Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2023, 07:25
Behavioral task behavioral1
- Sample: NEAS.886ac67c6256fbcb96cad81506540010.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: NEAS.886ac67c6256fbcb96cad81506540010.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.886ac67c6256fbcb96cad81506540010.exe
- Size: 404KB
- MD5: 886ac67c6256fbcb96cad81506540010
- SHA1: 5523377ec6fdb32c92875960a7df6052736a3f40
- SHA256: 6b9724b847a1777a40628263a22e630baf87da2cc34202d8835ddadc511324a1
- SHA512: 178b8a9b348963251dd8b8256053b26ce062816a00ea1c302842e4f91dfa04a8591ffeb3d35d7e5347cebe53b76c28e34baba48f97a506efc0edb041a4fa2bcc
- SSDEEP: 6144:tKFRMC3SdhENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836S5:tKFxwcMpV6yYP4rbpV6yYPg058KS
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor - Berbew (64 IoCs)
  Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid: 9236, pid_target: 10152, Process: WerFault.exe, procid_target: 464
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Identical consecutive rows are collapsed into the "writes" column: each parent performs three writes into the next process in the chain, and the listing stops at 64 rows, so the final hop shows a single write.

description                        pid   Process                                     procid_target  writes
PID 4612 wrote to memory of 4088   4612  NEAS.886ac67c6256fbcb96cad81506540010.exe   87             3
PID 4088 wrote to memory of 4596   4088  Achegd32.exe                                88             3
PID 4596 wrote to memory of 1004   4596  Ajdjin32.exe                                89             3
PID 1004 wrote to memory of 5028   1004  Akffafgg.exe                                90             3
PID 5028 wrote to memory of 4304   5028  Akhcfe32.exe                                92             3
PID 4304 wrote to memory of 5040   4304  Bjlpjm32.exe                                93             3
PID 5040 wrote to memory of 2736   5040  Bfbaonae.exe                                94             3
PID 2736 wrote to memory of 2192   2736  Bcfahbpo.exe                                95             3
PID 2192 wrote to memory of 4476   2192  Bmofagfp.exe                                96             3
PID 4476 wrote to memory of 3660   4476  Bcinna32.exe                                99             3
PID 3660 wrote to memory of 5096   3660  Bmabggdm.exe                                98             3
PID 5096 wrote to memory of 440    5096  Bckkca32.exe                                97             3
PID 440 wrote to memory of 4424    440   Cihclh32.exe                                100            3
PID 4424 wrote to memory of 2360   4424  Cfcjfk32.exe                                101            3
PID 2360 wrote to memory of 3584   2360  Ccgjopal.exe                                102            3
PID 3584 wrote to memory of 4516   3584  Dcigeooj.exe                                103            3
PID 4516 wrote to memory of 3192   4516  Dmalne32.exe                                105            3
PID 3192 wrote to memory of 3980   3192  Djhimica.exe                                106            3
PID 3980 wrote to memory of 5100   3980  Dpdaepai.exe                                107            3
PID 5100 wrote to memory of 1244   5100  Efafgifc.exe                                108            3
PID 1244 wrote to memory of 3504   1244  Ecgcfm32.exe                                109            3
PID 3504 wrote to memory of 2108   3504  Eciplm32.exe                                110            1
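The rows above are the evidence for the chain: each stage writes into the process it has just created, and that process becomes the next writer. The script below is an added example, not tria.ge output and not code from the sample, that parses rows in the rendered format (it also accepts the run-together single-line form) and follows writer-to-target edges to recover the relay. The embedded rows are an excerpt of the table above; the function names, the relay test and its min_hops threshold are the example's own choices.

```python
"""Recover the process relay from tria.ge 'Suspicious use of WriteProcessMemory' rows."""
import re
from collections import Counter, defaultdict

# Row layout as tria.ge renders it:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <target procid>
# The (?P=writer) back-reference rejects rows whose two PID columns disagree.
ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<procid>\d+)"
)

# Excerpt of the table above: the first four hops, the hop through the stage that is
# missing from the rendered process tree (5096, Bckkca32.exe), and the final hop.
SAMPLE_ROWS = """
PID 4612 wrote to memory of 4088 4612 NEAS.886ac67c6256fbcb96cad81506540010.exe 87 PID 4612 wrote to memory of 4088 4612 NEAS.886ac67c6256fbcb96cad81506540010.exe 87 PID 4612 wrote to memory of 4088 4612 NEAS.886ac67c6256fbcb96cad81506540010.exe 87
PID 4088 wrote to memory of 4596 4088 Achegd32.exe 88 PID 4088 wrote to memory of 4596 4088 Achegd32.exe 88 PID 4088 wrote to memory of 4596 4088 Achegd32.exe 88
PID 4596 wrote to memory of 1004 4596 Ajdjin32.exe 89 PID 4596 wrote to memory of 1004 4596 Ajdjin32.exe 89 PID 4596 wrote to memory of 1004 4596 Ajdjin32.exe 89
PID 1004 wrote to memory of 5028 1004 Akffafgg.exe 90 PID 1004 wrote to memory of 5028 1004 Akffafgg.exe 90 PID 1004 wrote to memory of 5028 1004 Akffafgg.exe 90
PID 3660 wrote to memory of 5096 3660 Bmabggdm.exe 98 PID 3660 wrote to memory of 5096 3660 Bmabggdm.exe 98 PID 3660 wrote to memory of 5096 3660 Bmabggdm.exe 98
PID 5096 wrote to memory of 440 5096 Bckkca32.exe 97 PID 5096 wrote to memory of 440 5096 Bckkca32.exe 97 PID 5096 wrote to memory of 440 5096 Bckkca32.exe 97
PID 3504 wrote to memory of 2108 3504 Eciplm32.exe 110
"""


def parse_rows(text):
    """One (writer_pid, target_pid, writer_image) tuple per WriteProcessMemory row."""
    return [(int(m["writer"]), int(m["target"]), m["image"]) for m in ROW_RE.finditer(text)]


def write_counts(rows):
    """Number of writes each parent made into each child."""
    return Counter((w, t) for w, t, _ in rows)


def relay_chains(rows):
    """Follow writer -> target edges from every root (a writer nobody wrote into).

    Returns one PID list per root, in ascending root order. A chain in which every
    target becomes the next writer is the relay pattern seen in this report."""
    children = defaultdict(set)
    for w, t, _ in rows:
        children[w].add(t)
    targets = {t for _, t, _ in rows}
    chains = []
    for root in sorted(w for w in children if w not in targets):
        chain, cur = [root], root
        while len(children.get(cur, ())) == 1:   # keep following single-child hops
            cur = next(iter(children[cur]))
            if cur in chain:                      # defensive: never loop on a cycle
                break
            chain.append(cur)
        chains.append(chain)
    return chains


def is_relay(rows, min_hops=3):
    """True if some chain has >= min_hops hops and every writer in it is a distinct image."""
    image = {w: img for w, _, img in rows}
    for chain in relay_chains(rows):
        hops = len(chain) - 1
        if hops >= min_hops and len({image[p] for p in chain[:-1]}) == hops:
            return True
    return False


def missing_from_tree(rows, tree_pids):
    """PIDs that take part in the relay but are absent from the rendered process tree."""
    seen = {p for w, t, _ in rows for p in (w, t)}
    return sorted(seen - set(tree_pids))


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for chain in relay_chains(rows):
        print(" -> ".join(map(str, chain)))
    print("relay pattern:", is_relay(rows))
    # PIDs of the tree entries that correspond to the excerpt; 5096 is not among them.
    print("not in tree:", missing_from_tree(rows, {4612, 4088, 4596, 1004, 5028, 3660, 440, 3504, 2108}))
```

Run against the full 64-row table the same code yields a single 23-process chain from 4612 to 2108, with three writes on every hop but the last. The distinct-image condition in is_relay is what separates this dropper relay from a single injector writing into many children.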
Processes

The sandbox's process tree, one entry per process: nesting depth, on-disk image, PID, then the behaviour signatures attached to that process. Each entry is the parent of the entry one level deeper. The first stage runs from the user's temp directory. Every later stage is a dropped executable whose image is C:\Windows\SysWOW64\<name>.exe but which its parent launches with the command line C:\Windows\system32\<name>.exe: the chain is 32-bit, so WOW64 file-system redirection resolves both the drop to "system32" and the launch from it to SysWOW64. Only the root's command line is written out below; for every other entry it is the system32 form of the image path.

  1  C:\Users\Admin\AppData\Local\Temp\NEAS.886ac67c6256fbcb96cad81506540010.exe  PID 4612
     command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.886ac67c6256fbcb96cad81506540010.exe"
     - Suspicious use of WriteProcessMemory
  2  C:\Windows\SysWOW64\Achegd32.exe  PID 4088
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  3  C:\Windows\SysWOW64\Ajdjin32.exe  PID 4596
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  4  C:\Windows\SysWOW64\Akffafgg.exe  PID 1004
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  5  C:\Windows\SysWOW64\Akhcfe32.exe  PID 5028
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  6  C:\Windows\SysWOW64\Bjlpjm32.exe  PID 4304
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  7  C:\Windows\SysWOW64\Bfbaonae.exe  PID 5040
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  8  C:\Windows\SysWOW64\Bcfahbpo.exe  PID 2736
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  9  C:\Windows\SysWOW64\Bmofagfp.exe  PID 2192
     - Executes dropped EXE
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
 10  C:\Windows\SysWOW64\Bcinna32.exe  PID 4476
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
 11  C:\Windows\SysWOW64\Bmabggdm.exe  PID 3660
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory

The sandbox renders the rest of the chain as a second tree whose depth restarts at 1 at Cihclh32.exe (PID 440). It is the same chain: the WriteProcessMemory table above records Bmabggdm.exe (PID 3660) writing into PID 5096, Bckkca32.exe, and Bckkca32.exe writing into PID 440, the same parent-into-child pattern every other hop shows. Bckkca32.exe itself does not appear in the tree as rendered.

  1  C:\Windows\SysWOW64\Cihclh32.exe  PID 440
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  2  C:\Windows\SysWOW64\Cfcjfk32.exe  PID 4424
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  3  C:\Windows\SysWOW64\Ccgjopal.exe  PID 2360
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  4  C:\Windows\SysWOW64\Dcigeooj.exe  PID 3584
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
  5  C:\Windows\SysWOW64\Dmalne32.exe  PID 4516
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  6  C:\Windows\SysWOW64\Djhimica.exe  PID 3192
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
  7  C:\Windows\SysWOW64\Dpdaepai.exe  PID 3980
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
  8  C:\Windows\SysWOW64\Efafgifc.exe  PID 5100
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
  9  C:\Windows\SysWOW64\Ecgcfm32.exe  PID 1244
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
 10  C:\Windows\SysWOW64\Eciplm32.exe  PID 3504
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
 11  C:\Windows\SysWOW64\Efjimhnh.exe  PID 2108
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
 12  C:\Windows\SysWOW64\Fpejlmcf.exe  PID 3928
     - Executes dropped EXE
 13  C:\Windows\SysWOW64\Fdccbl32.exe  PID 2348
     - Executes dropped EXE
 14  C:\Windows\SysWOW64\Fibhpbea.exe  PID 4352
     - Executes dropped EXE
     - Drops file in System32 directory
 15  C:\Windows\SysWOW64\Fdglmkeg.exe  PID 5020
     - Executes dropped EXE
 16  C:\Windows\SysWOW64\Fideeaco.exe  PID 3196
     - Executes dropped EXE
 17  C:\Windows\SysWOW64\Idcepgmg.exe  PID 4184
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
 18  C:\Windows\SysWOW64\Ipjedh32.exe  PID 4972
     - Executes dropped EXE
     - Modifies registry class
 19  C:\Windows\SysWOW64\Igdnabjh.exe  PID 5092
     - Executes dropped EXE
 20  C:\Windows\SysWOW64\Ipoopgnf.exe  PID 3164
     - Executes dropped EXE
     - Drops file in System32 directory
 21  C:\Windows\SysWOW64\Jpdhkf32.exe  PID 2084
     - Executes dropped EXE
 22  C:\Windows\SysWOW64\Jpfepf32.exe  PID 4016
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Modifies registry class
 23  C:\Windows\SysWOW64\Jgpmmp32.exe  PID 1932
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Drops file in System32 directory
 24  C:\Windows\SysWOW64\Jddnfd32.exe  PID 1336
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
 25  C:\Windows\SysWOW64\Jdfjld32.exe  PID 2440
     - Executes dropped EXE
 26  C:\Windows\SysWOW64\Knooej32.exe  PID 4924
     - Executes dropped EXE
     - Drops file in System32 directory
 27  C:\Windows\SysWOW64\Kggcnoic.exe  PID 3456
     - Executes dropped EXE
     - Modifies registry class
 28  C:\Windows\SysWOW64\Knalji32.exe  PID 3016
     - Executes dropped EXE
 29  C:\Windows\SysWOW64\Knchpiom.exe  PID 2120
     - Executes dropped EXE
     - Drops file in System32 directory
 30  C:\Windows\SysWOW64\Knfeeimj.exe  PID 4756
     - Executes dropped EXE
 31  C:\Windows\SysWOW64\Kcbnnpka.exe  PID 2280
     - Executes dropped EXE
     - Modifies registry class
 32  C:\Windows\SysWOW64\Knhakh32.exe  PID 2872
     - Executes dropped EXE
     - Drops file in System32 directory
 33  C:\Windows\SysWOW64\Kqfngd32.exe  PID 3740
     - Executes dropped EXE
 34  C:\Windows\SysWOW64\Lgqfdnah.exe  PID 4548
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
 35  C:\Windows\SysWOW64\Lnjnqh32.exe  PID 1496
     - Executes dropped EXE
 36  C:\Windows\SysWOW64\Lgccinoe.exe  PID 1348
     - Executes dropped EXE
     - Modifies registry class
 37  C:\Windows\SysWOW64\Lnmkfh32.exe  PID 1672
 38  C:\Windows\SysWOW64\Lqkgbcff.exe  PID 4456
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
 39  C:\Windows\SysWOW64\Ljclki32.exe  PID 3200
     - Executes dropped EXE
 40  C:\Windows\SysWOW64\Lmbhgd32.exe  PID 5048
     - Executes dropped EXE
     - Modifies registry class
 41  C:\Windows\SysWOW64\Lkchelci.exe  PID 3168
     - Executes dropped EXE
 42  C:\Windows\SysWOW64\Lgjijmin.exe  PID 3548
     - Executes dropped EXE
 43  C:\Windows\SysWOW64\Mkhapk32.exe  PID 5008
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
 44  C:\Windows\SysWOW64\Mnfnlf32.exe  PID 1872
     - Executes dropped EXE
     - Modifies registry class
 45  C:\Windows\SysWOW64\Mgobel32.exe  PID 4916
     - Executes dropped EXE
     - Modifies registry class
 46  C:\Windows\SysWOW64\Mcecjmkl.exe  PID 1860
     - Executes dropped EXE
 47  C:\Windows\SysWOW64\Mchppmij.exe  PID 4436
     - Executes dropped EXE
 48  C:\Windows\SysWOW64\Malpia32.exe  PID 3884
     - Executes dropped EXE
     - Modifies registry class
 49  C:\Windows\SysWOW64\Mjdebfnd.exe  PID 5108
     - Executes dropped EXE
 50  C:\Windows\SysWOW64\Nclikl32.exe  PID 2876
     - Executes dropped EXE
     - Drops file in System32 directory
 51  C:\Windows\SysWOW64\Nlcalieg.exe  PID 4604
     - Executes dropped EXE
 52  C:\Windows\SysWOW64\Ngjbaj32.exe  PID 1628
     - Executes dropped EXE
     - Drops file in System32 directory
 53  C:\Windows\SysWOW64\Nabfjpak.exe  PID 1480
     - Executes dropped EXE
 54  C:\Windows\SysWOW64\Njkkbehl.exe  PID 468
     - Executes dropped EXE
 55  C:\Windows\SysWOW64\Naecop32.exe  PID 4768
 56  C:\Windows\SysWOW64\Nccokk32.exe  PID 1608
     - Drops file in System32 directory
 57  C:\Windows\SysWOW64\Nhahaiec.exe  PID 980
     - Drops file in System32 directory
     - Modifies registry class
 58  C:\Windows\SysWOW64\Ohcegi32.exe  PID 4644
 59  C:\Windows\SysWOW64\Odjeljhd.exe  PID 1388
     - Drops file in System32 directory
 60  C:\Windows\SysWOW64\Omcjep32.exe  PID 4572
     - Modifies registry class
 61  C:\Windows\SysWOW64\Odmbaj32.exe  PID 2980
 62  C:\Windows\SysWOW64\Omegjomb.exe  PID 4540
 63  C:\Windows\SysWOW64\Ojigdcll.exe  PID 764
     - Adds autorun key to be loaded by Explorer.exe on startup
 64  C:\Windows\SysWOW64\Omgcpokp.exe  PID 1536
 65  C:\Windows\SysWOW64\Odalmibl.exe  PID 4624
     - Adds autorun key to be loaded by Explorer.exe on startup
 66  C:\Windows\SysWOW64\Oogpjbbb.exe  PID 3480
 67  C:\Windows\SysWOW64\Pddhbipj.exe  PID 3620
     - Adds autorun key to be loaded by Explorer.exe on startup
 68  C:\Windows\SysWOW64\Plkpcfal.exe  PID 4680
 69  C:\Windows\SysWOW64\Pahilmoc.exe  PID 400
 70  C:\Windows\SysWOW64\Pmoiqneg.exe  PID 1916
     - Modifies registry class
 71  C:\Windows\SysWOW64\Plpjoe32.exe  PID 4788
 72  C:\Windows\SysWOW64\Pehngkcg.exe  PID 2304
     - Adds autorun key to be loaded by Explorer.exe on startup
 73  C:\Windows\SysWOW64\Popbpqjh.exe  PID 232
 74  C:\Windows\SysWOW64\Pdmkhgho.exe  PID 4828
 75  C:\Windows\SysWOW64\Pldcjeia.exe  PID 1204
     - Drops file in System32 directory
 76  C:\Windows\SysWOW64\Qemhbj32.exe  PID 3304
 77  C:\Windows\SysWOW64\Qlgpod32.exe  PID 2012
 78  C:\Windows\SysWOW64\Qoelkp32.exe  PID 4188
 79  C:\Windows\SysWOW64\Qdbdcg32.exe  PID 1476
 80  C:\Windows\SysWOW64\Aogiap32.exe  PID 5136
 81  C:\Windows\SysWOW64\Aojefobm.exe  PID 5180
     - Modifies registry class
 82  C:\Windows\SysWOW64\Aednci32.exe  PID 5224
 83  C:\Windows\SysWOW64\Anobgl32.exe  PID 5268
 84  C:\Windows\SysWOW64\Akccap32.exe  PID 5316
 85  C:\Windows\SysWOW64\Aamknj32.exe  PID 5352
 86  C:\Windows\SysWOW64\Anclbkbp.exe  PID 5404
 87  C:\Windows\SysWOW64\Adndoe32.exe  PID 5448
     - Adds autorun key to be loaded by Explorer.exe on startup
 88  C:\Windows\SysWOW64\Bnfihkqm.exe  PID 5492
     - Drops file in System32 directory
     - Modifies registry class
 89  C:\Windows\SysWOW64\Bnhenj32.exe  PID 5536
 90  C:\Windows\SysWOW64\Bklfgo32.exe  PID 5580
 91  C:\Windows\SysWOW64\Bafndi32.exe  PID 5624
 92  C:\Windows\SysWOW64\Bllbaa32.exe  PID 5668
 93  C:\Windows\SysWOW64\Bahkih32.exe  PID 5712
 94  C:\Windows\SysWOW64\Bnoknihb.exe  PID 5752
 95  C:\Windows\SysWOW64\Bffcpg32.exe  PID 5796
 96  C:\Windows\SysWOW64\Coohhlpe.exe  PID 5840
 97  C:\Windows\SysWOW64\Cdlqqcnl.exe  PID 5884
 98  C:\Windows\SysWOW64\Ckeimm32.exe  PID 5928
 99  C:\Windows\SysWOW64\Cfkmkf32.exe  PID 5980
     - Drops file in System32 directory
     - Modifies registry class
100  C:\Windows\SysWOW64\Dmadco32.exe  PID 6024
     - Drops file in System32 directory
     - Modifies registry class
101  C:\Windows\SysWOW64\Dbnmke32.exe  PID 6072
     - Drops file in System32 directory
102  C:\Windows\SysWOW64\Doaneiop.exe  PID 6116
103  C:\Windows\SysWOW64\Dijbno32.exe  PID 1732
104  C:\Windows\SysWOW64\Dkhnjk32.exe  PID 5188
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
105  C:\Windows\SysWOW64\Dbbffdlq.exe  PID 5264
106  C:\Windows\SysWOW64\Eiloco32.exe  PID 5324
107  C:\Windows\SysWOW64\Eecphp32.exe  PID 5396
     - Drops file in System32 directory
108  C:\Windows\SysWOW64\Ekmhejao.exe  PID 5476
     - Drops file in System32 directory
109  C:\Windows\SysWOW64\Enkdaepb.exe  PID 5568
110  C:\Windows\SysWOW64\Eeelnp32.exe  PID 5644
111  C:\Windows\SysWOW64\Eiahnnph.exe  PID 5724
112  C:\Windows\SysWOW64\Ennqfenp.exe  PID 5804
113  C:\Windows\SysWOW64\Emoadlfo.exe  PID 5876
114  C:\Windows\SysWOW64\Felbnn32.exe  PID 3848
115  C:\Windows\SysWOW64\Fneggdhg.exe  PID 4372
116  C:\Windows\SysWOW64\Fpdcag32.exe  PID 388
     - Adds autorun key to be loaded by Explorer.exe on startup
117  C:\Windows\SysWOW64\Fpgpgfmh.exe  PID 6012
     - Adds autorun key to be loaded by Explorer.exe on startup
118  C:\Windows\SysWOW64\Ffqhcq32.exe  PID 6080
     - Modifies registry class
119  C:\Windows\SysWOW64\Fmmmfj32.exe  PID 5124
     - Drops file in System32 directory
120  C:\Windows\SysWOW64\Fbjena32.exe  PID 5196
     - Adds autorun key to be loaded by Explorer.exe on startup
121  C:\Windows\SysWOW64\Gpnfge32.exe  PID 5372
122  C:\Windows\SysWOW64\Gejopl32.exe  PID 5528
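Working from a saved copy of a sandbox page like this one, an analyst usually wants the tree back in structured form. The script below is an added example, not tria.ge code and not anything from the sample, that parses entries in the form the sandbox page renders them (image path, command line and nesting depth run together on one line ending in the ⤵ glyph, followed by "- <signature>" lines and a "PID:<n>" line, or the PID on the header line itself), links each entry to its parent by depth, and flags the SysWOW64/system32 mismatch that WOW64 file-system redirection produces for a 32-bit stage launched by its system32 path. The embedded entries are copied from the tree above; the Proc record, the function names and the relay_stages rule are the example's own.

```python
"""Parse a tria.ge process tree and check each stage of the dropper chain."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entry header as the sandbox page renders it: image path, command line and depth run
# together, terminated by the arrow glyph; the PID either follows on the same line or on
# a later "PID:<n>" line after the "- <signature>" lines.
HEAD_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.exe)(?P<cmd>"?[A-Za-z]:\\.*?\.exe"?)(?P<depth>\d+)⤵'
    r'(?:PID:(?P<pid>\d+))?'
)
PID_RE = re.compile(r"PID:(\d+)")

SYSWOW64 = "c:\\windows\\syswow64\\"
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent_pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


# Excerpt of the tree above: the first three stages, plus a later stage whose PID sits on
# the header line. Depths 4-36 are left out, so that stage's parent cannot be resolved.
SAMPLE_TREE = r'''
C:\Users\Admin\AppData\Local\Temp\NEAS.886ac67c6256fbcb96cad81506540010.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.886ac67c6256fbcb96cad81506540010.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe37⤵PID:1672
'''


def parse_tree(text: str) -> List[Proc]:
    """Entries in page order, each linked to the nearest preceding entry one level up."""
    procs, cur, last_at_depth = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # blank lines and empty bullets carry nothing
            continue
        m = HEAD_RE.match(line)
        if m:
            cur = Proc(m["image"], m["cmd"].strip('"'), int(m["depth"]),
                       int(m["pid"]) if m["pid"] else None)
            parent = last_at_depth.get(cur.depth - 1)
            cur.parent_pid = parent.pid if parent else None
            last_at_depth[cur.depth] = cur
            procs.append(cur)
        elif line.startswith("- ") and cur is not None:
            cur.signatures.append(line[2:].strip())
        elif cur is not None:
            pm = PID_RE.search(line)
            if pm:
                cur.pid = int(pm.group(1))
    return procs


def wow64_redirected(p: Proc) -> bool:
    """True for a stage launched by its system32 path whose image actually lives in SysWOW64:
    a 32-bit process, so WOW64 file-system redirection resolved system32 to SysWOW64."""
    return p.image.lower().startswith(SYSWOW64) and p.cmdline.lower().startswith(SYSTEM32)


def stages_with(procs: List[Proc], signature: str) -> List[int]:
    """PIDs of the stages carrying the given behaviour signature."""
    return [p.pid for p in procs if signature in p.signatures]


def relay_stages(procs: List[Proc]) -> List[int]:
    """PIDs that both execute a dropped EXE and write into another process: the chain's links."""
    return [p.pid for p in procs
            if "Executes dropped EXE" in p.signatures
            and "Suspicious use of WriteProcessMemory" in p.signatures]


if __name__ == "__main__":
    for p in parse_tree(SAMPLE_TREE):
        print(p.depth, p.pid, p.parent_pid, p.image,
              "wow64-redirected" if wow64_redirected(p) else "", p.signatures)
```

The parent link comes from depth alone, which is all the rendered tree offers; when a depth is skipped, as in the excerpt, the link is left unresolved rather than guessed. Cross-checking parent_pid against the WriteProcessMemory rows is how the missing Bckkca32.exe stage becomes visible.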