File opened for modification | C:\Windows\SysWOW64\Gmndjf32.exe | Gjohnkdd.exe
File created | C:\Windows\SysWOW64\Oplhok32.dll | Phheeffi.exe
File created | C:\Windows\SysWOW64\Famffa32.dll | Hdhlhd32.exe
File created | C:\Windows\SysWOW64\Iphcjffo.dll | Kgjggkqi.exe
File opened for modification | C:\Windows\SysWOW64\Ohicho32.exe | Nhffcpjj.exe
File created | C:\Windows\SysWOW64\Mjnmmcel.dll | Gcekocqp.exe
File created | C:\Windows\SysWOW64\Lhdaad32.dll | Kjamai32.exe
File created | C:\Windows\SysWOW64\Lfpcngdo.exe | Lnfngj32.exe
File created | C:\Windows\SysWOW64\Naaejj32.exe | Nkgmmpab.exe
- Program crash (1 IoC)
pid | pid_target | Process | procid_target
7776 | 5648 | WerFault.exe | 939
- Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fmejlcoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjnpj32.dll" | Foebmn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Midfcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnaajje.dll" | Ddjmkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jialbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgfodak.dll" | Pnifoaba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmipo32.dll" | Gqjada32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pgpokbio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Digcdp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qcijmjel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eeaqpdfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeojpdgc.dll" | Jmdjag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fealcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cnodmijd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jidigfeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbkdcni.dll" | Bqkiqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjokqial.dll" | Mpkkphbf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pfgfkd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dhdaao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gnjollpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mmgheaoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jcefbhpo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fmkqknci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimpgo32.dll" | Mglhgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmoabn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckeji32.dll" | Gbgbgalj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobbap32.dll" | Knkcfobb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hhpaki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gkoinlbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ofckao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbijh32.dll" | Jlmenl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Adpoqenk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bqboadia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jdgjgh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fpejec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dogdnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ijgadmjh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fhdfgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlfkb32.dll" | Ddbppa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gjlplg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gqjada32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mkgfnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gmndjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgipmdmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgocji32.dll" | Ielmki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pblolb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mmgfmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eejjdb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfefeq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bimoecio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llppob32.dll" | Alfpijll.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bbkekhfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Alqjiohm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mhmcmqbe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jfphdg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mcnmafdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dciflf32.dll" | Mlciobhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mjdkeaij.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gckjel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfanc32.dll" | Ddjecalo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bkdieo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgndmabm.dll" | Dhaipl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ghdhcgpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fhljpcfk.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3064 wrote to memory of 2712 | 3064 | NEAS.38a3e66ef0036007c8a4700dcaf699c0.exe | 91 (3 identical entries)
PID 2712 wrote to memory of 3564 | 2712 | Pdchakoo.exe | 92 (3 identical entries)
PID 3564 wrote to memory of 2044 | 3564 | Cqfahh32.exe | 94 (3 identical entries)
PID 2044 wrote to memory of 3164 | 2044 | Dkgeao32.exe | 95 (3 identical entries)
PID 3164 wrote to memory of 4420 | 3164 | Dklomnmf.exe | 96 (3 identical entries)
PID 4420 wrote to memory of 3588 | 4420 | Eclmlpfl.exe | 97 (3 identical entries)
PID 3588 wrote to memory of 2452 | 3588 | Febogbhg.exe | 98 (3 identical entries)
PID 2452 wrote to memory of 4444 | 2452 | Fmejlcoj.exe | 99 (3 identical entries)
PID 4444 wrote to memory of 5000 | 4444 | Glmqjj32.exe | 100 (3 identical entries)
PID 5000 wrote to memory of 60 | 5000 | Hhpaki32.exe | 101 (3 identical entries)
PID 60 wrote to memory of 1944 | 60 | Iehkpmgl.exe | 102 (3 identical entries)
PID 1944 wrote to memory of 4752 | 1944 | Ihkpgg32.exe | 103 (3 identical entries)
PID 4752 wrote to memory of 4432 | 4752 | Jdgjgh32.exe | 104 (3 identical entries)
PID 4432 wrote to memory of 5008 | 4432 | Jhdcmf32.exe | 105 (3 identical entries)
PID 5008 wrote to memory of 2908 | 5008 | Kbfjljhf.exe | 106 (3 identical entries)
PID 2908 wrote to memory of 3076 | 2908 | Lfimmhkg.exe | 107 (3 identical entries)
PID 3076 wrote to memory of 4808 | 3076 | Lnfngj32.exe | 108 (3 identical entries)
PID 4808 wrote to memory of 1576 | 4808 | Lfpcngdo.exe | 109 (3 identical entries)
PID 1576 wrote to memory of 3436 | 1576 | Megldcgd.exe | 110 (3 identical entries)
PID 3436 wrote to memory of 4108 | 3436 | Mkfnlmkl.exe | 111 (3 identical entries)
PID 4108 wrote to memory of 3992 | 4108 | Nblfee32.exe | 112 (3 identical entries)
PID 3992 wrote to memory of 4276 | 3992 | Oimdbnip.exe | 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.38a3e66ef0036007c8a4700dcaf699c0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.38a3e66ef0036007c8a4700dcaf699c0.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Pdchakoo.exeC:\Windows\system32\Pdchakoo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cqfahh32.exeC:\Windows\system32\Cqfahh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Dkgeao32.exeC:\Windows\system32\Dkgeao32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Dklomnmf.exeC:\Windows\system32\Dklomnmf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Eclmlpfl.exeC:\Windows\system32\Eclmlpfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Febogbhg.exeC:\Windows\system32\Febogbhg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Fmejlcoj.exeC:\Windows\system32\Fmejlcoj.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Glmqjj32.exeC:\Windows\system32\Glmqjj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Hhpaki32.exeC:\Windows\system32\Hhpaki32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Iehkpmgl.exeC:\Windows\system32\Iehkpmgl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Ihkpgg32.exeC:\Windows\system32\Ihkpgg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Jdgjgh32.exeC:\Windows\system32\Jdgjgh32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Jhdcmf32.exeC:\Windows\system32\Jhdcmf32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Kbfjljhf.exeC:\Windows\system32\Kbfjljhf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Lfimmhkg.exeC:\Windows\system32\Lfimmhkg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Lnfngj32.exeC:\Windows\system32\Lnfngj32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Lfpcngdo.exeC:\Windows\system32\Lfpcngdo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Megldcgd.exeC:\Windows\system32\Megldcgd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Mkfnlmkl.exeC:\Windows\system32\Mkfnlmkl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Nblfee32.exeC:\Windows\system32\Nblfee32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Oimdbnip.exeC:\Windows\system32\Oimdbnip.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Omkmhlpf.exeC:\Windows\system32\Omkmhlpf.exe23⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Pblolb32.exeC:\Windows\system32\Pblolb32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Qefkcl32.exeC:\Windows\system32\Qefkcl32.exe25⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Apnkfelb.exeC:\Windows\system32\Apnkfelb.exe26⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Algiaepd.exeC:\Windows\system32\Algiaepd.exe27⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Begcjjql.exeC:\Windows\system32\Begcjjql.exe28⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Bjielh32.exeC:\Windows\system32\Bjielh32.exe29⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Cohkinob.exeC:\Windows\system32\Cohkinob.exe30⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Dlfniafa.exeC:\Windows\system32\Dlfniafa.exe31⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Dfeibf32.exeC:\Windows\system32\Dfeibf32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Fmkqknci.exeC:\Windows\system32\Fmkqknci.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Fnjmea32.exeC:\Windows\system32\Fnjmea32.exe34⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Fpbpmhjb.exeC:\Windows\system32\Fpbpmhjb.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Gcceifof.exeC:\Windows\system32\Gcceifof.exe36⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Gjojkpdp.exeC:\Windows\system32\Gjojkpdp.exe37⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Hmginjki.exeC:\Windows\system32\Hmginjki.exe38⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Hjkigojc.exeC:\Windows\system32\Hjkigojc.exe39⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Ijpcbn32.exeC:\Windows\system32\Ijpcbn32.exe40⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Iandjg32.exeC:\Windows\system32\Iandjg32.exe41⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Iaqapggb.exeC:\Windows\system32\Iaqapggb.exe42⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Jahgpf32.exeC:\Windows\system32\Jahgpf32.exe43⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Jggmnmmo.exeC:\Windows\system32\Jggmnmmo.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Kdbchp32.exeC:\Windows\system32\Kdbchp32.exe45⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Lkcaeige.exeC:\Windows\system32\Lkcaeige.exe46⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Lhkkjl32.exeC:\Windows\system32\Lhkkjl32.exe47⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Mgebfhcl.exeC:\Windows\system32\Mgebfhcl.exe48⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Mggolhaj.exeC:\Windows\system32\Mggolhaj.exe49⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Mglhgg32.exeC:\Windows\system32\Mglhgg32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Nbbldp32.exeC:\Windows\system32\Nbbldp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Nbdijpjh.exeC:\Windows\system32\Nbdijpjh.exe52⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Nqnofkkj.exeC:\Windows\system32\Nqnofkkj.exe53⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Onifpodl.exeC:\Windows\system32\Onifpodl.exe54⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Picchg32.exeC:\Windows\system32\Picchg32.exe55⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Phhpic32.exeC:\Windows\system32\Phhpic32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Paqebike.exeC:\Windows\system32\Paqebike.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4428 -
C:\Windows\SysWOW64\Qiocde32.exeC:\Windows\system32\Qiocde32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4260 -
C:\Windows\SysWOW64\Qajhigcj.exeC:\Windows\system32\Qajhigcj.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Aified32.exeC:\Windows\system32\Aified32.exe60⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Bimoecio.exeC:\Windows\system32\Bimoecio.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:4984 -
C:\Windows\SysWOW64\Bbecnipp.exeC:\Windows\system32\Bbecnipp.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Bidefbcg.exeC:\Windows\system32\Bidefbcg.exe63⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Bbljoh32.exeC:\Windows\system32\Bbljoh32.exe64⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Eckogc32.exeC:\Windows\system32\Eckogc32.exe65⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Foplnb32.exeC:\Windows\system32\Foplnb32.exe66⤵PID:364
-
C:\Windows\SysWOW64\Ffjdjmpf.exeC:\Windows\system32\Ffjdjmpf.exe67⤵PID:2356
-
C:\Windows\SysWOW64\Gjlfkj32.exeC:\Windows\system32\Gjlfkj32.exe68⤵PID:3360
-
C:\Windows\SysWOW64\Hjcllilo.exeC:\Windows\system32\Hjcllilo.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184 -
C:\Windows\SysWOW64\Hadkib32.exeC:\Windows\system32\Hadkib32.exe70⤵PID:4776
-
C:\Windows\SysWOW64\Impeib32.exeC:\Windows\system32\Impeib32.exe71⤵PID:4356
-
C:\Windows\SysWOW64\Jfopcgpk.exeC:\Windows\system32\Jfopcgpk.exe72⤵PID:1476
-
C:\Windows\SysWOW64\Jmnakqcc.exeC:\Windows\system32\Jmnakqcc.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4344 -
C:\Windows\SysWOW64\Jfffcf32.exeC:\Windows\system32\Jfffcf32.exe74⤵PID:4552
-
C:\Windows\SysWOW64\Kmbkfp32.exeC:\Windows\system32\Kmbkfp32.exe75⤵PID:1232
-
C:\Windows\SysWOW64\Kmegkp32.exeC:\Windows\system32\Kmegkp32.exe76⤵PID:4852
-
C:\Windows\SysWOW64\Kbapdfkb.exeC:\Windows\system32\Kbapdfkb.exe77⤵PID:5136
-
C:\Windows\SysWOW64\Kilhqq32.exeC:\Windows\system32\Kilhqq32.exe78⤵PID:5232
-
C:\Windows\SysWOW64\Lkbkkbdj.exeC:\Windows\system32\Lkbkkbdj.exe79⤵PID:5328
-
C:\Windows\SysWOW64\Lijdbofo.exeC:\Windows\system32\Lijdbofo.exe80⤵PID:5368
-
C:\Windows\SysWOW64\Lcbikd32.exeC:\Windows\system32\Lcbikd32.exe81⤵PID:5440
-
C:\Windows\SysWOW64\Mgdklb32.exeC:\Windows\system32\Mgdklb32.exe82⤵PID:5484
-
C:\Windows\SysWOW64\Mpmodg32.exeC:\Windows\system32\Mpmodg32.exe83⤵PID:5548
-
C:\Windows\SysWOW64\Nkgmmpab.exeC:\Windows\system32\Nkgmmpab.exe84⤵
- Drops file in System32 directory
PID:5592 -
C:\Windows\SysWOW64\Naaejj32.exeC:\Windows\system32\Naaejj32.exe85⤵PID:5632
-
C:\Windows\SysWOW64\Nnhfokoc.exeC:\Windows\system32\Nnhfokoc.exe86⤵PID:5680
-
C:\Windows\SysWOW64\Oggqho32.exeC:\Windows\system32\Oggqho32.exe87⤵PID:5716
-
C:\Windows\SysWOW64\Ocnampdp.exeC:\Windows\system32\Ocnampdp.exe88⤵PID:5784
-
C:\Windows\SysWOW64\Onhoehpp.exeC:\Windows\system32\Onhoehpp.exe89⤵PID:5828
-
C:\Windows\SysWOW64\Aaianaoo.exeC:\Windows\system32\Aaianaoo.exe90⤵PID:5872
-
C:\Windows\SysWOW64\Aloekjod.exeC:\Windows\system32\Aloekjod.exe91⤵
- Drops file in System32 directory
PID:5932 -
C:\Windows\SysWOW64\Alaaajmb.exeC:\Windows\system32\Alaaajmb.exe92⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Aejfjocb.exeC:\Windows\system32\Aejfjocb.exe93⤵PID:6028
-
C:\Windows\SysWOW64\Anbkbe32.exeC:\Windows\system32\Anbkbe32.exe94⤵PID:6096
-
C:\Windows\SysWOW64\Bjkhme32.exeC:\Windows\system32\Bjkhme32.exe95⤵PID:6132
-
C:\Windows\SysWOW64\Beqljn32.exeC:\Windows\system32\Beqljn32.exe96⤵PID:5336
-
C:\Windows\SysWOW64\Dejhgkgm.exeC:\Windows\system32\Dejhgkgm.exe97⤵PID:5656
-
C:\Windows\SysWOW64\Eceoanpo.exeC:\Windows\system32\Eceoanpo.exe98⤵PID:5704
-
C:\Windows\SysWOW64\Fhljpcfk.exeC:\Windows\system32\Fhljpcfk.exe99⤵
- Modifies registry class
PID:5808 -
C:\Windows\SysWOW64\Foebmn32.exeC:\Windows\system32\Foebmn32.exe100⤵
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Fkopgn32.exeC:\Windows\system32\Fkopgn32.exe101⤵PID:6020
-
C:\Windows\SysWOW64\Ffdddg32.exeC:\Windows\system32\Ffdddg32.exe102⤵PID:6104
-
C:\Windows\SysWOW64\Fkalmn32.exeC:\Windows\system32\Fkalmn32.exe103⤵PID:5160
-
C:\Windows\SysWOW64\Fbkdjh32.exeC:\Windows\system32\Fbkdjh32.exe104⤵PID:5392
-
C:\Windows\SysWOW64\Flqigq32.exeC:\Windows\system32\Flqigq32.exe105⤵PID:5476
-
C:\Windows\SysWOW64\Fckacknf.exeC:\Windows\system32\Fckacknf.exe106⤵PID:5568
-
C:\Windows\SysWOW64\Ghgjlaln.exeC:\Windows\system32\Ghgjlaln.exe107⤵PID:4804
-
C:\Windows\SysWOW64\Gbpnegbo.exeC:\Windows\system32\Gbpnegbo.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4220 -
C:\Windows\SysWOW64\Goconkah.exeC:\Windows\system32\Goconkah.exe109⤵PID:5804
-
C:\Windows\SysWOW64\Gfngke32.exeC:\Windows\system32\Gfngke32.exe110⤵PID:5856
-
C:\Windows\SysWOW64\Gkoinlbg.exeC:\Windows\system32\Gkoinlbg.exe111⤵
- Modifies registry class
PID:6056 -
C:\Windows\SysWOW64\Ikmepj32.exeC:\Windows\system32\Ikmepj32.exe112⤵PID:5156
-
C:\Windows\SysWOW64\Ibgmldnd.exeC:\Windows\system32\Ibgmldnd.exe113⤵PID:2072
-
C:\Windows\SysWOW64\Ickcaf32.exeC:\Windows\system32\Ickcaf32.exe114⤵PID:5560
-
C:\Windows\SysWOW64\Ilfhfh32.exeC:\Windows\system32\Ilfhfh32.exe115⤵PID:4004
-
C:\Windows\SysWOW64\Jbcmhb32.exeC:\Windows\system32\Jbcmhb32.exe116⤵
- Drops file in System32 directory
PID:4336 -
C:\Windows\SysWOW64\Jianpl32.exeC:\Windows\system32\Jianpl32.exe117⤵PID:2220
-
C:\Windows\SysWOW64\Jidkek32.exeC:\Windows\system32\Jidkek32.exe118⤵PID:6128
-
C:\Windows\SysWOW64\Kdiobd32.exeC:\Windows\system32\Kdiobd32.exe119⤵PID:5132
-
C:\Windows\SysWOW64\Lmkfah32.exeC:\Windows\system32\Lmkfah32.exe120⤵PID:4444
-
C:\Windows\SysWOW64\Libggiik.exeC:\Windows\system32\Libggiik.exe121⤵PID:5088
-
C:\Windows\SysWOW64\Lbjlpo32.exeC:\Windows\system32\Lbjlpo32.exe122⤵PID:3164